ID: 378032
Cookbook: urldownload.jbs
Time: 11:41:34
Date: 30/03/2021
Version: 31.0.0 Emerald

Table of Contents

Table of Contents ... 2
Analysis Report https://bazaar.abuse.ch/download/37a2259b9791e03125fef3ca14baa3336ca823c354a9b864944bcfe7892241e0/ ... 3
Overview ... 3
  General Information ... 3
  Detection ... 3
  Signatures ... 3
  Classification ... 3
  Startup ... 3
  Configuration ... 3
  Yara Overview ... 3
  Sigma Overview ... 3
  Signature Overview ... 3
  Mitre Att&ck Matrix ... 4
  Behavior Graph ... 4
  Screenshots ... 5
    Thumbnails ... 5
Antivirus, Machine Learning and Genetic Malware Detection ... 6
  Initial Sample ... 6
  Dropped Files ... 6
  Unpacked PE Files ... 6
  Domains ... 6
  URLs ... 6
Domains and IPs ... 7
  Contacted Domains ... 7
  URLs from Memory and Binaries ... 7
  Contacted IPs ... 7
    Public ... 8
    Private ... 8
General Information ... 8
Simulations ... 9
  Behavior and APIs ... 9
Joe Sandbox View / Context ... 9
  IPs ... 9
  Domains ... 9
  ASN ... 9
  JA3 Fingerprints ... 10
  Dropped Files ... 10
Created / dropped Files ... 10
Static File Info ... 15
  No static file info ... 15
Network Behavior ... 15
  UDP Packets ... 15
  DNS Queries ... 16
  DNS Answers ... 16
Code Manipulations ... 16
Statistics ... 16
  Behavior ... 16
System Behavior ... 17
  Analysis Process: cmd.exe PID: 6692 Parent PID: 4812 ... 17
    General ... 17
    File Activities ... 17
      File Created ... 17
  Analysis Process: conhost.exe PID: 6704 Parent PID: 6692 ... 17
    General ... 17
  Analysis Process: wget.exe PID: 6736 Parent PID: 6692 ... 18
    General ... 18
    File Activities ... 18
      File Created ... 18
  Analysis Process: iexplore.exe PID: 6836 Parent PID: 6032 ... 18
    General ... 18
    File Activities ... 19
    Registry Activities ... 19
  Analysis Process: iexplore.exe PID: 6884 Parent PID: 6836 ... 19
    General ... 19
    File Activities ... 19
Disassembly ... 19
  Code Analysis ... 19

Copyright Joe Security LLC 2021 Page 2 of 19
Analysis Report https://bazaar.abuse.ch/download/37a2259b9791e03125fef3ca14baa3336ca823c354a9b864944bcfe7892241e0/

Overview

General Information
Sample URL: https://bazaar.abuse.ch/download/37a2259b9791e03125fef3ca14baa3336ca823c354a9b864944bcfe7892241e0/
Analysis ID: 378032
Infos:
Most interesting Screenshot:

Detection
Score: 0
Range: 0 - 100
Whitelisted: false
Confidence: 100%
(Detection scale shown in the report: malicious / suspicious / clean)

Signatures
Queries the volume information (nam…

Classification
(Classification chart labels: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware)

Startup

System is w10x64
cmd.exe (PID: 6692, cmdline: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://bazaar.abuse.ch/download/37a2259b9791e03125fef3ca14baa3336ca823c354a9b864944bcfe7892241e0/' > cmdline.out 2>&1, MD5: F3BDBE3BB6F734E357235F4D5898582D)
  conhost.exe (PID: 6704, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  wget.exe (PID: 6736, cmdline: wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://bazaar.abuse.ch/download/37a2259b9791e03125fef3ca14baa3336ca823c354a9b864944bcfe7892241e0/', MD5: 3DADB6E2ECE9C4B3E1E322E617658B60)
iexplore.exe (PID: 6836, cmdline: 'C:\Program Files\ Explorer\iexplore.exe' C:\Users\user\Desktop\download\index., MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
  iexplore.exe (PID: 6884, cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6836 CREDAT:17410 /prefetch:2, MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

• Compliance
• Networking
• System Summary
• Language, Device and Detection

There are no malicious signatures.

Mitre Att&ck Matrix

Initial Access: Valid Accounts; Default Accounts; Domain Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job; At (Windows)
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows)
Privilege Escalation: Process Injection 1; Boot or Logon Initialization Scripts; Logon Script (Windows)
Defense Evasion: Masquerading 1; Process Injection 1; Obfuscated Files or Information
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager
Discovery: File and Directory Discovery 1; System Information Discovery 1 2; Remote System Discovery 1
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
Command and Control: Non-Application Layer Protocol 1; Application Layer Protocol 1; Steganography
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups

Behavior Graph

(Behavior graph for ID 378032, URL https://bazaar.abuse.ch/dow..., start date 30/03/2021, architecture WINDOWS, score 0. Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious, Internet. Nodes: cmd.exe started wget.exe and conhost.exe; iexplore.exe started iexplore.exe; wget.exe contacted bazaar.abuse.ch; 192.168.2.1 shown as an unknown endpoint.)

Screenshots

Thumbnails This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source: https://bazaar.abuse.ch/download/37a2259b9791e03125fef3ca14baa3336ca823c354a9b864944bcfe7892241e0/
Detection: 0%
Scanner: Avira URL Cloud
Label: safe

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
www.wikipedia.com/ | 0% | URL Reputation | safe
www.wikipedia.com/ | 0% | URL Reputation | safe
www.wikipedia.com/ | 0% | URL Reputation | safe
www.wikipedia.com/ | 0% | URL Reputation | safe

Domains and IPs

Contacted Domains

Name: bazaar.abuse.ch
IP: unknown
Active: unknown
Malicious: false
Antivirus Detection: (none)
Reputation: high

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
www.wikipedia.com/ | msapplication.xml6.3.dr | false | URL Reputation: safe (4 entries) | unknown
www.amazon.com/ | msapplication.xml.3.dr | false | | high
www.nytimes.com/ | msapplication.xml3.3.dr | false | | high
https://bazaar.abuse.ch/download/37a2259b9791e03125fef3ca14baa3336ca823c354a9b864944bcfe7892241e0/re | wget.exe, 00000002.00000002.640781683.0000000002B1A000.00000004.00000001.sdmp | false | | high
www.live.com/ | msapplication.xml2.3.dr | false | | high
https://bazaar.abuse.ch/download/37a2259b9791e03125fef3ca14baa3336ca823c354a9b864944bcfe7892241e0/V | wget.exe, 00000002.00000002.640257464.0000000000FE0000.00000004.00000040.sdmp, wget.exe, 00000002.00000002.640262128.0000000000FE6000.00000004.00000040.sdmp | false | | high
www.reddit.com/ | msapplication.xml4.3.dr | false | | high
www.twitter.com/ | msapplication.xml5.3.dr | false | | high
https://bazaar.abuse.ch/download/37a2259b9791e03125fef3ca14baa3336ca823c354a9b864944bcfe7892241e0/ | wget.exe, 00000002.00000002.640262128.0000000000FE6000.00000004.00000040.sdmp, cmdline.out.2.dr | false | | high
www.youtube.com/ | msapplication.xml7.3.dr | false | | high
https://bazaar.abuse.ch/download/37a2259b9791e03125fef3ca14baa3336ca823c354a9b864944bcfe7892241e0/P | wget.exe, 00000002.00000002.640257464.0000000000FE0000.00000004.00000040.sdmp | false | | high

Contacted IPs

(IP distribution map legend: No. of IPs < 25%; 25% < No. of IPs < 50%; 50% < No. of IPs < 75%; 75% < No. of IPs)

Public

IP | Domain | Country | Flag | ASN | ASN Name | Malicious
(no entries)

Private

IP: 192.168.2.1

General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 378032
Start date: 30.03.2021
Start time: 11:41:34
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 4m 6s
Hypervisor based Inspection enabled: false
Report type: light
Cookbook file name: urldownload.jbs
Sample URL: https://bazaar.abuse.ch/download/37a2259b9791e03125fef3ca14baa3336ca823c354a9b864944bcfe7892241e0/
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 13
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled, AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: CLEAN
Classification: clean0.win@7/16@1/1
EGA Information: Failed
HDC Information: Failed
HCA Information: Successful, ratio: 100%
Number of executed functions: 0
Number of non-executed functions: 0
Cookbook Comments: Adjust boot time; Enable AMSI
Warnings:
  Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe
  Excluded IPs from analysis (whitelisted): 104.43.139.144, 52.147.198.201, 151.101.2.49, 151.101.66.49, 151.101.130.49, 151.101.194.49, 88.221.62.148, 104.43.193.48, 168.61.161.212, 20.82.210.154, 104.42.151.234, 152.199.19.161, 2.20.142.209, 2.20.142.210, 20.50.102.62, 92.122.213.247, 92.122.213.194, 204.79.197.200, 13.107.21.200, 20.54.26.129
  Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, p2.shared.global.fastly.net, a1449.dscg2.akamai.net, arc.msn.com, e11290.dspg.akamaiedge.net, iecvlist.microsoft.com, go.microsoft.com, audownload.windowsupdate.nsatc.net, www-bing-com.dual-a-0001.a-msedge.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, au-bg-shim.trafficmanager.net, www.bing.com, ie9comview.vo.msecnd.net, dual-a-0001.a-msedge.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, a767.dscg3.akamai.net, skypedataprdcolcus15.cloudapp.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, blobcollector.events.data.trafficmanager.net, go.microsoft.com.edgekey.net, skypedataprdcolwus16.cloudapp.net, cs9.wpc.v0cdn.net
  Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{395B91BA-913C-11EB-90EB-ECF4BBEA1588}.dat
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: Microsoft Word Document
Category: dropped
Size (bytes): 24152
Entropy (8bit): 1.757073224156244
Encrypted: false
SSDEEP: 48:IwPGcpr2GwpL6G/ap8xGIpcmAGvnZpvmRGvHZp9mTGo+vqpvmJGo4Suzpc2GW+Ty:rFZuZg2zWUtDfrCtFSuzWTW/
MD5: 029BB2FAF5F402ABF4C9A7934EC8D843
SHA1: C540D3E69E39AD6A686650FB6E7048F58BF470EF
SHA-256: 95AD219AFD8D39A5F6582C54022CE54FFB6F2EDC3ED701E80743BA16D80E1936
SHA-512: 84857E7C5F60B058F86272EFE4D1303B9B90D62231AF65C6AAECD5521759A6A3F565BDF3E9B2634484C168327214C497B93FDC1F4F705702659883D042682829
Malicious: false
Reputation: low
Preview: ...... .o.o.t. .E.n.t.r. y......

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{395B91BC-913C-11EB-90EB-ECF4BBEA1588}.dat
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: Microsoft Word Document
Category: dropped
Size (bytes): 23772
Entropy (8bit): 1.7369027425616046
Encrypted: false
SSDEEP: 48:Iw1GcprQGwpasG4pQHzoGrHpbSHzATGQp7SHzdGPYpAHz7GSXpYHzEoGAEpIHzMZ:rrZ4Qs6HXBSHQhSHrKHLSHYAECHt1gL
MD5: C963C0A503BB3F3F02DD47830A351104
SHA1: 98BB1C870C1206BAB68B3CDE8C2987DBB8F8E700
SHA-256: 2A370ADE642A54342D19826C42B2527656B6CA25633246647B36A11FB58C8D13
SHA-512: B63B5940CC038FD960767D07BD5429446B2F53B9C72A61A6179C1BF33FE12BA52EC377ECBD7BB89F8F28D90DF4FE59EA22FB39EE043A771937F3386E6CAD6F14
Malicious: false
Reputation: low
Preview: ...... R.o.o.t. .E.n.t.r. y......

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-17529550060\msapplication.xml
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category: dropped
Size (bytes): 656
Entropy (8bit): 5.114524045439238
Encrypted: false
SSDEEP: 12:TMHdNMNxOEjYEGYEanWimI002EtM3MHdNMNxOEjYEGYEanWimI00OYGVbkEtMb:2d6NxOyeaSZHKd6NxOyeaSZ7YLb
MD5: 55DA943A35A318513D1B5620228E9981
SHA1: 4B3BE7D419317800A308D70976F0992862C53C09
SHA-256: 67CA485F71BB0B20DD3091C3B11AA9722EF8DB5A3F0AC5495B8A5744CB605110
SHA-512: B92F5779A580ED232542AE8B2B2D5EFA3B86A6B11F7B30699975537FBD0035E60E1579FD288E838ECE57275B1517A05D310D9FF7A782B1267E2B4E4191E39EFF
Malicious: false
Reputation: low
Preview: ..0x0e8fc056,0x01d72549< accdate>0x0e8fc056,0x01d72549....0x0e8fc056,0x01d725490x0e8fc056,0x01d72549..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category: dropped
Size (bytes): 653
Entropy (8bit): 5.142927601017393
Encrypted: false
SSDEEP: 12:TMHdNMNxe2kRHSHanWimI002EtM3MHdNMNxe2kRHSHanWimI00OYGkak6EtMb:2d6Nxra+aSZHKd6Nxra+aSZ7Yza7b
MD5: B73F5324FB04901FFE2A26E2B7F8E17F
SHA1: FC2BAEEE29D3983CFC2061E37B4371CC8A921694
SHA-256: 523823B8328CD6E8F8E594CD930A845A5612B842DAE800FA4E2A3EEE4BFB19EA
SHA-512: 578B1A89FA76FFAD450D806077585FA89B8C8CD77D01CB32885A23F7BCE8A529C126E7459C0437311B4D42170E0D1BE12B7436E20D9A593F23F3CD73926804A2
Malicious: false
Reputation: low
Preview: ..0x0e83d4bc,0x01d725490x0e83d4bc,0x01d72549....0x0e83d4bc,0x01d725490x0e83d4bc,0x01d72549..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category: dropped
Size (bytes): 662
Entropy (8bit): 5.134658924096363
Encrypted: false
SSDEEP: 12:TMHdNMNxvLjYEGYEanWimI002EtM3MHdNMNxvLjYEGYEanWimI00OYGmZEtMb:2d6NxvFeaSZHKd6NxvFeaSZ7Yjb
MD5: AC69F91C9B380E0DBA12A6C57C8D3CEF
SHA1: ED0CC5F174CDB2FF2DB4F53F9E77B36AFACD2178
SHA-256: 7D9CDD12A53CAB143BB597F0E19038D1C1E06A3260FD19AD0A4A63E155025E97
SHA-512: 8D34B37B10F44F4125B5D4A43F5EC19F4AFBEC5D94988029D8DEBCDAAD10163D48DA9FE2129105EEA928AFFED131D5F1B38B188B89DD744932CE3307FFEDF32C
Malicious: false
Reputation: low
Preview: ..0x0e8fc056,0x01d72549 0x0e8fc056,0x01d72549....0x0e8fc056,0x01d725490x0e8fc056,0x01d72549..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category: dropped
Size (bytes): 647
Entropy (8bit): 5.116625499409423
Encrypted: false
SSDEEP: 12:TMHdNMNxiIQ3rQ3anWimI002EtM3MHdNMNxiIQ3rQ3anWimI00OYGd5EtMb:2d6NxqoaSZHKd6NxqoaSZ7YEjb
MD5: 95C5159B0D87DABDC3096DE2FF2A2A11
SHA1: B334246A9D3F4EDE8771A088A5471FD896BFE92B
SHA-256: 6926DC802250519F19661139F8C26669CFC681DA358F63B929DFDE6CDBE4F143
SHA-512: CE9E96953B9A9D478DD136BC1C9BC96F54EB193E9C57D29BDA20187C74CDA9F61DE3EA4CDAEAFADECB70F91272A048A5440A4D5C63745C170449DCE5718D3EB7
Malicious: false
Reputation: low
Preview: ..0x0e8d5df1,0x01d725490x0e8d5df1,0x01d72549....0x0e8d5df1,0x01d725490x0e8d5df1,0x01d72549 ..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category: dropped
Size (bytes): 656
Entropy (8bit): 5.1488254986034985
Encrypted: false
SSDEEP: 12:TMHdNMNxhGwjYEGYEanWimI002EtM3MHdNMNxhGwjYEGYEanWimI00OYG8K075Es:2d6NxQeeaSZHKd6NxQeeaSZ7YrKajb
MD5: 662C2D592507F7DA3E332AD5D2A4AD82
SHA1: 11107A9507E903C5FCEF4D277D3A9F1D8C3C50F1
SHA-256: 918AF88376B0251D3BB51C4F72D96A29F30760E01CDCE026DE5037365F09035C
SHA-512: C227C84FD0692E27319D7E2CA9FE5DAE4A98F6973A08FD7B46072FDC533994318E4E9E3CDFB090524FE9BC14615B45EA46999C25D5AB530ADAFA6B3EDCD03593
Malicious: false
Reputation: low
Preview: ..0x0e8fc056,0x01d72549< accdate>0x0e8fc056,0x01d72549....0x0e8fc056,0x01d725490x0e8fc056,0x01d72549 ..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category: dropped
Size (bytes): 653
Entropy (8bit): 5.100172984438291
Encrypted: false
SSDEEP: 12:TMHdNMNx0nIQ3rQ3anWimI002EtM3MHdNMNx0nIQ3rQ3anWimI00OYGxEtMb:2d6Nx03oaSZHKd6Nx03oaSZ7Ygb
MD5: E7D3A07EC1CAE284BD039644A0D1B0BF
SHA1: DF46E780EAC783ED2B4B2954D06D5A3BFE060837
SHA-256: 3B9ADD63F53EDCF78C79D1B3270D5BB8BB67672BF1C2C17E87B51034D0F33005
SHA-512: 55FDBCD30C8851A653B5DD5F6A6EAD1F7A78F8C17E9F7A7495D1B532F0D85B4101097A3E69D1AF93E79AC28B64B872B0656DB4DD24CD4F19F5BCAC2BEA85CD43
Malicious: false
Reputation: low
Preview: ..0x0e8d5df1,0x01d725490x0e8d5df1,0x01d72549....0x0e8d5df1,0x01d725490x0e8d5df1,0x01d72549 ..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category: dropped
Size (bytes): 656
Entropy (8bit): 5.1406995087051
Encrypted: false
SSDEEP: 12:TMHdNMNxxIQ3rQ3anWimI002EtM3MHdNMNxxIQ3rQ3anWimI00OYG6Kq5EtMb:2d6NxRoaSZHKd6NxRoaSZ7Yhb
MD5: DED0201E0369E433A20CAF12BDBF328E
SHA1: CF1E7357D8EA6693A6688320228E2A7F02A1B5DB
SHA-256: E449E9BFBD0848099CC6C3006AF207060C5FB3055FAEC573F4FD4FB6DA06273D
SHA-512: 55D425BDA4BC34F89484DBFB53FAEF8E44F9D3582766730FDE65AF90A9B879676D0AB8FE2DCEEE6ADB95F14D9C78AB3AE201FFBE71B9667515FB97189AF411E6
Malicious: false
Reputation: low
Preview: ..0x0e8d5df1,0x01d72549< accdate>0x0e8d5df1,0x01d72549....0x0e8d5df1,0x01d725490x0e8d5df1,0x01d72549 ..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category: dropped
Size (bytes): 659
Entropy (8bit): 5.119288195920439
Encrypted: false
SSDEEP: 12:TMHdNMNxcw373anWimI002EtM3MHdNMNxcw373anWimI00OYGVEtMb:2d6NxnraSZHKd6NxnraSZ7Ykb
MD5: 80325BB437BCC22D48C3819DA7502A75
SHA1: 0217E029BEB0E14B520AEA4306D72585A9772DBB
SHA-256: 7641A7BF728E57CAD69F0FEFFD30BA2554044422EF592A5BA907CE1D6D0A3179
SHA-512: 78A1735B35F22A7B88CFB40F4C516D5C61F63933E11D78B24B4732555133E938B6DACE6223E073B4CF202C830133A0AE9E8E38CD43A0960D1E59410CC3166D45
Malicious: false
Reputation: low
Preview: ..0x0e8afbbb,0x01d72549 0x0e8afbbb,0x01d72549....0x0e8afbbb,0x01d725490x0e8afbbb,0x01d72549..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category: dropped
Size (bytes): 653
Entropy (8bit): 5.10880730863916
Encrypted: false
SSDEEP: 12:TMHdNMNxfnw373anWimI002EtM3MHdNMNxfnw373anWimI00OYGe5EtMb:2d6Nx0raSZHKd6Nx0raSZ7YLjb
MD5: 8C8E03B8A0016B0C5D4D1A4F05A87836
SHA1: 08EAC80B4615AB5BFEC9E39261AF1AC975398984
SHA-256: 3A3C245DC4F101579BF5E5C01A720583E063BCBF5B825CB6241A2DC8387F8870
SHA-512: CCD0CD368DBFB7D53DE0889F4460B58D18BAFB574CE25A8A6F229C72C50F48EB4039A7A129B0F351ABF575C9F52D76C55D6B9DC7930FBA1C05671D16A10AE0F1
Malicious: false
Reputation: low
Preview: ..0x0e8afbbb,0x01d725490x0e8afbbb,0x01d72549....0x0e8afbbb,0x01d725490x0e8afbbb,0x01d72549 ..

C:\Users\user\AppData\Local\Temp\~DF78F1CC9912465D56.TMP
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: data
Category: dropped
Size (bytes): 34721
Entropy (8bit): 0.4480722190168621
Encrypted: false
SSDEEP: 48:kBqoxKAHzJHzQSHzjSHzrHz4HzhHzgHzAHzODHz9Hv:kBqoxKAH1HMSHPSHnHkHdHMHsHmHxP
MD5: 9914C68C6AA14AAEA2C047104FC16B35
SHA1: A6E768D7EB281A6C25BB76F977D48DAD80181134
SHA-256: 39E9A083FCC5CF7411AE65025F952188BE475AFB9187756A71309755A3DA2DDD
SHA-512: D7AC0A6DF2E8428D945B4FB6885DA40252EBFBF18E0C57D06ABD57C0D60AF0842A0273DC961148A8F5F5EA4DA6A36AE2C7B95B51EAF183013707F505B8BB537F
Malicious: false
Reputation: low
Preview: ...... *%..H..M..{y..+.0...(...... *%..H..M..{y..+.0...(......

C:\Users\user\AppData\Local\Temp\~DFD78F665A6ED0905A.TMP
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: data
Category: dropped
Size (bytes): 12965
Entropy (8bit): 0.41445437028497406
Encrypted: false
SSDEEP: 24:c9lLh9lLh9lIn9lIn9loA9loQ9lWkppGkJ:kBqoI7dkppZJ
MD5: 44C7E06BA4D5A59BFED0138FD8F37FE5
SHA1: 33BA1B3F33F6E8AFCDE8BB88D310714A88EB0971
SHA-256: C31462CB14BDC78E8F096F910ADD5C6D03A16077B6A6ED8C94279C8E78E90659
SHA-512: 3C18CFA93B8EE67B3554B6BBF694AA6E265939EE9121330B79E3228AADA47D58E12BFB27DAFF9FA15BC598345A73F2DCB8FC9EC8B21D0309901034591083770E
Malicious: false
Reputation: low
Preview: ...... *%..H..M..{y..+.0...(...... *%..H..M..{y..+.0...(......

C:\Users\user\Desktop\cmdline.out
Process: C:\Windows\SysWOW64\wget.exe
File Type: ASCII text, with CRLF line terminators
Category: modified
Size (bytes): 625
Entropy (8bit): 5.148530433449197
Encrypted: false
SSDEEP: 12:HqV98Ppfy/1TBZ0K3DGsC1YaZ0KV9MSXT1De5RhKgv1DbfbKjVovXkV9uVifbKj9:Npfy/1TBZz3DGsC1YaZzoSjxePggv1X3
MD5: 40458375AFEFF7EEC8B4D560E5B8B1E2
SHA1: 2A81FB25BF4D691EED295F23A5CB29E5C59261F5
SHA-256: 0EA0431DA5E57A1D217BB5A43955F6FDCEB1D9034846D34AE823EBAB50588259
SHA-512: 9FC3F4C3C7F205BBBBA1F3E2DC8683EB300663F04EA6B15FA1B74192A70B9A570985E4757939FC723A7332C24B9B3570123DFB82AC497E251D6C75D6CBEEA352
Malicious: false
Reputation: low
Preview: --2021-03-30 11:42:19-- https://bazaar.abuse.ch/download/37a2259b9791e03125fef3ca14baa3336ca823c354a9b864944bcfe7892241e0/..Resolving bazaar.abuse.ch (bazaar.abuse.ch)... 151.101.2.49, 151.101.66.49, 151.101.130.49, .....Connecting to bazaar.abuse.ch (bazaar.abuse.ch)|151.101.2.49|:443... connected...HTTP request sent, awaiting response... 200 OK..Length: 4588 (4.5K) [text/html]..Saving to: 'C:/Users/user/Desktop/download/index.html'.... 0K .... 100% 92.7K=0.05s....2021-03-30 11:42:20 (92.7 KB/s) - 'C:/Users/user/Desktop/download/index.html' saved [4588/4588]....

C:\Users\user\Desktop\download\.wget-hsts
Process: C:\Windows\SysWOW64\wget.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 174
Entropy (8bit): 5.1490082767344925
Encrypted: false
SSDEEP: 3:SY2FyFARLlbwFAM9CxnOLVFzDwIVhyyJxWQ5RdkA8dykfRuDwD1YrLVsidVq:SYeRLlbA0noH9VhyyJQQ5oA8UkfovrLC
MD5: 3C8E98FC729AED6A45D110231CE06692
SHA1: 63E8C70B14C760251916BC2EB12C31C939C395AC
SHA-256: 2247725E97940B23C55E30B2460F3C789AB22CEF91507DF26AB61909E592EF0D
SHA-512: 66AE598C4E610467FBABCA453610ED57725A4E8956B555B149EF4D4E3C6B2462E9BCD9A0A4A0B7496726C4133FF46A5061BD99EB05F41261382E7768ADAF889A
Malicious: false
Reputation: low
Preview: # HSTS 1.0 Known Hosts database for GNU Wget...# Edit at your own risk...# ......bazaar.abuse.ch.0 .1.1617097340.15768000..

C:\Users\user\Desktop\download\index.html
Process: C:\Windows\SysWOW64\wget.exe
File Type: HTML document, ASCII text
Category: dropped
Size (bytes): 4588
Entropy (8bit): 4.5956506904454555
Encrypted: false
SSDEEP: 96:GSOtsZcZxpPsCkHInCnir7NmEhIMA1b4pE4R:LOts+sGnRsqIM/R
MD5: C4025DCDE7BF3989B0C7FA379E494B36
SHA1: 6AAFA837AA8A767D9396D6E3661A1D3AC5A3DF98
SHA-256: 09BA28CA70DE45A1AFEC38A09194645F2264E2FE354EF68E69CA53DF51633E2B
SHA-512: B5F29766CB5C9F2F3AF0131A4B446965ADC6A23EC04B6935567FB70597090BEAF7B805DC6E6A20393C0D79EE870D13492028A67166BBEF1AE428F410CCC1F48C
Malicious: false
Reputation: low
Preview: .. . . . . . MalwareBazaar | Download malware samples.. Bootstrap core CSS -->. . Font Awesome CSS -->. . Custom styles -->. . . .. .
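The two wget artifacts above (cmdline.out and .wget-hsts) carry the evidence that matters for reading this verdict. wget got a 200 OK with Content-Type text/html and saved 4588 bytes as index.html, whose title is "MalwareBazaar | Download malware samples": the sandbox executed and scored MalwareBazaar's download landing page, not the sample the URL names, so the clean score says nothing about that sample. A second detail explains the empty network sections: the wget log resolved bazaar.abuse.ch to 151.101.2.49, 151.101.66.49 and 151.101.130.49, and all three appear in the report's "Excluded IPs from analysis (whitelisted)" list, so the only contact with the site was filtered out of the Contacted IPs and Public tables. The Python below is an added example written for this page, not code from the Joe Sandbox report or from GNU Wget: it parses constructed copies of the cmdline.out log and the .wget-hsts entry, flags a URL download whose payload is HTML rather than a sample archive, intersects the resolved addresses with the whitelist, and decodes the HSTS record (created 1617097340 is 2021-03-30 09:42:20 UTC, i.e. 11:42:20 in the sandbox's local time, matching the wget timestamps). The set of content types accepted as a sample archive is an assumption made for the example.

```python
"""Triage of the wget artifacts from a urldownload.jbs run.

Added example, not part of the Joe Sandbox report: the inputs below are
constructed copies of the cmdline.out and .wget-hsts previews shown above.
"""
import re
from datetime import datetime, timezone

# Constructed input: mirrors the cmdline.out preview (wget -v output).
CMDLINE_OUT = """--2021-03-30 11:42:19--  https://bazaar.abuse.ch/download/37a2259b9791e03125fef3ca14baa3336ca823c354a9b864944bcfe7892241e0/
Resolving bazaar.abuse.ch (bazaar.abuse.ch)... 151.101.2.49, 151.101.66.49, 151.101.130.49, ...
Connecting to bazaar.abuse.ch (bazaar.abuse.ch)|151.101.2.49|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4588 (4.5K) [text/html]
Saving to: 'C:/Users/user/Desktop/download/index.html'

     0K ....                                                  100% 92.7K=0.05s

2021-03-30 11:42:20 (92.7 KB/s) - 'C:/Users/user/Desktop/download/index.html' saved [4588/4588]
"""

# Constructed input: mirrors the .wget-hsts preview; wget writes tab-separated fields.
WGET_HSTS = (
    "# HSTS 1.0 Known Hosts database for GNU Wget.\n"
    "# Edit at your own risk.\n"
    "# <hostname>\t<port>\t<incl. subdomains>\t<created>\t<max-age>\n"
    "bazaar.abuse.ch\t0\t1\t1617097340\t15768000\n"
)

# Subset of the report's "Excluded IPs from analysis (whitelisted)" list.
EXCLUDED_IPS = {"104.43.139.144", "52.147.198.201", "151.101.2.49", "151.101.66.49",
                "151.101.130.49", "151.101.194.49", "88.221.62.148"}

# Assumption for this example: content types under which a sample archive would arrive.
SAMPLE_TYPES = {"application/octet-stream", "application/zip", "application/x-zip-compressed",
                "application/x-dosexec", "application/x-msdownload"}


def parse_wget_log(text):
    """Pull URL, resolved IPs, HTTP status, length, content type and saved path out of wget -v output."""
    info = {}
    m = re.search(r"^--\S+ \S+--\s+(\S+)$", text, re.M)
    info["url"] = m.group(1) if m else None
    m = re.search(r"^Resolving [^\n]*?\.\.\. ([^\n]*)$", text, re.M)
    info["resolved"] = re.findall(r"\d+\.\d+\.\d+\.\d+", m.group(1)) if m else []
    m = re.search(r"awaiting response\.\.\. (\d{3})", text)
    info["status"] = int(m.group(1)) if m else None
    m = re.search(r"^Length: (\d+) .*\[([^\]]+)\]", text, re.M)
    info["length"] = int(m.group(1)) if m else None
    info["content_type"] = m.group(2) if m else None
    m = re.search(r"Saving to: '([^']+)'", text)
    info["saved_path"] = m.group(1) if m else None
    m = re.search(r"saved \[(\d+)/(\d+)\]", text)
    info["complete"] = bool(m) and m.group(1) == m.group(2)
    return info


def parse_wget_hsts(text):
    """Parse wget's HSTS known-hosts database into one record per host."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        host, port, subs, created, max_age = line.split("\t")
        records.append({
            "host": host,
            "port": 443 if port == "0" else int(port),  # wget records 0 for the default HTTPS port
            "include_subdomains": subs == "1",
            "created": datetime.fromtimestamp(int(created), tz=timezone.utc),
            "expires": datetime.fromtimestamp(int(created) + int(max_age), tz=timezone.utc),
        })
    return records


def triage(log_text, excluded_ips=EXCLUDED_IPS):
    """Say whether the download produced a sample, and which resolved IPs the sandbox whitelisted."""
    info = parse_wget_log(log_text)
    reasons = []
    if info["status"] != 200:
        reasons.append("HTTP status %s" % info["status"])
    if info["content_type"] not in SAMPLE_TYPES:
        reasons.append("content type %s is not a sample archive" % info["content_type"])
    if info["saved_path"] and info["saved_path"].lower().endswith((".htm", ".html")):
        reasons.append("saved file is an HTML document")
    if not info["complete"]:
        reasons.append("transfer incomplete")
    info["sample_fetched"] = not reasons
    info["reasons"] = reasons
    # Traffic to these addresses never reaches the report's network sections.
    info["whitelisted_ips"] = [ip for ip in info["resolved"] if ip in excluded_ips]
    return info


if __name__ == "__main__":
    v = triage(CMDLINE_OUT)
    print("sample fetched:", v["sample_fetched"], "; reasons:", v["reasons"])
    print("resolved IPs excluded from analysis:", v["whitelisted_ips"])
    for r in parse_wget_hsts(WGET_HSTS):
        print(r["host"], "HSTS pinned at", r["created"].isoformat(), "until", r["expires"].isoformat())
```

Run it as a script to see the verdict for this run: the download is rejected as a landing page on two grounds (text/html content type, .html file name) and all three resolved addresses fall inside the whitelist. In a pipeline the same check belongs right after the urldownload cookbook step, before anyone reads the score.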
