
Windows Analysis Report http://www.artforlife.lozhkin.foundation/asperioresab/rerumvel-6647201

Overview

General Information

Sample URL: http://www.artforlife.lozhkin.foundation/asperioresab/rerumvel-6647201
Analysis ID: 528463

Detection

Hidden Macro 4.0
Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Sigma detected: Microsoft Office Product Spawning Windows Shell
Document exploit detected (process start blacklist hit)
Yara detected hidden Macro 4.0 in Excel
Found inlined nop instructions (likely shell or obfuscated code)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Tries to load missing DLLs
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • chrome.exe (PID: 6748 cmdline: C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --enable-automation "http://www.artforlife.lozhkin.foundation/asperioresab/rerumvel-6647201 MD5: C139654B5C1438A95B321BB01AD63EF6)
    • chrome.exe (PID: 7048 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1604,14176787574664726196,1403337882875848993,131072 --lang=en-US --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1912 /prefetch:8 MD5: C139654B5C1438A95B321BB01AD63EF6)
    • chrome.exe (PID: 5528 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1604,14176787574664726196,1403337882875848993,131072 --lang=en-US --service-sandbox-type=none --enable-audio-service-sandbox --mojo-platform-channel-handle=4640 /prefetch:8 MD5: C139654B5C1438A95B321BB01AD63EF6)
    • unarchiver.exe (PID: 6204 cmdline: C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Downloads\rerumvel-6647201.zip MD5: 1BFD96908AB2C114F24ABAF0CB630007)
      • 7za.exe (PID: 6364 cmdline: C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\xpo14wsl.qhu" "C:\Users\user\Downloads\rerumvel-6647201.zip MD5: 77E556CDFDC5C592F5C46DB4127C6F4C)
        • conhost.exe (PID: 6312 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 3412 cmdline: cmd.exe" /C "C:\Users\user\AppData\Local\Temp\xpo14wsl.qhu\favor-2069844189.xls MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 4592 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • EXCEL.EXE (PID: 4344 cmdline: "C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /dde MD5: 5D6638F2C8F8571C593999C58866007E)
          • regsvr32.exe (PID: 7056 cmdline: "C:\Windows\System32\regsvr32.exe" C:\Datop\besta.ocx MD5: 426E7499F6A7346F0410DEAD0805586B)
          • regsvr32.exe (PID: 6740 cmdline: "C:\Windows\System32\regsvr32.exe" C:\Datop\bestb.ocx MD5: 426E7499F6A7346F0410DEAD0805586B)
          • regsvr32.exe (PID: 4532 cmdline: "C:\Windows\System32\regsvr32.exe" C:\Datop\bestc.ocx MD5: 426E7499F6A7346F0410DEAD0805586B)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Dropped Files

Source: C:\Users\user\AppData\Local\Temp\xpo14wsl.qhu\favor-2069844189.xls
Rule: SUSP_Excel4Macro_AutoOpen
Description: Detects Excel4 macro use with auto open / close
Author: John Lambert @JohnLaTwC
Strings:
  • 0x0:$header_docf: D0 CF 11 E0
  • 0x3b2aa:$s1: Excel
  • 0x3c378:$s1: Excel
  • 0x3521:$Auto_Open: 18 00 17 00 20 00 00 01 07 00 00 00 00 00 00 00 00 00 00 01 3A

Source: C:\Users\user\AppData\Local\Temp\xpo14wsl.qhu\favor-2069844189.xls
Rule: JoeSecurity_HiddenMacro
Description: Yara detected hidden Macro 4.0 in Excel
Author: Joe Security

Sigma Overview

System Summary:

Sigma detected: Microsoft Office Product Spawning Windows Shell
Source: Process started
Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team
Data: Command: "C:\Windows\System32\regsvr32.exe" C:\Datop\besta.ocx, CommandLine: "C:\Windows\System32\regsvr32.exe" C:\Datop\besta.ocx, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\regsvr32.exe, NewProcessName: C:\Windows\SysWOW64\regsvr32.exe, OriginalFileName: C:\Windows\SysWOW64\regsvr32.exe, ParentCommandLine: "C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /dde, ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, ParentProcessId: 4344, ProcessCommandLine: "C:\Windows\System32\regsvr32.exe" C:\Datop\besta.ocx, ProcessId: 7056

Jbx Signature Overview

Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Directory created: C:\Program Files\Google\Chrome\Application\Dictionaries
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Directory created: C:\Program Files\Google\Chrome\Application\Dictionaries\en-US-9-0.bdic
Source: C:\Windows\SysWOW64\unarchiver.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: unknown | HTTPS traffic detected: 108.179.253.213:443 -> 192.168.2.3:49781 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 103.53.42.241:443 -> 192.168.2.3:49782 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 142.4.29.152:443 -> 192.168.2.3:49783 version: TLS 1.2

Software Vulnerabilities:

Document exploit detected (process start blacklist hit)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process created: C:\Windows\SysWOW64\regsvr32.exe
Source: C:\Windows\SysWOW64\unarchiver.exe | Code function: 4x nop then jmp 04EB09B7h | 6_2_04EB02A8
Source: C:\Windows\SysWOW64\unarchiver.exe | Code function: 4x nop then jmp 04EB09B6h | 6_2_04EB02A8
Source: global traffic | HTTP traffic detected:
  HTTP/1.1 200 OK
  Connection: Keep-Alive
  X-Powered-By: PHP/7.1.33
  Set-Cookie: PHPSESSID=f287e90eb7e9bd7e2607d5e6083193ef; path=/
  Expires: Thu, 19 Nov 1981 08:52:00 GMT
  Cache-Control: no-store, no-cache, must-revalidate
  Pragma: no-cache
  Content-Type: text/html; charset=UTF-8
  Content-Length: 175
  Content-Encoding: gzip
  Vary: Accept-Encoding
  Date: Thu, 25 Nov 2021 09:45:35 GMT
  Server: LiteSpeed
  X-Content-Type-Options: nosniff
  Data Raw: 1f 8b 08 00 00 00 00 00 00 03 2d 8e bd 0e 82 30 14 46 5f a5 e9 52 18 68 11 a3 0e 96 26 9a 38 f8 04 ce a5 6d e4 06 fa 93 72 21 c1 a7 37 a0 db c9 37 9c ef c8 1e fd a8 64 17 ed aa a4 85 85 80 6d 69 18 28 b1 58 85 a1 a5 42 4f c9 65 88 d9 4d ba 13 26 06 74 3e c5 ac f3 5a 35 c7 73 dd 9c 2e f5 81 7f 20 51 25 85 85 45 c9 c9 64 48 a8 c6 68 34 42 0c 3c 69 ec 83 f6 8e b4 c4 46 33 7b 17 90 bf 1d 3e 46 b7 e1 7d 7d da 82 85 81 95 db 78 43 cc d0 cd e8 0a b6 df b3 f2 2a c5 5f 28 c5 af 51 ec c1 2f 0d c8 39 ff 02 5f 89 0e 45 be 00 00 00
  Data Ascii: -0F_Rh&8mr!77dmi(XBOeM&t>Z5s. Q%EdHh4B<iF3{>F}}xC*_(Q/9_E
Source: unknown | Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown | Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown | Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49749
Source: angular.js.1.dr | String found in binary or memory: http://angularjs.org
Source: angular.js.1.dr | String found in binary or memory: http://errors.angularjs.org/1.6.4-local
Source: pnacl_public_x86_64_pnacl_sz_nexe.1.dr, pnacl_public_x86_64_pnacl_llc_nexe.1.dr | String found in binary or memory: http://llvm.org/):
Source: mirroring_hangouts.js.1.dr | String found in binary or memory: http://tools.ietf.org/html/rfc1950
Source: mirroring_hangouts.js.1.dr | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: data_1.4.dr, 000003.log2.1.dr, rerumvel-6647201.zip_Zone.Identifier.5.dr | String found in binary or memory: http://www.artforlife.lozhkin.foundation/asperioresab/contemporary-236025701.zip
Source: History.1.dr | String found in binary or memory: http://www.artforlife.lozhkin.foundation/asperioresab/contemporary-236025701.zipK
Source: data_1.4.dr | String found in binary or memory: http://www.artforlife.lozhkin.foundation/asperioresab/contemporary-236025701.zipL
Source: Current Session.1.dr | String found in binary or memory: http://www.artforlife.lozhkin.foundation/asperioresab/rerumvel-6647201
Source: History.1.dr | String found in binary or memory: http://www.artforlife.lozhkin.foundation/asperioresab/rerumvel-6647201/07
Source: History Provider Cache.1.dr | String found in binary or memory: http://www.artforlife.lozhkin.foundation/asperioresab/rerumvel-66472012
Source: History Provider Cache.1.dr | String found in binary or memory: http://www.artforlife.lozhkin.foundation/asperioresab/rerumvel-66472012:
Source: Current Session.1.dr | String found in binary or memory: http://www.artforlife.lozhkin.foundation/asperioresab/rerumvel-66472018
Source: History.1.dr | String found in binary or memory: http://www.artforlife.lozhkin.foundation/asperioresab/rerumvel-6647201http://www.artforlife.lozhkin.
Source: mirroring_hangouts.js.1.dr | String found in binary or memory: http://www.ietf.org/id/draft-holmer-rmcat-transport-wide-cc-extensions
Source: mirroring_hangouts.js.1.dr | String found in binary or memory: http://www.ietf.org/id/draft-holmer-rmcat-transport-wide-cc-extensions-01
Source: manifest.json0.1.dr, 81a9ac02-601b-435d-be4d-21e0784ce8f2.tmp.4.dr, eb61acc6-0a83-4200-9689-2066e6f2ca5b.tmp.4.dr | String found in binary or memory: https://accounts.google.com
Source: craw_window.js.1.dr | String found in binary or memory: https://accounts.google.com/MergeSession
Source: manifest.json0.1.dr, 81a9ac02-601b-435d-be4d-21e0784ce8f2.tmp.4.dr, eb61acc6-0a83-4200-9689-2066e6f2ca5b.tmp.4.dr | String found in binary or memory: https://apis.google.com
Source: mirroring_common.js.1.dr | String found in binary or memory: https://apis.google.com/js/client.js
Source: mirroring_common.js.1.dr | String found in binary or memory: https://castedumessaging-pa.googleapis.com/v1
Source: pnacl_public_x86_64_libcrt_platform_a.1.dr | String found in binary or memory: https://chromium.googlesource.com/a/native_client/pnacl-clang.git
Source: pnacl_public_x86_64_libcrt_platform_a.1.dr | String found in binary or memory: https://chromium.googlesource.com/a/native_client/pnacl-llvm.git
Source: 81a9ac02-601b-435d-be4d-21e0784ce8f2.tmp.4.dr, eb61acc6-0a83-4200-9689-2066e6f2ca5b.tmp.4.dr | String found in binary or memory: https://clients2.google.com
Source: mirroring_hangouts.js.1.dr | String found in binary or memory: https://clients2.google.com/cr/report
Source: manifest.json0.1.dr, manifest.json.1.dr, manifest.json1.1.dr | String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: 81a9ac02-601b-435d-be4d-21e0784ce8f2.tmp.4.dr, eb61acc6-0a83-4200-9689-2066e6f2ca5b.tmp.4.dr | String found in binary or memory: https://clients2.googleusercontent.com
Source: mirroring_hangouts.js.1.dr | String found in binary or memory: https://clients6.google.com
Source: pnacl_public_x86_64_ld_nexe.1.dr | String found in binary or memory: https://code.google.com/p/nativeclient/issues/entry
Source: pnacl_public_x86_64_ld_nexe.1.dr | String found in binary or memory: https://code.google.com/p/nativeclient/issues/entry%s:
Source: manifest.json0.1.dr | String found in binary or memory: https://content.googleapis.com
Source: common.js.1.dr, mirroring_cast_streaming.js.1.dr | String found in binary or memory: https://crash.corp.google.com/samples?reportid=&q=
Source: mirroring_hangouts.js.1.dr | String found in binary or memory: https://creativecommons.org/publicdomain/zero/1.0/.
Source: d07f6d12-c956-435a-889c-062e1247057e.tmp.4.dr, 602605cd-a010-447a-97a4-267db34edb97.tmp.4.dr, 81a9ac02-601b-435d-be4d-21e0784ce8f2.tmp.4.dr, eb61acc6-0a83-4200-9689-2066e6f2ca5b.tmp.4.dr | String found in binary or memory: https://dns.google
Source: mirroring_common.js.1.dr | String found in binary or memory: https://docs.google.com
Source: manifest.json0.1.dr | String found in binary or memory: https://feedback.googleusercontent.com
Source: eb61acc6-0a83-4200-9689-2066e6f2ca5b.tmp.4.dr | String found in binary or memory: https://fonts.googleapis.com
Source: manifest.json0.1.dr | String found in binary or memory: https://fonts.googleapis.com;
Source: 81a9ac02-601b-435d-be4d-21e0784ce8f2.tmp.4.dr, eb61acc6-0a83-4200-9689-2066e6f2ca5b.tmp.4.dr | String found in binary or memory: https://fonts.gstatic.com
Source: manifest.json0.1.dr | String found in binary or memory: https://fonts.gstatic.com;
Source: angular.js.1.dr, material_css_min.css.1.dr | String found in binary or memory: https://github.com/angular/material
Source: craw_background.js.1.dr, craw_window.js.1.dr | String found in binary or memory: https://github.com/google/closure-library/wiki/goog.module:-an-ES6-module-like-alternative-to-goog.p
Source: mirroring_hangouts.js.1.dr | String found in binary or memory: https://github.com/madler/zlib/blob/master/zlib.h
Source: mirroring_hangouts.js.1.dr | String found in binary or memory: https://hangouts.clients6.google.com
Source: manifest.json0.1.dr | String found in binary or memory: https://hangouts.google.com/
Source: mirroring_hangouts.js.1.dr | String found in binary or memory: https://hangouts.google.com/hangouts/_/logpref
Source: mirroring_common.js.1.dr | String found in binary or memory: https://meet.google.com
Source: mirroring_hangouts.js.1.dr | String found in binary or memory: https://meetings.clients6.google.com
Source: mirroring_common.js.1.dr | String found in binary or memory: https://networktraversal.googleapis.com/v1alpha
Source: 81a9ac02-601b-435d-be4d-21e0784ce8f2.tmp.4.dr, eb61acc6-0a83-4200-9689-2066e6f2ca5b.tmp.4.dr | String found in binary or memory: https://ogs.google.com
Source: manifest.json.1.dr, craw_window.js.1.dr | String found in binary or memory: https://payments.google.com/payments/v4/js/integrator.js
Source: 81a9ac02-601b-435d-be4d-21e0784ce8f2.tmp.4.dr, eb61acc6-0a83-4200-9689-2066e6f2ca5b.tmp.4.dr | String found in binary or memory: https://play.google.com
Source: mirroring_hangouts.js.1.dr | String found in binary or memory: https://play.google.com/log?format=json&hasfast=true
Source: mirroring_hangouts.js.1.dr | String found in binary or memory: https://preprod-hangouts-googleapis.sandbox.google.com
Source: 81a9ac02-601b-435d-be4d-21e0784ce8f2.tmp.4.dr | String found in binary or memory: https://r2---sn-4g5ednse.gvt1.com
Source: data_3.4.dr | String found in binary or memory: https://r2---sn-4g5ednse.gvt1.com/edgedl/chrome/dict/en-us-9-0.bdic?cms_redirect=yes&mh=I2&mip=84.17
Source: 81a9ac02-601b-435d-be4d-21e0784ce8f2.tmp.4.dr | String found in binary or memory: https://redirector.gvt1.com
Source: data_1.4.dr | String found in binary or memory: https://redirector.gvt1.com/edgedl/chrome/dict/en-us-9-0.bdic
Source: manifest.json.1.dr, craw_window.js.1.dr | String found in binary or memory: https://sandbox.google.com/payments/v4/js/integrator.js
Source: 81a9ac02-601b-435d-be4d-21e0784ce8f2.tmp.4.dr, eb61acc6-0a83-4200-9689-2066e6f2ca5b.tmp.4.dr | String found in binary or memory: https://ssl.gstatic.com
Source: messages.json27.1.dr, messages.json83.1.dr, messages.json19.1.dr, feedback.html.1.dr, messages.json80.1.dr, messages.json28.1.dr, messages.json72.1.dr, messages.json22.1.dr, messages.json73.1.dr, messages.json37.1.dr, messages.json77.1.dr, messages.json17.1.dr, messages.json29.1.dr, messages.json21.1.dr, messages.json61.1.dr, messages.json74.1.dr, messages.json60.1.dr, messages.json75.1.dr, messages.json85.1.dr, messages.json20.1.dr, messages.json38.1.dr, messages.json4.1.dr, messages.json87.1.dr, messages.json86.1.dr, messages.json76.1.dr, messages.json69.1.dr, messages.json18.1.dr, messages.json39.1.dr, messages.json15.1.dr, messages.json84.1.dr, messages.json49.1.dr, messages.json70.1.dr, messages.json46.1.dr, messages.json26.1.dr, messages.json68.1.dr, messages.json47.1.dr, messages.json12.1.dr, messages.json79.1.dr, messages.json59.1.dr, messages.json45.1.dr, messages.json71.1.dr, messages.json82.1.dr, messages.json36.1.dr, messages.json81.1.dr, messages.json78.1.dr, messages.json67.1.dr, messages.json11.1.dr, messages.json16.1.dr, messages.json.1.dr | String found in binary or memory: https://support.google.com/chromecast/answer/2998456
Source: messages.json27.1.dr, messages.json83.1.dr, messages.json19.1.dr, feedback.html.1.dr, messages.json80.1.dr, messages.json28.1.dr, messages.json72.1.dr, messages.json22.1.dr, messages.json73.1.dr, messages.json37.1.dr, messages.json77.1.dr, messages.json17.1.dr, messages.json29.1.dr, messages.json21.1.dr, messages.json61.1.dr, messages.json74.1.dr, messages.json60.1.dr, messages.json75.1.dr, messages.json85.1.dr, messages.json20.1.dr, messages.json38.1.dr, messages.json4.1.dr, messages.json87.1.dr, messages.json86.1.dr, messages.json76.1.dr, messages.json69.1.dr, messages.json18.1.dr, messages.json39.1.dr, messages.json15.1.dr, messages.json84.1.dr, messages.json49.1.dr, messages.json70.1.dr, messages.json46.1.dr, messages.json26.1.dr, messages.json68.1.dr, messages.json47.1.dr, messages.json12.1.dr, messages.json79.1.dr, messages.json59.1.dr, messages.json45.1.dr, messages.json71.1.dr, messages.json82.1.dr, messages.json36.1.dr, messages.json81.1.dr, messages.json78.1.dr, messages.json67.1.dr, messages.json11.1.dr, messages.json16.1.dr, messages.json.1.dr | String found in binary or memory: https://support.google.com/chromecast/troubleshooter/2995236
Source: craw_background.js.1.dr, craw_window.js.1.dr | String found in binary or memory: https://www-googleapis-staging.sandbox.google.com
Source: manifest.json0.1.dr, 81a9ac02-601b-435d-be4d-21e0784ce8f2.tmp.4.dr, eb61acc6-0a83-4200-9689-2066e6f2ca5b.tmp.4.dr | String found in binary or memory: https://www.google.com
Source: manifest.json.1.dr | String found in binary or memory: https://www.google.com/
Source: craw_window.js.1.dr | String found in binary or memory: https://www.google.com/accounts/OAuthLogin?issueuberauth=1
Source: craw_window.js.1.dr | String found in binary or memory: https://www.google.com/images/cleardot.gif
Source: craw_window.js.1.dr | String found in binary or memory: https://www.google.com/images/dot2.gif
Source: craw_window.js.1.dr | String found in binary or memory: https://www.google.com/images/x2.gif
Source: craw_background.js.1.dr | String found in binary or memory: https://www.google.com/intl/en-US/chrome/blank.html
Source: mirroring_hangouts.js.1.dr | String found in binary or memory: https://www.google.com/log?format=json&hasfast=true
Source: feedback_script.js.1.dr | String found in binary or memory: https://www.google.com/tools/feedback
Source: manifest.json0.1.dr | String found in binary or memory: https://www.google.com;
Source: craw_background.js.1.dr, 81a9ac02-601b-435d-be4d-21e0784ce8f2.tmp.4.dr, craw_window.js.1.dr, eb61acc6-0a83-4200-9689-2066e6f2ca5b.tmp.4.dr | String found in binary or memory: https://www.googleapis.com
Source: manifest.json.1.dr | String found in binary or memory: https://www.googleapis.com/
Source: manifest.json0.1.dr | String found in binary or memory: https://www.googleapis.com/auth/calendar.readonly
Source: manifest.json0.1.dr | String found in binary or memory: https://www.googleapis.com/auth/cast-edu-messaging
Source: manifest.json.1.dr | String found in binary or memory: https://www.googleapis.com/auth/chromewebstore
Source: manifest.json.1.dr | String found in binary or memory: https://www.googleapis.com/auth/chromewebstore.readonly
Source: manifest.json0.1.dr | String found in binary or memory: https://www.googleapis.com/auth/clouddevices
Source: manifest.json0.1.dr | String found in binary or memory: https://www.googleapis.com/auth/hangouts
Source: manifest.json0.1.dr | String found in binary or memory: https://www.googleapis.com/auth/hangouts.readonly
Source: manifest.json0.1.dr | String found in binary or memory: https://www.googleapis.com/auth/meetings
Source: manifest.json0.1.dr | String found in binary or memory: https://www.googleapis.com/auth/plus.peopleapi.readwrite
Source: manifest.json.1.dr | String found in binary or memory: https://www.googleapis.com/auth/sierra
Source: manifest.json.1.dr | String found in binary or memory: https://www.googleapis.com/auth/sierrasandbox
Source: manifest.json0.1.dr | String found in binary or memory: https://www.googleapis.com/auth/userinfo.email
Source: mirroring_common.js.1.dr | String found in binary or memory: https://www.googleapis.com/calendar/v3
Source: mirroring_common.js.1.dr | String found in binary or memory: https://www.googleapis.com/hangouts/v1
Source: 81a9ac02-601b-435d-be4d-21e0784ce8f2.tmp.4.dr, eb61acc6-0a83-4200-9689-2066e6f2ca5b.tmp.4.dr | String found in binary or memory: https://www.gstatic.com
Source: common.js.1.dr | String found in binary or memory: https://www.gstatic.com/hangouts_echo_detector/release/%
Source: manifest.json0.1.dr | String found in binary or memory: https://www.gstatic.com;
Source: unknown | HTTP traffic detected:
  POST /ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard HTTP/1.1
  Host: accounts.google.com
  Connection: keep-alive
  Content-Length: 1
  Origin: https://www.google.com
  Content-Type: application/x-www-form-urlencoded
  Sec-Fetch-Site: none
  Sec-Fetch-Mode: no-cors
  Sec-Fetch-Dest: empty
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
  Accept-Encoding: gzip, deflate, br
  Accept-Language: en-US,en;q=0.9
Source: unknown | DNS traffic detected: queries for: clients2.google.com
Source: global traffic | HTTP traffic detected:
  GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=85.0.4183.121&lang=en-US&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1&x=id%3Dpkedcjkdefgpdelpbcmbmeomcjbeemfm%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1 HTTP/1.1
  Host: clients2.google.com
  Connection: keep-alive
  X-Goog-Update-Interactivity: fg
  X-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmieda,pkedcjkdefgpdelpbcmbmeomcjbeemfm
  X-Goog-Update-Updater: chromecrx-85.0.4183.121
  Sec-Fetch-Site: none
  Sec-Fetch-Mode: no-cors
  Sec-Fetch-Dest: empty
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
  Accept-Encoding: gzip, deflate, br
  Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected:
  GET /crx/blobs/Acy1k0bLIjHsvnKaKN_oRpVaYYvFs25d7GKYF1WXrT6yizCMksBO0c_ggE0B6tx6HPRHe6q1GOEe3_NcIbSiGG8kXeLMUY0sAKVvC6R89zvKM13s5VqoAMZSmuUgjQL5vlygJuArQghXXE_qTL7NlQ/extension_8520_615_0_5.crx HTTP/1.1
  Host: clients2.googleusercontent.com
  Connection: keep-alive
  Sec-Fetch-Site: none
  Sec-Fetch-Mode: no-cors
  Sec-Fetch-Dest: empty
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
  Accept-Encoding: gzip, deflate, br
  Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected:
  GET /aQ6mO5EsFPz/yh.html HTTP/1.1
  Accept: */*
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: magnascakes.com.br
  Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
  GET /oqxIAZfo56z/yh.html HTTP/1.1
  Accept: */*
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: sherwinclothing.in
  Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
  GET /utGI12nl/yh.html HTTP/1.1
  Accept: */*
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: microtechzambia.com
  Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
  GET /asperioresab/rerumvel-6647201 HTTP/1.1
  Host: www.artforlife.lozhkin.foundation
  Connection: keep-alive
  Upgrade-Insecure-Requests: 1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
  Accept-Encoding: gzip, deflate
  Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected:
  GET /asperioresab/contemporary-236025701.zip HTTP/1.1
  Host: www.artforlife.lozhkin.foundation
  Connection: keep-alive
  Upgrade-Insecure-Requests: 1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
  Referer: http://www.artforlife.lozhkin.foundation/asperioresab/rerumvel-6647201
  Accept-Encoding: gzip, deflate
  Accept-Language: en-US,en;q=0.9
  Cookie: PHPSESSID=f287e90eb7e9bd7e2607d5e6083193ef

System Summary:

Source: C:\Users\user\AppData\Local\Temp\xpo14wsl.qhu\favor-2069844189.xls, type: DROPPED | Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\unarchiver.exe | Code function: 6_2_04EB02A8 | 6_2_04EB02A8
Source: C:\Windows\SysWOW64\unarchiver.exe | Code function: 6_2_04EB0298 | 6_2_04EB0298
Source: C:\Windows\SysWOW64\unarchiver.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\unarchiver.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\unarchiver.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\SysWOW64\unarchiver.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: unknown | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --enable-automation "http://www.artforlife.lozhkin.foundation/asperioresab/rerumvel-6647201
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1604,14176787574664726196,1403337882875848993,131072 --lang=en-US --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1912 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1604,14176787574664726196,1403337882875848993,131072 --lang=en-US --service-sandbox-type=none --enable-audio-service-sandbox --mojo-platform-channel-handle=4640 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Windows\SysWOW64\unarchiver.exe C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Downloads\rerumvel-6647201.zip
Source: C:\Windows\SysWOW64\unarchiver.exe | Process created: C:\Windows\SysWOW64\7za.exe C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\xpo14wsl.qhu" "C:\Users\user\Downloads\rerumvel-6647201.zip
Source: C:\Windows\SysWOW64\7za.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\unarchiver.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe" /C "C:\Users\user\AppData\Local\Temp\xpo14wsl.qhu\favor-2069844189.xls
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /dde
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" C:\Datop\besta.ocx
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" C:\Datop\bestb.ocx
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" C:\Datop\bestc.ocx
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Windows\SysWOW64\unarchiver.exeProcess created: C:\Windows\SysWOW64\7za.exe C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\xpo14wsl.qhu" "C:\Users\user\Downloads\rerumvel-6647201.zipJump to behavior
    Source: C:\Windows\SysWOW64\unarchiver.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe" /C "C:\Users\user\AppData\Local\Temp\xpo14wsl.qhu\favor-2069844189.xlsJump to behavior
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /ddeJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" C:\Datop\besta.ocxJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" C:\Datop\bestb.ocxJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" C:\Datop\bestc.ocxJump to behavior
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4592:120:WilError_01
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6312:120:WilError_01
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Program Files\Google\Chrome\Application\DictionariesJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-619FD9CB-1A5C.pmaJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Local\Temp\8be7b269-f603-41e6-b4ce-f049d9c78bf5.tmpJump to behavior
    Source: classification engineClassification label: mal52.expl.win@50/262@7/10
    Source: C:\Windows\SysWOW64\cmd.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEAutomated click: OK
    Source: C:\Windows\SysWOW64\regsvr32.exeAutomated click: OK
    Source: C:\Windows\SysWOW64\regsvr32.exeAutomated click: OK
    Source: C:\Windows\SysWOW64\regsvr32.exeAutomated click: OK
    Source: Window RecorderWindow detected: More than 3 window changes detected
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguagesJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeDirectory created: C:\Program Files\Google\Chrome\Application\DictionariesJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeDirectory created: C:\Program Files\Google\Chrome\Application\Dictionaries\en-US-9-0.bdicJump to behavior
    Source: C:\Windows\SysWOW64\unarchiver.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dllJump to behavior
    Source: C:\Windows\SysWOW64\unarchiver.exeCode function: 6_2_00C82A18 push ecx; ret 6_2_00C82A1A
    Source: C:\Windows\SysWOW64\unarchiver.exeCode function: 6_2_00C82A91 push edi; ret 6_2_00C82A92
    Source: C:\Windows\SysWOW64\unarchiver.exeCode function: 6_2_00C829E8 push ecx; ret 6_2_00C829EA
    Source: C:\Windows\SysWOW64\unarchiver.exeCode function: 6_2_00C82A24 push eax; ret 6_2_00C82A3E
    Source: C:\Windows\SysWOW64\unarchiver.exeCode function: 6_2_00C82AE5 push edi; ret 6_2_00C82AE6