ID: 378033 Cookbook: urldownload.jbs Time: 11:41:54 Date: 30/03/2021 Version: 31.0.0 Emerald

Table of Contents

Table of Contents 2
Analysis Report https://bazaar.abuse.ch/download/37a2259b9791e03125fef3ca14baa3336ca823c354a9b864944bcfe7892241e0/ 3
Overview 3
  General Information 3
  Detection 3
  Signatures 3
  Classification 3
  Startup 3
  Configuration 3
  Yara Overview 3
  Sigma Overview 3
  Signature Overview 3
  Mitre Att&ck Matrix 4
  Behavior Graph 4
  Screenshots 5
    Thumbnails 5
Antivirus, Machine Learning and Genetic Malware Detection 6
  Initial Sample 6
  Dropped Files 6
  Unpacked PE Files 6
  Domains 6
  URLs 6
Domains and IPs 7
  Contacted Domains 7
  URLs from Memory and Binaries 7
  Contacted IPs 7
    Public 8
    Private 8
General Information 8
Simulations 9
  Behavior and APIs 9
Joe Sandbox View / Context 9
  IPs 9
  Domains 9
  ASN 9
  JA3 Fingerprints 10
  Dropped Files 10
Created / dropped Files 10
Static File Info 15
  No static file info 15
Network Behavior 15
  UDP Packets 15
  DNS Queries 16
  DNS Answers 16
Code Manipulations 16
Statistics 16
  Behavior 16
System Behavior 17
  Analysis Process: cmd.exe PID: 1068 Parent PID: 4676 17
    General 17
    File Activities 17
      File Created 17
  Analysis Process: conhost.exe PID: 4988 Parent PID: 1068 17
    General 17
  Analysis Process: wget.exe PID: 5476 Parent PID: 1068 17
    General 17
    File Activities 18
      File Created 18
  Analysis Process: iexplore.exe PID: 4652 Parent PID: 5596 18
    General 18
    File Activities 18
    Registry Activities 18
  Analysis Process: iexplore.exe PID: 4596 Parent PID: 4652 19
    General 19
    File Activities 19
Disassembly 19
  Code Analysis 19

Copyright Joe Security LLC 2021 Page 2 of 19 Analysis Report https://bazaar.abuse.ch/download/37a2…259b9791e03125fef3ca14baa3336ca823c354a9b864944bcfe7892241e0/

Overview

General Information

Sample URL: https://bazaar.abuse.ch/download/37a2259b9791e03125fef3ca14baa3336ca823c354a9b864944bcfe7892241e0/
Analysis ID: 378033
Infos:
Most interesting Screenshot:

Detection

Score: 0
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Note: the cookbook did not retrieve the sample named by the SHA-256 in the URL. cmdline.out shows the server answering with 4588 bytes of text/html, and the only file saved is C:\Users\user\Desktop\download\index.html, whose preview is the "MalwareBazaar | Download malware samples" page. The clean score therefore describes that HTML landing page and says nothing about the sample itself.

Signatures

Queries the volume information (nam…

Classification

(radar chart, not reproduced: categories Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware; verdict scale malicious / suspicious / clean)

Startup

System is w10x64

cmd.exe (PID: 1068, cmdline: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://bazaar.abuse.ch/download/37a2259b9791e03125fef3ca14baa3336ca823c354a9b864944bcfe7892241e0/' > cmdline.out 2>&1, MD5: F3BDBE3BB6F734E357235F4D5898582D)
  conhost.exe (PID: 4988, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  wget.exe (PID: 5476, cmdline: wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://bazaar.abuse.ch/download/37a2259b9791e03125fef3ca14baa3336ca823c354a9b864944bcfe7892241e0/', MD5: 3DADB6E2ECE9C4B3E1E322E617658B60)
iexplore.exe (PID: 4652, cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' C:\Users\user\Desktop\download\index., MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
  iexplore.exe (PID: 4596, cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4652 CREDAT:17410 /prefetch:2, MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
cleanup
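The download command in the Startup section is the one line of this report a detection engineer should care about: wget is run from cmd.exe with --no-check-certificate (TLS certificate verification switched off) and a User-Agent string that impersonates Internet Explorer 11. The following is an added example, not code from Joe Security's report, showing how to flag that pattern in process-creation records. The record layout (pid/ppid/image/cmdline dictionaries) and the per-tool flag tables are assumptions; the records are transcribed from the Startup section above with the sample URL shortened. It treats wget and curl differently on purpose, since wget's -k means --convert-links, not --insecure.

```python
"""Flag risky command-line downloader invocations in process-creation records.

Added example, not part of the Joe Sandbox report. Record layout
(pid/ppid/image/cmdline) and the tool/flag tables are assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed records, transcribed from the report's Startup section;
# the sample URL is shortened to keep the lines readable.
URL = "https://bazaar.abuse.ch/download/37a2.../"
WGET_ARGS = (
    "wget -t 2 -v -T 60 -P 'C:\\Users\\user\\Desktop\\download' "
    "--no-check-certificate --content-disposition "
    "--user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) "
    "like Gecko' '" + URL + "'"
)
PROCESSES = [
    {"pid": 1068, "ppid": 4676, "image": "C:\\Windows\\system32\\cmd.exe",
     "cmdline": "C:\\Windows\\system32\\cmd.exe /c " + WGET_ARGS + " > cmdline.out 2>&1"},
    {"pid": 4988, "ppid": 1068, "image": "C:\\Windows\\system32\\conhost.exe",
     "cmdline": "C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1"},
    {"pid": 5476, "ppid": 1068, "image": "C:\\Windows\\SysWOW64\\wget.exe",
     "cmdline": WGET_ARGS},
]

# Flags that disable TLS certificate checking, per tool family. wget's -k
# means --convert-links, so it must not be treated like curl's -k.
INSECURE_TLS_FLAGS = {
    "wget": {"--no-check-certificate"},
    "curl": {"-k", "--insecure"},
}
_TOKEN = re.compile(r"""(?:[^\s'"]+|'[^']*'|"[^"]*")+""")


def tokenize(cmdline: str) -> list[str]:
    """Split a command line, keeping quoted spans inside one token even when
    glued to an option (--user-agent='...'), then drop the quotes."""
    return [re.sub(r"""['"]""", "", t) for t in _TOKEN.findall(cmdline)]


def basename(path: str) -> str:
    return re.split(r"[\\/]", path)[-1].lower()


def tool_family(token: str) -> str | None:
    """'wget', 'curl', ... if the token names a known downloader, else None."""
    name = re.sub(r"\.exe$", "", basename(token))
    return name if name in INSECURE_TLS_FLAGS else None


@dataclass
class Finding:
    pid: int
    image: str
    parent_image: str
    tool: str
    urls: list[str] = field(default_factory=list)
    reasons: list[str] = field(default_factory=list)


def analyze(processes: list[dict]) -> list[Finding]:
    """One Finding per record whose command line runs a downloader with TLS
    verification disabled and/or a browser-style User-Agent. The downloader
    may be the image itself or a program started via cmd /c, so a wrapper
    shell and its child each yield a finding (as in this report)."""
    by_pid = {p["pid"]: p for p in processes}
    findings = []
    for p in processes:
        tokens = tokenize(p["cmdline"])
        tool = next((tool_family(t) for t in tokens if tool_family(t)), None)
        if tool is None:
            continue
        reasons = []
        for flag in sorted(INSECURE_TLS_FLAGS[tool] & set(tokens)):
            reasons.append(f"TLS certificate verification disabled ({flag})")
        ua = next((t.split("=", 1)[1] for t in tokens if t.startswith("--user-agent=")), None)
        if ua is None and "-U" in tokens and tokens.index("-U") + 1 < len(tokens):
            ua = tokens[tokens.index("-U") + 1]
        if ua and ua.startswith("Mozilla/"):
            reasons.append("command-line tool presenting a browser User-Agent")
        if not reasons:
            continue
        parent = by_pid.get(p["ppid"], {}).get("image", "<parent not in record set>")
        urls = [t for t in tokens if t.lower().startswith(("http://", "https://"))]
        findings.append(Finding(p["pid"], basename(p["image"]), basename(parent),
                                tool, urls, reasons))
    return findings


if __name__ == "__main__":
    for f in analyze(PROCESSES):
        print(f"PID {f.pid} {f.image} (parent {f.parent_image}) via {f.tool}: "
              f"{'; '.join(f.reasons)} -> {', '.join(f.urls)}")
```

Run against the three records above it reports PID 1068 (cmd.exe, the wrapper) and PID 5476 (wget.exe, parent cmd.exe) with both reasons and the bazaar.abuse.ch URL; conhost.exe produces nothing. In a sandbox this pattern is the cookbook's own fetch, which is exactly why the process tree should be read before the score.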

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

• Compliance
• Networking
• System Summary
• Hooking and other Techniques for Hiding and Protection
• Language, Device and Detection

There are no malicious signatures.

Mitre Att&ck Matrix

Techniques carrying a count were matched by signatures in this analysis; the others are the matrix placeholders.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job; At (Windows)
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows)
Privilege Escalation: Process Injection 1; Boot or Logon Initialization Scripts; Logon Script (Windows)
Defense Evasion: Masquerading 1; Process Injection 1; Obfuscated Files or Information
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager
Discovery: File and Directory Discovery 1; System Information Discovery 1 2; Remote System Discovery 1
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
Command and Control: Non-Application Layer Protocol 1; Application Layer Protocol 1; Steganography
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups

Behavior Graph

Legend: Process; Signature; Created File; DNS/IP Info; Is Dropped; Is Windows Process; Number of created Registry Values; Number of created Files; Visual Basic; Delphi; Java; .Net C# or VB.NET; C, C++ or other language; Is malicious; Internet

Behavior Graph ID: 378033  URL: https://bazaar.abuse.ch/dow...  Startdate: 30/03/2021  Architecture: WINDOWS  Score: 0

(graph, not reproduced)
cmd.exe started wget.exe and conhost.exe
iexplore.exe started iexplore.exe
wget.exe contacted bazaar.abuse.ch (unknown) and 192.168.2.1 (unknown)

Screenshots

Thumbnails

(screenshots not reproduced)

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label | Link
https://bazaar.abuse.ch/download/37a2259b9791e03125fef3ca14baa3336ca823c354a9b864944bcfe7892241e0/ | 0% | Avira URL Cloud | safe |

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label | Link
www.wikipedia.com/ | 0% | URL Reputation | safe | (listed four times)

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
bazaar.abuse.ch | unknown | unknown | false | | high

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
https://bazaar.abuse.ch/download/37a2259b9791e03125fef3ca14baa3336ca823c354a9b864944bcfe7892241e0/E | wget.exe, 00000002.00000002.213115024.00000000011B0000.00000004.00000040.sdmp | false | | high
www.wikipedia.com/ | msapplication.xml6.3.dr | false | URL Reputation: safe (x4) | unknown
https://bazaar.abuse.ch/download/37a2259b9791e03125fef3ca14baa3336ca823c354a9b864944bcfe7892241e0/C | wget.exe, 00000002.00000002.213115024.00000000011B0000.00000004.00000040.sdmp | false | | high
www.amazon.com/ | msapplication.xml.3.dr | false | | high
www.nytimes.com/ | msapplication.xml3.3.dr | false | | high
www.live.com/ | msapplication.xml2.3.dr | false | | high
www.reddit.com/ | msapplication.xml4.3.dr | false | | high
www.twitter.com/ | msapplication.xml5.3.dr | false | | high
https://bazaar.abuse.ch/download/37a2259b9791e03125fef3ca14baa3336ca823c354a9b864944bcfe7892241e0/ | wget.exe, 00000002.00000003.212707867.0000000002B58000.00000004.00000001.sdmp, cmdline.out.2.dr | false | | high
www.youtube.com/ | msapplication.xml7.3.dr | false | | high
https://bazaar.abuse.ch/download/37a2259b9791e03125fef3ca14baa3336ca823c354a9b864944bcfe7892241e0/O | wget.exe, 00000002.00000002.213115024.00000000011B0000.00000004.00000040.sdmp | false | | high

Contacted IPs

(world-map figure, not reproduced; legend: No. of IPs < 25% / 25% < No. of IPs < 50% / 50% < No. of IPs < 75% / 75% < No. of IPs)

Public

IP | Domain | Country | Flag | ASN | ASN Name | Malicious
(no public IPs listed)

Private

IP
192.168.2.1

General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 378033
Start date: 30.03.2021
Start time: 11:41:54
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 4m 5s
Hypervisor based Inspection enabled: false
Report type: light
Cookbook file name: urldownload.jbs
Sample URL: https://bazaar.abuse.ch/download/37a2259b9791e03125fef3ca14baa3336ca823c354a9b864944bcfe7892241e0/
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 23
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled, AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: CLEAN
Classification: clean0.win@7/16@1/1
EGA Information: Failed
HDC Information: Failed
HCA Information: Successful, ratio: 100%
Number of executed functions: 0
Number of non-executed functions: 0
Cookbook Comments: Adjust boot time; Enable AMSI

Warnings:
Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 104.43.193.48, 51.103.5.159, 204.79.197.200, 13.107.21.200, 20.82.210.154, 151.101.2.49, 151.101.66.49, 151.101.130.49, 151.101.194.49, 168.61.161.212, 52.147.198.201, 88.221.62.148, 184.30.20.56, 152.199.19.161, 104.42.151.234, 13.88.21.125, 40.88.32.150, 51.103.5.186, 2.20.142.210, 2.20.142.209, 20.82.209.183, 92.122.213.247, 92.122.213.194, 20.54.26.129
Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, p2.shared.global.fastly.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, vip1-par02p.wns.notify.trafficmanager.net, e11290.dspg.akamaiedge.net, iecvlist.microsoft.com, skypedataprdcoleus15.cloudapp.net, wns.notify.trafficmanager.net, go.microsoft.com, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.bing.com, .wns.windows.com, fs.microsoft.com, dual-a-0001.a-msedge.net, ie9comview.vo.msecnd.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, skypedataprdcolcus15.cloudapp.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, blobcollector.events.data.trafficmanager.net, go.microsoft.com.edgekey.net, skypedataprdcolwus16.cloudapp.net, skypedataprdcolwus15.cloudapp.net, vip2-par02p.wns.notify.trafficmanager.net, cs9.wpc.v0cdn.net
Report size getting too big, too many NtQueryValueKey calls found.

Note: the whitelisted IPs include 151.101.2.49, 151.101.66.49 and 151.101.130.49, which cmdline.out shows are the addresses bazaar.abuse.ch resolved to (the connection went to 151.101.2.49:443). Whitelisting them is why the Contacted IPs table lists no public address and the contacted-domain entry for bazaar.abuse.ch shows an unknown IP: the sandbox's network view of this analysis is incomplete, and the sample URL's traffic has to be read from cmdline.out rather than from the network sections.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B371FDA4-9187-11EB-90E5-ECF4BB570DC9}.dat
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: Microsoft Word Document (an OLE compound file, which the file-type scanner labels as Word; the "Root Entry" string in the preview is the compound-file directory, not document content)
Category: dropped
Size (bytes): 24152
Entropy (8bit): 1.7572144380511023
Encrypted: false
SSDEEP: 48:IwTGcprWhGwpL3G/ap80mGIpc0zMSUGvnZpv0zMWGvHZp90zMvGoTiqpv0zM+Goo:rpZW7Z/20GW0Tdt04f0w7t0Yn2KW0N+6
MD5: 7C8904F9496B3A642AF6E6339B4426BA
SHA1: 7A5BB5F3A58A2CFB36B285ED63E12FEF4A32EFEC
SHA-256: C7F6F076D8C248BBD933EB03FE571E16870DE26E7E657D521C76F5AD785CAC61
SHA-512: 4CD3A3E2E48C59E4F7F79C25C204A792E20F2193C140E4783E99DDEBBFEB9355FF9A8B2C0640619CD7971B0132DB3EACEF3E2FB3F164CE62DA3CE562E6E296F3
Malicious: false
Reputation: low
Preview: ...... R.o.o.t. .E.n.t.r.y......

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{B371FDA6-9187-11EB-90E5-ECF4BB570DC9}.dat
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: Microsoft Word Document (an OLE compound file, labelled as Word by the file-type scanner; see the RecoveryStore entry above)
Category: dropped
Size (bytes): 23772
Entropy (8bit): 1.7409310459657326
Encrypted: false
SSDEEP: 48:Iw+GcprZhGwpafG4pQ5GrHpbSuy7TGQp7S0GPYpAvWGSXpYEGAEpIa1WGI0pjF9e:riZZ7Qx6IBSuKhSsKvMSkECa1z1XuL
MD5: 0FDFC7326349DE00BE8EA2CF7E6FB228
SHA1: A45CA8EEE91F9A0EB122DF4F65A4EFC91F736A9B
SHA-256: 897D3B69E3443557F66EA2D16D49C67F358B34D66B20E115D5124A6B15456382
SHA-512: B2F62C046F892A0D4FA7BB25B30DA3F08E28EDC91A15E5F2F02F07E768857B66B4AB87CFD7DB05C431A7E2019D9F3AB7F8549631265B564E4E1D4231F000203F
Malicious: false
Reputation: low
Preview: ...... R.o.o.t. .E.n.t.r.y......

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-17529550060\msapplication.xml
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category: dropped
Size (bytes): 657
Entropy (8bit): 5.124611951324194
Encrypted: false
SSDEEP: 12:TMHdNMNxOEEntCnWimI002EtM3MHdNMNxOEEntCnWimI00ONVbkEtMb:2d6NxOBntCSZHKd6NxOBntCSZ7Qb
MD5: 73AD487F3CC598D837ADD4EC39490565
SHA1: 237025D4B117225B76910775CFC058CFE1262E44
SHA-256: 4F30D724178E3C6A9ADBD80C5F8B601ADE555389D7AE869A0F99107DCA1F9270
SHA-512: 8C50F28CA1393B0C3073A07944A27A1000775F804857EF6C76BA384ACF6303314E2BEEE3DC5891E286D7378846F376835E7E8F9D4DEA8C6E58CBA8874AC7BD71
Malicious: false
Reputation: low
Preview: ..0x88afb889,0x01d72594<accdate>0x88afb889,0x01d72594....0x88afb889,0x01d725940x88afb889,0x01d72594..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category: dropped
Size (bytes): 654
Entropy (8bit): 5.165691022835024
Encrypted: false
SSDEEP: 12:TMHdNMNxe2kEl1Nl1vCnWimI002EtM3MHdNMNxe2kEl1Nl1vCnWimI00ONkak6Es:2d6NxrhlrlhCSZHKd6NxrhlrlhCSZ72S
MD5: 0BFE0A4D0BD17770FB7F850498D3AC3B
SHA1: 67964B3BD4582F683B9A13446603981756080BB5
SHA-256: 1DCBC62B8693EEA8375E8C8B35A0B3BCD376BF73CA74747E14A77731EBFD18EB
SHA-512: 999628ABF67A50CF32D95FC1C16245F7864D4DDE1011DE193E3D4FF24D1BBC8C332CE92606B3AA18934D2D45F198A74DE218DBDD4B9172085F41090B91AFE337
Malicious: false
Reputation: low
Preview: ..0x88a89167,0x01d725940x88a89167,0x01d72594....0x88a89167,0x01d725940x88a89167,0x01d72594..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category: dropped
Size (bytes): 663
Entropy (8bit): 5.142304756978107
Encrypted: false
SSDEEP: 12:TMHdNMNxvLEntCnWimI002EtM3MHdNMNxvLEnkPCnWimI00ONmZEtMb:2d6NxvIntCSZHKd6NxvInSCSZ7Ub
MD5: C2F1B07ECDED5DA9396AE7330ED60F8D
SHA1: 42EFC97C02768E25D89A256A77BE7BE2320474B0
SHA-256: CAD59D149BA45E74A98FE965DE4630F049B6959299BCD653538CE9C574D585E7
SHA-512: CC081CF856DDD66A60AD9F2F80B898C250D8D30149594BC54C9BDD9FE3B5221999C70B1F899178586E0D40F76E8C65404771E662E399860E33F7A64925E4CAC7
Malicious: false
Reputation: low
Preview: ..0x88afb889,0x01d72594 0x88afb889,0x01d72594....0x88afb889,0x01d725940x88b21ae0,0x01d72594..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category: dropped
Size (bytes): 648
Entropy (8bit): 5.151325783319418
Encrypted: false
SSDEEP: 12:TMHdNMNxiENJNLCnWimI002EtM3MHdNMNxiENJNLCnWimI00ONd5EtMb:2d6NxfNJNLCSZHKd6NxfNJNLCSZ7njb
MD5: 0A16F1F1C838B4794DE938885512B876
SHA1: 3B51B4AB77E678541A107E4290C66E1EB80311DF
SHA-256: 8FDE91A3BD0D4849CDB1393B11C5651A75EC87672412ADB5FC8BE85DB365D184
SHA-512: B27D502339436BB990413D0D7618581EDF4A7AFC7FA507C193CD392E5E3C78AF45391D3744F5B458574E3EC987A2AE8483C05B47AEEF8B293DC5F8C4B42C212A
Malicious: false
Reputation: low
Preview: ..0x88ad5631,0x01d725940x88ad5631,0x01d72594....0x88ad5631,0x01d725940x88ad5631,0x01d72594..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category: dropped
Size (bytes): 657
Entropy (8bit): 5.139407740930731
Encrypted: false
SSDEEP: 12:TMHdNMNxhGwEktkPCnWimI002EtM3MHdNMNxhGwEktkPCnWimI00ON8K075EtMb:2d6NxQtCSCSZHKd6NxQtCSCSZ7uKajb
MD5: 53F242C70D1887F77494A7E4449B57EA
SHA1: 6706806D663DED09A7527EB2A995412929087E6F
SHA-256: B3B196A4798BB5D51B64C9D7FD55E01B370CB43D6DC40A514D392C7E58064263
SHA-512: A6FB02BE6B6087D4979C62B3FF84A30E4283F728B0EC29E06D8847D72F0F13801AABD6465826F5AA0CA1622983C3214223460E80420FA5EF48AD965E297E3FF3
Malicious: false
Reputation: low
Preview: ..0x88b21ae0,0x01d72594<accdate>0x88b21ae0,0x01d72594....0x88b21ae0,0x01d725940x88b21ae0,0x01d72594..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category: dropped
Size (bytes): 654
Entropy (8bit): 5.128499068579867
Encrypted: false
SSDEEP: 12:TMHdNMNx0nEntCnWimI002EtM3MHdNMNx0nEntCnWimI00ONxEtMb:2d6Nx0EntCSZHKd6Nx0EntCSZ7Vb
MD5: 6356652C714EBBEC22A8661BD1C1B029
SHA1: 61816609ACFE66E80B6AE59BAEF9CBD2FE67E7A2
SHA-256: 414BFC677B7437F75AD8FEBB829FD7D13B67A86A2BAC059C7B4EB3B689B1E8CE
SHA-512: E9F82980DACA4CEB867856E6BF1323BC8B0E5C2A336FDFB8C7C3C402EB05E9ECA8E5D06D53612D362ED9D4A5DD73DB951321F42A64162F26B4BBA90F8043C049
Malicious: false
Reputation: low
Preview: ..0x88afb889,0x01d725940x88afb889,0x01d72594....0x88afb889,0x01d725940x88afb889,0x01d72594..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category: dropped
Size (bytes): 657
Entropy (8bit): 5.175155798209235
Encrypted: false
SSDEEP: 12:TMHdNMNxxENJNLCnWimI002EtM3MHdNMNxxENJNLCnWimI00ON6Kq5EtMb:2d6Nx2NJNLCSZHKd6Nx2NJNLCSZ7ub
MD5: 91C05593E12E6F6F049853CE4E8D1408
SHA1: 89C5DB4CA1A8987AAA971772F81A1023A44D47D6
SHA-256: D75AB2B2C33FF98634A0C5DEE0AD2F8023B9B6761D02FAF8E62AA9953849C352
SHA-512: F783EC738E932E7C1AF4F1174EA790E57557387B2AF0EDEA11338D3687941E26C0891AA59EBA7770D94E68F3A482BF3F0E45C6EB607C5178F2A4B90CB6A9C48E
Malicious: false
Reputation: low
Preview: ..0x88ad5631,0x01d72594<accdate>0x88ad5631,0x01d72594....0x88ad5631,0x01d725940x88ad5631,0x01d72594..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category: dropped
Size (bytes): 660
Entropy (8bit): 5.11857681316592
Encrypted: false
SSDEEP: 12:TMHdNMNxcENX9NXfCnWimI002EtM3MHdNMNxcENX9NXfCnWimI00ONVEtMb:2d6NxJT5CSZHKd6NxJT5CSZ71b
MD5: DE6DDE3FEF7A338E4E9C9661DC3274DE
SHA1: B0CEFFCFF8E8084CD5A863EFCA4481AF2129C5CB
SHA-256: 3C06AE94AE99A9C38BE6161A7B8E35298B644D9102F4F2F498E6983B94510A30
SHA-512: 8FEB5A20BB98A18AEFACCD0F40B8F3B206ECCEF00EC81F774E71216721A7F0F914C483136FC9E68462621A81B6F6A0E388C29F81994CD3C9482820276732178C
Malicious: false
Reputation: low
Preview: ..0x88aaf3c8,0x01d72594 0x88aaf3c8,0x01d72594....0x88aaf3c8,0x01d725940x88aaf3c8,0x01d72594..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category: dropped
Size (bytes): 654
Entropy (8bit): 5.1362167008250585
Encrypted: false
SSDEEP: 12:TMHdNMNxfnENJNLCnWimI002EtM3MHdNMNxfnENJNLCnWimI00ONe5EtMb:2d6NxsNJNLCSZHKd6NxsNJNLCSZ7Ejb
MD5: 38DFC21A4547C2723C32815B478CA124
SHA1: 8B54F50CCEE29CA585295697D6EDC1DFB1371B0D
SHA-256: 2676F5B1A3252D2C79C24B4BF8E2AF6E62B030CAC5CF70AB05F728B9FF0FEE7A
SHA-512: 9159F96E0B0B94CC5A402ED31F9B0424574AFB739F77824B4F54CCAC018555BF1E54B68575096B91A80BBDCB975B53A15BF1AAFAAA8A754E35C299051EB04BE0
Malicious: false
Reputation: low
Preview: ..0x88ad5631,0x01d725940x88ad5631,0x01d72594....0x88ad5631,0x01d725940x88ad5631,0x01d72594..

C:\Users\user\AppData\Local\Temp\~DFEE3469C78E3A6DF4.TMP
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: data
Category: dropped
Size (bytes): 34721
Entropy (8bit): 0.45294590159924075
Encrypted: false
SSDEEP: 24:c9lLh9lLh9lIn9lIn9lRg9lRA9lTq9lTK9lSSV9lSS19lK69lKa9lbK9lb69lrE1:kBqoxKA2HSUSc/ueeEDHFS8
MD5: 095BA631510E878A50FB0CBE4F833399
SHA1: C5F4A9E7DA16E61C574158F0102F12429A0DF3B6
SHA-256: 1D702FB54B0F0E4DF77ED8A2908938E2331DC119F021DBD6666D24756BCE23A2
SHA-512: 3BC7D6A2D6633FAA365BF01C8A4C59E7EF821320A436816950D9271C6C272CF1EA59C41A13CE52EFE058F7576A90EB05E50648F6E64920E21CE88C5155ADD2C3
Malicious: false
Reputation: low
Preview: ...... *%..H..M..{y..+.0...(...... *%..H..M..{y..+.0...(......

C:\Users\user\AppData\Local\Temp\~DFF751079DA8E92E8E.TMP
Process: C:\Program Files\internet explorer\iexplore.exe
File Type: data
Category: dropped
Size (bytes): 12965
Entropy (8bit): 0.41908536467580115
Encrypted: false
SSDEEP: 24:c9lLh9lLh9lIn9lIn9lo/9lo/9lW0ibR5F:kBqoIg+0wRr
MD5: 2436D1E8BFF86447EBEFB046FF78281C
SHA1: BDAB676A5510C3510E92DD441496F2B8FA1C2171
SHA-256: 59F8A716232A3FEFD56C7A4260323808A87FDD4CC0AFBFE2CC58DA5A8A5C6749
SHA-512: ABDCB04113375A524EC2D421ABD8412A8E500C3815A56F299163CE448B0113E9FD6FC31264A0F36E174CAAA3A22022F30825B1E093F156896CD1591A795A51DB
Malicious: false
Reputation: low
Preview: ...... *%..H..M..{y..+.0...(...... *%..H..M..{y..+.0...(......

C:\Users\user\Desktop\cmdline.out
Process: C:\Windows\SysWOW64\wget.exe
File Type: ASCII text, with CRLF line terminators
Category: modified
Size (bytes): 627
Entropy (8bit): 5.147614480558491
Encrypted: false
SSDEEP: 12:HqV9BPpfy/1TBZ0K3DGsC1YaZ0KV9MSXT1De5RhKgv1DbV3JRbKjVovX2AV9xvKO:+pfy/1TBZz3DGsC1YaZzoSjxePggv1Nx
MD5: E7704663E60532CFC78B6C08075DC1FC
SHA1: FAB1A519E4D73FA0C8F0758610D6B6BEE1309855
SHA-256: 8FB544594442A5E40695D1BA0BD061D0EAAF4536D842E1922C2630A1A7D9CDF1
SHA-512: 01F88C5577DB91E24B2862F019B2BF614F9E42245A001DF5FD8154134C529083D335F595BC16F4DE7639938C5132C42C1129CDC4E9381602A49B9AB4E8760CD1
Malicious: false
Reputation: low
Preview: --2021-03-30 11:42:36-- https://bazaar.abuse.ch/download/37a2259b9791e03125fef3ca14baa3336ca823c354a9b864944bcfe7892241e0/..Resolving bazaar.abuse.ch (bazaar.abuse.ch)... 151.101.2.49, 151.101.66.49, 151.101.130.49, .....Connecting to bazaar.abuse.ch (bazaar.abuse.ch)|151.101.2.49|:443... connected...HTTP request sent, awaiting response... 200 OK..Length: 4588 (4.5K) [text/html]..Saving to: 'C:/Users/user/Desktop/download/index.html'.... 0K .... 100% 61.2K=0.07s....2021-03-30 11:42:37 (61.2 KB/s) - 'C:/Users/user/Desktop/download/index.html' saved [4588/4588]....

C:\Users\user\Desktop\download\.wget-hsts
Process: C:\Windows\SysWOW64\wget.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 174
Entropy (8bit): 5.142666879908284
Encrypted: false
SSDEEP: 3:SY2FyFARLlbwFAM9CxnOLVFzDwIVhyyJxWQ5RdkA8dykfRuDwD1YjZTXq:SYeRLlbA0noH9VhyyJQQ5oA8UkfovJa
MD5: 2DDCE8A7AB54169CD2B68D6C4CDDAA37
SHA1: 7394F06005E5FA80D8B17834B355F4D626DBFF25
SHA-256: 39257EF0AB63D68A441C0A0DCB5616E1D460D80C00F22612C6080A3EB23443F4
SHA-512: FD98B9D8B66905E53685343893642CAEEC09F512855AB0EE025B23B277497674B986283D7A8D37E032AF7B15C965B5ED94D112985D41705A44E1D323FF3BF7FB
Malicious: false
Reputation: low
Preview: # HSTS 1.0 Known Hosts database for GNU Wget...# Edit at your own risk...# ......bazaar.abuse.ch.0.1.1617129757.15768000..

C:\Users\user\Desktop\download\index.html
Process: C:\Windows\SysWOW64\wget.exe
File Type: HTML document, ASCII text
Category: dropped
Size (bytes): 4588
Entropy (8bit): 4.5956506904454555
Encrypted: false
SSDEEP: 96:GSOtsZcZxpPsCkHInCnir7NmEhIMA1b4pE4R:LOts+sGnRsqIM/R
MD5: C4025DCDE7BF3989B0C7FA379E494B36
SHA1: 6AAFA837AA8A767D9396D6E3661A1D3AC5A3DF98
SHA-256: 09BA28CA70DE45A1AFEC38A09194645F2264E2FE354EF68E69CA53DF51633E2B
SHA-512: B5F29766CB5C9F2F3AF0131A4B446965ADC6A23EC04B6935567FB70597090BEAF7B805DC6E6A20393C0D79EE870D13492028A67166BBEF1AE428F410CCC1F48C
Malicious: false
Reputation: low
Preview: .. . . . . . MalwareBazaar | Download malware samples.. Bootstrap core CSS -->. . Font Awesome CSS -->. . Custom styles -->. . . .. .
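The three wget artefacts above (cmdline.out, .wget-hsts, index.html) contain everything needed to decide whether the fetch produced the sample or just a web page: the URL embeds the sample's SHA-256, the transcript gives the status and Content-Type, and the saved file's SHA-256 (09BA28CA…) plainly differs from the one in the URL (37A2259B…). The following is an added example, not code from Joe Security's report, that automates that check. The transcript is transcribed from the cmdline.out preview with its line breaks restored, and the saved-file hash is the SHA-256 the report lists for index.html; the function names and the verdict strings are this example's own.

```python
"""Decide whether a wget fetch of a MalwareBazaar download URL yielded the
sample or only the HTML landing page.

Added example, not part of the Joe Sandbox report. WGET_LOG is transcribed
from the report's cmdline.out preview with line breaks restored; SAVED_SHA256
is the SHA-256 the report lists for the dropped index.html.
"""
from __future__ import annotations

import hashlib
import re

WGET_LOG = """\
--2021-03-30 11:42:36--  https://bazaar.abuse.ch/download/37a2259b9791e03125fef3ca14baa3336ca823c354a9b864944bcfe7892241e0/
Resolving bazaar.abuse.ch (bazaar.abuse.ch)... 151.101.2.49, 151.101.66.49, 151.101.130.49, ...
Connecting to bazaar.abuse.ch (bazaar.abuse.ch)|151.101.2.49|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4588 (4.5K) [text/html]
Saving to: 'C:/Users/user/Desktop/download/index.html'
2021-03-30 11:42:37 (61.2 KB/s) - 'C:/Users/user/Desktop/download/index.html' saved [4588/4588]
"""
SAVED_SHA256 = "09BA28CA70DE45A1AFEC38A09194645F2264E2FE354EF68E69CA53DF51633E2B"


def parse_wget_log(log: str) -> dict:
    """Extract the fields an analyst needs from a `wget -v` transcript."""
    info = {"url": None, "status": None, "length": None,
            "content_type": None, "saved_path": None, "completed": False}
    for line in log.splitlines():
        line = line.strip()
        if m := re.match(r"--\S+ \S+--\s+(\S+)", line):        # "--date time--  URL"
            info["url"] = m.group(1)
        elif m := re.search(r"awaiting response\.\.\. (\d{3})", line):
            info["status"] = int(m.group(1))
        elif m := re.match(r"Length: (\d+).*\[([^\]]+)\]", line):  # "Length: N (..) [type]"
            info["length"], info["content_type"] = int(m.group(1)), m.group(2)
        elif m := re.match(r"Saving to: '([^']+)'", line):
            info["saved_path"] = m.group(1)
        elif m := re.search(r"saved \[(\d+)/(\d+)\]", line):     # "saved [got/expected]"
            info["completed"] = m.group(1) == m.group(2)
    return info


def expected_sha256(url: str) -> str | None:
    """MalwareBazaar download URLs carry the sample's SHA-256 as the last path element."""
    m = re.search(r"/download/([0-9a-fA-F]{64})/?$", url)
    return m.group(1).lower() if m else None


def sha256_bytes(data: bytes) -> str:
    """Hash of file content; in practice run this over the saved file on disk."""
    return hashlib.sha256(data).hexdigest()


def verdict(log: str, saved_sha256: str) -> dict:
    """Combine the transcript with the saved file's hash into a verdict."""
    info = parse_wget_log(log)
    expected = expected_sha256(info["url"] or "")
    ctype = info["content_type"] or ""
    if info["status"] != 200 or not info["completed"]:
        state = "download failed or incomplete"
    elif expected is None:
        state = "URL carries no SHA-256 to compare against"
    elif saved_sha256.lower() == expected:
        state = "sample retrieved: saved file hashes to the SHA-256 in the URL"
    elif ctype.startswith("text/html"):
        state = "HTML landing page saved, not the sample"
    elif ctype.startswith(("application/zip", "application/octet-stream")):
        # Samples are commonly delivered inside an archive: hash the member,
        # not the container, before comparing with the URL.
        state = "archive saved: hash the extracted member, not the container, then re-check"
    else:
        state = "saved content does not match the SHA-256 in the URL"
    return {**info, "expected_sha256": expected,
            "saved_sha256": saved_sha256.lower(), "state": state}


if __name__ == "__main__":
    for key, value in verdict(WGET_LOG, SAVED_SHA256).items():
        print(f"{key}: {value}")
```

On the report's data the verdict is "HTML landing page saved, not the sample": status 200, 4588 of 4588 bytes, Content-Type text/html, and a saved-file hash that is not the one in the URL. A urldownload cookbook run should be gated on this check before its score is trusted, because a clean verdict on a landing page is not a verdict on the sample.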
